<?php

/**
 * Code related to the wordpress-recommendations.lib.php checks.
 *
 * PHP version 5
 *
 * @category   Library
 *
 * @author     Northon Torga <[email protected]>
 * @copyright  2010-2019 Sucuri Inc.
 * @license    https://www.gnu.org/licenses/gpl-2.0.txt GPL2
 *
 * @see        https://wordpress.org/plugins/sucuri-scanner
 */
if (!(defined('SUCURISCAN_INIT') && SUCURISCAN_INIT === true)) {
    /*
     * The file was requested directly instead of being loaded by the plugin
     * bootstrap: answer 403 while headers are still open, then stop.
     */
    if (!headers_sent()) {
        header('HTTP/1.1 403 Forbidden');
    }
    exit(1);
}

/**
 * Make sure the WordPress install follows security best practices.
 *
 * @category   Library
 *
 * @author     Northon Torga <[email protected]>
 * @copyright  2010-2019 Sucuri Inc.
 * @license    https://www.gnu.org/licenses/gpl-2.0.txt GPL2
 *
 * @see        https://wordpress.org/plugins/sucuri-scanner
 * @see        https://sucuri.net/guides/wordpress-security/
 */
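class SucuriWordPressRecommendations
{
    /**
     * Lowest PHP branch this check still treats as receiving security fixes.
     *
     * NOTE(review): this must be bumped by hand as branches reach the end of
     * their security support (https://www.php.net/supported-versions.php).
     * The value is kept at the original 7.2 to avoid silently changing what
     * existing installs are told, but 7.2 reached end of life on 2020-11-30,
     * so until this constant is raised, later unsupported branches are reported
     * as fine.
     */
    const MIN_SUPPORTED_PHP = '7.2';

    /** Installed plugin count (active or not) from which the "too many plugins" item is shown. */
    const MAX_PLUGINS_BEFORE_WARNING = 50;

    /** Age of wp-config.php, in months, after which the keys/salts are considered stale. */
    const SALT_MAX_AGE_MONTHS = 12;

    /**
     * Placeholder that wp-config-sample.php ships for every key and salt.
     * WordPress' wp_salt() ignores a constant left at this value (or empty)
     * and falls back to database-generated salts, so it must not count as
     * "configured" here either.
     */
    const SALT_PLACEHOLDER = 'put your unique phrase here';

    /**
     * The eight key/salt constants WordPress reads from wp-config.php.
     *
     * @var array
     */
    private static $saltConstants = array(
        'AUTH_KEY',
        'SECURE_AUTH_KEY',
        'LOGGED_IN_KEY',
        'NONCE_KEY',
        'AUTH_SALT',
        'SECURE_AUTH_SALT',
        'LOGGED_IN_SALT',
        'NONCE_SALT',
    );

    /**
     * Generates the HTML section for the WordPress recommendations section.
     *
     * Every known recommendation is registered first, then each one the site
     * already satisfies is dropped; whatever is left is rendered as a list.
     * When nothing is left a green "all good" message is shown instead.
     *
     * @return string HTML code to render the recommendations section
     */
    public static function pageWordPressRecommendations()
    {
        $recommendations = self::recommendationCatalog();

        /*
         * get_plugins() and is_plugin_active() live in wp-admin/includes/plugin.php,
         * which WordPress only loads on admin requests; load it defensively so the
         * section also renders if this is ever called from another context.
         */
        if (!function_exists('get_plugins')) {
            require_once ABSPATH . 'wp-admin/includes/plugin.php';
        }
        $installedPlugins = get_plugins();
        $inactivePlugins = self::countInactivePlugins($installedPlugins);

        /*
         * check id => true when the site already satisfies that recommendation.
         * All checks are read-only, so evaluation order is irrelevant.
         */
        $satisfied = array(
            'noSSL' => self::siteUsesSsl(),
            'PHPVersionCheck' => self::phpVersionSupported(),
            'wpSaltExistenceChecker' => self::saltsConfigured(),
            'wpSaltAgeDiscriminator' => self::saltsRecentlyRotated(),
            'adminBadUsername' => !self::defaultAdminLoginExists(),
            'lonelySuperAdmin' => !self::onlyOneUser(),
            /*
             * Unused-extension item is only raised when there are BOTH several
             * themes AND at least one deactivated plugin, and never on multisite.
             * NOTE(review): this mirrors the original logic; a single deactivated
             * plugin on a one-theme site is therefore not reported - confirm that
             * is intended before tightening it.
             */
            'forgottenExtension' => is_multisite() || count(wp_get_themes()) < 2 || $inactivePlugins < 1,
            'tooMuchPlugins' => is_multisite() || count($installedPlugins) < self::MAX_PLUGINS_BEFORE_WARNING,
            'fileEditStillEnabled' => self::fileEditingDisabled(),
            /*
             * WP_DEBUG is normally defined by default-constants.php; only a strict
             * boolean false counts as "debug off", as in the original check.
             */
            'wpDebugOnline' => !defined('WP_DEBUG') || false === WP_DEBUG,
            'notHardened' => self::hardeningSatisfied(),
        );

        foreach ($satisfied as $checkid => $isFine) {
            if ($isFine) {
                unset($recommendations[$checkid]);
            }
        }

        return self::renderSection($recommendations);
    }

    /**
     * All recommendations this page knows about.
     *
     * @return array check id => array(translated title => translated description)
     */
    private static function recommendationCatalog()
    {
        // phpcs:disable Generic.Files.LineLength
        return array(
            'noSSL' => array(
                __('Implement an SSL Certificate', 'sucuri-scanner') => __('SSL certificates help protect the integrity of the data in transit between the host (web server or firewall) and the client (web browser).', 'sucuri-scanner'),
            ),
            'PHPVersionCheck' => array(
                __('Upgrade PHP to a supported version', 'sucuri-scanner') => __('The PHP version you are using no longer receives security support and could be exposed to unpatched security vulnerabilities.', 'sucuri-scanner'),
            ),
            'wpSaltExistenceChecker' => array(
                __('Missing WordPress Salt & Security Keys', 'sucuri-scanner') => __('Consider using WordPress Salt & Security Keys to add an extra layer of protection to the session cookies and credentials.', 'sucuri-scanner'),
            ),
            'wpSaltAgeDiscriminator' => array(
                __('WordPress Salt & Security Keys should be updated', 'sucuri-scanner') => __('Updating WordPress Salt & Security Keys after a compromise and on a regular basis, at least once a year, reduces the risks of session hijacking.', 'sucuri-scanner'),
            ),
            'adminBadUsername' => array(
                __('Admin/Administrator username still exists', 'sucuri-scanner') => __('Using a unique username and removing the default admin/administrator account make it more difficult for attackers to brute force your WordPress.', 'sucuri-scanner'),
            ),
            'lonelySuperAdmin' => array(
                __('Use super admin account only when needed', 'sucuri-scanner') => __('Create an Editor account instead of always using the super-admin to reduce the damage in case of session hijacking.', 'sucuri-scanner'),
            ),
            'forgottenExtension' => array(
                __('Remove unwanted/unused extensions', 'sucuri-scanner') => __('Keeping unwanted themes and plugins increases the chance of a compromise, even if they are disabled.', 'sucuri-scanner'),
            ),
            'tooMuchPlugins' => array(
                __('Decrease the number of plugins', 'sucuri-scanner') => __('The greater the number of plugins installed, the greater the risk of infection and performance issues.', 'sucuri-scanner'),
            ),
            'fileEditStillEnabled' => array(
                __('Disable file editing', 'sucuri-scanner') => __('Using "DISALLOW_FILE_EDIT" helps prevent an attacker from changing your files through WordPress backend.', 'sucuri-scanner'),
            ),
            'wpDebugOnline' => array(
                __('Disable WordPress debug mode', 'sucuri-scanner') => __('When "WP_DEBUG" is set to true, it will cause all PHP errors, notices and warnings to be displayed which can expose sensitive information.', 'sucuri-scanner'),
            ),
            'notHardened' => array(
                __('Prevent PHP direct execution on sensitive directories', 'sucuri-scanner') => __('Directories such as "wp-content" and "wp-includes" are generally not intended to be accessed by any user, consider hardening them via Sucuri Security -> Settings -> Hardening.', 'sucuri-scanner'),
            ),
        );
        // phpcs:enable
    }

    /**
     * Whether the site is actually served over TLS.
     *
     * is_ssl() only says the CURRENT (admin) request used TLS; an admin forced
     * to HTTPS (e.g. FORCE_SSL_ADMIN) does not mean visitors get TLS. The raw
     * "home" option is inspected rather than home_url(), because home_url()
     * rewrites the scheme to https whenever is_ssl() is true and would always
     * agree with it here.
     *
     * @see https://blog.sucuri.net/2019/03/how-to-add-ssl-move-wordpress-from-http-to-https.html
     *
     * @return bool
     */
    private static function siteUsesSsl()
    {
        if (!is_ssl()) {
            return false;
        }

        $homeScheme = parse_url((string) get_option('home'), PHP_URL_SCHEME);

        return 'https' === strtolower((string) $homeScheme);
    }

    /**
     * Whether the running PHP is at or above the oldest supported branch.
     *
     * @see https://www.php.net/supported-versions.php
     *
     * @return bool
     */
    private static function phpVersionSupported()
    {
        return version_compare(PHP_VERSION, self::MIN_SUPPORTED_PHP, '>=');
    }

    /**
     * True only when all eight key/salt constants are defined, non-empty and
     * not the sample placeholder - the same test wp_salt() applies before
     * trusting a constant. The previous check only asked whether AUTH_KEY and
     * AUTH_SALT were defined, so an unedited wp-config-sample.php passed.
     *
     * @see https://wordpress.org/support/article/editing-wp-config-php/#security-keys
     *
     * @return bool
     */
    private static function saltsConfigured()
    {
        foreach (self::$saltConstants as $name) {
            if (!defined($name)) {
                return false;
            }

            $value = constant($name);
            if ('' === $value || self::SALT_PLACEHOLDER === $value) {
                return false;
            }
        }

        return true;
    }

    /**
     * Locate wp-config.php the way wp-load.php does: inside ABSPATH, otherwise
     * one directory above it (a supported layout the old check ignored, which
     * made it report stale salts forever on such installs).
     *
     * @return string|null Absolute path, or null when no config file was found.
     */
    private static function wpConfigPath()
    {
        $candidates = array(
            ABSPATH . 'wp-config.php',
            dirname(ABSPATH) . '/wp-config.php',
        );

        foreach ($candidates as $path) {
            if (file_exists($path)) {
                return $path;
            }
        }

        return null;
    }

    /**
     * Whether wp-config.php was modified within SALT_MAX_AGE_MONTHS.
     *
     * NOTE(review): the file mtime is only a proxy for a salt rotation - any
     * edit to wp-config.php resets the clock and a restore from backup may
     * set it arbitrarily. A precise check would persist a hash of the eight
     * constants together with the time it was first seen.
     *
     * @see https://sucuri.net/guides/wordpress-security/#harrec
     *
     * @return bool False when the file cannot be found or its mtime read.
     */
    private static function saltsRecentlyRotated()
    {
        $configPath = self::wpConfigPath();
        if ($configPath === null) {
            return false;
        }

        $modifiedAt = filemtime($configPath);
        if ($modifiedAt === false) {
            return false;
        }

        return $modifiedAt > strtotime('-' . self::SALT_MAX_AGE_MONTHS . ' months');
    }

    /**
     * Whether an administrator account still uses one of the default logins
     * attackers try first ("admin", "administrator").
     *
     * WordPress 4.7 added the login__in query argument; older cores get the
     * administrator list and filter it in PHP. The fallback compares
     * case-insensitively so "Admin" is caught as well.
     *
     * @see https://sucuri.net/guides/wordpress-security/#uac
     *
     * @return bool
     */
    private static function defaultAdminLoginExists()
    {
        $defaultLogins = array('admin', 'administrator');

        if (version_compare(SucuriScan::siteVersion(), '4.7', '>=')) {
            $matches = get_users(array(
                'role' => 'administrator',
                'login__in' => $defaultLogins,
            ));

            return !empty($matches);
        }

        $administrators = get_users(array(
            'role' => 'administrator',
            'fields' => array('user_login'),
        ));

        foreach ($administrators as $account) {
            if (in_array(strtolower($account->user_login), $defaultLogins, true)) {
                return true;
            }
        }

        return false;
    }

    /**
     * Whether the install has exactly one user, i.e. the super admin is the
     * account used for all day-to-day work.
     *
     * @see https://sucuri.net/guides/wordpress-security/#uac
     *
     * @return bool
     */
    private static function onlyOneUser()
    {
        $counts = count_users();

        return isset($counts['total_users']) && 1 === (int) $counts['total_users'];
    }

    /**
     * Number of installed plugins that are not active.
     *
     * @param array $installedPlugins Result of get_plugins(): plugin file => headers.
     *
     * @return int
     */
    private static function countInactivePlugins(array $installedPlugins)
    {
        $inactive = 0;

        foreach (array_keys($installedPlugins) as $pluginFile) {
            if (!is_plugin_active($pluginFile)) {
                $inactive++;
            }
        }

        return $inactive;
    }

    /**
     * Whether the built-in theme/plugin file editor is disabled.
     *
     * Either DISALLOW_FILE_EDIT or DISALLOW_FILE_MODS set to true removes the
     * edit_themes/edit_plugins capabilities in core, so both are accepted;
     * the old check recognised only DISALLOW_FILE_EDIT and nagged sites that
     * had locked things down further with DISALLOW_FILE_MODS.
     *
     * @see https://sucuri.net/guides/wordpress-security/#appconf
     *
     * @return bool
     */
    private static function fileEditingDisabled()
    {
        if (defined('DISALLOW_FILE_EDIT') && true === DISALLOW_FILE_EDIT) {
            return true;
        }

        return defined('DISALLOW_FILE_MODS') && true === DISALLOW_FILE_MODS;
    }

    /**
     * Whether the hardening recommendation does not apply or is already met.
     *
     * The .htaccess-based hardening only works on Apache-style servers and is
     * redundant behind the firewall, so nginx, IIS and firewalled sites are
     * treated as satisfied; otherwise both wp-content and wp-includes must be
     * hardened.
     *
     * @see https://sucuri.net/guides/wordpress-security/#harrec
     *
     * @return bool
     */
    private static function hardeningSatisfied()
    {
        if (SucuriScan::isNginxServer() || SucuriScan::isIISServer() || SucuriScan::isBehindFirewall()) {
            return true;
        }

        return SucuriScanHardening::isHardened(WP_CONTENT_DIR)
            && SucuriScanHardening::isHardened(ABSPATH.'/wp-includes');
    }

    /**
     * Build the template parameters and render the section.
     *
     * With nothing left to recommend the title is green and a single "all
     * good" sentence is shown; otherwise the title is blue and one snippet is
     * rendered per remaining item. Titles and descriptions are plugin-owned
     * translation strings, not user input.
     *
     * @param array $recommendations Remaining check id => array(title => description).
     *
     * @return string HTML for the section.
     */
    private static function renderSection(array $recommendations)
    {
        $params = array(
            'WordPress.Recommendations.Color' => 'green',
            // phpcs:disable Generic.Files.LineLength
            'WordPress.Recommendations.Content' => __('Your WordPress install is following <a href="https://sucuri.net/guides/wordpress-security" target="_blank" rel="noopener">the security best practices</a>.', 'sucuri-scanner'),
            // phpcs:enable
        );

        if (count($recommendations) > 0) {
            $params['WordPress.Recommendations.Color'] = 'blue';
            $params['WordPress.Recommendations.Content'] = '';

            foreach ($recommendations as $entries) {
                foreach ($entries as $title => $description) {
                    $params['WordPress.Recommendations.Content'] .= SucuriScanTemplate::getSnippet(
                        'wordpress-recommendations',
                        array(
                            'WordPress.Recommendations.Title' => $title,
                            'WordPress.Recommendations.Value' => $description,
                        )
                    );
                }
            }
        }

        return SucuriScanTemplate::getSection('wordpress-recommendations', $params);
    }
}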