Secure package for WP CLI, built to provide an easier way of securing your WordPress installation

Overview

wp-cli/secure-command

Official website: Hackthewp.com

Manages common security aspects of WordPress. Supports nginx and Apache.

Basic Usage

This package implements the following commands:

Deploy All Security Rules

Deploys all the rules listed below at once.

wp secure all

Remove All Security Rules

Removes all security rules.

wp secure flush

Add Security Headers

Adds the HSTS (Strict-Transport-Security), Referrer-Policy, X-Content-Type-Options and X-Frame-Options headers.

You can add all of them, or only a subset, by using the --headers argument.

Example:

wp secure add-security-headers
wp secure add-security-headers --headers=Strict-Transport-Security
wp secure add-security-headers --headers=Strict-Transport-Security,X-Frame-Options
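As an added illustration (example code written for this page, not the package's own templates), the following renders the Apache and nginx form of the same --headers selection, the kind of text --output prints. The header values are assumed defaults and may differ from what the package writes.

```python
"""Render Apache (.htaccess) and nginx rule text for the security headers that
`wp secure add-security-headers` manages. Example code written for this page;
the header values and rule layout are assumptions, not the package's templates."""

# Assumed default values; the package may use different ones. Note that HSTS
# only has an effect when the site is served over HTTPS.
HEADER_VALUES = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "SAMEORIGIN",
}


def parse_headers_arg(headers=None):
    """Mirror --headers=A,B: None selects all four, otherwise a comma-separated
    subset. Unknown names raise instead of being silently dropped."""
    if headers is None:
        return list(HEADER_VALUES)
    wanted = [h.strip() for h in headers.split(",") if h.strip()]
    unknown = [h for h in wanted if h not in HEADER_VALUES]
    if unknown:
        raise ValueError("unsupported header(s): " + ", ".join(unknown))
    return wanted


def render_rules(server="apache", headers=None):
    """Return the rule block for `server` ("apache" or "nginx")."""
    names = parse_headers_arg(headers)
    if server == "apache":
        # The IfModule guard keeps Apache from failing if mod_headers is off.
        lines = ["<IfModule mod_headers.c>"]
        lines += ['    Header always set %s "%s"' % (n, HEADER_VALUES[n])
                  for n in names]
        lines.append("</IfModule>")
    elif server == "nginx":
        # "always" makes nginx emit the header on error responses as well.
        lines = ['add_header %s "%s" always;' % (n, HEADER_VALUES[n])
                 for n in names]
    else:
        raise ValueError("unsupported server: " + server)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_rules("apache"))
    print(render_rules("nginx", "Strict-Transport-Security,X-Frame-Options"))
```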

Block the access to sensitive files and directories

wp secure block-access <what-to-block>

By default, this command blocks direct access to the following sensitive files and directories: readme.txt, readme.html, xmlrpc.php, wp-config.php, wp-admin/install.php, wp-admin/upgrade.php, .git, svn, cache and vendors.

Possible options are:

  • sensitive-files
  • sensitive-directories
  • xmlrpc
  • htaccess
  • custom
  • all (does all the above)

Examples:

wp secure block-access sensitive-files
wp secure block-access sensitive-directories
wp secure block-access xmlrpc
wp secure block-access htaccess
wp secure block-access all

You can also block custom files and/or directories of your choice. To do that, use the custom argument and pass one or both of the additional options --files and --directories.

If you want to block custom files, make sure that you pass only file names, not full file paths.

Examples:

wp secure block-access custom --files=dump.sql,phpinfo.php,adminer.php
wp secure block-access custom --directories=wp-content/mu-plugins

Block Author Scanning

wp secure block-author-scanning

Blocks author scanning. Author scanning is a common technique used in brute-force attacks on WordPress: it is used to obtain usernames so that their passwords can be attacked, and to gather additional information about the WordPress installation itself.

Examples:

wp secure block-author-scanning

Block Direct Access and Execution in certain directories

wp secure block-php-execution <where>

Blocks direct access and execution of PHP files in wp-content/plugins, wp-content/uploads, wp-content/themes and wp-includes directories.

You need to specify where you want to prevent direct access to PHP files. Possible options are:

  • all
  • plugins
  • uploads
  • themes
  • wp-includes

Examples:

wp secure block-php-execution all
wp secure block-php-execution plugins
wp secure block-php-execution uploads
wp secure block-php-execution themes
wp secure block-php-execution wp-includes

Disable Directory Browsing

wp secure disable-directory-browsing

Disables directory browsing.

By default, when your web server does not find an index file (i.e. a file like index.php or index.html), it automatically displays an index page listing the contents of the directory. This can expose your site by revealing information an attacker needs to exploit a vulnerability in a WordPress plugin, theme, or your server in general.

Examples:

wp secure disable-directory-browsing

Disable WordPress File Editor

Disables the WordPress file editor. The editor can be used to edit arbitrary files through the web interface, which makes it easier for attackers to change files on the server using only a web browser.

wp secure disable-file-editor

Fix file and directory permissions

wp secure fix-permissions

Use this command to make sure that the permissions of all files and directories are set according to the WordPress recommendations. It sets 0644 on all files and 0755 on all directories inside the WordPress installation.

IMPORTANT: Don't use this command if you don't know what you are doing!
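Before running the fix, a practitioner usually wants to see what would change. The following dry-run audit against the same 0644/0755 baseline is example code added for this page, not the package's implementation; the sample tree it builds is constructed.

```python
"""Dry-run audit against the 0644 (files) / 0755 (directories) baseline that
`wp secure fix-permissions` enforces. Example code for this page, not the
package's implementation: it reports deviations instead of changing them."""
import os
import stat
import tempfile

FILE_MODE = 0o644
DIR_MODE = 0o755


def audit_permissions(root):
    """Walk `root` and return (relative path, actual mode, expected mode) for
    every file or directory whose permission bits deviate from the baseline.
    Symlinks are skipped because changing them would affect their targets."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        entries = [(dirpath, DIR_MODE)]
        entries += [(os.path.join(dirpath, f), FILE_MODE) for f in filenames]
        for path, expected in entries:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue
            actual = stat.S_IMODE(st.st_mode)
            if actual != expected:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                findings.append((rel, actual, expected))
    return sorted(findings)


def world_writable(findings):
    """The urgent subset: entries any local user may write to (e.g. 0666 or
    0777), which is exactly what a 0666 default mask would produce."""
    return [f for f in findings if f[1] & stat.S_IWOTH]


def build_sample_tree():
    """Constructed sample install: one correct file, one world-writable
    wp-config.php and one 0777 uploads directory. Returns the root path."""
    root = tempfile.mkdtemp()
    uploads = os.path.join(root, "wp-content", "uploads")
    os.makedirs(uploads)
    for name in ("index.php", "wp-config.php"):
        open(os.path.join(root, name), "w").close()
    os.chmod(root, DIR_MODE)
    os.chmod(os.path.join(root, "wp-content"), DIR_MODE)
    os.chmod(uploads, 0o777)
    os.chmod(os.path.join(root, "index.php"), FILE_MODE)
    os.chmod(os.path.join(root, "wp-config.php"), 0o666)
    return root


def demo():
    """Audit the constructed tree; returns (all findings, world-writable ones)."""
    findings = audit_permissions(build_sample_tree())
    return findings, world_writable(findings)


if __name__ == "__main__":
    for rel, actual, expected in demo()[0]:
        print("%-28s is %04o, expected %04o" % (rel, actual, expected))
```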

Check the integrity of WordPress files

Downloads MD5 checksums for the current version from WordPress.org, and compares those checksums against the currently installed files.

It also returns a list of files that shouldn't be part of a default WordPress installation, which is very useful when you are looking for possibly injected files.

Examples:

wp secure integrity-scan
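The comparison described above, as an added offline example (not the package's code): the manifest that the real command downloads from WordPress.org is replaced by a constructed one, and the sample install contains one tampered, one missing and one unlisted file.

```python
"""Offline version of the comparison `wp secure integrity-scan` performs: a
manifest of expected MD5 checksums (the real command downloads it from
WordPress.org for the installed version) is compared with the files on disk.
Example code for this page, not the package's implementation; the manifest and
the sample tree are constructed."""
import hashlib
import os
import tempfile


def md5_of(path):
    """Hash a file in chunks so large files do not need to fit in memory."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def integrity_scan(root, manifest):
    """Compare `root` with `manifest` ({relative path: md5}). Returns
    'modified' (hash differs), 'missing' (listed but absent) and 'extra'
    (present but unlisted). Extra files are the first place to look when
    hunting for injected code, since the manifest never lists them."""
    on_disk = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            on_disk[os.path.relpath(full, root).replace(os.sep, "/")] = full
    return {
        "modified": sorted(p for p, h in manifest.items()
                           if p in on_disk and md5_of(on_disk[p]) != h),
        "missing": sorted(p for p in manifest if p not in on_disk),
        "extra": sorted(p for p in on_disk if p not in manifest),
    }


def build_sample_install():
    """Constructed install: three 'core' files with a matching manifest, of
    which one is tampered and one deleted, plus one unlisted PHP file in
    uploads. Returns (root, manifest)."""
    originals = {
        "index.php": b"<?php require 'wp-blog-header.php';\n",
        "wp-load.php": b"<?php // bootstrap\n",
        "wp-includes/version.php": b"<?php $wp_version = '0.0';\n",
    }
    manifest = {p: hashlib.md5(c).hexdigest() for p, c in originals.items()}
    root = tempfile.mkdtemp()
    for rel, content in originals.items():
        if rel == "wp-load.php":
            continue  # simulate a deleted core file
        if rel == "index.php":
            content += b"// unexpected change\n"  # simulate tampering
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(content)
    injected = os.path.join(root, "wp-content", "uploads", "injected.php")
    os.makedirs(os.path.dirname(injected))
    with open(injected, "wb") as fh:
        fh.write(b"<?php // not part of core\n")
    return root, manifest


def demo():
    """Scan the constructed install; returns the result dict."""
    root, manifest = build_sample_install()
    return integrity_scan(root, manifest)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print("%-9s %s" % (kind + ":", ", ".join(paths) or "-"))
```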

Global options

Remove single security rule

Using --remove with any rule command, you can remove that rule from the configuration.

wp secure block-access xmlrpc --remove

Get the output instead of writing in configuration files

Using the --output option with any rule command, you can print the actual rule text, which you can inspect or copy manually to any file of your choice.

wp secure block-access htaccess --output
wp secure block-access htaccess --output --server=nginx

Specify server type

By default, all rules are generated for Apache or LiteSpeed web servers, which use the .htaccess file. Use --server=nginx to generate nginx rules instead.

wp secure block-access htaccess --server=nginx

Specify custom file path

By default, all commands assume that rules should be written in the root of the WordPress installation, in .htaccess or nginx.conf depending on the server you choose. However, you can specify a custom file path to be used for storing the security rules.

wp secure block-access htaccess --file-path=/home/user/mysite.com/.htaccess

Important Note for nginx users

The nginx rules are stored in the nginx.conf file. However, for the rules to actually take effect, you need to manually include this file in your vhost configuration and then restart the nginx server:

systemctl restart nginx

After each rule deployment or removal, you also need to restart the nginx server.

Installing

To install the latest version of this package over what's included in WP-CLI, run:

wp package install git@github.com:igorhrcek/wp-cli-secure-command.git

Development and testing

You need to set up two working WordPress installations, one on Apache and one on nginx. Using Docker containers is highly recommended: you can use the official WordPress Docker containers, BitNami, or bootstrap your environment using ddev.

For testing you need to create a .env file with the following content:

WORDPRESS_NGINX_PATH=wp/nginx
WORDPRESS_NGINX_URL=https://wpnginx.ddev.site
WORDPRESS_APACHE_PATH=wp/apache
WORDPRESS_APACHE_URL=https://wpapache.ddev.site

These paths and URLs are going to be used during tests, so make sure that they are accessible.

Contributing

We appreciate you taking the initiative to contribute to this project.

Contributing isn’t limited to just code. We encourage you to contribute in the way that best fits your abilities, by writing tutorials, giving a demo at your local meetup, helping other users with their support questions, or revising our documentation.

Comments
  • wp secure all and PHP Parse error

    wp secure all and PHP Parse error

    PHP Parse error: syntax error, unexpected '|', expecting variable (T_VARIABLE) in /.wp-cli/packages/vendor/igor/wp_cli_secure_command/src/SubCommands/SubCommand.php on line 109

    PHP 7.4.28 WP-CLI 2.6.0

    bug released 
    opened by fschmittlein 5
  • Error: Package installation failed.

    Error: Package installation failed.

Describe the bug I tried to install the package, just copied the line wp package install git@github.com:igorhrcek/wp-cli-secure-command.git and inserted it into iTerm. The error I got was:

`Warning: Package name mismatch...Updating from git name 'igorhrcek/wp-cli-secure-command' to composer.json name 'igor/wp_cli_secure_command'. Installing package igor/wp_cli_secure_command (dev-master) Updating /Users/xxxx/.wp-cli/packages/composer.json to require the package... Registering git@github.com:igorhrcek/wp-cli-secure-command.git as a VCS repository... Using Composer to install the package...

    Loading composer repositories with package information Warning: The 'https://api.github.com/repos/igorhrcek/wp-cli-secure-command' URL could not be accessed: HTTP/1.1 400 Bad Request


    Error: Package installation failed. Reverted composer.json.`

    • OS: MacOS Monterey
    opened by vayurobins 4
  • FixFileAndDirPermissions default mask sets file permissions to writable by any user.

    FixFileAndDirPermissions default mask sets file permissions to writable by any user.

    Describe the bug

    The Default permission mask used in FixFileAndDirPermissions sets files to 0666, which would allow any user to write to files in the WordPress installation.

    I would recommend a file mask of 0644, which would only allow the owner of the file to write to it, and still allows read access to all other users.

    To Reproduce

    Run wp secure fix-permissions

    Expected behavior

    I suspect the intended behavior of this function would be to set the mask to 0644, which is rw-r--r-- or sets files readable by any user, but writable by only the owner of the file.

    enhancement released 
    opened by rawrly 4
  • X-XSS-Protection is obsolete / deprecated and should be removed

    X-XSS-Protection is obsolete / deprecated and should be removed

    Describe the bug X-XSS-Protection is obsolete for a few years now and not supported by browsers anymore. This header will do nothing and at least caused privacy and security issues in the past.

    To Reproduce

    Expected behavior Remove the X-XSS-Protection header.

    Additional context See also: https://caniuse.com/mdn-http_headers_x-xss-protection https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection

    enhancement released 
    opened by DanielRuf 3
  • Implement a CICD workflow for automated testing

    Implement a CICD workflow for automated testing

    Is your feature request related to a problem? Please describe. No

    Describe the solution you'd like We need to develop custom CICD workflow for automated execution of tests using GitHub Actions

    Describe alternatives you've considered None

    Additional context We need to build Docker containers that will use both Apache and nginx to run WordPress. The reason for this is because we are doing integration tests for actual .htaccess and nginx rules that are deployed with our commands.

    So to do so, we probably will have to modify official WordPress containers and add WP CLI and then to make a full workflow for performing tests.

    enhancement released 
    opened by igorhrcek 3
  • Update documentation to include information about Security Headers

    Update documentation to include information about Security Headers

    Is your feature request related to a problem? Please describe. No

    Describe the solution you'd like We need to update the Readme file to include information about managing security headers

    Describe alternatives you've considered None

    Additional context None

    documentation released 
    opened by igorhrcek 2
  • file manager always edits in the current working directory

    file manager always edits in the current working directory

    Describe the bug File manager always edits in the current working directory.

    To Reproduce Steps to reproduce the behavior: run wp secure block-php plugins from the $HOME directory. An .htaccess will be created in the home directory. Even if a --path is specified.

    Expected behavior

    This is a tricky one. I think the default --path should be the default one in 90% of cases. But an .htaccess can also be located above a public folder. Probably the same applies to the nginx config files.

    If the default path is respected a way for an exception should be available. maybe a --config-path flag.

    Not a clear cut solution for this one.

    opened by janw-me 2
  • Refactor existing command that are blocking PHP execution in various places

    Refactor existing command that are blocking PHP execution in various places

    Is your feature request related to a problem? Please describe. There are a few commands that are doing the same thing (blocking PHP execution) on various paths and instead of having 4 separate commands, we might have one.

    Describe the solution you'd like Remove all existing block-php commands and replace it with only one that will accept arguments?

    Describe alternatives you've considered None

    Additional context For example, instead of:

    wp secure block_php_exution_in_uploads
    

    we should have:

    wp secure blockphp --locations=uploads,themes,plugins,wp-includes
    
    enhancement released 
    opened by igorhrcek 2
  • Fix linting issues for PHP 7.4

    Fix linting issues for PHP 7.4

    Describe the bug phpcs is reporting a huge amount of code style issues: https://github.com/igorhrcek/wp-cli-secure-command/actions/runs/2155584916

    Expected behavior Try and fix all of the issues if possible

    Additional context None

    enhancement released 
    opened by igorhrcek 1
  • Ask for confirmation before running FixPermissions

    Ask for confirmation before running FixPermissions

    Is your feature request related to a problem? Please describe. No

    Describe the solution you'd like Let's ask for confirmation before executing FixPermissions command.

    Describe alternatives you've considered None

Additional context Here are the docs for the confirmation implementation: https://make.wordpress.org/cli/handbook/references/internal-api/wp-cli-confirm/

    We should say something like "This command will change file and folder permissions inside your WordPress installation which might affect the way it works. Are you sure that you want to do this?"

    enhancement 
    opened by igorhrcek 1
  • Code refactoring and updates

    Code refactoring and updates

    Is your feature request related to a problem? Please describe. No

    Describe the solution you'd like TODO:

    1. Refactor the block-access method to allow for custom files and folders
    2. Fix the missing comments and check for PSR12 standardization of a code
    3. Update the Readme file to reflect latest set of changes
    4. Check existing Unit and Feature tests

    Describe alternatives you've considered None

    Additional context None

    enhancement released 
    opened by igorhrcek 1
  • Implement automated testing on nginx

    Implement automated testing on nginx

    Is your feature request related to a problem? Please describe. No

    Describe the solution you'd like Implement a new GHA workflow for automated testing of nginx rules

    Describe alternatives you've considered None

    Additional context In addition to this workflow I also need to build a WordPress container that uses nginx

    enhancement 
    opened by igorhrcek 0
  • Repeated and incorrectly formatted rules in .htaccess causing errors

    Repeated and incorrectly formatted rules in .htaccess causing errors

Describe the bug Repeated and incorrectly formatted rules in .htaccess causing errors.

    To Reproduce Steps to reproduce the behavior:

    1. Run wp secure block-access sensitive-files
    2. Check .htaccess file
    3. Each rule is repeated 4 times

    Screenshots image

    bug 
    opened by rafaucau 1
  • Implement a code that will clean up inline JavaScript from WordPress

    Implement a code that will clean up inline JavaScript from WordPress

    Is your feature request related to a problem? Please describe. If we allow inline JS to exist then having strong CSP policies (https://github.com/igorhrcek/wp-cli-secure-command/issues/27) will have no real purpose.

    Describe the solution you'd like We should find an elegant, sustainable and flexible solution for hooking into any WordPress installation in order to add and execute certain code.

    Describe alternatives you've considered None

    Additional context We should use a MU plugins for this. Practically every time we need to change the behavior of the WordPress we could just copy the PHP file from our codebase to a MU plugin and then update the main plugin file to include the new files. That way we can easily add and remove certain security features and hook into WP.

    enhancement 
    opened by igorhrcek 0
  • Implement a command for managing CSP policies

    Implement a command for managing CSP policies

    Is your feature request related to a problem? Please describe. No

    Describe the solution you'd like We should implement a command that will allow us to manage different CSP policies - apply rules to certain policies, such as style-src, font-src, script-src etc.

    The user should also be able to get information about what is applied as a policy, like "show me what I set as a script-src" and then to either add or remove addresses from it.

    Describe alternatives you've considered None

    Additional context CSP can get really messy, with too many URLs and different types of policies, so parsing them can be a tricky business.

    I think that we should keep a state in a separate file (like in JSON object on FS) and use that to build policy directive and write it into configuration file.

    enhancement 
    opened by igorhrcek 0
Releases: v1.21.0
Owner: Igor Hrcek