Open jeherve opened 8 years ago
Would love to see this implemented. I am seeing: [20-Feb-2016 14:08:07 UTC] PHP Fatal error: require_once(): Failed opening required 'ABSPATHWPINC/class-IXR.php' (include_path='.:/usr/share/pear:/usr/share/php') in /srv/bindings/5c84195511e242ffbfbba906ab66eb85/code/wp-content/plugins/jetpack/class.jetpack-ixr-client.php on line 3
A client is having this exact error show up constantly in his error log. The host is blaming Jetpack and throwing it under the bus, saying it's likely causing performance issues.
So this error is from the file being accessed directly? Why would anyone try to do that? I don't understand why anyone would try to sniff that.
I'm not sure why that file in particular is being referenced. The only place Jetpack calls it is preceded by including the same ixr-client that is failing in the error logs. There's not anything in particular that I would think would make that file attractive. In any case, we can start with that file in our audit of preventing direct access.
I can't say I know why someone would be trying to sniff this file, but it might be helpful for you to know that I've been seeing attempts to access this file directly, along with attempts by the same IP to access other files in plugins I do not have installed, reported in the BulletProof Security Pro security log of at least one site since March 3.
/wp-content/plugins/jetpack/class.jetpack-ixr-client.php
There's another file they occasionally try to access: /wp-content/plugins/jetpack/scss/organisms/cmds.php?cmd=free
Thanks for the details. The last refers to a file that doesn't exist in Jetpack. I've heard of attacks where a hacker gains access to the file system (sometimes via WordPress, sometimes via some totally other vector), then makes changes to files of legit plugins, then exploit it through there. I wonder if this is related—out of the box, we're fine, but we're being "used".
I'll pass this on to our security folks.
Glad this helps a little. I see attempts to access files that do not exist on the sites I manage all the time, I'm sure by bots programmed to seek out plugins with known vulnerabilities. Fortunately the security plugin has managed to block all of them up to this point, but I get nervous when it appears to be a plugin/file that DOES exist in an installation, and this was one of them. Thanks for all you do to keep WordPress awesome!
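The two kinds of evidence discussed above (the `ABSPATHWPINC` fatal in the PHP error log, and access-log probes from one IP against both real and nonexistent plugin files) can be triaged mechanically. The script below is an added example, not code from this thread or from Jetpack. The first error-log line is the one quoted at the top of the issue; every other log line, the RFC 5737 IP addresses, the `not-installed-plugin` name and the `EXISTING_PLUGIN_FILES` inventory are constructed for the example. The explanation in the comments of why the path reads `ABSPATHWPINC/...` is inferred from the error message: with the file executed outside WordPress, `ABSPATH` and `WPINC` are undefined, and PHP 5 and 7 treat the bare names as the strings `'ABSPATH'` and `'WPINC'`.

```python
import re
from collections import defaultdict

# Fingerprint of a WordPress plugin file executed by a direct HTTP request:
# outside WordPress the constants ABSPATH and WPINC are undefined, PHP 5/7
# treat the bare names as the strings 'ABSPATH' and 'WPINC', and an include
# of ABSPATH . WPINC . '/class-IXR.php' becomes the literal, nonexistent path
# 'ABSPATHWPINC/class-IXR.php' that require_once then fails on (inferred).
_FATAL_RE = re.compile(
    r"PHP Fatal error: require_once\(\): Failed opening required "
    r"'ABSPATHWPINC/(?P<wanted>[^']+)'.*? in "
    r"(?P<file>\S*/wp-content/plugins/(?P<plugin>[^/]+)/\S+) on line (?P<line>\d+)"
)

# Combined log format (Apache/nginx default); only the fields used here.
_ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# A request that would execute a plugin file directly: a .php path under
# wp-content/plugins, query string ignored.
_PLUGIN_PHP_RE = re.compile(r"^/wp-content/plugins/(?P<rel>[^?]+\.php)")


def direct_access_fatals(error_log_lines):
    """(plugin dir, file that was executed, file it tried to include) per fatal."""
    hits = []
    for line in error_log_lines:
        m = _FATAL_RE.search(line)
        if m:
            hits.append((m.group("plugin"), m.group("file"), m.group("wanted")))
    return hits


def triage_access_log(access_log_lines, existing_plugin_files):
    """Group direct plugin-file requests by client IP.

    existing_plugin_files: paths relative to wp-content/plugins/ that really
    exist on the site (on a live host, build the set with os.walk).
    Returns {ip: {"existing": [...], "missing": [...]}}.
    """
    by_ip = defaultdict(lambda: {"existing": [], "missing": []})
    for line in access_log_lines:
        m = _ACCESS_RE.match(line)
        if not m:
            continue
        p = _PLUGIN_PHP_RE.match(m.group("target"))
        if not p:
            continue
        rel = p.group("rel")
        bucket = "existing" if rel in existing_plugin_files else "missing"
        by_ip[m.group("ip")][bucket].append(rel)
    return dict(by_ip)


def scanner_hits_on_real_files(by_ip):
    """Real files requested directly by clients that also probed for files
    absent from this site. Probing absent files marks an automated scanner;
    its hits on files that do exist are the ones worth an ABSPATH guard."""
    return {ip: b["existing"] for ip, b in by_ip.items() if b["missing"] and b["existing"]}


# Constructed sample data. The first error-log line is the one quoted in the thread.
ERROR_LOG = [
    "[20-Feb-2016 14:08:07 UTC] PHP Fatal error: require_once(): Failed opening required "
    "'ABSPATHWPINC/class-IXR.php' (include_path='.:/usr/share/pear:/usr/share/php') in "
    "/srv/bindings/5c84195511e242ffbfbba906ab66eb85/code/wp-content/plugins/jetpack/"
    "class.jetpack-ixr-client.php on line 3",
    "[20-Feb-2016 14:08:09 UTC] PHP Notice: Undefined index: foo in "
    "/srv/www/wp-content/themes/example/functions.php on line 12",
]

# Assumed client IPs (RFC 5737 documentation ranges); the requests mirror those reported above.
ACCESS_LOG = [
    '203.0.113.7 - - [03/Mar/2016:10:15:01 +0000] "GET /wp-content/plugins/jetpack/class.jetpack-ixr-client.php HTTP/1.1" 500 0 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [03/Mar/2016:10:15:02 +0000] "GET /wp-content/plugins/jetpack/scss/organisms/cmds.php?cmd=free HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [03/Mar/2016:10:15:03 +0000] "GET /wp-content/plugins/not-installed-plugin/upload.php HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
    '198.51.100.5 - - [03/Mar/2016:10:16:00 +0000] "GET /wp-content/plugins/jetpack/_inc/build/photon.min.js HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
    '198.51.100.5 - - [03/Mar/2016:10:16:01 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 15 "-" "Mozilla/5.0"',
]

# Assumption: what actually exists under wp-content/plugins/ on this site.
EXISTING_PLUGIN_FILES = {
    "jetpack/class.jetpack-ixr-client.php",
    "jetpack/class.jetpack-xmlrpc-server.php",
}

if __name__ == "__main__":
    for plugin, path, wanted in direct_access_fatals(ERROR_LOG):
        print(f"direct execution of {plugin} file {path} (it tried to include {wanted})")
    by_ip = triage_access_log(ACCESS_LOG, EXISTING_PLUGIN_FILES)
    for ip, real in scanner_hits_on_real_files(by_ip).items():
        print(f"{ip} probed absent files and also hit real files: {real}")
```

Run against the constructed data, the fatal is attributed to the `jetpack` file that was executed, and `203.0.113.7` is singled out because it requested a file that does not exist on the site (`cmds.php`, which Jetpack does not ship, plus a plugin that is not installed) and also hit a real, guard-less file. Requests for static assets such as `.js` and for `wp-admin/admin-ajax.php` are ignored, since they do not execute a plugin file directly.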
@jeherve
1.) So does the PR for this need to be in parts?
2.) I plan to use the notice message "Please execute as part of WP core." Is this acceptable?
Thanks.
@stevenlin-x It would be best, yes. Thank you!
Also reported here: https://wordpress.org/support/topic/fatal-errors-67/
Also in #18965.
See https://codex.wordpress.org/Writing_a_Plugin#Plugin_Files
defined( 'ABSPATH' ) or die( 'No script kiddies please!' );
Suggested here: https://wordpress.org/support/topic/periodic-fatal-error?replies=11&view=all#post-7691891