littlebizzy / slickstack

Lightning-fast WordPress on Nginx
https://slickstack.io
GNU General Public License v3.0
641 stars 112 forks

Scanning WordPress core files to check if intact or broken #203

Closed jessuppi closed 7 months ago

jessuppi commented 1 year ago

Another feature we could probably add to SlickStack is a script that scans core WP files like some premium hosts offer, and then reinstalls WP core if any problems are detected.

jessuppi commented 8 months ago

Related:

https://malware.expert/tutorial/howto-detect-malwares-with-wp-cli/

WP-CLI files checksum is a nice option.

jessuppi commented 7 months ago

The checksum feature in WP-CLI is really the best approach for this... so I'm not sure we could add any value there besides showing a warning in WP Admin if the (automated?) checksum fails or in the ss status overview. Either way, SlickStack does delete a few core WP files like xmlrpc.php so the checksum is always going to fail.

jessuppi commented 7 months ago

sudo -u "${SFTP_USER}" /usr/local/bin/wp --path=/var/www/html core verify-checksums

...has now been added to ss-install-wordpress-packages

Ref: https://github.com/littlebizzy/slickstack/blob/master/bash/ss-install-wordpress-packages.txt

This will let developers confirm that WP Core files are verified during installation... however, if files are corrupted at a later point, they won't know unless they run that command manually in WP-CLI for now. I think probably we should not automate this or include it in the SlickStack dashboard or anything, since SlickStack purposefully deletes a few risky files like xmlrpc.php from WordPress anyway, which means the checksum will always fail anyway.

For now, this is an improvement at least. Probably good enough for our purposes, so I will close this for now.
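
The thread settles on running the checksum once at install time because the deliberate deletion of xmlrpc.php makes a blanket pass/fail check useless. As an added example (not SlickStack's own code and not posted by anyone in this thread), the wrapper below shows how the check can still be run from cron: WP-CLI's per-file warnings are read line by line, a missing file on an allowlist of intentional deletions is ignored, and any modified file, any other missing file, or any warning of a kind the script does not recognise still fails the check. Assumed here: WP-CLI reports findings as `Warning: File doesn't exist: <path>` and `Warning: File doesn't verify against checksum: <path>` on stderr, the install lives at /var/www/html, the site user is in SFTP_USER as in ss-install-wordpress-packages, and xmlrpc.php is the only file deleted on purpose (adjust EXPECTED_MISSING to the real list). The sample outputs inside the script are constructed, not captured from a host.

```shell
#!/usr/bin/env bash
# Added example, not SlickStack code: cron-friendly wrapper around
# `wp core verify-checksums` that tolerates files deleted on purpose.
# Assumed WP-CLI warning formats (stderr):
#   Warning: File doesn't exist: <path>
#   Warning: File doesn't verify against checksum: <path>
set -u

WP_PATH="${WP_PATH:-/var/www/html}"     # assumed install path
SFTP_USER="${SFTP_USER:-www-data}"      # assumed site user, as in ss-install-wordpress-packages
EXPECTED_MISSING="xmlrpc.php"           # assumed list of files SlickStack removes deliberately

# classify_checksum_output <space-separated allowlist of paths allowed to be missing>
# Reads WP-CLI's combined stdout/stderr on stdin. Prints one line per unexpected
# finding and returns 1 if there was any, 0 if the only warnings were allowlisted
# deletions. Unknown warning kinds fail closed.
classify_checksum_output() {
  local allowlist="$1"
  local missing_prefix="Warning: File doesn't exist: "
  local modified_prefix="Warning: File doesn't verify against checksum: "
  local line file unexpected=0
  while IFS= read -r line; do
    case "$line" in
      "$missing_prefix"*)
        file="${line#"$missing_prefix"}"
        case " $allowlist " in
          *" $file "*) ;;                                   # deleted on purpose: ignore
          *) printf 'MISSING %s\n' "$file"; unexpected=1 ;; # core file gone
        esac ;;
      "$modified_prefix"*)
        file="${line#"$modified_prefix"}"
        printf 'MODIFIED %s\n' "$file"; unexpected=1 ;;     # content changed: never acceptable
      Warning:*)
        printf 'OTHER %s\n' "$line"; unexpected=1 ;;        # unrecognised warning: fail closed
      *) ;;                                                 # Success:/Error: summary lines
    esac
  done
  return "$unexpected"
}

# run_core_check: the command from ss-install-wordpress-packages, fed to the
# classifier. Exit 0 means core is intact apart from the expected deletions.
# The pipeline status is the classifier's, so WP-CLI's own non-zero exit
# (which it returns even for allowlisted deletions) does not decide the result.
run_core_check() {
  sudo -u "$SFTP_USER" /usr/local/bin/wp --path="$WP_PATH" core verify-checksums 2>&1 \
    | classify_checksum_output "$EXPECTED_MISSING"
}

# Constructed sample outputs for offline demonstration (not from a real host).
sample_expected_only() {
  cat <<'EOF'
Warning: File doesn't exist: xmlrpc.php
Error: WordPress installation doesn't verify against checksums.
EOF
}
sample_tampered() {
  cat <<'EOF'
Warning: File doesn't exist: xmlrpc.php
Warning: File doesn't verify against checksum: wp-includes/pluggable.php
Error: WordPress installation doesn't verify against checksums.
EOF
}

# Usage: ./core-check.sh --demo   (offline, uses the constructed samples)
#        ./core-check.sh          (runs WP-CLI; suitable for cron, exit status is the verdict)
if [ "${1:-}" = "--demo" ]; then
  sample_expected_only | classify_checksum_output "$EXPECTED_MISSING" && echo "expected-only sample: clean"
  sample_tampered | classify_checksum_output "$EXPECTED_MISSING" || echo "tampered sample: ALERT"
elif [ "${1:-}" = "--run" ]; then
  run_core_check
fi
```

A cron entry that mails on non-zero exit, or a hook that drops a flag file read by the ss status overview, is all that is needed on top of this; the allowlist is the only site-specific part, and keeping it short is what makes the check meaningful.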

icodeforlove commented 7 months ago

Considering the potential issues with checksum integrity, a preferable approach might be to restrict access to those files via NGINX or via file permissions, rather than altering the checksum by deleting files.

This method avoids directly impacting the checksum verification process, which is critical for ensuring the integrity of WordPress Core files.

It's common practice for developers to perform checksum validations periodically (via a cron), especially before and after updates or when installing new plugins.

Tampering with the checksum by intentionally removing or modifying files could be seen as compromising security, given the importance of this verification in detecting unauthorized changes to the software.
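
The Nginx alternative suggested above, as an added example (not SlickStack's own configuration and not posted in this thread): xmlrpc.php stays on disk untouched, so `wp core verify-checksums` has nothing to complain about, while the request never reaches PHP-FPM. It assumes the site's server block already has the usual `location ~ \.php$` FastCGI handler; the surrounding directives are elided.

```nginx
server {
    # ... existing listen / server_name / root / index directives ...

    # An exact-match location takes priority over the regex PHP handler below,
    # so xmlrpc.php is refused before Nginx would ever hand it to PHP-FPM.
    # The file itself is left in place, which keeps the core checksum clean.
    location = /xmlrpc.php {
        deny all;            # 403 for every client
        access_log off;
        log_not_found off;
    }

    location ~ \.php$ {
        # ... existing fastcgi_pass / include fastcgi_params ...
    }
}
```

After reloading (`nginx -t && nginx -s reload`), a `curl -i https://example.com/xmlrpc.php` should return 403, and the checksum run reports no missing file. If some clients genuinely need XML-RPC, an `allow <ip>;` line above `deny all;` restricts it to them instead of removing the endpoint for everyone.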