Comments (4)
jessuppi
commented on May 28, 2024
1
Related:
https://malware.expert/tutorial/howto-detect-malwares-with-wp-cli/
WP-CLI files checksum is a nice option.
from slickstack.
jessuppi
commented on May 28, 2024
The checksum feature in WP-CLI is really the best approach for this... so I'm not sure we could add any value there besides showing a warning in WP Admin if the (automated?) checksum fails or in the ss status overview. Either way, SlickStack does delete a few core WP files like xmlrpc.php so the checksum is always going to fail.
from slickstack.
jessuppi
commented on May 28, 2024
sudo -u "${SFTP_USER}" /usr/local/bin/wp --path=/var/www/html core verify-checksums
...has now been added to ss-install-wordpress-packages
Ref: https://github.com/littlebizzy/slickstack/blob/master/bash/ss-install-wordpress-packages.txt
This will let developers confirm that WP Core files are verified during installation... however, if files are corrupted at a later point, they won't know unless they run that command manually in WP-CLI for now. I think probably we should not automated this or include in the SlickStack dashboard or anything, since SlickStack purposefully deletes a few risky files like xmlrpc.php from WordPress anyway which means the checksum will always fail anyways.
For now, this is an improvement at least. Probably good enough for our purposes, so I will close this for now.
from slickstack.
icodeforlove
commented on May 28, 2024
sudo -u "${SFTP_USER}" /usr/local/bin/wp --path=/var/www/html core verify-checksums...has now been added to ss-install-wordpress-packages
Ref: https://github.com/littlebizzy/slickstack/blob/master/bash/ss-install-wordpress-packages.txt
This will let developers confirm that WP Core files are verified during installation... however, if files are corrupted at a later point, they won't know unless they run that command manually in WP-CLI for now. I think probably we should not automated this or include in the SlickStack dashboard or anything, since SlickStack purposefully deletes a few risky files like
xmlrpc.phpfrom WordPress anyway which means the checksum will always fail anyways.For now, this is an improvement at least. Probably good enough for our purposes, so I will close this for now.
Considering the potential issues with checksum integrity, a preferable approach might be to restrict access to those files via NGINX or via file permissions, rather than altering the checksum by deleting files.
This method avoids directly impacting the checksum verification process, which is critical for ensuring the integrity of WordPress Core files.
It's common practice for developers to perform checksum validations periodically (via a cron), especially before and after updates or when installing new plugins.
Tampering with the checksum by intentionally removing or modifying files could be seen as compromising security, given the importance of this verification in detecting unauthorized changes to the software.
from slickstack.
Related Issues (20)
- SS_ADMINER_PUBLIC="false" does not work as intended. HOT 9
- Allow tuning of PHP8 JIT settings (opcache.jit options in php.ini) HOT 4
- Cloudflare real visitor IP support in Nginx config HOT 18
- Option to allow only Cloudflare IPs to connect to origin server HOT 2
- OpenVZ PHP-FPM "Unable to set priority for the master process: Permission denied" HOT 8
- Support for custom Permissions Policy HTTP header in Nginx HOT 6
- Improve WP-Cron robustness for Multisite environments HOT 3
- Redirect .php extension to WordPress if not exists HOT 4
- Why deny /wp-admin/load-styles.php and /wp-admin/load-scripts.php? HOT 3
- Nginx access log enabled by default but nginx.conf says not HOT 5
- Spam Content HOT 1
- Expose additional options for ss remote backup HOT 2
- support for local development ? HOT 1
- 403 Error on Static Assets with Query Strings on SlickStack.io HOT 1
- Implement Server-Wide Connection Limit to Mitigate Request Overload HOT 1
- ss-config had a build version update, but ss-update-config didn't HOT 4
- Can't get it to work out of the box? HOT 1
- 403 google bot error
- Consider optional cache warming script that can fire on cron schedules
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from slickstack.