Merge branch 'master' into issue-3

Author: igorhrcek

.github/workflows/tests.yml

@@ -1,135 +1,189 @@
 # wp-cli/secure-command
+Official website: [Hackthewp.com](https://hackthewp.com/)
+
 Manages common security aspects of WordPress. Supports nginx and Apache.
 
 ## Basic Usage
 This package implements the following commands:
 
-**wp secure block_access_to_htaccess**
+### Deploy All Security rules
 
-Blocks access to `.htaccess` and `nginx.conf` files.
+Deploys all above-mentioned rules at once.
 
-```
-wp secure block_access_to_htaccess [--remove] [--file-path=/alternative/path] [--output] [--server=apache|nginx]
+```bash
+wp secure all
 ```
 
-**wp secure block_access_to_sensitive_directories**
+### Remove All Security Rules
 
-Blocks direct access to sensitive directories - `.git`, `svn`, `cache` and `vendors`
+Removes all security rules.
 
+```bash
+wp secure flush
 ```
-wp secure block_access_to_sensitive_directories [--remove] [--file-path=/alternative/path] [--output] [--server=apache|nginx]
+
+### Block the access to sensitive files and directories
+```bash
+wp secure block-access <what-to-block>
 ```
 
-**wp secure block_access_to_sensitive_files**
+By default, this command blocks the direct access to sensitive files and directories:
+`readme.txt`, `readme.html`, `xmlrpc.php`, `wp-config.php`, `wp-admin/install.php`, `wp-admin/upgrade.php`, `.git`, `svn`, `cache` and `vendors`
 
-Blocks direct access to sensitive files - `readme.txt`, `readme.html`, `wp-config.php`, `wp-admin/install.php` and `wp-admin/upgrade.php`
+Possible options are:
+- sensitive-files
+- sensitive-directories
+- xmlrpc
+- htaccess
+- custom
+- all (does all the above)
 
-```
-wp secure block_access_to_sensitive_files [--remove] [--file-path=/alternative/path] [--output] [--server=apache|nginx]
+Examples:
+
+```bash
+wp secure block-access sensitive-files
+wp secure block-access sensitive-directories
+wp secure block-access xmlrpc
+wp secure block-access htaccess
+wp secure block-access all
 ```
 
-**wp secure block_access_to_xmlrpc**
+However, you can also block custom files and/or folders of your choice. To do that you should use `custom` argument
+and pass one of two additional options `--files` and/or `--directories`.
 
-Blocks direct access XML-RPC
+If you want to block custom files, make sure that you pass only file names, not a full file paths. 
 
-```
-wp secure block_access_to_xmlrpc [--remove] [--file-path=/alternative/path] [--output] [--server=apache|nginx]
-```
+Examples:
 
-### wp secure block_author_scanning
+````bash
+wp secure block-access custom --files=dump.sql,phpinfo.php,adminer.php
+wp secure block-access custom --directories=wp-content/mu-plugins
+````
 
-Blocks author scanning. Author scanning is a common technique of brute force attacks on WordPress. It is used to crack passwords for the known usernames and to gather additional information about the WordPress itself.
+### Block Author Scanning
 
-```
-wp secure block_author_scanning [--remove] [--file-path=/alternative/path] [--output] [--server=apache|nginx]
+```bash
+wp secure block-author-scanning
 ```
 
-### wp secure block_php_execution_in_plugins
+Blocks author scanning. Author scanning is a common technique of brute force attacks on WordPress. It is used to crack passwords for the known usernames and to gather additional information about the WordPress itself.
 
-Blocks direct access and execution of PHP files in `wp-content/plugins` directory.
+Examples:
 
+```bash
+wp secure block-author-scanning
 ```
-wp secure block_php_execution_in_plugins [--remove] [--file-path=/alternative/path] [--output] [--server=apache|nginx]
+
+### Block Direct Access and Execution in certain directories
+
+```bash
+wp secure block-php-execution <where>
 ```
 
-### wp secure block_php_execution_in_uploads
+Blocks direct access and execution of PHP files in `wp-content/plugins`, `wp-content/uploads`, `wp-content/themes` and `wp-includes` directories.
 
-Blocks direct access and execution of PHP files in `wp-content/uploads` directory.
+You need to specify where you want to prevent direct access to PHP files. Possible options are:
+- all
+- plugins
+- uploads
+- themes
+- wp-includes
 
+Examples:
+
+```bash
+wp secure block-php-execution all
+wp secure block-php-execution plugins
+wp secure block-php-execution uploads
+wp secure block-php-execution themes
+wp secure block-php-execution wp-includes
 ```
-wp secure block_php_execution_in_uploads [--remove] [--file-path=/alternative/path] [--output] [--server=apache|nginx]
+
+### Disable Directory Browsing
+```bash
+wp secure disable-directory-browsing
 ```
 
-### wp secure block_php_execution_in_themes
+Disables directory browsing.
+
+By default, when your web server does not find an index file (i.e. a file like index.php or index.html), it
+automatically displays an index page showing the contents of the directory.
+This could make your site vulnerable to hack attacks by revealing important information needed to exploit a vulnerability in a WordPress plugin, theme, or your server in general.
 
-Blocks direct access and execution of PHP files in `wp-content/themes` directory.
+Examples:
 
-```
-wp secure block_php_execution_in_themes [--remove] [--file-path=/alternative/path] [--output] [--server=apache|nginx]
+```bash
+wp secure disable-directory-browsing
 ```
 
-### wp secure block_php_execution_in_wp_includes
-Blocks direct access and execution of PHP files in include directories - `wp-admin/includes`, `wp-includes/*.php`, `wp-includes/js/tinymce/langs/*.php`, `wp-includes/theme-compat`
+### Disable WordPress File Editor
 
+Disables the WordPress file editor. It could be used to edit arbitrary files using the web interface.
+This makes it easier for attackers to change files on the server using a web browser.
+
+```bash
+wp secure disable-file-editor
 ```
-wp secure block_php_execution_in_wp_includes [--remove] [--file-path=/alternative/path] [--output] [--server=apache|nginx]
+
+### Fix file and directory permissions
+
+```bash
+wp secure fix-permissions
 ```
 
-### wp secure disable_directory_browsing
+Use this command to verify that the permissions of all files and directories are set according the WordPress recommendations.
+This command will set **0666** to all files and **0755** to all folders inside WordPress installation.
 
-Disables directory browsing.
+**IMPORTANT: Don't use this command if you don't know what you are doing here!**
 
-By default when your web server does not find an index file (i.e. a file like index.php or index.html), it
-automatically displays an index page showing the contents of the directory.
-This could make your site vulnerable to hack attacks by revealing important information needed to exploit a vulnerability in a WordPress plugin, theme, or your server in general.
+### Check the integrity of WordPress files
 
-```
-wp secure disable_directory_browsing [--remove] [--file-path=/alternative/path] [--output] [--server=apache|nginx]
-```
+Downloads MD5 checksums for the current version from WordPress.org, and compares those checksums against the currently
+installed files.
 
-### wp secure flush
+It also returns a list of files that shouldn't be part of default WordPress installation, which can be very useful when you are
+looking for a possible injected files.
 
-Removes all security rules.
+Examples:
 
-```
-wp secure flush
+```bash
+wp secure integrity-scan
 ```
 
 ## Global options
 
 ### Remove single security rule
 Using `--remove` with any rule command, you can remove it from configuration.
 
-```
-wp secure block_php_execution_in_wp_includes --remove
+```bash
+wp secure block-access xmlrpc --remove
 ```
 
 ### Get the output instead of writing in configuration files
 Using `--output` option with any rule command, you can see actual rule code which you can inspect or manually copy to any file of your choice.
 
-```
-wp secure block_php_execution_in_wp_includes --output
-wp secure block_php_execution_in_wp_includes --output --server=nginx
+```bash
+wp secure block-access htaccess --output
+wp secure block-access htaccess --output --server=nginx
 ```
 
 ### Specify server type
 By default, all rules are generated for Apache or LiteSpeed web servers that utilize `.htaccess` file. However, you can use `--server` to specify nginx if you want.
 
-```
-wp secure block_php_execution_in_wp_includes --server=nginx
-wp secure block_php_execution_in_wp_includes --server=--file-path=/home/user/mysite.com/nginx.conf
+```bash
+wp secure block-access htaccess --server=nginx
 ```
 
 ### Specify custom file path
 By default, all commands assume that rules should be written in the root of WordPress installation in `.htaccess` and `nginx.conf`, depending on which server you choose.
 However, you can specify a custom file path that is going to be used for storing security rules.
 
 ```
-wp secure block_php_execution_in_plugins --file-path=/home/user/mysite.com/.htaccess
+wp secure block-access htaccess --file-path=/home/user/mysite.com/.htaccess
 ```
 
 ## Important Note for nginx users
-nginx rules are stored in the `nginx.conf` file. However, for rules to actually work, you need to manually include this file in your vhost configuration and then restart nginx server:
+The nginx rules are stored in the `nginx.conf` file. However, for rules to actually work, you need to manually include this file in your vhost configuration and then restart nginx server:
 ```
 systemctl restart nginx
 ```
@@ -160,4 +214,3 @@ These paths and URLs are going to be used during tests, so make sure that they a
 We appreciate you taking the initiative to contribute to this project.
 
 Contributing isn’t limited to just code. We encourage you to contribute in the way that best fits your abilities, by writing tutorials, giving a demo at your local meetup, helping other users with their support questions, or revising our documentation.
-

README.md

@@ -82,7 +82,7 @@ private function setFileContent() : array {
         }
 
         if(!$this->isReadable()) {
-            throw new (FileIsNotReadable::class);
+            throw new FileIsNotReadable();
         }
 
         return $this->read();
@@ -156,7 +156,7 @@ private function fileExist() : bool {
      *
      * @return array|string
      */
-    private static function removeZeroSpace($content): array|string
+    private static function removeZeroSpace($content)
     {
         if(is_array($content)) {
             return array_map([static::class, 'removeZeroSpace'], $content);
@@ -203,9 +203,9 @@ public function extractRuleBlock(string $marker) : array {
      *
      * @param string $needle
      *
-     * @return int|bool
+     * @return bool|int|string
      */
-    private function findInFile(string $needle) : int|bool {
+    private function findInFile(string $needle) {
         return array_search($needle, $this->file);
     }
 
@@ -214,7 +214,7 @@ private function findInFile(string $needle) : int|bool {
      *
      * @return array|bool
      */
-    public function extractSecureBlock(): bool|array {
+    public function extractSecureBlock() {
         $start = $this->findInFile(self::MARKER_GLOBAL_START . self::SPACE_DELIMITER . self::MARKER_WP_CLI_SECURE);
         $end = $this->findInFile(self::MARKER_GLOBAL_END . self::SPACE_DELIMITER . self::MARKER_WP_CLI_SECURE);
 
@@ -330,7 +330,7 @@ private function backup() : bool
     public function add(array $content, string $marker = ''): bool {
         //If the rule block already exist, there is no reason to add it again
         if($this->hasRuleBlock($marker)) {
-            throw new(RuleAlreadyExist::class);
+            throw new RuleAlreadyExist();
         }
 
         //Check if file exist?
@@ -339,7 +339,7 @@ public function add(array $content, string $marker = ''): bool {
         }
 
         if(!$this->isWritable()) {
-            throw new(FileIsNotWritable::class);
+            throw new FileIsNotWritable();
         }
 
         //Wrap the rule block with markers
@@ -450,4 +450,4 @@ private function flattenArray(array $array, int $depth = 1) : array {
 
         return $result;
     }
-}
+}