chesio / bc-security Goto Github PK
View Code? Open in Web Editor NEWHelps keeping WordPress websites secure.
License: The Unlicense
bc-security's Issues
Plugin activation produces WordPress database errors
Implement log table pruning
In general: come up with a way how to keep log table reasonably sized.
Improve compatibility with WP-Cron
Especially when run directly via PHP-CLI.
Implement checksum verification
See https://github.com/pluginkollektiv/checksum-verifier for a good example.
Add "wp-config.php is read-only" check to checklist
Although there are legitimate plugins that need write access to wp-config.php, having wp-config.php that is read-only has some security benefits.
Check if any installed plugin has been removed from WordPress.org plugin repository
This can be really useful sometimes.
Show status, message and last time checked in default view of checklist
Makes sense especially for checks that are monitored.
Events logging
...and make such logs accessible via backend in some way.
Implement checksum verification as checklist check
See #46 for background.
Report (PHP) files inside WordPress directories that do not belong there
Split checklist page in basic and advanced checks section
See #46 for background.
To goal is to make it possible to run just basic or advanced checks separately. Of course the option to run all checks should be retained.
Check whether php files can be accessed/executed from uploads directory
Shared blacklist
Basic idea: let WordPress sites with BC Security installed share their blacklists in order to pre-emptively block attacking IPs.
Make log pruning configurable
Either add an interface to edit existing settings or reimplement configuration to use filters.
Send an email notification when there is a core/plugin/theme update available
Check if debug.log is not publicly visible
Document available filters
Add an option to not log certain request URIs as 404
For example: autodiscover/autodiscover.xml
Rethink the relation of checklist checks and checksum verification
Motivation: Now when checklist checks are executed asynchronously, it could make sense to include checksum verification as yet another check in the checklist.
Notes and questions to be considered:
- Does it make sense to log checksum verification alerts? In general, what check failures (and how) should be logged?
- Does it make sense to have separate cron jobs for checksum verification, when it would be possible to just run it within checklist monitoring?
- It seem that some kind of distinction between simple and complex checks is necessary as some checks (removed plugins, checksum verification) are slow to execute, because they rely on external HTTP requests, so running them asynchronously/in separate cron task is viable. On the other hand, simple checks could be executed within single AJAX request/cron task.
- Checksum verification (but possibly some other checks too) can produce a long error report. If it should be included in checklist, UI has to be adapted to account for this.
Warn users when their PHP version is no longer supported
PHP Notice: Trying to get property of non-object
Trying to get property of non-object in bc-security/classes/BlueChip/Security/Modules/Notifications/Watchman.php on line 250.
Make it possible to programatically mute email notifications
Use case: mute email notifications in certain environments (development, staging, test).
Idea: allow to mute all or specific notifications only.
Do not log 404 events triggered by error log check
Error log check (see #13) can trigger 404 events that subsequently get logged.
A straight-forward solution is to ignore any 404 events, if remote IP address is equal to server IP address. Not sure if there are any drawbacks...
Perform reverse DNS lookup on IP addresses reported via event monitoring
Uninstall fails with fatal error
Error has been introduced in 7ac0c37.
Verify checksums of plugins from WordPress.org repository
There's no official API yet, but there's unofficial API by WPCentral. See WPCentral/WP-CLI-Security for usage example.
Check, if passwords are encrypted using bcrypt
In other words, check whether wp-password-bcrypt is installed.
Unit tests
Maybe some simple ones for start and then more advanced around version 1.0 (when API becomes stable).
Send an email notification when admin user logs in
Remove plugin transients on uninstall
Allow manual additions to IP blacklist
Allow the plugin to be updated via WordPress core update mechanism
Allow sorting of log records by event context columns
Allow cron job execution times to be customized
Leave current values as default, but provide filter to change them.
Correctly handle plugin checksums with multiple md5/sha256 checksums for single file
Password validation via Pwned Passwords
Drop filtering of cron jobs execution time
Raise required PHP version to 7.0
I like scalar type hinting and return type declarations, but there are more interesting new features.
Automatically run checklist checks in background
Also allow to exclude particular check from automatic run (and reporting).
Visually inform about new items in log and IP blacklist
Use the "circled number" indicator to inform about number of new items in log and IP blacklist since last visit.
Unit tests for filters
Add check if display_errors is off by default
Notes:
- Check should be run only in production, as some developers might have errors display on by purpose.
- Check should determine the default PHP value, not the "current one" as set by WordPress or plugins via
ini_set()). The idea is to have this security issue covered.
Add an option to prune IP blacklist by WP-Cron job
All expired entries should be removed.
Stop logging checksum verification alerts
See #46 for background.
The question is how to deal with records that are already in database?
Display hostnames from reverse DNS lookup in logs list
I don't know why I haven't this implemented together with #33...
Fix compatibility with WP-CLI
Undefined index: SERVER_ADDR in [...]/bc-security/classes/BlueChip/Security/Modules/Events/Monitor.php on line 39
Cron job deactivation is reset when plugin is reactivated
Currently this affects only automatic IP blacklist pruning, but should be fixed before #19 is implemented.
Implement "Add to blacklist" action for log records
Should link to the blacklisting form with IP address and comment prefilled. Requires #3 to be implemented first.
Allow filtering of Is::admin() result.
Add an option to disable background monitoring of security checklist
A simple button will do.
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. ๐๐๐
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google โค๏ธ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.