
wp-security-hardening's Issues

Disable comments

Describe the solution you'd like

Add security fixers to disable comments on different content types such as: posts, pages, media types individually or on all these types.

Why do you think this feature is something we should consider for the WP Hardening plugin?

Spammers crawl sites and routinely submit spam links in the comments box. These can go up to 100-1000 comments a week. Many informational sites do not want anyone to be able to comment on pages/posts. Unless the theme has a way to do this via GUI, it is cumbersome to disable the comments section for each page/post.

Wrong Recommendation for PHP v7.4: Check for active PHP version

Describe the bug

Wrong recommendation is suggested for PHP version 7.4:

Check for active PHP version. Your current PHP version is outdated and can invite hackers.

To Reproduce

Steps to reproduce the behavior:

  1. Install and activate the plugin in a site with PHP Version >= 7.4
  2. Click the Start a New Audit button from WP Hardening > Hardening Audit

Expected behavior

Check for active PHP version must be shown under Passed Test rather than under Recommendations

Screenshots

Screenshot 2020-08-09 at 11 20 56 PM
Screenshot 2020-08-10 at 12 07 02 AM

Used versions

  • PHP Version: 7.4.2
  • WordPress version: 5.4.2
  • WP Hardening version: 1.1.2

Plugin breaks WP Cli

Describe the bug

With the plugin installed and activated, when you use wp-cli this plugin throws the following error:

Undefined array key "QUERY_STRING" in wp-security-hardening/modules/hooks.php line 201

This is the offending line:

https://github.com/getastra/wp-security-hardening/blob/master/modules/hooks.php#L201

To Reproduce

Steps to reproduce the behavior:

  1. Install WordPress with this plugin installed
  2. Run a wp-cli command, for example: $ wp option get home

Expected behavior

It should show the home url you have set for the site.

Actual behavior

It errors with:

Undefined array key "QUERY_STRING" in wp-security-hardening/modules/hooks.php line 201

Suggested fix

Add a check to make sure this variable exists in $_SERVER before accessing it.

Technical Details

Desktop (please complete the following information):

  • OS: macOS Monterey
  • Version: 12.4

Used versions

  • WordPress version: 6.0.1
  • WP Hardening version: 1.2.5
  • WP Cli version: 2.6.0

Additional context

This also causes an issue when serving WordPress with php -S 127.0.0.1:8080 as that also doesn't set the QUERY_STRING variable on $_SERVER.
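A defensive way to read the query string that covers both the WP-CLI and the php -S cases described in this report, as an added example rather than the plugin's own code (whp_get_query_string and whp_request_params are hypothetical helper names):

```php
<?php
// Added example, not the plugin's code: whp_get_query_string() is a hypothetical helper.
// It never reads $_SERVER['QUERY_STRING'] without checking that it exists, so the
// "Undefined array key" warning cannot occur under WP-CLI or the built-in server.
function whp_get_query_string(array $server): string {
    // Normal web SAPIs (Apache, php-fpm) populate QUERY_STRING directly.
    if (isset($server['QUERY_STRING']) && is_string($server['QUERY_STRING'])) {
        return $server['QUERY_STRING'];
    }
    // Fallback for environments that set REQUEST_URI but not QUERY_STRING
    // (the report names `php -S`): take the part after the first '?'.
    if (isset($server['REQUEST_URI']) && is_string($server['REQUEST_URI'])) {
        $query = parse_url($server['REQUEST_URI'], PHP_URL_QUERY);
        return is_string($query) ? $query : '';
    }
    // WP-CLI and cron: there is no HTTP request, so there is nothing to inspect.
    return '';
}

// Hook code that inspects the request should also skip entirely when there is no
// request at all; PHP_SAPI is 'cli' under WP-CLI.
function whp_request_params(array $server): array {
    if (PHP_SAPI === 'cli') {
        return [];
    }
    parse_str(whp_get_query_string($server), $params);
    return $params;
}

// Constructed sample inputs (not captured from a real site).
$samples = [
    ['QUERY_STRING' => 'p=12&preview=true'],   // ordinary web request
    ['REQUEST_URI'  => '/?s=search+term'],     // built-in server style request
    [],                                        // WP-CLI: no request data at all
];
foreach ($samples as $server) {
    var_dump(whp_get_query_string($server));
}
```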

WordPress deploy action is broken

Describe the bug

[Push to master](https://github.com/getastra/wp-security-hardening/actions/runs/3291454537/jobs/5425624468#step:1:35)
Unable to resolve action `10up/action-wordpress-plugin-asset-update@master`, unable to find version `master`

To Reproduce

Steps to reproduce the behavior:

  1. Merge any code

URL Change works but WP admin is redirecting to new URL instead of 404

Describe the bug

After changing the login URL using the WP hardening plugin URL change feature, the URL change works but strangely the wp-admin URL is redirecting to the new URL instead of showing a 404 error.

To Reproduce

Steps to reproduce the behavior:

  1. Open the WP hardening plugin and go to "Security Fixers"
  2. Now add the URL slug into which you want to change instead of wp-admin and save it.
  3. Open the wp-admin URL and you'll see it redirecting to the changed new URL without showing a 404.

Expected behavior

WP-admin must show a 404 page instead of showing the new URL login page.

Screenshots

URL change
wp-admin redirected to new URL instead of 404

Desktop (please complete the following information):

  • OS: Windows 10
  • Browser
  • Version: 88.0.4324.150 (Official Build) (64-bit)

Used versions

  • WordPress version: 5.6.1
  • WP Hardening version: 1.2
  • Tested with theme: Neve

WP Hardening issue with WordPress 6.4.1 (Blank page in page edit)

Describe the bug

After updating to WordPress 6.4.1 with the WP Hardening plugin enabled, I couldn't edit a page in WP; when I click on edit it shows a blank page. While troubleshooting I disabled many plugins and I found out that WP Hardening is the one causing this issue.

To Reproduce

Steps to reproduce the behavior:

  1. Have WordPress 6.4.1
  2. Have WP Hardening plugin v1.2.6 (Latest to this date) enabled
  3. Click on edit a page in WordPress
  4. That is it

Expected behavior

When clicking on edit it should show page settings and theme edit options.

Screenshots

N/A

Technical Details

Desktop (please complete the following information):

  • OS: Windows 11
  • Browser: Microsoft Edge
  • Version: 119.0.2151.44

Used versions

  • WordPress version: 6.4.1
  • WP Hardening version: 1.2.6
  • Relevant plugins in case of a bug: None, I encountered the same issue with the default theme Twenty Twenty-Three
  • Tested with theme: Divi 4.23.1

Additional context

N/A

Error: Undefined method 'prepare_array'

Describe the bug

Undefined method 'prepare_array'

Technical Details

Function 'prepare_array' is called (in the issuesScanClass::check_php_version function) but never defined in the class issuesScanClass.

PHP Class: issuesScanClass
File: modules/functions.php

Used versions

  • WP Hardening version: 1.1.2

ABSPATH modules/hooks.php

Hey, quick question. I use a custom WordPress folder. The modules/hooks.php starts the plugin with:

<?php
require_once(dirname(__FILE__, 3) . "/../../wp-includes/pluggable.php");
require_once(dirname(__FILE__, 3) . "/../../wp-load.php");
if (!defined('ABSPATH')) exit ('Peekaboo!');

This creates an error if WordPress isn't in the default folder. Is that on purpose? This code fixes it:

if (!defined('ABSPATH')) exit ('Peekaboo!');
require_once(ABSPATH."/wp-includes/pluggable.php");
require_once(ABSPATH."/wp-load.php");

If needed I can create a pull request 😄

Plugin showing PHP version outdated even if the PHP version is on 8

Describe the bug

After performing the hardening audit, in recommendations, it is saying to update the PHP version to 7.4 even if the PHP version is on 8.

To Reproduce

Steps to reproduce the behavior:

  1. Run the hardening audit inside the hardening plugin and check the recommendations.
  2. Even if the PHP version is on 8, it'll show to upgrade to 7.4.

Expected behavior

If the PHP version is on 7.4 or above it shouldn't report that it's outdated.

Technical Details

Desktop (please complete the following information):

  • OS: Windows 10
  • Browser: Chrome
  • Version: 88.0.4324.182 (Official Build) (64-bit)

Used versions

  • WordPress version: 5.6.2
  • WP Hardening version: 1.2
  • Tested with theme: mts_schema

Plugin adds jQuery and a bunch of other scripts/styles to the website frontend

Describe the bug

Enabling the plugin adds a load of additional scripts and styles to the frontend website.

add_action('init', function () {
    $scripts_list = array(
        'common' => array(
            array('type' => 'style', 'url' => plugins_url('/inc/assets/css/tw-bs4.css', __FILE__)),
            array('type' => 'style', 'url' => plugins_url('/inc/fa/css/font-awesome.min.css', __FILE__)),
        ),
        'admin' => array(
            array('type' => 'script', 'url' => plugins_url('/js/admin.js', __FILE__), 'enq' => array('jquery'), 'localization' => array(
                'add_url' => get_option('home') . '/wp-admin/post-new.php?post_type=event',
                'ajaxurl' => admin_url('admin-ajax.php'),
                'nonce' => wp_create_nonce('ajax_call_nonce'),
                'wrong_admin' => __('Please enter an admin URL slug which only has alpha-numeric characters', 'whp'),
                'home_url' => home_url('/'),
                'permalink_structure' => get_option('permalink_structure'),
            )),
            array('type' => 'style', 'url' => plugins_url('/css/admin.css', __FILE__)),
            array('type' => 'style', 'url' => plugins_url('/css/balloon.min.css', __FILE__)),
        ),
        'front' => array(
            array('type' => 'script', 'url' => plugins_url('/js/front.js', __FILE__), 'enq' => array('jquery'), 'localization' => array('add_url' => get_option('home') . '/wp-admin/post-new.php?post_type=event', 'ajaxurl' => admin_url('admin-ajax.php'))),
            array('type' => 'style', 'url' => plugins_url('/css/front.css', __FILE__)),
        )
    );
    $insert_script = new whpAddStylesHard('whp', $scripts_list);
});

These include enqueueing jQuery and a number of other assets that are not required or contain no content.

This adds page bloat, reducing page performance and also presents a new vulnerability vector adding frameworks that are not otherwise needed by the website.

Could you either not enqueue these assets or provide a way to filter what is enqueued so we have the option to opt out?

To Reproduce

Steps to reproduce the behavior:

  1. Install and enable plugin

Expected behavior

No additional frontend assets enqueued on the frontend

Used versions

  • WordPress version: 6.0.3
  • WP Hardening version: 1.2.6

PHP errors in Hardening Audit when score is 100%

Describe the bug

Following PHP error is encountered when the score is 100%.

count(): Parameter must be an array or an object that implements Countable in modules/functions.php on lines 638, 648

To Reproduce

Steps to reproduce the behavior:

  1. Run a Hardening Audit on a site where the security score is 100%

Technical Details

Used versions

  • WP Hardening version: 1.1.1
  • PHP version: 7.2

WP Touch plugin isn't functioning because of Hardening plugin

Describe the bug

WP Touch mobile plugin is no longer working properly when the hardening plugin is enabled. The menu function on the mobile version is getting disabled.

To Reproduce

Steps to reproduce the behavior:

  1. Open birthingwithoutfear.com and discover that the menu is not clickable.

Expected behavior

The menu must be openable even after enabling the hardening plugin.

Screenshots

The 3 lines on the top left are not opening the menu as they should, this is a screenshot of the preview of the mobile version.
https://www.dropbox.com/s/2xs3gwa2b61ql79/Bildschirmfoto%202021-03-09%20um%2021.43.24.png?dl=0

Technical Details

Desktop (please complete the following information):

  • OS: Android
  • Browser: Chrome
  • Version: 89.0.4389.86

Used versions

  • WordPress version: 5.6.2
  • WP Hardening version: 1.2
  • Tested with theme: suffusion

Load bootstrap assets only on WP Hardening admin pages

Describe the bug

Currently the bootstrap assets (/wp-content/plugins/wp-security-hardening/modules/inc/assets/css/tw-bs4.css) are loaded on front-end pages too where it is not required.

Expected behavior

Load the resources only for the WP Hardening pages in the WordPress admin area.

Remove wp_enqueue_media();

Describe the bug

The plugin calls wp_enqueue_media() to load the resources required for the media JS APIs - which is adding additional JS code to websites. Since we're not utilizing the media JS APIs, currently, this can be removed.
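One way to address the three asset reports above (front-end scripts and styles, Bootstrap loaded on every page, and the wp_enqueue_media() call), as an added example rather than the plugin's own code: register the assets on admin_enqueue_scripts and bail out unless the current screen is one of the plugin's own admin pages, so nothing is enqueued on the public front end. The hook suffixes in WHP_ADMIN_HOOKS and the whp_enqueue_admin_assets filter name are assumptions; the asset paths and the 1.2.6 version are those reported on this page.

```php
<?php
// Added example, not the plugin's code. 'toplevel_page_whp' is a placeholder hook
// suffix: the real value is whatever add_menu_page() returns for the WP Hardening menu.
define('WHP_ADMIN_HOOKS', ['toplevel_page_whp']);
define('WHP_ASSET_VERSION', '1.2.6');

add_action('admin_enqueue_scripts', function (string $hook_suffix): void {
    // Every other admin screen (post editor, dashboard, ...) gets nothing from the plugin.
    if (!in_array($hook_suffix, WHP_ADMIN_HOOKS, true)) {
        return;
    }
    // Hypothetical filter so site owners can opt out of the bundled assets entirely.
    if (!apply_filters('whp_enqueue_admin_assets', true, $hook_suffix)) {
        return;
    }

    // Bootstrap and Font Awesome are only needed to render the plugin's own pages.
    wp_enqueue_style('whp-bs4', plugins_url('/inc/assets/css/tw-bs4.css', __FILE__), [], WHP_ASSET_VERSION);
    wp_enqueue_style('whp-fa', plugins_url('/inc/fa/css/font-awesome.min.css', __FILE__), [], WHP_ASSET_VERSION);
    wp_enqueue_style('whp-admin', plugins_url('/css/admin.css', __FILE__), ['whp-bs4'], WHP_ASSET_VERSION);
    wp_enqueue_style('whp-balloon', plugins_url('/css/balloon.min.css', __FILE__), [], WHP_ASSET_VERSION);

    // jQuery is declared as a dependency of admin.js, so it is pulled in only on these
    // screens rather than being enqueued globally on init.
    wp_enqueue_script('whp-admin', plugins_url('/js/admin.js', __FILE__), ['jquery'], WHP_ASSET_VERSION, true);
    wp_localize_script('whp-admin', 'whp', [
        'ajaxurl'             => admin_url('admin-ajax.php'),
        'nonce'               => wp_create_nonce('ajax_call_nonce'),
        'wrong_admin'         => __('Please enter an admin URL slug which only has alpha-numeric characters', 'whp'),
        'home_url'            => home_url('/'),
        'permalink_structure' => get_option('permalink_structure'),
    ]);
    // wp_enqueue_media() is deliberately absent: the plugin does not use the media JS APIs.
});

// No wp_enqueue_scripts (front-end) handler is registered at all, which is what the
// "no additional frontend assets" expectation in the reports above asks for.
```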
