igorhrcek / wp-cli-secure-command
Secure package for WP CLI, built to provide an easier way of securing your WordPress installation
Is your feature request related to a problem? Please describe.
No
Describe the solution you'd like
We need to implement a command that will allow us to search for certain security headers, output the result of the search and allow user to set most frequently used security headers
Describe alternatives you've considered
None
Additional context
Because of the complexity of this command we are going to do implementation in two steps:
We haven't agreed really on the list of headers that we want to scan for (and provide rules for) but I think that we should go with:
I propose that the command for this should be something like:
wp secure securityheaders --scan
wp secure securityheaders --deploy=hsts
wp secure securityheaders --remove=hsts
For scan
I prefer to use a table output with the following columns:
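As an added example (my code, not the project's), the two halves of the proposed command run against a captured response: scan parses the headers and reports each wanted one as a table row, flagging the obsolete X-XSS-Protection header when it is present, and render_rule gives the Apache or nginx line that --deploy=hsts would write. The header list, the deployed values and the sample response are assumptions.

```python
# Added example, not code from wp-cli-secure-command; the header list, the
# deployed values and the sample response below are all assumptions.

# --deploy=<short name> -> header name the scan looks for.
WANTED = {"hsts": "strict-transport-security", "xframe": "x-frame-options",
          "nosniff": "x-content-type-options", "referrer": "referrer-policy",
          "csp": "content-security-policy", "permissions": "permissions-policy"}
OBSOLETE = ["x-xss-protection"]  # presence is reported as a finding, not a pass
# Value written by --deploy=<short name> (assumed; tune per site).
RULES = {
    "hsts": ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    "nosniff": ("X-Content-Type-Options", "nosniff"),
    "xframe": ("X-Frame-Options", "SAMEORIGIN"),
}

def parse_headers(raw: str) -> dict:
    """Status line, then headers up to the blank line, as a lower-cased dict."""
    headers = {}
    for line in raw.splitlines()[1:]:
        if not line.strip():
            break  # end of headers; the body is ignored
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def scan(raw: str) -> list:
    """(short name, header, status, value) rows, one per line of the table."""
    found = parse_headers(raw)
    rows = [(short, name, "present" if name in found else "missing", found.get(name, ""))
            for short, name in WANTED.items()]
    rows += [(name, name, "obsolete", found[name]) for name in OBSOLETE if name in found]
    return rows

def render_rule(short: str, server: str) -> str:
    """Rule text for --deploy=<short>; the Apache form needs mod_headers."""
    header, value = RULES[short]
    if server == "apache":
        return f'Header always set {header} "{value}"'
    if server == "nginx":
        return f'add_header {header} "{value}" always;'
    raise ValueError(f"unknown server {server!r}")

# Constructed sample response: one wanted header set, one obsolete header present.
SAMPLE = """HTTP/1.1 200 OK
Server: nginx
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Content-Type: text/html

<html></html>"""
```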
Describe the bug
Cannot install WP-CLI package
To Reproduce
Steps to reproduce the behavior:
wp package install git@github.com:igorhrcek/wp-cli-secure-command.git
Expected behavior
I expected for the package to be installed
Desktop (please complete the following information):
Additional context
Error that I receive is:
Warning: Couldn't fetch default branch for package 'https://github.com:igorhrcek/wp-cli-secure-command.git' (HTTP code 403). Presuming default branch is 'master'.
Warning: Package name mismatch...Updating from git name 'igorhrcek/wp-cli-secure-command' to composer.json name 'igor/wp_cli_secure_command'.
Installing package igor/wp_cli_secure_command (dev-master)
Updating /home/nvsn/.wp-cli/packages/composer.json to require the package...
Registering https://github.com:igorhrcek/wp-cli-secure-command.git as a VCS repository...
Using Composer to install the package...
---
Loading composer repositories with package information
Warning: Failed to execute git clone --mirror -- 'https://github.com:igorhrcek/wp-cli-secure-command.git' '/home/nvsn/.cache/composer/vcs/https---github.com-igorhrcek-wp-cli-secure-command.git/'
Cloning into bare repository '/home/nvsn/.cache/composer/vcs/https---github.com-igorhrcek-wp-cli-secure-command.git'...
remote: Not Found
fatal: repository 'https://github.com:igorhrcek/wp-cli-secure-command.git/' not found
---
Error: Package installation failed.
Reverted composer.json.
Automatically identify the owner and reset it correctly please
Describe the bug
File manager always edits in the current working directory.
To Reproduce
Steps to reproduce the behavior:
run wp secure block-php plugins from the $HOME directory.
An .htaccess will be created in the home directory, even if a --path is specified.
Expected behavior
This is a tricky one. I think the default --path should be the default one in 90% of cases.
But an .htaccess can also be located above a public folder. Probably the same applies to the nginx config files.
If the default path is respected a way for an exception should be available. Maybe a --config-path flag.
Not a clear cut solution for this one.
Is your feature request related to a problem? Please describe.
If we allow inline JS to exist then having strong CSP policies (#27) will have no real purpose.
Describe the solution you'd like
We should find an elegant, sustainable and flexible solution for hooking into any WordPress installation in order to add and execute certain code.
Describe alternatives you've considered
None
Additional context
We should use a MU plugins for this. Practically every time we need to change the behavior of the WordPress we could just copy the PHP file from our codebase to a MU plugin and then update the main plugin file to include the new files. That way we can easily add and remove certain security features and hook into WP.
master branch failed. 🚨 I recommend you give this issue a high priority, so other packages depending on you can benefit from your bug fixes and new features again.
You can find below the list of errors reported by semantic-release. Each one of them has to be resolved in order to automatically publish your package. I'm sure you can fix this 💪.
Errors are usually caused by a misconfiguration or an authentication problem. With each error reported below you will find explanation and guidance to help you to resolve it.
Once all the errors are resolved, semantic-release will release your package the next time you push a commit to the master branch. You can also manually restart the failed CI job that runs semantic-release.
If you are not sure how to resolve this, here are some links that can help you:
If those don't help, or if this issue is reporting something you think isn't right, you can always ask the humans behind semantic-release.
package.json file. A package.json file at the root of your project is required to release on npm. Please follow the npm guideline to create a valid package.json file.
Good luck with your project ✨
Your semantic-release bot 📦🚀
Describe the bug
I tried to install the package, just copied the line wp package install git@github.com:igorhrcek/wp-cli-secure-command.git and inserted it into iTerm. The error I got was:
Loading composer repositories with package information
Warning: The 'https://api.github.com/repos/igorhrcek/wp-cli-secure-command' URL could not be accessed: HTTP/1.1 400 Bad Request
Error: Package installation failed.
Reverted composer.json.
Is your feature request related to a problem? Please describe.
No
Describe the solution you'd like
We need to update the Readme file to include information about managing security headers
Describe alternatives you've considered
None
Additional context
None
Is your feature request related to a problem? Please describe.
No
Describe the solution you'd like
We should implement a command that will allow us to manage different CSP policies - apply rules to certain policies, such as style-src, font-src, script-src etc.
The user should also be able to get information about what is applied as a policy, like "show me what I set as a script-src" and then to either add or remove addresses from it.
Describe alternatives you've considered
None
Additional context
CSP can get really messy, with too many URLs and different types of policies, so parsing them can be a tricky business.
I think that we should keep a state in a separate file (like in JSON object on FS) and use that to build policy directive and write it into configuration file.
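An added example of the state-file approach, not the project's code: the policy lives as a {directive: [sources]} dict that round-trips through JSON, is parsed from and rebuilt into the header value, supports the add and remove operations described above, and reports directives that defeat the policy (the inline-script case raised in the MU-plugin request above). The sample policies are constructed.

```python
# Added example, not code from wp-cli-secure-command: the CSP state kept as a
# JSON-serialisable {directive: [sources]} dict, parsed from and built back
# into the header value. Sample policies are constructed.
import json

def parse_csp(header: str) -> dict:
    """Split a Content-Security-Policy value into {directive: [sources]};
    valueless directives such as upgrade-insecure-requests get an empty list."""
    state = {}
    for clause in header.split(";"):
        tokens = clause.split()
        if tokens:
            state[tokens[0].lower()] = tokens[1:]
    return state

def build_csp(state: dict) -> str:
    """Serialise the state into one header value, directive by directive."""
    return "; ".join(" ".join([d, *sources]) for d, sources in state.items())

def add_source(state: dict, directive: str, source: str) -> dict:
    """Append a source to a directive (creating it) without duplicating it."""
    sources = state.setdefault(directive.lower(), [])
    if source not in sources:
        sources.append(source)
    return state

def remove_source(state: dict, directive: str, source: str) -> dict:
    """Drop one source; a directive emptied this way is removed entirely."""
    directive = directive.lower()
    sources = state.get(directive, [])
    if source in sources:
        sources.remove(source)
        if not sources:
            del state[directive]
    return state

def weak_directives(state: dict) -> list:
    """Directives that allow inline code, eval or any host at all; script-src
    with 'unsafe-inline' is the case that makes the rest of the policy moot."""
    risky = {"'unsafe-inline'", "'unsafe-eval'", "*"}
    return [d for d, sources in state.items() if risky & set(sources)]

def dump_state(state: dict) -> str:
    """The JSON written to the state file on disk."""
    return json.dumps(state, indent=2)

def load_state(text: str) -> dict:
    """State read back from the JSON file."""
    return json.loads(text)
```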
Is your feature request related to a problem? Please describe.
No
Describe the solution you'd like
File Editor is a huge security risk in the dashboard and it should be disabled, so we need to implement a command for that.
Describe alternatives you've considered
None
Additional context
This is just setting the DISALLOW_FILE_EDIT to true, so we can do it using the existing wp config set command.
Is your feature request related to a problem? Please describe.
No
Describe the solution you'd like
There is an official recommendation about permission masks for files and folders in WP, so we should implement a command to do all that for us
Describe alternatives you've considered
No
Additional context
WP recommends 666 for files, 755 for folders and I think that this should be a default:
https://wordpress.org/support/article/changing-file-permissions/
Now, someone might want a more permissive system for folders, like 775 instead of 755, so I think there should be an option to pass an additional arguments for files and folders separately, like:
wp secure fixpermissions
wp secure fixpermissions --files=644 --folders=775
We should also forbid setting 777 for either files and folders.
Is your feature request related to a problem? Please describe.
There are a few commands that are doing the same thing (blocking PHP execution) on various paths and instead of having 4 separate commands, we might have one.
Describe the solution you'd like
Remove all existing block-php commands and replace it with only one that will accept arguments?
Describe alternatives you've considered
None
Additional context
For example, instead of:
wp secure block_php_exution_in_uploads
we should have:
wp secure blockphp --locations=uploads,themes,plugins,wp-includes
Describe the bug
X-XSS-Protection is obsolete for a few years now and not supported by browsers anymore. This header will do nothing and at least caused privacy and security issues in the past.
To Reproduce
Expected behavior
Remove the X-XSS-Protection header.
Additional context
See also:
https://caniuse.com/mdn-http_headers_x-xss-protection
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
Describe the bug
phpcs is reporting a huge amount of code style issues:
https://github.com/igorhrcek/wp-cli-secure-command/actions/runs/2155584916
Expected behavior
Try and fix all of the issues if possible
Additional context
None
Is your feature request related to a problem? Please describe.
No
Describe the solution you'd like
Implement a command that will allow us to block public access to custom files and/or folders
Describe alternatives you've considered
None
Additional context
For this command we need to define a new rule template that is going to be used as a placeholder for adding custom files names, folders and/or file extensions as well.
User should be able to add files, extensions and folders all at the same time. Something like:
wp secure block_access --files=file1,file2,file3 --extensions=exe,py,sql --folders=/home/something/something,otherfolder
It's not going to be possible to append files or folders if rule already exist.
When called with the --remove parameter we will remove this rule altogether.
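An added example, not the project's own templates, serving both this request and the earlier proposal to fold the block-php commands into one blockphp --locations command: it renders the .htaccess and nginx rules for a set of locations and for custom files, extensions and folders. The rule shapes and the location-to-path map are assumptions, and --folders is taken as a path under the web root.

```python
# Added example, not the project's own rule templates: the .htaccess and nginx
# rules a single "blockphp --locations=..." command and a
# "block_access --files/--extensions/--folders" command would write. Rule
# shapes are assumptions; --folders is read as a path under the web root.
import re

# Where each --locations name lives in the standard WordPress layout.
LOCATIONS = {"uploads": "wp-content/uploads", "themes": "wp-content/themes",
             "plugins": "wp-content/plugins", "wp-includes": "wp-includes"}

def _alt(items) -> str:
    """Regex alternation of user-supplied names, escaped so '.' stays literal."""
    return "(" + "|".join(re.escape(i.strip("/")) for i in items) + ")"

def block_php_rules(locations, server="apache") -> str:
    """Forbid requests for .php files anywhere below the given locations."""
    prefixes = "(" + "|".join(LOCATIONS[loc] for loc in locations) + ")"
    if server == "apache":  # root .htaccess; RewriteRule paths carry no leading slash
        return f"RewriteEngine On\nRewriteRule ^{prefixes}/.*\\.php$ - [F,L]"
    if server == "nginx":   # place before the location that hands .php to PHP-FPM
        return f"location ~* ^/{prefixes}/.*\\.php$ {{ deny all; }}"
    raise ValueError(f"unknown server {server!r}")

def block_access_rules(files=(), extensions=(), folders=(), server="apache") -> str:
    """One rule per kind given; --remove would drop this whole block again."""
    deny = "\n    Require all denied\n</FilesMatch>"  # Apache 2.4 syntax
    lines = []
    if server == "apache":
        if files:
            lines.append(f'<FilesMatch "^{_alt(files)}$">{deny}')
        if extensions:
            lines.append(f'<FilesMatch "\\.{_alt(extensions)}$">{deny}')
        if folders:
            lines.append(f"RewriteEngine On\nRewriteRule ^{_alt(folders)}(/|$) - [F,L]")
    elif server == "nginx":
        if files:
            lines.append(f"location ~* /{_alt(files)}$ {{ deny all; }}")
        if extensions:
            lines.append(f"location ~* \\.{_alt(extensions)}$ {{ deny all; }}")
        if folders:
            lines.append(f"location ~* ^/{_alt(folders)}(/|$) {{ deny all; }}")
    else:
        raise ValueError(f"unknown server {server!r}")
    return "\n".join(lines)
```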
Is your feature request related to a problem? Please describe.
No
Describe the solution you'd like
Implement a new GHA workflow for automated testing of nginx rules
Describe alternatives you've considered
None
Additional context
In addition to this workflow I also need to build a WordPress container that uses nginx
Describe the bug
The Default permission mask used in FixFileAndDirPermissions sets files to 0666, which would allow any user to write to files in the WordPress installation.
I would recommend a file mask of 0644, which would only allow the owner of the file to write to it, and still allows read access to all other users.
To Reproduce
Run wp secure fix-permissions
Expected behavior
I suspect the intended behavior of this function would be to set the mask to 0644, which is rw-r--r-- or sets files readable by any user, but writable by only the owner of the file.
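An added example (not the project's code) covering both the fixpermissions proposal above and this report: masks are parsed from their CLI form, 777 and any world-writable mask such as 666 are refused, and the chmod walk applies 644/755 by default. The sample install is constructed in a temporary directory.

```python
# Added example, not code from wp-cli-secure-command: mask validation and the
# chmod walk a fix-permissions command needs. Defaults are the 644/755 values
# from the bug report, not the 666 default it describes.
import os
import stat
import tempfile
DEFAULT_FILES = 0o644    # rw-r--r--: owner writes, everyone reads
DEFAULT_FOLDERS = 0o755  # rwxr-xr-x

def parse_mask(text: str) -> int:
    """Turn a CLI value such as '644' into a mode; three octal digits only."""
    if len(text) != 3 or any(c not in "01234567" for c in text):
        raise ValueError(f"invalid permission mask {text!r}")
    return int(text, 8)

def check_mask(mask: int, kind: str) -> int:
    """Refuse 777 outright and any mask that lets every local account write."""
    if mask == 0o777:
        raise ValueError(f"{kind}: 777 is not allowed")
    if mask & stat.S_IWOTH:  # 666 fails here: world-writable
        raise ValueError(f"{kind}: mask {mask:o} is world-writable")
    return mask

def fix_permissions(root: str, files: int = DEFAULT_FILES, folders: int = DEFAULT_FOLDERS) -> dict:
    """chmod root and everything below it; symlinks are skipped, never followed."""
    files, folders = check_mask(files, "files"), check_mask(folders, "folders")
    counts = {"files": 0, "folders": 0}
    os.chmod(root, folders)
    counts["folders"] += 1
    for dirpath, dirnames, filenames in os.walk(root):
        for name, mode, kind in [(n, folders, "folders") for n in dirnames] + \
                                [(n, files, "files") for n in filenames]:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                os.chmod(path, mode)
                counts[kind] += 1
    return counts

def mode_of(path: str) -> int:
    """Permission bits of a path, e.g. 0o644."""
    return stat.S_IMODE(os.lstat(path).st_mode)

def make_sample_install() -> str:
    """Constructed tree that imitates the 666 default: one folder, two files."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "wp-content"))
    for name in ("wp-config.php", os.path.join("wp-content", "index.php")):
        with open(os.path.join(root, name), "w") as fh:
            fh.write("<?php\n")
        os.chmod(os.path.join(root, name), 0o666)
    return root
```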
Is your feature request related to a problem? Please describe.
No
Describe the solution you'd like
We need to develop custom CICD workflow for automated execution of tests using GitHub Actions
Describe alternatives you've considered
None
Additional context
We need to build Docker containers that will use both Apache and nginx to run WordPress. The reason for this is because we are doing integration tests for actual .htaccess and nginx rules that are deployed with our commands.
So to do so, we probably will have to modify official WordPress containers and add WP CLI and then to make a full workflow for performing tests.
Is your feature request related to a problem? Please describe.
No
Describe the solution you'd like
Let's ask for confirmation before executing FixPermissions command.
Describe alternatives you've considered
None
Additional context
Here is the docs for the confirmation implementation:
https://make.wordpress.org/cli/handbook/references/internal-api/wp-cli-confirm/
We should say something like "This command will change file and folder permissions inside your WordPress installation which might affect the way it works. Are you sure that you want to do this?"
Is your feature request related to a problem? Please describe.
No
Describe the solution you'd like
TODO: block-access method to allow for custom files and folders
Describe alternatives you've considered
None
Additional context
None
Is your feature request related to a problem? Please describe.
No
Describe the solution you'd like
Add a call for adding security headers in wp secure all
Describe alternatives you've considered
None
Additional context
None
Is your feature request related to a problem? Please describe.
No
Describe the solution you'd like
We should implement a command that will allow us to deploy all security rules at once
Describe alternatives you've considered
No
Additional context
Command should be something like:
wp secure all
and it should practically call all other sub-commands to deploy all the rules we have built.
PHP Parse error: syntax error, unexpected '|', expecting variable (T_VARIABLE) in /.wp-cli/packages/vendor/igor/wp_cli_secure_command/src/SubCommands/SubCommand.php on line 109
PHP 7.4.28
WP-CLI 2.6.0
Is your feature request related to a problem? Please describe.
Existing command used in tests is fixed to only one type of environment so tests will not run if executed in a different setup
Describe the solution you'd like
We need to move the restart command from test files to .env file or to find a better way of restarting nginx containers during tests
Describe alternatives you've considered
Not aware that there are any
Additional context
We should also try to implement the official WP CLI Testing process