}
$ignoredText = '';
if ($this->i->totalIgnoredIssues > 0) {
$ignoredText = ' ' . sprintf(
/* translators: Number of scan results. */
_n(
'%d ignored issue was also detected.',
'%d ignored issues were also detected.',
$this->i->totalIgnoredIssues,
'wordfence'
), $this->i->totalIgnoredIssues);
}
if ($this->i->totalIssues > 0) {
$this->status(10, 'info', "SUM_FINAL:" . sprintf(
/* translators: Number of scan results. */
_n(
"Scan complete. You have %d new issue to fix.",
"Scan complete. You have %d new issues to fix.",
$this->i->totalIssues,
'wordfence'),
$this->i->totalIssues
) .
$ignoredText . ' ' .
__('See below.', 'wordfence')
);
} else {
$this->status(10, 'info', "SUM_FINAL:" . __('Scan complete. Congratulations, no new problems found.', 'wordfence') . $ignoredText);
}
return;
}
/**
 * Returns the job at the head of the scan job list.
 *
 * @return mixed The first entry of $this->jobList. There is no empty-list guard, so
 *               callers are expected to check that a job is queued first.
 */
public function getCurrentJob() {
	$jobs = $this->jobList;
	return $jobs[0];
}
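/**
 * Premium-only stage: asks the Wordfence API ('check_spam_ip') whether this site's IP is
 * generating spam and records every reported issue with SEVERITY_HIGH.
 *
 * Stage status is STATUS_PROBLEM when any issue was added or updated, STATUS_IGNORED when
 * the only reported issues are ignored ones, and STATUS_SECURE otherwise. A stage already
 * marked as a problem is never downgraded to ignored by a later ignored issue (this matches
 * the status logic used by the other scan_* stages). Free scans only emit the paid-only
 * notice.
 */
private function scan_checkSpamIP() {
	if (!$this->scanController->isPremiumScan()) {
		wfIssues::statusPaidOnly(__("Checking if your IP is generating spam is for paid members only", 'wordfence'));
		sleep(2);
		return;
	}

	$this->statusIDX['checkSpamIP'] = wfIssues::statusStart(__("Checking if your site IP is generating spam", 'wordfence'));
	$this->scanController->startStage(wfScanner::STAGE_SPAM_CHECK);
	$result = $this->api->call('check_spam_ip', array(), array(
		'siteURL' => site_url()
	));

	$haveIssues = wfIssues::STATUS_SECURE;
	// The API response is external input: only iterate when both keys are present and 'issues' is a list.
	if (!empty($result['haveIssues']) && isset($result['issues']) && is_array($result['issues'])) {
		foreach ($result['issues'] as $issue) {
			$added = $this->addIssue($issue['type'], wfIssues::SEVERITY_HIGH, $issue['ignoreP'], $issue['ignoreC'], $issue['shortMsg'], $issue['longMsg'], $issue['data']);
			if ($added == wfIssues::ISSUE_ADDED || $added == wfIssues::ISSUE_UPDATED) {
				$haveIssues = wfIssues::STATUS_PROBLEM;
			} else if ($haveIssues != wfIssues::STATUS_PROBLEM && ($added == wfIssues::ISSUE_IGNOREP || $added == wfIssues::ISSUE_IGNOREC)) {
				// An ignored issue must not mask a real problem found earlier in the list.
				$haveIssues = wfIssues::STATUS_IGNORED;
			}
		}
	}
	wfIssues::statusEnd($this->statusIDX['checkSpamIP'], $haveIssues);
	$this->scanController->completeStage(wfScanner::STAGE_SPAM_CHECK, $haveIssues);
}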
/**
 * Premium-only stage: opens the domain-blocklist check and calls cleanup() on a fresh
 * wordfenceURLHoover (presumably discarding URLs left over from an earlier run — see
 * wordfenceURLHoover) before scan_checkGSB_main() starts collecting URLs.
 * Free scans only emit the paid-only notice.
 */
private function scan_checkGSB_init() {
	if (!$this->scanController->isPremiumScan()) {
		wfIssues::statusPaidOnly(__("Checking if your site is on a domain blocklist is for paid members only", 'wordfence'));
		sleep(2);
		return;
	}

	$this->statusIDX['checkGSB'] = wfIssues::statusStart(__("Checking if your site is on a domain blocklist", 'wordfence'));
	$this->scanController->startStage(wfScanner::STAGE_BLACKLIST_CHECK);
	$hoover = new wordfenceURLHoover($this->apiKey, $this->wp_version);
	$hoover->cleanup();
}
/**
 * Premium-only, multisite-only stage: feeds every blog's home URL (and site URL, when it
 * differs) into a wordfenceURLHoover, counting each as a scanned URL.
 *
 * Blogs are read in ascending id order starting after $this->gsbMultisiteBlogOffset, which
 * is advanced before forking so a continuation process resumes where this one stopped.
 * Single-site installs do nothing here; their two URLs are checked directly in
 * scan_checkGSB_finish().
 */
private function scan_checkGSB_main() {
	if (!$this->scanController->isPremiumScan() || !is_multisite()) {
		return;
	}

	global $wpdb;
	$hoover = new wordfenceURLHoover($this->apiKey, $this->wp_version, false, true);
	// Direct (prepared, %d-bound) query instead of wp_get_sites()/get_sites(): those return empty past 10k sites.
	$blogIDs = $wpdb->get_col($wpdb->prepare("SELECT blog_id FROM {$wpdb->blogs} WHERE blog_id > %d ORDER BY blog_id ASC", $this->gsbMultisiteBlogOffset));
	foreach ($blogIDs as $blogID) {
		$homeURL = get_home_url($blogID);
		$hoover->hoover($blogID, $homeURL);
		$this->scanController->incrementSummaryItem(wfScanner::SUMMARY_SCANNED_URLS);

		$siteURL = get_site_url($blogID);
		if ($siteURL != $homeURL) {
			$hoover->hoover($blogID, $siteURL);
			$this->scanController->incrementSummaryItem(wfScanner::SUMMARY_SCANNED_URLS);
		}

		if ($this->shouldFork()) {
			// Persist progress first so the forked process skips the blogs already hoovered.
			$this->gsbMultisiteBlogOffset = $blogID;
			$this->forkIfNeeded();
		}
	}
}
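/**
 * Premium-only stage: collects the blocklist results and raises one critical 'checkGSB'
 * issue per flagged URL.
 *
 * Multisite: reads the results gathered by scan_checkGSB_main() from wordfenceURLHoover;
 * an error message from the hoover ends the stage as STATUS_FAILED and returns early.
 * Single site: checks the home and site URL with a single 'check_bad_urls' API call and
 * reshapes the response into the same {URL, badList} structure the multisite path yields.
 * The 'check_bad_urls' response is external input and is only reshaped when it has the
 * expected array shape; anything else is treated as "no bad URLs".
 *
 * Known badList values map to Google Safe Browsing malware/phishing or the Wordfence
 * domain blocklist wording; any other value is reported as a generic blocklist hit with
 * data['gsb'] = 'unknown'. Stage status is STATUS_PROBLEM when any issue was added or
 * updated, STATUS_IGNORED when every hit is ignored, otherwise STATUS_SECURE.
 */
private function scan_checkGSB_finish() {
	if (!$this->scanController->isPremiumScan()) {
		return;
	}

	if (is_multisite()) {
		$h = new wordfenceURLHoover($this->apiKey, $this->wp_version, false, true);
		$badURLs = $h->getBaddies();
		if ($h->errorMsg) {
			$this->status(4, 'info', sprintf(/* translators: Error message. */ __("Error checking domain blocklists: %s", 'wordfence'), $h->errorMsg));
			wfIssues::statusEnd($this->statusIDX['checkGSB'], wfIssues::STATUS_FAILED);
			$this->scanController->completeStage(wfScanner::STAGE_BLACKLIST_CHECK, wfIssues::STATUS_FAILED);
			return;
		}
		$h->cleanup();
	} else {
		$urlsToCheck = array(array(wfUtils::wpHomeURL(), wfUtils::wpSiteURL()));
		$badURLs = $this->api->call('check_bad_urls', array(), array('toCheck' => json_encode($urlsToCheck))); //Skipping the separate prefix check since there are just two URLs
		$finalResults = array();
		// Guard the shape of the API response before iterating it: a non-array response previously hit foreach() unchecked.
		if (is_array($badURLs)) {
			foreach ($badURLs as $file => $badSiteList) {
				if (!isset($finalResults[$file])) {
					$finalResults[$file] = array();
				}
				if (!is_array($badSiteList)) {
					continue;
				}
				foreach ($badSiteList as $badSite) {
					$finalResults[$file][] = array(
						'URL' => $badSite[0],
						'badList' => $badSite[1]
					);
				}
			}
		}
		$badURLs = $finalResults;
	}

	$haveIssues = wfIssues::STATUS_SECURE;
	if (is_array($badURLs) && count($badURLs) > 0) {
		foreach ($badURLs as $id => $badSiteList) {
			foreach ($badSiteList as $badSite) {
				$url = $badSite['URL'];
				$badList = $badSite['badList'];
				$data = array('badURL' => $url);

				// $url is data returned by the blocklist service: it is esc_html()'d for the message body and
				// urlencode()'d for the diagnostic link query; $id is forced to int before interpolation.
				if ($badList == 'goog-malware-shavar') {
					if (is_multisite()) {
						$shortMsg = sprintf(/* translators: WordPress site ID. */ __('The multisite blog with ID %d is listed on Google\'s Safe Browsing malware list.', 'wordfence'), intval($id));
						$data['multisite'] = intval($id);
					} else {
						$shortMsg = __('Your site is listed on Google\'s Safe Browsing malware list.', 'wordfence');
					}
					$longMsg = sprintf(
						/* translators: 1. URL. 2. URL. */
						__('The URL %1$s is on the malware list. More info available at <a href="http://safebrowsing.clients.google.com/safebrowsing/diagnostic?site=%2$s&client=googlechrome&hl=en-US" target="_blank" rel="noopener noreferrer">Google Safe Browsing diagnostic page<span class="screen-reader-text"> (' . esc_html__('opens in new tab', 'wordfence') . ')</span></a>.', 'wordfence'), esc_html($url), urlencode($url));
					$data['gsb'] = $badList;
				} else if ($badList == 'googpub-phish-shavar') {
					if (is_multisite()) {
						$shortMsg = sprintf(
							/* translators: WordPress site ID. */
							__('The multisite blog with ID %d is listed on Google\'s Safe Browsing phishing list.', 'wordfence'), intval($id));
						$data['multisite'] = intval($id);
					} else {
						$shortMsg = __('Your site is listed on Google\'s Safe Browsing phishing list.', 'wordfence');
					}
					$longMsg = sprintf(
						/* translators: 1. URL. 2. URL. */
						__('The URL %1$s is on the phishing list. More info available at <a href="http://safebrowsing.clients.google.com/safebrowsing/diagnostic?site=%2$s&client=googlechrome&hl=en-US" target="_blank" rel="noopener noreferrer">Google Safe Browsing diagnostic page<span class="screen-reader-text"> (' . esc_html__('opens in new tab', 'wordfence') . ')</span></a>.', 'wordfence'), esc_html($url), urlencode($url));
					$data['gsb'] = $badList;
				} else if ($badList == 'wordfence-dbl') {
					if (is_multisite()) {
						$shortMsg = sprintf(
							/* translators: WordPress site ID. */
							__('The multisite blog with ID %d is listed on the Wordfence domain blocklist.', 'wordfence'), intval($id));
						$data['multisite'] = intval($id);
					} else {
						$shortMsg = __('Your site is listed on the Wordfence domain blocklist.', 'wordfence');
					}
					$longMsg = sprintf(
						/* translators: URL. */
						__("The URL %s is on the blocklist.", 'wordfence'), esc_html($url));
					$data['gsb'] = $badList;
				} else {
					// Unrecognised list name: report generically rather than dropping the hit.
					if (is_multisite()) {
						$shortMsg = sprintf(
							/* translators: WordPress site ID. */
							__('The multisite blog with ID %d is listed on a domain blocklist.', 'wordfence'), intval($id));
						$data['multisite'] = intval($id);
					} else {
						$shortMsg = __('Your site is listed on a domain blocklist.', 'wordfence');
					}
					$longMsg = sprintf(/* translators: URL. */ __("The URL is: %s", 'wordfence'), esc_html($url));
					$data['gsb'] = 'unknown';
				}

				// The ignore-C key includes the URL so each flagged URL can be ignored individually.
				$added = $this->addIssue('checkGSB', wfIssues::SEVERITY_CRITICAL, 'checkGSB', 'checkGSB' . $url, $shortMsg, $longMsg, $data);
				if ($added == wfIssues::ISSUE_ADDED || $added == wfIssues::ISSUE_UPDATED) {
					$haveIssues = wfIssues::STATUS_PROBLEM;
				} else if ($haveIssues != wfIssues::STATUS_PROBLEM && ($added == wfIssues::ISSUE_IGNOREP || $added == wfIssues::ISSUE_IGNOREC)) {
					$haveIssues = wfIssues::STATUS_IGNORED;
				}
			}
		}
	}

	wfIssues::statusEnd($this->statusIDX['checkGSB'], $haveIssues);
	$this->scanController->completeStage(wfScanner::STAGE_BLACKLIST_CHECK, $haveIssues);
}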
/**
 * Opens the "how does Wordfence get IPs" stage: records when the check started and calls
 * wfUtils::requestDetectProxyCallback() (presumably asking the Wordfence servers to send a
 * test request back to this site — see wfUtils).
 *
 * scan_checkHowGetIPs_main() polls for the result until $this->checkHowGetIPsRequestTime
 * is older than the configured timeout.
 */
private function scan_checkHowGetIPs_init() {
	$label = __("Checking for the most secure way to get IPs", 'wordfence');
	$this->statusIDX['checkHowGetIPs'] = wfIssues::statusStart($label);
	$this->scanController->startStage(wfScanner::STAGE_SERVER_STATE);
	$this->checkHowGetIPsRequestTime = time();
	wfUtils::requestDetectProxyCallback();
}
/**
 * Waits for the proxy-detection result and reports a misconfigured
 * "How does Wordfence get IPs" setting.
 *
 * Polls the 'detectProxyRecommendation' config value (sleeping 1s and forking if needed
 * between reads) until it is set or WORDFENCE_CHECKHOWGETIPS_TIMEOUT seconds (default 30)
 * have elapsed since scan_checkHowGetIPs_init(). Then:
 *  - 'DEFERRED'                       -> STATUS_SKIPPED, no issue
 *  - still empty                      -> STATUS_FAILED (no callback within the timeout)
 *  - 'UNKNOWN'                        -> SEVERITY_HIGH issue "Unable to accurately detect IPs"
 *  - differs from saved 'howGetIPs'   -> SEVERITY_HIGH issue "'How does Wordfence get IPs' is
 *                                        misconfigured", with a per-header hint appended
 * An issue that is added/updated yields STATUS_PROBLEM; an ignored one STATUS_IGNORED.
 */
private function scan_checkHowGetIPs_main() {
	if (!defined('WORDFENCE_CHECKHOWGETIPS_TIMEOUT')) {
		define('WORDFENCE_CHECKHOWGETIPS_TIMEOUT', 30);
	}

	$existing = wfConfig::get('howGetIPs', '');
	$recommendation = wfConfig::get('detectProxyRecommendation', '');
	$deadline = $this->checkHowGetIPsRequestTime + WORDFENCE_CHECKHOWGETIPS_TIMEOUT;
	while (empty($recommendation) && time() < $deadline) {
		sleep(1);
		$this->forkIfNeeded();
		$recommendation = wfConfig::get('detectProxyRecommendation', '');
	}

	$haveIssues = wfIssues::STATUS_SECURE;
	$raisedIssue = false; // true once addIssue() has been called and $added holds its result
	if ($recommendation == 'DEFERRED') {
		// Nothing to do for this scan.
		$haveIssues = wfIssues::STATUS_SKIPPED;
	} else if (empty($recommendation)) {
		$haveIssues = wfIssues::STATUS_FAILED;
	} else if ($recommendation == 'UNKNOWN') {
		$raisedIssue = true;
		$added = $this->addIssue('checkHowGetIPs', wfIssues::SEVERITY_HIGH, 'checkHowGetIPs', 'checkHowGetIPs' . $recommendation . WORDFENCE_VERSION,
			__("Unable to accurately detect IPs", 'wordfence'),
			sprintf(/* translators: Support URL. */ __('Wordfence was unable to validate a test request to your website. This can happen if your website is behind a proxy that does not use one of the standard ways to convey the IP of the request or it is unreachable publicly. IP blocking and live traffic information may not be accurate. <a href="%s" target="_blank" rel="noopener noreferrer">Get More Information<span class="screen-reader-text"> (' . esc_html__('opens in new tab', 'wordfence') . ')</span></a>', 'wordfence'), wfSupportController::esc_supportURL(wfSupportController::ITEM_NOTICE_MISCONFIGURED_HOW_GET_IPS))
			, array());
	} else if (!empty($existing) && $existing != $recommendation) {
		// Per-recommendation hint appended to the generic message (switch uses the same loose comparison as the config value).
		switch ($recommendation) {
			case 'REMOTE_ADDR':
				$extraMsg = ' ' . __('For maximum security use PHP\'s built in REMOTE_ADDR.', 'wordfence');
				break;
			case 'HTTP_X_FORWARDED_FOR':
				$extraMsg = ' ' . __('This site appears to be behind a front-end proxy, so using the X-Forwarded-For HTTP header will resolve to the correct IPs.', 'wordfence');
				break;
			case 'HTTP_X_REAL_IP':
				$extraMsg = ' ' . __('This site appears to be behind a front-end proxy, so using the X-Real-IP HTTP header will resolve to the correct IPs.', 'wordfence');
				break;
			case 'HTTP_CF_CONNECTING_IP':
				$extraMsg = ' ' . __('This site appears to be behind Cloudflare, so using the Cloudflare "CF-Connecting-IP" HTTP header will resolve to the correct IPs.', 'wordfence');
				break;
			default:
				$extraMsg = '';
		}

		$raisedIssue = true;
		$added = $this->addIssue('checkHowGetIPs', wfIssues::SEVERITY_HIGH, 'checkHowGetIPs', 'checkHowGetIPs' . $recommendation . WORDFENCE_VERSION,
			__("'How does Wordfence get IPs' is misconfigured", 'wordfence'),
			sprintf(
				/* translators: Support URL. */
				__('A test request to this website was detected on a different value for this setting. IP blocking and live traffic information may not be accurate. <a href="%s" target="_blank" rel="noopener noreferrer">Get More Information<span class="screen-reader-text"> (' . esc_html__('opens in new tab', 'wordfence') . ')</span></a>', 'wordfence'),
				wfSupportController::esc_supportURL(wfSupportController::ITEM_NOTICE_MISCONFIGURED_HOW_GET_IPS)
			) . $extraMsg,
			array('recommendation' => $recommendation));
	}

	if ($raisedIssue) {
		if ($added == wfIssues::ISSUE_ADDED || $added == wfIssues::ISSUE_UPDATED) {
			$haveIssues = wfIssues::STATUS_PROBLEM;
		} else if ($added == wfIssues::ISSUE_IGNOREP || $added == wfIssues::ISSUE_IGNOREC) {
			$haveIssues = wfIssues::STATUS_IGNORED;
		}
	}

	wfIssues::statusEnd($this->statusIDX['checkHowGetIPs'], $haveIssues);
	$this->scanController->completeStage(wfScanner::STAGE_SERVER_STATE, $haveIssues);
}
/**
 * Finish hook for the "how does Wordfence get IPs" stage. Intentionally empty: the status
 * and stage are already closed by scan_checkHowGetIPs_main().
 */
private function scan_checkHowGetIPs_finish() {
	// Nothing left to do here.
}
/**
 * Looks for configuration, backup and log files that both exist on disk and can be fetched
 * over HTTP, and raises a critical 'configReadable' issue for each one.
 *
 * Candidates are a fixed set of wp-config variants, .env, .user.ini (plus the server's
 * configured user_ini.filename when it differs), wp-content/debug.log (requested with a
 * 'Range: bytes=0-700' header) and the searchreplacedb2.php variants produced by
 * wfCommonBackupFileTest::createAllForFile().
 *
 * Stage status is STATUS_PROBLEM when any issue was added or updated, STATUS_IGNORED when
 * every exposed file is ignored, otherwise STATUS_SECURE.
 */
private function scan_checkReadableConfig() {
	$haveIssues = wfIssues::STATUS_SECURE;
	$status = wfIssues::statusStart(__("Check for publicly accessible configuration files, backup files and logs", 'wordfence'));
	$this->scanController->startStage(wfScanner::STAGE_PUBLIC_FILES);

	// Probed in this order.
	$rootFilenames = array(
		'.env',
		'.user.ini',
		// '.htaccess' is deliberately not probed here.
		'wp-config.php.bak',
		'wp-config.php.bak.a2',
		'wp-config.php.swo',
		'wp-config.php.save',
	);
	$backupFileTests = array();
	foreach ($rootFilenames as $filename) {
		$backupFileTests[] = wfCommonBackupFileTest::createFromRootPath($filename);
	}
	// The '#' is percent-encoded in the URL but literal in the on-disk name.
	$backupFileTests[] = new wfCommonBackupFileTest(home_url('%23wp-config.php%23'), ABSPATH . '#wp-config.php#');
	$moreRootFilenames = array(
		'wp-config.php~',
		'wp-config.old',
		'.wp-config.php.swp',
		'wp-config.bak',
		'wp-config.save',
		'wp-config.php_bak',
		'wp-config.php.swp',
		'wp-config.php.old',
		'wp-config.php.original',
		'wp-config.php.orig',
		'wp-config.txt',
		'wp-config.original',
		'wp-config.orig',
	);
	foreach ($moreRootFilenames as $filename) {
		$backupFileTests[] = wfCommonBackupFileTest::createFromRootPath($filename);
	}
	// Only a byte range of the debug log is requested.
	$backupFileTests[] = new wfCommonBackupFileTest(content_url('/debug.log'), WP_CONTENT_DIR . '/debug.log', array(
		'headers' => array(
			'Range' => 'bytes=0-700',
		),
	));
	$backupFileTests = array_merge($backupFileTests, wfCommonBackupFileTest::createAllForFile('searchreplacedb2.php', wfCommonBackupFileTest::MATCH_REGEX, '/<title>Search and replace DB/i'));

	$userIniFilename = ini_get('user_ini.filename');
	if ($userIniFilename && $userIniFilename !== '.user.ini') {
		$backupFileTests[] = wfCommonBackupFileTest::createFromRootPath($userIniFilename);
	}

	/** @var wfCommonBackupFileTest $test */
	foreach ($backupFileTests as $test) {
		$realPath = $test->getPath();
		$pathFromRoot = $realPath;
		if (strpos($realPath, ABSPATH) === 0) {
			$pathFromRoot = substr($realPath, strlen(ABSPATH));
		}
		wordfence::status(4, 'info', "Testing {$pathFromRoot}");
		if (!$test->fileExists() || !$test->isPubliclyAccessible()) {
			continue;
		}

		// NOTE(review): getUrl() goes into the href and link text without esc_url()/esc_html(). It is presumably
		// built from home_url()/content_url() plus a fixed filename (or the server's user_ini.filename), not from
		// request input — confirm this holds before adding any caller-supplied names to the list above.
		$key = "configReadable" . bin2hex($test->getUrl());
		$added = $this->addIssue(
			'configReadable',
			wfIssues::SEVERITY_CRITICAL,
			$key,
			$key,
			sprintf(
				/* translators: File path. */
				__('Publicly accessible config, backup, or log file found: %s', 'wordfence'), esc_html($pathFromRoot)),
			sprintf(
				/* translators: 1. URL to publicly accessible file. 2. Support URL. */
				__('<a href="%1$s" target="_blank" rel="noopener noreferrer">%1$s</a> is publicly accessible and may expose source code or sensitive information about your site. Files such as this one are commonly checked for by scanners and should be made inaccessible. Alternately, some can be removed if you are certain your site does not need them. Sites using the nginx web server may need manual configuration changes to protect such files. <a href="%2$s" target="_blank" rel="noopener noreferrer">Learn more<span class="screen-reader-text"> (' . esc_html__('opens in new tab', 'wordfence') . ')</span></a>', 'wordfence'),
				$test->getUrl(),
				wfSupportController::esc_supportURL(wfSupportController::ITEM_SCAN_RESULT_PUBLIC_CONFIG)
			),
			array(
				'url' => $test->getUrl(),
				'file' => $pathFromRoot,
				'realFile' => $realPath,
				'canDelete' => true,
			)
		);
		if ($added == wfIssues::ISSUE_ADDED || $added == wfIssues::ISSUE_UPDATED) {
			$haveIssues = wfIssues::STATUS_PROBLEM;
		} else if ($haveIssues != wfIssues::STATUS_PROBLEM && ($added == wfIssues::ISSUE_IGNOREP || $added == wfIssues::ISSUE_IGNOREC)) {
			$haveIssues = wfIssues::STATUS_IGNORED;
		}
	}

	wfIssues::statusEnd($status, $haveIssues);
	$this->scanController->completeStage(wfScanner::STAGE_PUBLIC_FILES, $haveIssues);
}
/**
 * Checks whether requesting wp-includes/rss-functions.php over HTTP makes the server
 * reveal the filesystem path (full path disclosure), via self::testForFullPathDisclosure().
 * Returns silently if the file does not exist on disk.
 *
 * Unlike most scan_* stages this one only brackets its work with wfIssues::statusStart()
 * and statusEnd(); it does not start or complete a wfScanner stage.
 */
private function scan_wpscan_fullPathDisclosure() {
	$file = realpath(ABSPATH . WPINC . "/rss-functions.php");
	if (!$file) {
		return;
	}

	$status = wfIssues::statusStart(__("Checking if your server discloses the path to the document root", 'wordfence'));
	$testPage = includes_url() . basename($file);
	$haveIssues = wfIssues::STATUS_SECURE;

	if (self::testForFullPathDisclosure($testPage, $file)) {
		// The probed URL is part of the ignore keys so the finding is tracked per URL.
		$key = 'wpscan_fullPathDisclosure' . $testPage;
		$added = $this->addIssue(
			'wpscan_fullPathDisclosure',
			wfIssues::SEVERITY_HIGH,
			$key,
			$key,
			__('Web server exposes the document root', 'wordfence'),
			__('Full Path Disclosure (FPD) vulnerabilities enable the attacker to see the path to the webroot/file. e.g.: /home/user/htdocs/file/. Certain vulnerabilities, such as using the load_file() (within a SQL Injection) query to view the page source, require the attacker to have the full path to the file they wish to view.', 'wordfence'),
			array('url' => $testPage)
		);
		$wasRecorded = ($added == wfIssues::ISSUE_ADDED || $added == wfIssues::ISSUE_UPDATED);
		$wasIgnored = ($added == wfIssues::ISSUE_IGNOREP || $added == wfIssues::ISSUE_IGNOREC);
		if ($wasRecorded) {
			$haveIssues = wfIssues::STATUS_PROBLEM;
		} else if ($haveIssues != wfIssues::STATUS_PROBLEM && $wasIgnored) {
			$haveIssues = wfIssues::STATUS_IGNORED;
		}
	}

	wfIssues::statusEnd($status, $haveIssues);
}
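/**
 * Checks whether the uploads base URL serves a directory listing
 * (self::isDirectoryListingEnabled()) and raises a SEVERITY_HIGH issue if so.
 *
 * The status label is now passed through __() like every other stage label in this class
 * so it is translatable. Stage status is STATUS_PROBLEM when the issue was added or
 * updated, STATUS_IGNORED when it is ignored, otherwise STATUS_SECURE.
 *
 * NOTE(review): like scan_wpscan_fullPathDisclosure(), this stage does not call
 * startStage()/completeStage() on the scan controller — confirm whether a stage constant
 * should apply.
 */
private function scan_wpscan_directoryListingEnabled() {
	$this->statusIDX['wpscan_directoryListingEnabled'] = wfIssues::statusStart(__("Checking to see if directory listing is enabled", 'wordfence'));

	$uploadPaths = wp_upload_dir();
	$uploadsURL = $uploadPaths['baseurl'];
	$haveIssues = wfIssues::STATUS_SECURE;
	if (self::isDirectoryListingEnabled($uploadsURL)) {
		$added = $this->addIssue(
			'wpscan_directoryListingEnabled',
			wfIssues::SEVERITY_HIGH,
			'wpscan_directoryListingEnabled',
			'wpscan_directoryListingEnabled',
			__("Directory listing is enabled", 'wordfence'),
			__("Directory listing provides an attacker with the complete index of all the resources located inside of the directory. The specific risks and consequences vary depending on which files are listed and accessible, but it is recommended that you disable it unless it is needed.", 'wordfence'),
			array(
				'url' => $uploadsURL,
			)
		);
		if ($added == wfIssues::ISSUE_ADDED || $added == wfIssues::ISSUE_UPDATED) {
			$haveIssues = wfIssues::STATUS_PROBLEM;
		} else if ($haveIssues != wfIssues::STATUS_PROBLEM && ($added == wfIssues::ISSUE_IGNOREP || $added == wfIssues::ISSUE_IGNOREC)) {
			$haveIssues = wfIssues::STATUS_IGNORED;
		}
	}
	wfIssues::statusEnd($this->statusIDX['wpscan_directoryListingEnabled'], $haveIssues);
}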
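/**
 * Premium-only stage: asks the Wordfence API ('spamvertize_check') whether this site is
 * being advertised in spam and records every reported issue with SEVERITY_CRITICAL.
 *
 * The API response is external input: 'haveIssues' and 'issues' are checked with
 * !empty()/isset() before use, matching scan_checkSpamIP(), so a response missing either
 * key no longer raises an undefined-key warning. Stage status is STATUS_PROBLEM when any
 * issue was added or updated, STATUS_IGNORED when the only reported issues are ignored
 * ones, otherwise STATUS_SECURE. Free scans only emit the paid-only notice.
 */
private function scan_checkSpamvertized() {
	if (!$this->scanController->isPremiumScan()) {
		wfIssues::statusPaidOnly(__("Check if your site is being Spamvertized is for paid members only", 'wordfence'));
		sleep(2);
		return;
	}

	$this->statusIDX['spamvertizeCheck'] = wfIssues::statusStart(__("Checking if your site is being Spamvertised", 'wordfence'));
	$this->scanController->startStage(wfScanner::STAGE_SPAMVERTISING_CHECKS);
	$result = $this->api->call('spamvertize_check', array(), array(
		'siteURL' => site_url()
	));

	$haveIssues = wfIssues::STATUS_SECURE;
	if (!empty($result['haveIssues']) && isset($result['issues']) && is_array($result['issues'])) {
		foreach ($result['issues'] as $issue) {
			$added = $this->addIssue($issue['type'], wfIssues::SEVERITY_CRITICAL, $issue['ignoreP'], $issue['ignoreC'], $issue['shortMsg'], $issue['longMsg'], $issue['data']);
			if ($added == wfIssues::ISSUE_ADDED || $added == wfIssues::ISSUE_UPDATED) {
				$haveIssues = wfIssues::STATUS_PROBLEM;
			} else if ($haveIssues != wfIssues::STATUS_PROBLEM && ($added == wfIssues::ISSUE_IGNOREP || $added == wfIssues::ISSUE_IGNOREC)) {
				// An ignored issue must not mask a real problem found earlier in the list.
				$haveIssues = wfIssues::STATUS_IGNORED;
			}
		}
	}
	wfIssues::statusEnd($this->statusIDX['spamvertizeCheck'], $haveIssues);
	$this->scanController->completeStage(wfScanner::STAGE_SPAMVERTISING_CHECKS, $haveIssues);
}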
private function _scannedSkippedPaths() {
static $_cache = null;
if ($_cache === null) {
$scanPaths = array();
$directoryConstants = array(
'WP_PLUGIN_DIR' => '/wp-content/plugins',
'UPLOADS' => '/wp-content/uploads',
'WP_CONTENT_DIR' => '/wp-content',
);
foreach ($directoryConstants as $constant => $wordpressPath) {
if (!defined($constant))
continue;
$path = constant($constant);
if (!empty($path)) {
if ($constant === 'UPLOADS')
$path = ABSPATH . $path;
try {
$scanPaths[] = new wfScanPath(
ABSPATH,
$path,
$wordpressPath
);
}
catch (wfInvalidPathException $e) {
//Ignore invalid scan paths
wordfence::status(4, 'info', sprintf(__("Ignoring invalid scan path: %s", 'wordfence'), $e->getPath()));
}
}
}
$scanPaths[] = new wfScanPath(
ABSPATH,
ABSPATH,
'/',
array('.htaccess', 'index.php', 'license.txt', 'readme.html', 'wp-activate.php', 'wp-admin', 'wp-app.php', 'wp-blog-header.php', 'wp-comments-post.php', 'wp-config-sample.php', 'wp-content', 'wp-cron.php', 'wp-includes', 'wp-links-opml.php', 'wp-load.php', 'wp-login.php', 'wp-mail.php', 'wp-pass.php', 'wp-register.php', 'wp-settings.php', 'wp-signup.php', 'wp-trackback.php', 'xmlrpc.php', '.well-known', 'cgi-bin')
);
if (WF_IS_FLYWHEEL && !empty($_SERVER['DOCUMENT_ROOT'])) {
$scanPaths[] = new wfScanPath(
ABSPATH,
$_SERVER['DOCUMENT_ROOT'],
'/../'
);
}
$scanOutside = $this->scanController->scanOutsideWordPress();
$entrypoints = array();
foreach ($scanPaths as $scanPath) {
if (!$scanOutside && $scanPath->hasExpectedFiles()) {
try {
foreach ($scanPath->getContents() as $fileName) {
try {
$file = $scanPath->createScanFile($fileName);
if (wfUtils::fileTooBig($file->getRealPath()))
continue;
$entrypoint = new wfScanEntrypoint($file);
if ($scanPath->expectsFile($fileName) || wfFileUtils::isReadableFile($file->getRealPath())) {
$entrypoint->setIncluded();
}
$entrypoint->addTo($entrypoints);
}
catch (wfInvalidPathException $e) {
wordfence::status(4, 'info', sprintf(__("Ignoring invalid expected scan file: %s", 'wordfence'), $e->getPath()));
}