
Changeset 3203450


Timestamp:
12/06/2024 08:12:30 AM (15 months ago)
Author:
developer1998
Message:

Tested with WordPress version 6.7.2

Location:
security-checker-for-themes/trunk
Files:
2 edited

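--- a/security-checker-for-themes/trunk/readme.txt
+++ b/security-checker-for-themes/trunk/readme.txt
@@ -3,7 +3,7 @@
 Tags: security, code analysis, WordPress themes, coding standards, vulnerabilities
 Requires at least: 5.0
-Tested up to: 6.6
+Tested up to: 6.7.2
 Requires PHP: 7.2
-Stable tag: 1.0.0
+Stable tag: 1.1.0
 License: GPLv2 or later
 License URI: https://www.gnu.org/licenses/gpl-2.0.html
@@ -64,9 +64,16 @@
 == Changelog ==
 
-= 1.0.0 =
-* Initial release
+= 1.1.0 2024-12-06 =
 
-== Upgrade Notice ==
+**Security Checker for Themes**
 
-= 1.0.0 =
-* Initial release. No upgrade required.
+* Added - Detection for hardcoded URLs, recommending using dynamic WordPress functions like `home_url()` or `site_url()`.
+* Added - Enhanced security checks for potential issues like insecure file handling and weak encryption methods.
+* Added - Exclusion of external resources from unnecessary warning triggers.
+* Improved - Scoring system and visual reports to provide clearer insights into code quality.
+
+= 1.0.0 2024-09-06 =
+
+**Security Checker for Themes**
+
+* Initial release of the plugin to analyze themes for coding standards, security vulnerabilities, and best practices.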
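--- a/security-checker-for-themes/trunk/security-checker-for-themes.php
+++ b/security-checker-for-themes/trunk/security-checker-for-themes.php
@@ -3,5 +3,5 @@
 Plugin Name: Security Checker for Themes
 Description: Analyze your WordPress theme's code for issues, security vulnerabilities, and adherence to coding standards with a detailed report and score.
-Version: 1.0.0
+Version: 1.1.0
 Author: Harpalsinh Parmar
 Author URI: https://profiles.wordpress.org/developer1998/
@@ -37,5 +37,4 @@
             wp_enqueue_style( 'wpcode-plugin-styles', plugins_url( 'assets/css/styles.css', __FILE__ ), array(), '1.0.0' );
             wp_enqueue_script('wpcode-plugin-js', plugin_dir_url(__FILE__) . 'assets/js/scripts.js', array('jquery'), '1.0.0', true);
-            //wp_enqueue_script('wpcode-chart-js', plugin_dir_url(__FILE__) . 'assets/js/Chart.js', array('jquery'), '4.4.4', false);
         }
     }
@@ -505,4 +504,61 @@
                 ];
             }
+            if (preg_match('/\bsession_start\b/', $line) || preg_match('/\bsession_destroy\b/', $line)) {
+                $issues[] = [
+                    'type' => 'Warning',
+                    'line' => $line_number + 1,
+                    'message' => "Warning: Direct use of sessions found. Use WordPress transients or options API for state management."
+                ];
+            }
+            if (preg_match('/<script>.*<\/script>/i', $line) && !preg_match('/wp_localize_script|wp_enqueue_script/', $line)) {
+                $issues[] = [
+                    'type' => 'Warning',
+                    'line' => $line_number + 1,
+                    'message' => "Warning: Inline JavaScript found. Use wp_enqueue_script() and wp_localize_script() to output scripts safely."
+                ];
+            }
+            if (preg_match('/\$wpdb->query\b/', $line) && !preg_match('/prepare\(/', $line)) {
+                $issues[] = [
+                    'type' => 'Error',
+                    'line' => $line_number + 1,
+                    'message' => "Error: Unprepared database query using \$wpdb->query() found. Use \$wpdb->prepare() to prevent SQL injection."
+                ];
+            }
+            if (preg_match('/\bchmod\b/', $line) || preg_match('/\bchown\b/', $line)) {
+                $issues[] = [
+                    'type' => 'Warning',
+                    'line' => $line_number + 1,
+                    'message' => "Warning: Direct file permission modification found. Use WordPress filesystem API for handling file permissions."
+                ];
+            }
+            if (preg_match('/\bsleep\b/', $line)) {
+                $issues[] = [
+                    'type' => 'Suggestion',
+                    'line' => $line_number + 1,
+                    'message' => "Suggestion: Avoid using sleep(). Use WP-Cron for scheduled tasks."
+                ];
+            }
+            if (preg_match('/https?:\/\/[^\s\'"]+/', $line) &&
+                !preg_match('/get_bloginfo\(|home_url\(|site_url\(|cdn\.|ajax\.googleapis\.com/', $line)) {
+                $issues[] = [
+                    'type' => 'Warning',
+                    'line' => $line_number + 1,
+                    'message' => "Warning: Hardcoded URL found. Use home_url() or site_url() for dynamic URLs."
+                ];
+            }
+            if (preg_match('/\bwp_ajax_\b/', $line) && !preg_match('/check_ajax_referer\(/', $line)) {
+                $issues[] = [
+                    'type' => 'Warning',
+                    'line' => $line_number + 1,
+                    'message' => "Warning: Missing nonce validation in AJAX requests. Use check_ajax_referer() to secure requests."
+                ];
+            }
+            if (preg_match('/\/wp-content\/|\/wp-includes\/|\/wp-admin\//', $line) && !preg_match('/ABSPATH|WP_CONTENT_DIR/', $line)) {
+                $issues[] = [
+                    'type' => 'Warning',
+                    'line' => $line_number + 1,
+                    'message' => "Warning: Hardcoded paths found. Use WordPress constants like ABSPATH or WP_CONTENT_DIR."
+                ];
+            }
         }
 
@@ -515,4 +571,5 @@
             'is_user_admin' => 'Use current_user_can(\'manage_options\') instead.',
             'wp_get_sites' => 'Use get_sites() instead.',
+            'bwp_register_sidebar_widget' => 'Use wp_register_widget_control() instead.',
             'user_can_create_post' => 'Use current_user_can(\'publish_posts\') instead.',
             'get_currentuserinfo' => 'Use wp_get_current_user() instead.',
@@ -594,5 +651,4 @@
         if (array_key_exists($errno, $error_types)) {
             $message = "{$error_types[$errno]}: $errstr in $errfile on line $errline";
-            error_log($message);
             return true;
         }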
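Review bot: The AJAX nonce rule at new line 549 can never match a real hook name, because the trailing `\b` in `/\bwp_ajax_\b/` needs a non-word character right after the underscore, while `wp_ajax_my_action` continues with a word character; the pattern that matches hook registrations is `'/\bwp_ajax_(?:nopriv_)?\w+/'`. Once it does match, the second condition is still line-local, and `check_ajax_referer(` almost never sits on the same line as the `add_action('wp_ajax_…')` call (it lives in the callback), so the rule would warn on every registration — the message should be worded as a reminder to verify the callback, or the check moved to the callback body. The loop that contains these per-line checks starts outside the hunk. Separately, the last hunk drops the only `error_log($message)` call while the handler still returns `true`, so matched errors are now neither logged nor passed to PHP's default handler; if that is deliberate, a comment such as `// Intentionally not logged: handled errors are reported through the scan output` would make the intent clear.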