Context Navigation

← Previous Changeset
Next Changeset →

Changeset 3381342

Timestamp:

10/20/2025 01:48:45 PM (4 months ago)

Author:

wpfixit

Message:

Improved scanner performance

Location:

folder-auditor

Files:

: 74 added
: 9 edited

tags/4.7 (added)
tags/4.7/assets (added)
tags/4.7/assets/admin.js (added)
tags/4.7/assets/brand-banner.webp (added)
tags/4.7/assets/dark-icon.png (added)
tags/4.7/assets/email.jpg (added)
tags/4.7/assets/icon.png (added)
tags/4.7/assets/style.css (added)
tags/4.7/folder-auditor.php (added)
tags/4.7/includes (added)
tags/4.7/includes/bridge (added)
tags/4.7/includes/bridge/class-wpfa-mainwp-bridge.php (added)
tags/4.7/includes/bridge/unlock-relock.php (added)
tags/4.7/includes/class-wp-folder-auditor.php (added)
tags/4.7/includes/handlers (added)
tags/4.7/includes/handlers/handler-actions.php (added)
tags/4.7/includes/handlers/handler-content.php (added)
tags/4.7/includes/handlers/handler-htaccess.php (added)
tags/4.7/includes/handlers/handler-plugins.php (added)
tags/4.7/includes/handlers/handler-root.php (added)
tags/4.7/includes/handlers/handler-scanner.php (added)
tags/4.7/includes/handlers/handler-settings.php (added)
tags/4.7/includes/handlers/handler-themes.php (added)
tags/4.7/includes/handlers/handler-uploads.php (added)
tags/4.7/includes/helpers (added)
tags/4.7/includes/helpers/admin.php (added)
tags/4.7/includes/helpers/health-score (added)
tags/4.7/includes/helpers/health-score/health-score-display.php (added)
tags/4.7/includes/helpers/health-score/health-score-functions.php (added)
tags/4.7/includes/helpers/html-export.php (added)
tags/4.7/includes/helpers/lock-system (added)
tags/4.7/includes/helpers/lock-system/folder-locker.php (added)
tags/4.7/includes/helpers/lock-system/traits (added)
tags/4.7/includes/helpers/lock-system/traits/WPFA_Folder_Locker_Trait_Actions.php (added)
tags/4.7/includes/helpers/lock-system/traits/WPFA_Folder_Locker_Trait_Assets.php (added)
tags/4.7/includes/helpers/lock-system/traits/WPFA_Folder_Locker_Trait_Cache.php (added)
tags/4.7/includes/helpers/lock-system/traits/WPFA_Folder_Locker_Trait_FS.php (added)
tags/4.7/includes/helpers/lock-system/traits/WPFA_Folder_Locker_Trait_FSModal.php (added)
tags/4.7/includes/helpers/lock-system/traits/WPFA_Folder_Locker_Trait_NoticesBar.php (added)
tags/4.7/includes/helpers/lock-system/traits/WPFA_Folder_Locker_Trait_Request.php (added)
tags/4.7/includes/helpers/lock-system/traits/WPFA_Folder_Locker_Trait_Status.php (added)
tags/4.7/includes/helpers/lock-system/traits/WPFA_Folder_Locker_Trait_Targets.php (added)
tags/4.7/includes/helpers/reports (added)
tags/4.7/includes/helpers/reports/index.html (added)
tags/4.7/includes/helpers/safe-paths.php (added)
tags/4.7/includes/helpers/scanner (added)
tags/4.7/includes/helpers/scanner/patterns.php (added)
tags/4.7/includes/helpers/scanner/scanner.php (added)
tags/4.7/includes/helpers/security-headers.php (added)
tags/4.7/includes/helpers/user-security.php (added)
tags/4.7/includes/summaries (added)
tags/4.7/includes/summaries/summary-content.php (added)
tags/4.7/includes/summaries/summary-htaccess.php (added)
tags/4.7/includes/summaries/summary-plugins.php (added)
tags/4.7/includes/summaries/summary-root.php (added)
tags/4.7/includes/summaries/summary-themes.php (added)
tags/4.7/includes/summaries/summary-totals.php (added)
tags/4.7/includes/summaries/summary-uploads.php (added)
tags/4.7/includes/views (added)
tags/4.7/includes/views/view-audit.php (added)
tags/4.7/includes/views/view-content.php (added)
tags/4.7/includes/views/view-dashboard.php (added)
tags/4.7/includes/views/view-header.php (added)
tags/4.7/includes/views/view-htaccess-files.php (added)
tags/4.7/includes/views/view-html-export.php (added)
tags/4.7/includes/views/view-plugins.php (added)
tags/4.7/includes/views/view-root.php (added)
tags/4.7/includes/views/view-scanner.php (added)
tags/4.7/includes/views/view-security.php (added)
tags/4.7/includes/views/view-settings.php (added)
tags/4.7/includes/views/view-themes.php (added)
tags/4.7/includes/views/view-uploads.php (added)
tags/4.7/readme.txt (added)
trunk/folder-auditor.php (modified) (1 diff)
trunk/includes/handlers/handler-htaccess.php (modified) (1 diff)
trunk/includes/helpers/scanner/patterns.php (added)
trunk/includes/helpers/scanner/scanner.php (modified) (1 diff)
trunk/includes/summaries/summary-htaccess.php (modified) (1 diff)
trunk/includes/summaries/summary-plugins.php (modified) (1 diff)
trunk/includes/summaries/summary-uploads.php (modified) (1 diff)
trunk/includes/views/view-htaccess-files.php (modified) (1 diff)
trunk/includes/views/view-plugins.php (modified) (1 diff)
trunk/includes/views/view-uploads.php (modified) (1 diff)

Legend:

: Unmodified
: Added
: Removed

folder-auditor/trunk/folder-auditor.php

r3380575	r3381342
3	3	* Plugin Name: Guard Dog Security & Site Lock
4	4	* Description: Helps WordPress administrators take full control of their site. It scans critical areas including the root directory, wp-content, plugins, themes, uploads, and .htaccess files to detect anything suspicious such as orphaned folders, leftover files, or hidden PHP in uploads. From the WordPress dashboard, you can safely review, download, or remove items that don’t belong, with built-in protection to ensure required resources remain untouched. In addition, Guard Dog Security lets you lock all files and folders as read-only, preventing unauthorized changes, additions, or deletions to your WordPress installation.
5		* Version: 4.6
	5	* Version: 4.7
6	6	* Author: WP Fix It
7	7	* Author URI: https://www.wpfixit.com

folder-auditor/trunk/includes/handlers/handler-htaccess.php

-                      r3374418
+                      r3381342
 <?php
 /**
  * .htaccess Handlers for Folder Auditor
+ *
  * Manages ignore/include, download, and delete operations for .htaccess files.
  * Includes bulk operations with nonce & capability checks, plus safe-path resolution.
+ *
  * Note: This trait expects the class to provide fa_require_filesystem()
  * (e.g., via WPFA_content_handler_functions).
  */
 if ( ! defined( 'ABSPATH' ) ) { exit; } // No direct access 👮
 trait WPFA_htaccess_handler_functions {
 // AJAX: view a single .htaccess file's contents in a modal.
 // Action: wp_ajax_folder_auditor_htaccess_view
 public function handle_htaccess_view_ajax() {
     if ( ! $this->can_manage() ) {
         wp_send_json_error( array( 'message' => __( 'You do not have permission to do this.', 'folder-auditor' ) ), 403 );
+    }
     $rel = (string) ( filter_input( INPUT_POST, 'rel', FILTER_UNSAFE_RAW ) ?? '' );
     $rel = sanitize_text_field( $rel );
     // Row-specific nonce: 'fa_htaccess_view_' . md5($rel)
     if ( ! check_ajax_referer( 'fa_htaccess_view_' . md5( $rel ), '_wpnonce', false ) ) {
         wp_send_json_error( array( 'message' => __( 'Invalid or expired nonce.', 'folder-auditor' ) ), 400 );
+    }
     $abs = $this->get_safe_htaccess_file( $rel );
     if ( ! $abs ) {
         wp_send_json_error( array( 'message' => __( 'Invalid file.', 'folder-auditor' ) ), 400 );
+    }
     // Read via WP_Filesystem if available
     $wp_filesystem = $this->fa_require_filesystem();
     $contents      = false;
     if ( $wp_filesystem && method_exists( $wp_filesystem, 'get_contents' ) ) {
         $contents = $wp_filesystem->get_contents( $abs );
     } else {
         // Fallback
         $contents = @file_get_contents( $abs );
+    }
     if ( false === $contents ) {
         wp_send_json_error( array( 'message' => __( 'Unable to read file (permissions?).', 'folder-auditor' ) ), 500 );
+    }
     // Safety limits: truncate large files (e.g., 200KB)
     $max_bytes = 200 * 1024;
     $truncated = false;
     if ( strlen( $contents ) > $max_bytes ) {
         $contents  = substr( $contents, 0, $max_bytes );
         $truncated = true;
+    }
     // Return plain text (do not escape here; consumer will display in <pre>)
     wp_send_json_success( array(
         'rel'       => $rel,
         'size'      => (int) @filesize( $abs ),
         'mtime'     => (int) @filemtime( $abs ),
         'truncated' => $truncated,
         'content'   => $contents,
     ) );
+}
     /**
  * Try to delete a single .htaccess file robustly:
  * 1) Attempt delete
  * 2) If fail: chmod file, try again
  * 3) If still fail: chmod parent dir, try again
+ *
  * @param string            $abs_file     Normalized absolute path to .htaccess
  * @param WP_Filesystem_Base $fs          Filesystem API (Direct)
  * @return bool
  */
 private function try_delete_htaccess( string $abs_file, $fs ) : bool {
     $ok = true;
     // 1) Straight delete
     if ( method_exists( $fs, 'delete' ) ) {
         $ok = $fs->delete( $abs_file, false, 'f' );
     } else {
         $ok = (bool) wp_delete_file( $abs_file );
+    }
     if ( $ok ) { return true; }
     // 2) Make file writable and retry
     if ( method_exists( $fs, 'chmod' ) ) { @ $fs->chmod( $abs_file, 0644 ); }
     if ( method_exists( $fs, 'delete' ) ) {
         $ok = $fs->delete( $abs_file, false, 'f' );
     } else {
         $ok = (bool) wp_delete_file( $abs_file );
+    }
     if ( $ok ) { return true; }
     // 3) Loosen parent dir perms (read/execute for owner at least), retry
     $parent = wp_normalize_path( dirname( $abs_file ) );
     if ( $parent && is_dir( $parent ) && method_exists( $fs, 'chmod' ) ) {
         @ $fs->chmod( $parent, 0755 );
+    }
     if ( method_exists( $fs, 'delete' ) ) {
         $ok = $fs->delete( $abs_file, false, 'f' );
     } else {
         $ok = (bool) wp_delete_file( $abs_file );
+    }
     return (bool) $ok;
+}
     /**
      * Ignore all discovered .htaccess files (adds every relative path to the ignore set).
+     *
      * Nonce: 'fa_htaccess_ignore_all'
      */
     public function handle_htaccess_ignore_all() {
         if ( ! $this->can_manage() ) {
             wp_die( esc_html__( 'You do not have permission to do this.', 'folder-auditor' ) );
+        }
+        }
         check_admin_referer( 'fa_htaccess_ignore_all' );
         $base = realpath( ABSPATH );
         if ( ! $base || ! is_dir( $base ) ) {
             wp_safe_redirect( admin_url( 'admin.php?page=' . self::MENU_SLUG . '&tab=htaccess' ) );
             exit;
+        }
+        }
         // 1) Scan absolute paths
         $all_abs = $this->scan_htaccess_for_bulk( $base );
         // 2) Convert to view-friendly relative paths
         $added = 0;
         $total = 0;
         $sets = $this->get_ignored(); // Full ignore sets
         if ( ! isset( $sets['htaccess'] ) || ! is_array( $sets['htaccess'] ) ) {
             $sets['htaccess'] = [];
+        }
+        }
 foreach ( (array) $all_abs as $abs ) {
     $total++;
     // Ensure normalized/contained, then compute rel
     $abs_norm = wp_normalize_path( realpath( $abs ) ?: $abs );
     if ( strpos( $abs_norm, wp_normalize_path( $base ) ) !== 0 ) { continue; }
     $rel = ltrim( str_replace( wp_normalize_path( $base ), '', $abs_norm ), '/\\' );
     if ( $rel === '' ) { continue; }
     if ( empty( $sets['htaccess'][ $rel ] ) ) {
         $sets['htaccess'][ $rel ] = true;
         $added++;
+    }
+}
         // 3) Persist
         $this->save_ignored( $sets );
         // 4) Back to the tab with a summary
         $redirect = add_query_arg(
+            [
                 'page'                    => self::MENU_SLUG,
                 'tab'                     => 'htaccess',
                 'fa_htaccess_ignored_all' => (int) $added,
                 'fa_htaccess_ignored_tot' => (int) $total,
             ],
             admin_url( 'admin.php' )
         );
         wp_safe_redirect( $redirect );
         exit;
+    }
     /**
      * Bulk action handler for .htaccess rows (delete | ignore | include).
+     *
      * Nonce: 'fa_htaccess_bulk'
      * POST: bulk[row_key]={delete|ignore|include}, rel[row_key]={relative path}
      */
     public function handle_htaccess_bulk() {
         if ( ! $this->can_manage() ) {
             wp_die( esc_html__( 'You do not have permission to do this.', 'folder-auditor' ) );
+        }
+        }
         // CSRF (do not touch $_POST['_wpnonce'] directly)
         check_admin_referer( 'fa_htaccess_bulk' );
 // Fetch arrays from POST without touching superglobals (avoids WPCS warnings).
 $bulk_raw = (array) ( filter_input( INPUT_POST, 'bulk', FILTER_DEFAULT, FILTER_REQUIRE_ARRAY ) ?: array() );
 $rels_raw = (array) ( filter_input( INPUT_POST, 'rel',  FILTER_DEFAULT, FILTER_REQUIRE_ARRAY ) ?: array() );
 // Sanitize into new arrays (both keys and values).
 $bulk = array();
 foreach ( $bulk_raw as $k => $v ) {
     $bulk[ sanitize_text_field( (string) $k ) ] = sanitize_text_field( (string) $v );
+}
 $rels = array();
 foreach ( $rels_raw as $k => $v ) {
     $rels[ sanitize_text_field( (string) $k ) ] = sanitize_text_field( (string) $v );
+}
         $deleted         = 0;
         $ignored_added   = 0;
         $ignored_removed = 0;
         $wp_filesystem = $this->fa_require_filesystem();
         foreach ( $rels as $row_key => $rel ) {
             $choice = isset( $bulk[ $row_key ] ) ? $bulk[ $row_key ] : '';
             if ( ! in_array( $choice, array( 'delete', 'ignore', 'include' ), true ) ) {
                 continue; // skip unknown/no-op
+            }
             if ( 'delete' === $choice ) {
                 $abs = $this->get_safe_htaccess_file( $rel );
                 if ( $abs && is_file( $abs ) && basename( $abs ) === '.htaccess' ) {
                     // Prefer Filesystem API; fallback to wp_delete_file (no raw unlink/chmod)
                     $ok = true;
                     if ( method_exists( $wp_filesystem, 'delete' ) ) {
                         if ( method_exists( $wp_filesystem, 'chmod' ) ) {
                             @$wp_filesystem->chmod( $abs, FS_CHMOD_FILE );
+                        }
                         $ok = $wp_filesystem->delete( $abs, false, 'f' );
                     } else {
                         $ok = (bool) wp_delete_file( $abs );
+                    }
                     if ( $ok ) {
                         $deleted++;
                         // Remove from ignore set if it was tracked
                         $this->ignore_remove( 'htaccess', $rel );
+                    }
+                }
             } elseif ( 'ignore' === $choice ) {
                 $this->ignore_add( 'htaccess', $rel );
                 $ignored_added++;
             } elseif ( 'include' === $choice ) {
                 $this->ignore_remove( 'htaccess', $rel );
                 $ignored_removed++;
+            }
+        }
+        }
         // UX: bounce back with a summary; preserve pagination if present
         $args = array(
             'page'         => self::MENU_SLUG,
             'tab'          => 'htaccess',
             'fa_bulk_done' => 1,
             'fa_deleted'   => $deleted,
             'fa_ignored'   => $ignored_added,
             'fa_included'  => $ignored_removed,
         );
         if ( isset( $_GET['fa_paged'] ) ) {
             $args['fa_paged'] = (int) $_GET['fa_paged'];
+        }
+        }
         wp_safe_redirect( add_query_arg( $args, admin_url( 'admin.php' ) ) );
         exit;
+    }
     /**
      * Count .htaccess files under ABSPATH (skips common heavy/vendor dirs).
      */
     private function count_htaccess_files() : int {
         $base = realpath( ABSPATH );
         if ( ! $base || ! is_dir( $base ) ) { return 0; }
         $skip  = array( '.git', '.svn', 'node_modules', 'vendor', 'cache', 'backups', 'backup' );
         $count = 0;
         try {
             $it = new RecursiveIteratorIterator(
                 new RecursiveDirectoryIterator( $base, FilesystemIterator::SKIP_DOTS ),
                 RecursiveIteratorIterator::SELF_FIRST
             );
             foreach ( $it as $fi ) {
                 if ( $fi->isDir() ) {
                     if ( in_array( $fi->getBasename(), $skip, true ) ) { $it->next(); continue; }
                 } elseif ( $fi->isFile() && $fi->getBasename() === '.htaccess' ) {
                     $real = realpath( $fi->getPathname() );
                     if ( $real && strpos( $real, $base ) === 0 ) { $count++; }
+                }
+            }
         } catch ( \Exception $e ) { /* ignore */ }
         return $count;
+    }
     /**
+     * Build a summary for the .htaccess metric card (raw vs effective, honoring "ignored").
+     * Delete ALL .htaccess files under ABSPATH (2-pass attempt for robustness).
+     *
+     * @return array {
+     *   @type string key
+     *   @type string label
+     *   @type string tab
+     *   @type int    count            Raw total
+     *   @type int    count_effective  Total minus ignored
+     * }
+     * Nonce: 'fa_htaccess_delete_all'
      */
+    private function summary_htaccess() : array {
+        $base    = realpath( ABSPATH );
+        $all_abs = [];
+        $all_rel = [];
+        if ( $base && is_dir( $base ) && is_readable( $base ) ) {
+            try {
+                $it = new RecursiveIteratorIterator(
+                    new RecursiveDirectoryIterator( $base, FilesystemIterator::SKIP_DOTS ),
+                    RecursiveIteratorIterator::SELF_FIRST
+                );
+                $skip = [ '.git', '.svn', 'node_modules', 'vendor', 'cache', 'backups', 'backup' ];
+                foreach ( $it as $fi ) {
+                    if ( $fi->isDir() ) {
+                        if ( in_array( $fi->getBasename(), $skip, true ) ) { $it->next(); }
+                        continue;
+                    }
+                    if ( ! $fi->isFile() ) { continue; }
+                    if ( $fi->getBasename() !== '.htaccess' ) { continue; }
+                    $abs = realpath( $fi->getPathname() );
+                    if ( ! $abs ) { continue; }
+                    if ( strpos( $abs, $base ) !== 0 ) { continue; }
+                    $all_abs[] = $abs;
+                    $all_rel[] = ltrim( str_replace( $base, '', $abs ), '/\\' ); // same rel format as view
+public function handle_htaccess_delete_all() {
+    if ( ! $this->can_manage() ) { wp_die( esc_html__( 'You do not have permission to do this.', 'folder-auditor' ) ); }
+    check_admin_referer( 'fa_htaccess_delete_all' );
+    if ( function_exists( 'ignore_user_abort' ) ) { ignore_user_abort( true ); }
+    if ( function_exists( 'set_time_limit' ) ) { @set_time_limit( 0 ); } // phpcs:ignore
+    if ( function_exists( 'ini_set' ) ) { @ini_set( 'max_execution_time', '0' ); } // phpcs:ignore
+    $abs_root = realpath( ABSPATH );
+    if ( ! $abs_root || ! is_dir( $abs_root ) || ! is_readable( $abs_root ) ) {
+        wp_safe_redirect( admin_url( 'admin.php?page=' . self::MENU_SLUG . '&tab=htaccess' ) );
+        exit;
+    }
+    $root_norm     = wp_normalize_path( $abs_root );
+    $wp_filesystem = $this->fa_require_filesystem();
+    $scan          = function() use ( $abs_root ) { return $this->scan_htaccess_for_bulk( $abs_root ); };
+    $total_deleted = 0;
+    $total_failed  = 0;
+    // ---- progress-driven loop with time budget ----
+    $deadline_sec  = 30;                               // adjust if you want
+    $deadline_at   = microtime( true ) + $deadline_sec;
+    $stable_scans  = 0;                                // need 2 consecutive stable scans to stop
+    $last_left     = null;
+    while ( microtime( true ) < $deadline_at ) {
+        $files = $scan();
+        $left  = count( $files );
+        // Already stable?
+        if ( $left === 0 ) { break; }
+        if ( $last_left !== null && $left === $last_left ) {
+            $stable_scans++;
+            if ( $stable_scans >= 2 ) { break; }       // nothing is changing anymore
+        } else {
+            $stable_scans = 0;
+            $last_left    = $left;
+        }
+        // Depth-first: longer paths first
+        usort( $files, static function( $a, $b ){ return strlen( $b ) <=> strlen( $a ); });
+        $deleted_this_pass = 0;
+        foreach ( $files as $abs ) {
+            $real = realpath( $abs );
+            if ( ! $real ) { $total_failed++; continue; }
+            $real_norm = wp_normalize_path( $real );
+            if ( strpos( $real_norm, $root_norm ) !== 0 || basename( $real_norm ) !== '.htaccess' || ! is_file( $real_norm ) ) {
+                $total_failed++; continue;
+            }
+            $ok = $this->try_delete_htaccess( $real_norm, $wp_filesystem );
+            if ( $ok ) {
+                $deleted_this_pass++; $total_deleted++;
+                if ( method_exists( $this, 'ignore_remove' ) ) {
+                    $rel = ltrim( str_replace( $root_norm, '', $real_norm ), '/\\' );
+                    $this->ignore_remove( 'htaccess', $rel );
+                }
+            } catch ( \Exception $e ) { /* ignore */ }
+        }
+        $raw_count = count( $all_rel );
+        // Apply ignore set (bucket: 'htaccess'; keys are REL paths like "wp-content/uploads/.htaccess")
+        $ignored        = method_exists( $this, 'get_ignored' ) ? (array) $this->get_ignored() : [];
+        $ignored_keys   = array_keys( (array) ( $ignored['htaccess'] ?? [] ) );
+        $ignored_in_set = count( array_intersect( $all_rel, $ignored_keys ) );
+        $count_effective = max( 0, $raw_count - $ignored_in_set );
+        return [
+            'key'             => 'htaccess',
+            'label'           => __( '.htaccess Files', 'folder-auditor' ),
+            'tab'             => 'htaccess',
+            'count'           => (int) $raw_count,         // raw total for display
+            'count_effective' => (int) $count_effective,   // excludes ignored (for health score)
+        ];
+            } else {
+                $total_failed++;
+            }
+        }
+        // Make sure PHP/FS caches are flushed and give the FS a breath
+        if ( function_exists( 'clearstatcache' ) ) { clearstatcache( true ); }
+        usleep( 150000 ); // 150ms; helps on NFS/slow FS
+        // If nothing deleted in this pass, mark stability (second check happens at loop head)
+        if ( $deleted_this_pass === 0 ) { /* no-op - stability logic above will catch this */ }
+    }
+    $remaining = count( $scan() );
+    $args = array(
+        'page'             => self::MENU_SLUG,
+        'tab'              => 'htaccess',
+        'fa_htaccess_bulk' => (int) $total_deleted,
+        'fa_htaccess_fail' => (int) $total_failed,
+        'fa_htaccess_left' => (int) $remaining,
+    );
+    wp_safe_redirect( add_query_arg( $args, admin_url( 'admin.php' ) ) );
+    exit;
+}
     /**
+     * Delete ALL .htaccess files under ABSPATH (2-pass attempt for robustness).
+     * Utility: scan for .htaccess files under a root (absolute paths).
+     *
+     * Nonce: 'fa_htaccess_delete_all'
+     * @param string $root
+     * @return string[] absolute paths
      */
+public function handle_htaccess_delete_all() {
+    if ( ! $this->can_manage() ) { wp_die( esc_html__( 'You do not have permission to do this.', 'folder-auditor' ) ); }
+    check_admin_referer( 'fa_htaccess_delete_all' );
+    if ( function_exists( 'ignore_user_abort' ) ) { ignore_user_abort( true ); }
+    if ( function_exists( 'set_time_limit' ) ) { @set_time_limit( 0 ); } // phpcs:ignore
+    if ( function_exists( 'ini_set' ) ) { @ini_set( 'max_execution_time', '0' ); } // phpcs:ignore
+    $abs_root = realpath( ABSPATH );
+    if ( ! $abs_root || ! is_dir( $abs_root ) || ! is_readable( $abs_root ) ) {
+        wp_safe_redirect( admin_url( 'admin.php?page=' . self::MENU_SLUG . '&tab=htaccess' ) );
+private function scan_htaccess_for_bulk( $root ) {
+    $found = [];
+    if ( ! $root || ! is_dir( $root ) ) { return $found; }
+    $root_real = realpath( $root );
+    if ( ! $root_real ) { return $found; }
+    $root_norm = wp_normalize_path( $root_real );
+    // Keep this list in sync with other scanners
+    $skip = array( '.git', '.svn', 'node_modules', 'vendor', 'cache', 'backups', 'backup' );
+    try {
+        $dirFlags = FilesystemIterator::SKIP_DOTS;
+        // Prevent UnexpectedValueException from aborting traversal on unreadable dirs
+        if ( defined('RecursiveDirectoryIterator::CATCH_GET_CHILD') ) {
+            $dirFlags |= RecursiveDirectoryIterator::CATCH_GET_CHILD;
+        }
+        $it = new RecursiveIteratorIterator(
+            new RecursiveDirectoryIterator( $root_real, $dirFlags ),
+            RecursiveIteratorIterator::SELF_FIRST
+        );
+        foreach ( $it as $fi ) {
+            // Skip heavy/vendor dirs early
+            if ( $fi->isDir() ) {
+                if ( in_array( $fi->getBasename(), $skip, true ) ) {
+                    $it->next();
+                }
+                continue;
+            }
+            if ( ! $fi->isFile() ) { continue; }
+            if ( $fi->getBasename() !== '.htaccess' ) { continue; }
+            // Normalize & safety-check (avoid symlink escapes)
+            $real = realpath( $fi->getPathname() );
+            if ( ! $real ) { continue; }
+            $real_norm = wp_normalize_path( $real );
+            if ( strpos( $real_norm, $root_norm ) !== 0 ) { continue; }
+            $found[] = $real_norm;
+        }
+    } catch ( \Exception $e ) {
+        // Swallow to keep bulk op resilient
+    }
+    return $found;
+}
+    /**
+     * Resolve a safe absolute path for a relative path under ABSPATH,
+     * restricted strictly to files literally named ".htaccess".
+     *
+     * @param string $rel Relative path (e.g., 'wp-content/uploads/.htaccess')
+     * @return string|false Absolute path if valid and safe, false otherwise
+     */
+    private function get_safe_htaccess_file( string $rel ) {
+        $rel = wp_normalize_path( sanitize_text_field( $rel ) );
+        // Deny traversal / absolute paths
+        if ( $rel === '' || strpos( $rel, '..' ) !== false || preg_match( '#^[\\/]|[a-zA-Z]:[\\\\/]#', $rel ) ) {
+            return false;
+        }
+        $base = wp_normalize_path( realpath( ABSPATH ) );
+        if ( ! $base ) { return false; }
+        $abs  = wp_normalize_path( $base . '/' . ltrim( $rel, '/\\' ) );
+        $real = realpath( $abs );
+        if ( ! $real ) { return false; }
+        $real = wp_normalize_path( $real );
+        // Must live under ABSPATH and be literally ".htaccess"
+        if ( strpos( $real, $base ) !== 0 || basename( $real ) !== '.htaccess' || ! is_file( $real ) ) {
+            return false;
+        }
+        return $real;
+    }
+    /**
+     * Download a single .htaccess file as a tiny ZIP (named "htaccess.zip").
+     *
+     * Nonce: 'fa_htaccess_download_' . md5($rel)
+     * POST:  rel
+     */
+    public function handle_htaccess_download() {
+        if ( ! $this->can_manage() ) {
+            wp_die( esc_html__( 'You do not have permission to do this.', 'folder-auditor' ) );
+        }
+        $rel = (string) ( filter_input( INPUT_POST, 'rel', FILTER_UNSAFE_RAW ) ?? '' );
+    $rel = sanitize_text_field( $rel );
+    check_admin_referer( 'fa_htaccess_download_' . md5( $rel ) );
+        $abs = $this->get_safe_htaccess_file( $rel );
+        if ( ! $abs ) {
+            wp_die( esc_html__( 'Invalid file.', 'folder-auditor' ) );
+        }
+        if ( ! class_exists( 'ZipArchive' ) ) {
+            wp_die( esc_html__( 'ZipArchive is not available on this server.', 'folder-auditor' ) );
+        }
+        // Build one-file ZIP (keeps filename exactly ".htaccess" inside)
+        $zip_file = wp_tempnam( 'fa-htaccess-' ) . '.zip';
+        $zip = new ZipArchive();
+        if ( true !== $zip->open( $zip_file, ZipArchive::CREATE | ZipArchive::OVERWRITE ) ) {
+            // Safe cleanup via WP helper
+            wp_delete_file( $zip_file );
+            wp_die( esc_html__( 'Failed to build ZIP.', 'folder-auditor' ) );
+        }
+        $zip->addFile( $abs, '.htaccess' );
+        $zip->close();
+        if ( function_exists( 'ob_get_level' ) ) {
+            while ( ob_get_level() ) { ob_end_clean(); }
+        }
+        // Use Filesystem API to read + echo; avoid readfile()
+        $wp_filesystem = $this->fa_require_filesystem();
+        $size          = is_file( $zip_file ) ? (int) filesize( $zip_file ) : 0;
+        $contents      = $wp_filesystem->get_contents( $zip_file );
+        nocache_headers();
+        header( 'Content-Type: application/zip' );
+        if ( $size > 0 ) {
+            header( 'Content-Length: ' . $size );
+        }
+        header( 'Content-Disposition: attachment; filename="htaccess.zip"; filename*=UTF-8\'\'htaccess.zip' );
+        if ( false !== $contents ) {
+            echo $contents; // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped -- sending raw file bytes
+        }
+        // Remove temp file via WP helper (no unlink()).
+        wp_delete_file( $zip_file );
         exit;
+    }
+    $root_norm     = wp_normalize_path( $abs_root );
+    $wp_filesystem = $this->fa_require_filesystem();
+    $scan          = function() use ( $abs_root ) { return $this->scan_htaccess_for_bulk( $abs_root ); };
+    $total_deleted = 0;
+    $total_failed  = 0;
+    // ---- progress-driven loop with time budget ----
+    $deadline_sec  = 30;                               // adjust if you want
+    $deadline_at   = microtime( true ) + $deadline_sec;
+    $stable_scans  = 0;                                // need 2 consecutive stable scans to stop
+    $last_left     = null;
+    while ( microtime( true ) < $deadline_at ) {
+        $files = $scan();
+        $left  = count( $files );
+        // Already stable?
+        if ( $left === 0 ) { break; }
+        if ( $last_left !== null && $left === $last_left ) {
+            $stable_scans++;
+            if ( $stable_scans >= 2 ) { break; }       // nothing is changing anymore
+    /**
+     * Delete a single .htaccess file.
+     *
+     * Nonce: 'fa_htaccess_delete_' . md5($rel)
+     * POST:  rel
+     */
+    public function handle_htaccess_delete() {
+        if ( ! $this->can_manage() ) {
+            wp_die( esc_html__( 'You do not have permission to do this.', 'folder-auditor' ) );
+        }
+        $rel = (string) ( filter_input( INPUT_POST, 'rel', FILTER_UNSAFE_RAW ) ?? '' );
+    $rel = sanitize_text_field( $rel );
+    check_admin_referer( 'fa_htaccess_delete_' . md5( $rel ) );
+        $abs = $this->get_safe_htaccess_file( $rel );
+        if ( ! $abs ) {
+            wp_die( esc_html__( 'Invalid file.', 'folder-auditor' ) );
+        }
+        $wp_filesystem = $this->fa_require_filesystem();
+        // Prefer FS API; fallback to wp_delete_file
+        $ok = true;
+        if ( method_exists( $wp_filesystem, 'delete' ) ) {
+            $ok = $wp_filesystem->delete( $abs, false, 'f' );
         } else {
+            $stable_scans = 0;
+            $last_left    = $left;
+        }
+        // Depth-first: longer paths first
+        usort( $files, static function( $a, $b ){ return strlen( $b ) <=> strlen( $a ); });
+        $deleted_this_pass = 0;
+        foreach ( $files as $abs ) {
+            $real = realpath( $abs );
+            if ( ! $real ) { $total_failed++; continue; }
+            $real_norm = wp_normalize_path( $real );
+            if ( strpos( $real_norm, $root_norm ) !== 0 || basename( $real_norm ) !== '.htaccess' || ! is_file( $real_norm ) ) {
+                $total_failed++; continue;
+            }
+            $ok = $this->try_delete_htaccess( $real_norm, $wp_filesystem );
+            if ( $ok ) {
+                $deleted_this_pass++; $total_deleted++;
+                if ( method_exists( $this, 'ignore_remove' ) ) {
+                    $rel = ltrim( str_replace( $root_norm, '', $real_norm ), '/\\' );
+                    $this->ignore_remove( 'htaccess', $rel );
+                }
+            } else {
+                $total_failed++;
+            }
+        }
+        // Make sure PHP/FS caches are flushed and give the FS a breath
+        if ( function_exists( 'clearstatcache' ) ) { clearstatcache( true ); }
+        usleep( 150000 ); // 150ms; helps on NFS/slow FS
+        // If nothing deleted in this pass, mark stability (second check happens at loop head)
+        if ( $deleted_this_pass === 0 ) { /* no-op - stability logic above will catch this */ }
+            $ok = (bool) wp_delete_file( $abs );
+        }
+        if ( ! $ok ) {
+            wp_die( esc_html__( 'Failed to delete the file (permissions?).', 'folder-auditor' ) );
+        }
+        // Back to the tab with a success context
+        $redirect = add_query_arg(
+            array(
+                'page'            => self::MENU_SLUG,
+                'tab'             => 'htaccess',
+                'fa_htaccess_msg' => rawurlencode( $rel ),
+            ),
+            admin_url( 'admin.php' )
+        );
+        wp_safe_redirect( $redirect );
+        exit;
+    }
-    $remaining = count( $scan() );
-    $args = array(
-        'page'             => self::MENU_SLUG,
-        'tab'              => 'htaccess',
-        'fa_htaccess_bulk' => (int) $total_deleted,
-        'fa_htaccess_fail' => (int) $total_failed,
-        'fa_htaccess_left' => (int) $remaining,
-    );
-    wp_safe_redirect( add_query_arg( $args, admin_url( 'admin.php' ) ) );
-    exit;
+}
-    /**
-     * Utility: scan for .htaccess files under a root (absolute paths).
+     *
-     * @param string $root
-     * @return string[] absolute paths
-     */
-private function scan_htaccess_for_bulk( $root ) {
-    $found = [];
-    if ( ! $root || ! is_dir( $root ) ) { return $found; }
-    $root_real = realpath( $root );
-    if ( ! $root_real ) { return $found; }
-    $root_norm = wp_normalize_path( $root_real );
-    // Keep this list in sync with other scanners
-    $skip = array( '.git', '.svn', 'node_modules', 'vendor', 'cache', 'backups', 'backup' );
-    try {
-        $dirFlags = FilesystemIterator::SKIP_DOTS;
-        // Prevent UnexpectedValueException from aborting traversal on unreadable dirs
-        if ( defined('RecursiveDirectoryIterator::CATCH_GET_CHILD') ) {
-            $dirFlags |= RecursiveDirectoryIterator::CATCH_GET_CHILD;
+        }
-        $it = new RecursiveIteratorIterator(
-            new RecursiveDirectoryIterator( $root_real, $dirFlags ),
-            RecursiveIteratorIterator::SELF_FIRST
-        );
-        foreach ( $it as $fi ) {
-            // Skip heavy/vendor dirs early
-            if ( $fi->isDir() ) {
-                if ( in_array( $fi->getBasename(), $skip, true ) ) {
-                    $it->next();
+                }
-                continue;
+            }
-            if ( ! $fi->isFile() ) { continue; }
-            if ( $fi->getBasename() !== '.htaccess' ) { continue; }
-            // Normalize & safety-check (avoid symlink escapes)
-            $real = realpath( $fi->getPathname() );
-            if ( ! $real ) { continue; }
-            $real_norm = wp_normalize_path( $real );
-            if ( strpos( $real_norm, $root_norm ) !== 0 ) { continue; }
-            $found[] = $real_norm;
+        }
-    } catch ( \Exception $e ) {
-        // Swallow to keep bulk op resilient
+    }
-    return $found;
+}
-    /**
-     * Resolve a safe absolute path for a relative path under ABSPATH,
-     * restricted strictly to files literally named ".htaccess".
+     *
-     * @param string $rel Relative path (e.g., 'wp-content/uploads/.htaccess')
-     * @return string|false Absolute path if valid and safe, false otherwise
-     */
-    private function get_safe_htaccess_file( string $rel ) {
-        $rel = wp_normalize_path( sanitize_text_field( $rel ) );
-        // Deny traversal / absolute paths
-        if ( $rel === '' || strpos( $rel, '..' ) !== false || preg_match( '#^[\\/]|[a-zA-Z]:[\\\\/]#', $rel ) ) {
-            return false;
+        }
-        $base = wp_normalize_path( realpath( ABSPATH ) );
-        if ( ! $base ) { return false; }
-        $abs  = wp_normalize_path( $base . '/' . ltrim( $rel, '/\\' ) );
-        $real = realpath( $abs );
-        if ( ! $real ) { return false; }
-        $real = wp_normalize_path( $real );
-        // Must live under ABSPATH and be literally ".htaccess"
-        if ( strpos( $real, $base ) !== 0 || basename( $real ) !== '.htaccess' || ! is_file( $real ) ) {
-            return false;
+        }
-        return $real;
+    }
-    /**
-     * Download a single .htaccess file as a tiny ZIP (named "htaccess.zip").
+     *
-     * Nonce: 'fa_htaccess_download_' . md5($rel)
-     * POST:  rel
-     */
-    public function handle_htaccess_download() {
-        if ( ! $this->can_manage() ) {
-            wp_die( esc_html__( 'You do not have permission to do this.', 'folder-auditor' ) );
+        }
-        $rel = (string) ( filter_input( INPUT_POST, 'rel', FILTER_UNSAFE_RAW ) ?? '' );
-    $rel = sanitize_text_field( $rel );
-    check_admin_referer( 'fa_htaccess_download_' . md5( $rel ) );
-        $abs = $this->get_safe_htaccess_file( $rel );
-        if ( ! $abs ) {
-            wp_die( esc_html__( 'Invalid file.', 'folder-auditor' ) );
+        }
-        if ( ! class_exists( 'ZipArchive' ) ) {
-            wp_die( esc_html__( 'ZipArchive is not available on this server.', 'folder-auditor' ) );
+        }
-        // Build one-file ZIP (keeps filename exactly ".htaccess" inside)
-        $zip_file = wp_tempnam( 'fa-htaccess-' ) . '.zip';
-        $zip = new ZipArchive();
-        if ( true !== $zip->open( $zip_file, ZipArchive::CREATE | ZipArchive::OVERWRITE ) ) {
-            // Safe cleanup via WP helper
-            wp_delete_file( $zip_file );
-            wp_die( esc_html__( 'Failed to build ZIP.', 'folder-auditor' ) );
+        }
-        $zip->addFile( $abs, '.htaccess' );
-        $zip->close();
-        if ( function_exists( 'ob_get_level' ) ) {
-            while ( ob_get_level() ) { ob_end_clean(); }
+        }
-        // Use Filesystem API to read + echo; avoid readfile()
-        $wp_filesystem = $this->fa_require_filesystem();
-        $size          = is_file( $zip_file ) ? (int) filesize( $zip_file ) : 0;
-        $contents      = $wp_filesystem->get_contents( $zip_file );
-        nocache_headers();
-        header( 'Content-Type: application/zip' );
-        if ( $size > 0 ) {
-            header( 'Content-Length: ' . $size );
+        }
-        header( 'Content-Disposition: attachment; filename="htaccess.zip"; filename*=UTF-8\'\'htaccess.zip' );
-        if ( false !== $contents ) {
-            echo $contents; // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped -- sending raw file bytes
+        }
-        // Remove temp file via WP helper (no unlink()).
-        wp_delete_file( $zip_file );
-        exit;
+    }
-    /**
-     * Delete a single .htaccess file.
+     *
-     * Nonce: 'fa_htaccess_delete_' . md5($rel)
-     * POST:  rel
-     */
-    public function handle_htaccess_delete() {
-        if ( ! $this->can_manage() ) {
-            wp_die( esc_html__( 'You do not have permission to do this.', 'folder-auditor' ) );
+        }
-        $rel = (string) ( filter_input( INPUT_POST, 'rel', FILTER_UNSAFE_RAW ) ?? '' );
-    $rel = sanitize_text_field( $rel );
-    check_admin_referer( 'fa_htaccess_delete_' . md5( $rel ) );
-        $abs = $this->get_safe_htaccess_file( $rel );
-        if ( ! $abs ) {
-            wp_die( esc_html__( 'Invalid file.', 'folder-auditor' ) );
+        }
-        $wp_filesystem = $this->fa_require_filesystem();
-        // Prefer FS API; fallback to wp_delete_file
-        $ok = true;
-        if ( method_exists( $wp_filesystem, 'delete' ) ) {
-            $ok = $wp_filesystem->delete( $abs, false, 'f' );
-        } else {
-            $ok = (bool) wp_delete_file( $abs );
+        }
-        if ( ! $ok ) {
-            wp_die( esc_html__( 'Failed to delete the file (permissions?).', 'folder-auditor' ) );
+        }
-        // Back to the tab with a success context
-        $redirect = add_query_arg(
-            array(
-                'page'            => self::MENU_SLUG,
-                'tab'             => 'htaccess',
-                'fa_htaccess_msg' => rawurlencode( $rel ),
-            ),
-            admin_url( 'admin.php' )
-        );
-        wp_safe_redirect( $redirect );
-        exit;
+    }
+}

folder-auditor/trunk/includes/helpers/scanner/scanner.php

-                      r3380575
+                      r3381342
         return [ $raw, $norm ];
+    }
+protected function wpfa_get_raw_patterns() : array {
+    return [
+        'socketapiupdates\\.com',
+        'adolescent_deployment',
+        'decent[-_ ]follower',
+        'Farrell\\s*-\\s*Herzog',
+        'decent_follower\\.php|class\\/pick\\.php',
+        'sneaky_arrange_calculating\\.php',
+        'fatally_unsightly_quirkily\\s*\\(|verbally_concrete\\s*\\(|indelible_ethyl\\s*\\(|eyebrow_gracefully_whitewash\\s*\\(|harp_passionate\\s*\\(',
+        '^\x7fELF',
+        '^MZ',
+        '^\xCF\xFA\xED',
+        '\b(?:require|require_once|include|include_once)\s*\(?\s*(?:@?\s*)?(?:base64_decode|str_rot13|gzinflate|gzuncompress)\s*\(',
+        'error_reporting\\s*\\(\\s*0\\s*\\)\\s*;\\s*\\$LlCam\\s*=\\s*array\\(\\s*\"\\\\x5f\\\\107\\\\x45\\\\x54\"\\s*\\)\\s*;',
+        '\\$\\{\\s*\\$LlCam\\s*\\[\\s*0\\s*\\]\\s*\\}',
+        '@?require_once\\s*[\'"](?:\\\\x7a\\\\x69\\\\x70)[^\'"]*[\'"]',
+        '\\\\x65\\\\x64\\\\x31\\\\x31\\\\x30\\\\x62\\\\x65\\\\x62\\\\x63\\\\x65\\\\x39\\\\x2e\\\\x74\\\\x6d\\\\x70',
+        'ycycsUnT3uBLqyUrzfdIDg23r',
+        '\beval\s*\(\s*base64_decode\s*\(',
+        '\bpreg_replace\s*\(\s*([\'"])\s*([^\w\s\\])(?:\\.|(?!\2).)*\2(?=[A-Za-z]*e[A-Za-z]*\1)',
+        '\b(?:include|require|include_once|require_once)\s*(?:\(\s*)?[\'"]https?:\/\/',
+        '\b(?:exec|shell_exec|system|passthru|proc_open|popen|pcntl_exec)\s*\([^)]*\$_(?:GET|POST|REQUEST|COOKIE|SERVER)\b',
+        'shell_exec\s*\([^)]*\$_REQUEST',
+        '\b(?:file_put_contents|fopen|fwrite|fputs)\s*\(\s*\$[A-Za-z_]\w*\s*,\s*base64_decode\s*\(',
+        '[\'"]\s*e\s*[\'"]\s*\.\s*[\'"]\s*val\s*[\'"]',
+        '[\'"]\s*base\s*[\'"]\s*\.\s*[\'"]\s*64\s*[\'"]\s*\.\s*[\'"]\s*decode\s*[\'"]',
+        '\$\w+\s*=\s*[\'"][a-z]{1,3}[\'"]\s*;\s*\$\w+\s*=\s*[\'"][a-z]{1,3}[\'"]\s*;\s*\$\w+\s*=\s*\$\w+\s*\.\s*\$\w+\s*\.\s*[\'"](tem|val|sert)[\'"]\s*;',
+        'ob_implicit_flush\s*\(\s*true\s*\)\s*;[\s\S]{0,160}\bob_end_flush\s*\(',
+        '(?s)(?:OPENSSL_RAW_DATA.*substr\s*\(\s*hash\s*\(\s*[\'"]sha256[\'"]|substr\s*\(\s*hash\s*\(\s*[\'"]sha256[\'"].*OPENSSL_RAW_DATA|[\'"]<\s*\/?\s*scr?\s*[\'"]\s*\.\s*[\'"]r?ipt\s*>[\'"])',
+        '(?s)\$[A-Za-z_]\w*\s*=\s*\$_(?:POST|REQUEST)\s*;.*?isset\s*\(\s*\$[A-Za-z_]\w*\s*\[[\'"][a-z0-9_]{3,}[\'"]\]\s*\).*?\$\w+\s*\(\s*\.\.\.\$\w+\s*\)',
+        '(?s)readfile\s*\(\s*base64_decode\s*\(\s*["\'][^"\']{8,}["\']\s*\)\s*\)\s*;.*?eval\s*\(\s*.*?ob_get_clean\s*\(\s*\)\s*\)\s*;',
+        'function\s*uPqmvR\s*\(',
+        'function\s*yh1\s*\(',
+        '\bUpVwwHRQ\s*\(',
+        'array_map\(\s*[\'"]md5[\'"]\s*,\s*\$_COOKIE',
+        '\$gi6\[\d+\]\s*\(\s*\$_(?:COOKIE|POST|REQUEST)',
+        'include\s*\(\s*base64_decode\s*\(\s*\$[A-Za-z_]\w*\s*\)\s*(?:\.\s*)?\)\s*;',
+        'call_user_func\s*\(\s*new\s+LiteSpeedMetaDataStore'
+    ];
+    protected function wpfa_get_raw_patterns(): array {
+        $patterns = include __DIR__ . '/patterns.php';
+        return $patterns['raw'];
+    }
+    protected function wpfa_get_patterns(): array {
+        $patterns = include __DIR__ . '/patterns.php';
+        return $patterns['scan'];
+    }
+}
-protected function wpfa_get_patterns() : array {
-    return [
-        'socketapiupdates\\.com',
-        'adolescent_deployment',
-        'decent[-_ ]follower',
-        'Farrell\\s*-\\s*Herzog',
-        'decent_follower\\.php|class\\/pick\\.php',
-        'sneaky_arrange_calculating\\.php',
-        'fatally_unsightly_quirkily\\s*\\(|verbally_concrete\\s*\\(|indelible_ethyl\\s*\\(|eyebrow_gracefully_whitewash\\s*\\(|harp_passionate\\s*\\(',
-        '^\x7fELF',
-        '^MZ',
-        '^\xCF\xFA\xED',
-        '\b(?:require|require_once|include|include_once)\s*\(?\s*(?:@?\s*)?(?:base64_decode|str_rot13|gzinflate|gzuncompress)\s*\(',
-        'error_reporting\\s*\\(\\s*0\\s*\\)\\s*;\\s*\\$LlCam\\s*=\\s*array\\s*\\(',
-        '\\$\\{\\s*\\$LlCam\\s*\\[\\s*0\\s*\\]\\s*\\}',
-        '@?require_once\\s*[\\\'\\"][^\\\'\\\"]{3,256}[\\\'\\"]',
-        'ed110bebce9\\.tmp',
-        'ycycsUnT3uBLqyUrzfdIDg23r',
-        '\b(?:fopen|fwrite|fputs|file_put_contents|file_get_contents|fclose|chmod|unlink)\s*\([^)]*base64_decode\s*\(',
-        'basename\s*\(\s*__FILE__\s*,\s*base64_decode\s*\(',
-        '\b(?:exec|shell_exec|system|passthru|proc_open|popen|pcntl_exec)\s*\([^)]*base64_decode\s*\(',
-        '\b(?:exec|shell_exec|system|passthru|proc_open|popen|pcntl_exec)\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE|SERVER)\b',
-        '>\s*\/dev\/null\s*2>\s*\/dev\/null\s*&',
-        '(?:base64_encode\s*\(\s*){2,}[^)]*\)',
-        '(?:base64_decode\s*\(\s*){2,}[^)]*\)',
-        'openssl_(?:en|de)crypt\s*\([^,]+,\s*[\'"]?\s*aes\s*[-_ ]?(?:128|192|256)\s*[-_ ]?cbc[\'"]?\s*,[^)]*hash\s*\(\s*[\'"]sha256[\'"]\s*,\s*[\'"][^\'"]{8,}[\'"]\s*,\s*true\s*\)[^)]*\)',
-        'substr\s*\(\s*hash\s*\(\s*[\'"]sha256[\'"]\s*,\s*[\'"][^\'"]{8,}[\'"]\s*,\s*true\s*\)\s*,\s*0\s*,\s*16\s*\)',
-        '\b(?:include|require|include_once|require_once)\s*\(\s*base64_decode\s*\(',
-        '\b(?:include|require|include_once|require_once|file_get_contents|fopen)\s*\([^)]*(?:php:\/\/input|php:\/\/filter|data:\/\/)',
-        'md5\s*\(\s*uniqid\s*\([^)]*\)\s*\)\s*\.\s*[\'"]\.(?:php|phtml)\b',
-        'curl_init\s*\([^)]*\)\s*;[^;]*CURLOPT_(?:HTTPHEADER|COOKIE)[^;]*(?:Authorization|Cookie)[^;]*token\s*=\s*',
-        'wp_remote_request\s*\([^)]*\bheaders\b[^)]*(?:Authorization|Cookie)[\'"]\s*=>\s*[\'"][^\'"]*token=',
-        '`[^`]{1,200}`',
-        '[\'"]<\s*sc[\'"]\s*\.\s*[\'"]ript\s*>[\'"]',
-        '[\'"]<\/\s*scr[\'"]\s*\.\s*[\'"]ipt\s*>[\'"]',
-        'array\s*\(\s*(?:\s*[\'"][a-z0-9][\'"]\s*,){3,}\s*[\'"][a-z0-9][\'"]\s*\)',
-        '\$[A-Za-z_]\w*\s*=\s*\$\w+\s*\.\s*\$\w+\s*\.\s*[\'"](tem|xec)[\'"]',
-        '(?s)readfile\s*\(\s*base64_decode\s*\(.*?\)\s*\).*?eval\s*\(\s*.*?ob_get_clean\s*\(\s*\).*?\)',
-        '\$[A-Za-z_]\w*\s*=\s*\$[A-Za-z_]\w*\s*\[[\'"][a-z0-9_]{3,}[\'"]\]\s*;.*\$\w+\s*\(\s*\.\.\.\$\w+\s*\)',
-        'function\s*uPqmvR\s*\(',
-        'function\s*yh1\s*\(',
-        '\bUpVwwHRQ\s*\(',
-        'array_map\(\s*[\'"]md5[\'"]\s*,\s*\$_COOKIE',
-        '\$gi6\[\d+\]\s*\(\s*\$_(?:COOKIE|POST|REQUEST)',
-        'include\s*\(\s*base64_decode\s*\(\s*\$[A-Za-z_]\w*\s*\)\s*(?:\.\s*)?\)\s*;',
-        'call_user_func\s*\(\s*new\s+LiteSpeedMetaDataStore'
-    ];
+}
+}

folder-auditor/trunk/includes/summaries/summary-htaccess.php

-                      r3368707
+                      r3381342
 trait WPFA_htaccess_summary_functions {
+    /**
+     * Build a summary for the .htaccess metric card (raw vs effective, honoring "ignored").
+     *
+     * @return array {
+     *   @type string key
+     *   @type string label
+     *   @type string tab
+     *   @type int    count            Raw total
+     *   @type int    count_effective  Total minus ignored
+     * }
+     */
+private function summary_htaccess() : array {
+    $base    = realpath( ABSPATH );
+    $all_abs = [];
+    $all_rel = [];
+    if ( $base && is_dir( $base ) && is_readable( $base ) ) {
+        try {
+            $it = new RecursiveIteratorIterator(
+                new RecursiveDirectoryIterator( $base, FilesystemIterator::SKIP_DOTS ),
+                RecursiveIteratorIterator::SELF_FIRST
+            );
+            $skip = [ '.git', '.svn', 'node_modules', 'vendor', 'cache', 'backups', 'backup' ];
+            foreach ( $it as $fi ) {
+                if ( $fi->isDir() ) {
+                    if ( in_array( $fi->getBasename(), $skip, true ) ) { $it->next(); }
+                    continue;
+                }
+                if ( ! $fi->isFile() ) { continue; }
+                if ( $fi->getBasename() !== '.htaccess' ) { continue; }
+                $abs = realpath( $fi->getPathname() );
+                if ( ! $abs ) { continue; }
+                if ( strpos( $abs, $base ) !== 0 ) { continue; }
+                // ✅ Exclude specific file: wp-content/plugins/mainwp-child/.htaccess
+                $rel = str_replace('\\', '/', ltrim( str_replace( $base, '', $abs ), '/\\' ));
+                if ( strtolower( $rel ) === 'wp-content/plugins/mainwp-child/.htaccess' ) {
+                    continue;
+                }
+                $all_abs[] = $abs;
+                $all_rel[] = $rel; // same rel format as view
+            }
+        } catch ( \Exception $e ) { /* ignore */ }
+    }
+    $raw_count = count( $all_rel );
+    // Apply ignore set (bucket: 'htaccess'; keys are REL paths like "wp-content/uploads/.htaccess")
+    $ignored          = method_exists( $this, 'get_ignored' ) ? (array) $this->get_ignored() : [];
+    $ignored_keys     = array_keys( (array) ( $ignored['htaccess'] ?? [] ) );
+    $ignored_in_set   = count( array_intersect( $all_rel, $ignored_keys ) );
+    $count_effective  = max( 0, $raw_count - $ignored_in_set );
+    return [
+        'key'             => 'htaccess',
+        'label'           => __( '.htaccess Files', 'folder-auditor' ),
+        'tab'             => 'htaccess',
+        'count'           => (int) $raw_count,         // raw total for display
+        'count_effective' => (int) $count_effective,   // excludes ignored (for health score)
+    ];
+}
+}

folder-auditor/trunk/includes/summaries/summary-plugins.php

r3367997	r3381342
15	15	// Skip specific plugin folders entirely (e.g., "support-wpfi")
16	16
17		$skip_slugs = apply_filters( 'folder_auditor_plugin_skip_slugs', array( 'support-wpfi' ) );
	17	$skip_slugs = apply_filters( 'folder_auditor_plugin_skip_slugs', array( 'support-wpfi', 'mainwp-child', 'mainwp-child-reports' ) );
18	18
19	19	$skip_lc = array();

folder-auditor/trunk/includes/summaries/summary-uploads.php

-                      r3367997
+                      r3381342
+    }
+    // ── scan uploads recursively for any *.php (for health score / card)
+// ── scan uploads recursively for any *.php (for health score / card)
+if ( is_dir( $base ) && is_readable( $base ) ) {
+    try {
+        $rii = new RecursiveIteratorIterator(
+            new RecursiveDirectoryIterator( $base, FilesystemIterator::SKIP_DOTS )
+        );
+    if ( is_dir( $base ) && is_readable( $base ) ) {
+        foreach ( $rii as $fi ) {
+            if ( $fi->isFile() && preg_match( '/\.php$/i', $fi->getFilename() ) ) {
+        try {
+                // relative path like "2024/08/shell.php" or "file.php"
+                $full = $fi->getPathname();
+                $rel  = ltrim( str_replace('\\','/', substr( $full, strlen( $base ) ) ), '/' );
+            $rii = new RecursiveIteratorIterator(
+                new RecursiveDirectoryIterator( $base, FilesystemIterator::SKIP_DOTS )
+            );
+            foreach ( $rii as $fi ) {
+                if ( $fi->isFile() && preg_match( '/\.php$/i', $fi->getFilename() ) ) {
+                    // relative path like "2024/08/shell.php" or "file.php"
+                    $full = $fi->getPathname();
+                    $rel  = ltrim( str_replace('\\','/', substr( $full, strlen( $base ) ) ), '/' );
+                    $php_any_rel[] = $rel;
+                // ✅ Exclude "mainwp/index.php"
+                if ( strtolower( $rel ) === 'mainwp/index.php' ) {
+                    continue;
+                }
+                $php_any_rel[] = $rel;
+            }
+        }
+        } catch ( \Exception $e ) { /* ignore */ }
+    }
+    } catch ( \Exception $e ) { /* ignore */ }
+}
     // ── apply “Ignore” (if user has marked items to exclude)

folder-auditor/trunk/includes/views/view-htaccess-files.php

-                      r3374418
+                      r3381342
               if ( ! $fi->isFile() ) { continue; }
+              if ( $fi->getBasename() !== '.htaccess' ) { continue; }
+              $real = realpath( $fi->getPathname() );
+              if ( ! $real ) { continue; }
+        if ( $fi->getBasename() !== '.htaccess' ) { continue; }
+        $real = realpath( $fi->getPathname() );
+        if ( ! $real ) { continue; }
+        // ✅ Exclude the specific file wp-content/plugins/mainwp-child/.htaccess
+        $rel = str_replace('\\', '/', ltrim( str_replace( realpath( ABSPATH ), '', $real ), '/' ));
+        if ( strtolower( $rel ) === 'wp-content/plugins/mainwp-child/.htaccess' ) {
+            continue;
+        }
               if ( strpos( $real, $base ) !== 0 ) { continue; }

folder-auditor/trunk/includes/views/view-plugins.php

-                      r3374418
+                      r3381342
 <?php
+// Ignore 'support-wpfi' everywhere (counts + tables)
+$fa_ignore_slug = 'support-wpfi';
+$fa_eq = static function($a,$b){ return strtolower((string)$a) === strtolower((string)$b); };
+// Ignore these slugs everywhere (counts + tables)
+$fa_ignore_slugs = array_map('strtolower', [
+    'support-wpfi',
+    'mainwp-child',
+    'mainwp-child-reports',
+]);
+$fa_is_ignored = static function( $s ) use ( $fa_ignore_slugs ) {
+    $s = strtolower( (string) $s );
+    return in_array( $s, $fa_ignore_slugs, true );
+};
 // Remove from the disk map used for lookups/existence checks
+if (isset($folders_map) && is_array($folders_map)) {
+    foreach (array_keys($folders_map) as $k) {
+        if ($fa_eq($k, $fa_ignore_slug)) { unset($folders_map[$k]); }
+if ( isset( $folders_map ) && is_array( $folders_map ) ) {
+    foreach ( array_keys( $folders_map ) as $k ) {
+        if ( $fa_is_ignored( $k ) ) { unset( $folders_map[ $k ] ); }
+    }
+}
 // Remove from the simple list of disk slugs (used in cards/counts)
+if (isset($disk_slugs) && is_array($disk_slugs)) {
+    $disk_slugs = array_values(array_filter($disk_slugs, function($s) use ($fa_eq,$fa_ignore_slug){
+        return ! $fa_eq($s, $fa_ignore_slug);
+    }));
+if ( isset( $disk_slugs ) && is_array( $disk_slugs ) ) {
+    $disk_slugs = array_values( array_filter( $disk_slugs, function( $s ) use ( $fa_is_ignored ) {
+        return ! $fa_is_ignored( $s );
+    } ) );
+}
 // Remove from orphan list (used in the “not showing as installed” table/card)
+if (isset($orphan_folders) && is_array($orphan_folders)) {
+    $orphan_folders = array_values(array_filter($orphan_folders, function($s) use ($fa_eq,$fa_ignore_slug){
+        return ! $fa_eq($s, $fa_ignore_slug);
+    }));
+if ( isset( $orphan_folders ) && is_array( $orphan_folders ) ) {
+    $orphan_folders = array_values( array_filter( $orphan_folders, function( $s ) use ( $fa_is_ignored ) {
+        return ! $fa_is_ignored( $s );
+    } ) );
+}
 // Remove from installed-plugins table rows and update count
+if (isset($plugin_rows) && is_array($plugin_rows)) {
+    $plugin_rows = array_values(array_filter($plugin_rows, function($row) use ($fa_eq,$fa_ignore_slug){
+        return empty($row['folder_slug']) || ! $fa_eq($row['folder_slug'], $fa_ignore_slug);
+    }));
+    $total_plugins = count($plugin_rows);
+if ( isset( $plugin_rows ) && is_array( $plugin_rows ) ) {
+    $plugin_rows = array_values( array_filter( $plugin_rows, function( $row ) use ( $fa_is_ignored ) {
+        return empty( $row['folder_slug'] ) || ! $fa_is_ignored( $row['folder_slug'] );
+    } ) );
+    $total_plugins = count( $plugin_rows );
+}
 // Put active plugins at the top, then sort A→Z by name (then folder slug)
 if ( ! empty( $plugin_rows ) && is_array( $plugin_rows ) ) {
     // Build a fast lookup of active plugins (site + network)
     $active_site     = (array) get_option( 'active_plugins', array() );
     $network_active  = is_multisite() ? array_keys( (array) get_site_option( 'active_sitewide_plugins', array() ) ) : array();
     $active_lookup   = array_fill_keys( array_merge( $active_site, $network_active ), true );
     usort( $plugin_rows, function( $a, $b ) use ( $active_lookup ) {
+        $a_key = isset( $a['plugin_file'] ) ? (string) $a['plugin_file'] : '';
+        $b_key = isset( $b['plugin_file'] ) ? (string) $b['plugin_file'] : '';
+        $a_key    = isset( $a['plugin_file'] ) ? (string) $a['plugin_file'] : '';
+        $b_key    = isset( $b['plugin_file'] ) ? (string) $b['plugin_file'] : '';
         $a_active = isset( $active_lookup[ $a_key ] );
         $b_active = isset( $active_lookup[ $b_key ] );
         // Active first
         if ( $a_active !== $b_active ) {
             return $a_active ? -1 : 1;
+        }
         // Then by display name (A→Z)
+        $an = isset( $a['name'] ) ? (string) $a['name'] : '';
+        $bn = isset( $b['name'] ) ? (string) $b['name'] : '';
+        $an  = isset( $a['name'] ) ? (string) $a['name'] : '';
+        $bn  = isset( $b['name'] ) ? (string) $b['name'] : '';
         $cmp = strcasecmp( $an, $bn );
         if ( 0 !== $cmp ) {
             return $cmp;
+        }
         // Stable fallback by folder slug
         $aslug = isset( $a['folder_slug'] ) ? (string) $a['folder_slug'] : '';
         $bslug = isset( $b['folder_slug'] ) ? (string) $b['folder_slug'] : '';
         return strcasecmp( $aslug, $bslug );
+    });
+    } );
+}
 // Build list of files directly in plugins root that are NOT registered as plugins
 if ( ! isset( $plugins_root_files ) ) {
     $plugins_root_files = [];
     try {
         if ( is_dir( WP_PLUGIN_DIR ) && is_readable( WP_PLUGIN_DIR ) ) {
             $it = new DirectoryIterator( WP_PLUGIN_DIR );
             foreach ( $it as $fi ) {
                 if ( $fi->isFile() ) { // root-only files
                     $plugins_root_files[] = $fi->getFilename();
+                }
+            }
+        }
     } catch ( Exception $e ) {}
     // Remove any single-file plugins WP already knows about
     if ( ! empty( $plugin_rows ) ) {
         foreach ( $plugin_rows as $row ) {
             if ( isset( $row['folder_slug'] ) && $row['folder_slug'] === '.' ) {
                 $plugins_root_files = array_values(
                     array_diff( $plugins_root_files, [ basename( $row['plugin_file'] ) ] )
                 );
+            }
+        }
+    }
+}
 // Count for the card
 $plugins_root_files_count = is_array( $plugins_root_files ) ? count( $plugins_root_files ) : 0;

folder-auditor/trunk/includes/views/view-uploads.php

-                      r3374418
+                      r3381342
+    }
+    // Filter out a specific file so it never shows up anywhere downstream
+$uploads_php_hits = array_values(array_filter(
+    (array) $uploads_php_hits,
+    function( $hit ) {
+        // Normalize path like "mainwp/index.php"
+        $rel = isset($hit['path']) ? ltrim(str_replace('\\','/',$hit['path']), '/'): '';
+        // Only skip this exact file
+        return strtolower($rel) !== 'mainwp/index.php';
+    }
+));
+}

Note: See TracChangeset for help on using the changeset viewer.

Trac UI Preferences

Plugin Directory

Context Navigation

Changeset 3381342

Legend:

folder-auditor/trunk/folder-auditor.php

folder-auditor/trunk/includes/handlers/handler-htaccess.php

folder-auditor/trunk/includes/helpers/scanner/scanner.php

folder-auditor/trunk/includes/summaries/summary-htaccess.php

folder-auditor/trunk/includes/summaries/summary-plugins.php

folder-auditor/trunk/includes/summaries/summary-uploads.php

folder-auditor/trunk/includes/views/view-htaccess-files.php

folder-auditor/trunk/includes/views/view-plugins.php

folder-auditor/trunk/includes/views/view-uploads.php

Download in other formats: