Context Navigation

← Previous Changeset
Next Changeset →

Changeset 3395335

Timestamp:

11/13/2025 09:17:41 PM (3 months ago)

Author:

wpfixit

Message:

Can now exclude single plugins from Site Lock

Location:

folder-auditor

Files:

: 73 added
: 6 edited

tags/4.9.2 (added)
tags/4.9.2/assets (added)
tags/4.9.2/assets/admin.js (added)
tags/4.9.2/assets/brand-banner.webp (added)
tags/4.9.2/assets/dark-icon.png (added)
tags/4.9.2/assets/email.jpg (added)
tags/4.9.2/assets/icon.png (added)
tags/4.9.2/assets/style.css (added)
tags/4.9.2/folder-auditor.php (added)
tags/4.9.2/includes (added)
tags/4.9.2/includes/bridge (added)
tags/4.9.2/includes/bridge/class-wpfa-mainwp-bridge.php (added)
tags/4.9.2/includes/bridge/unlock-relock.php (added)
tags/4.9.2/includes/class-wp-folder-auditor.php (added)
tags/4.9.2/includes/handlers (added)
tags/4.9.2/includes/handlers/handler-actions.php (added)
tags/4.9.2/includes/handlers/handler-content.php (added)
tags/4.9.2/includes/handlers/handler-htaccess.php (added)
tags/4.9.2/includes/handlers/handler-plugins.php (added)
tags/4.9.2/includes/handlers/handler-root.php (added)
tags/4.9.2/includes/handlers/handler-scanner.php (added)
tags/4.9.2/includes/handlers/handler-settings.php (added)
tags/4.9.2/includes/handlers/handler-themes.php (added)
tags/4.9.2/includes/handlers/handler-uploads.php (added)
tags/4.9.2/includes/helpers (added)
tags/4.9.2/includes/helpers/admin.php (added)
tags/4.9.2/includes/helpers/health-score (added)
tags/4.9.2/includes/helpers/health-score/health-score-display.php (added)
tags/4.9.2/includes/helpers/health-score/health-score-functions.php (added)
tags/4.9.2/includes/helpers/html-export.php (added)
tags/4.9.2/includes/helpers/lock-system (added)
tags/4.9.2/includes/helpers/lock-system/folder-locker.php (added)
tags/4.9.2/includes/helpers/lock-system/traits (added)
tags/4.9.2/includes/helpers/lock-system/traits/WPFA_Folder_Locker_Trait_Actions.php (added)
tags/4.9.2/includes/helpers/lock-system/traits/WPFA_Folder_Locker_Trait_Assets.php (added)
tags/4.9.2/includes/helpers/lock-system/traits/WPFA_Folder_Locker_Trait_Cache.php (added)
tags/4.9.2/includes/helpers/lock-system/traits/WPFA_Folder_Locker_Trait_FS.php (added)
tags/4.9.2/includes/helpers/lock-system/traits/WPFA_Folder_Locker_Trait_FSModal.php (added)
tags/4.9.2/includes/helpers/lock-system/traits/WPFA_Folder_Locker_Trait_NoticesBar.php (added)
tags/4.9.2/includes/helpers/lock-system/traits/WPFA_Folder_Locker_Trait_Request.php (added)
tags/4.9.2/includes/helpers/lock-system/traits/WPFA_Folder_Locker_Trait_Status.php (added)
tags/4.9.2/includes/helpers/lock-system/traits/WPFA_Folder_Locker_Trait_Targets.php (added)
tags/4.9.2/includes/helpers/reports (added)
tags/4.9.2/includes/helpers/reports/index.html (added)
tags/4.9.2/includes/helpers/safe-paths.php (added)
tags/4.9.2/includes/helpers/scanner (added)
tags/4.9.2/includes/helpers/scanner/patterns.php (added)
tags/4.9.2/includes/helpers/scanner/scanner.php (added)
tags/4.9.2/includes/helpers/security-headers.php (added)
tags/4.9.2/includes/helpers/user-security.php (added)
tags/4.9.2/includes/summaries (added)
tags/4.9.2/includes/summaries/summary-content.php (added)
tags/4.9.2/includes/summaries/summary-htaccess.php (added)
tags/4.9.2/includes/summaries/summary-plugins.php (added)
tags/4.9.2/includes/summaries/summary-root.php (added)
tags/4.9.2/includes/summaries/summary-themes.php (added)
tags/4.9.2/includes/summaries/summary-totals.php (added)
tags/4.9.2/includes/summaries/summary-uploads.php (added)
tags/4.9.2/includes/views (added)
tags/4.9.2/includes/views/view-audit.php (added)
tags/4.9.2/includes/views/view-content.php (added)
tags/4.9.2/includes/views/view-dashboard.php (added)
tags/4.9.2/includes/views/view-header.php (added)
tags/4.9.2/includes/views/view-htaccess-files.php (added)
tags/4.9.2/includes/views/view-html-export.php (added)
tags/4.9.2/includes/views/view-plugins.php (added)
tags/4.9.2/includes/views/view-root.php (added)
tags/4.9.2/includes/views/view-scanner.php (added)
tags/4.9.2/includes/views/view-security.php (added)
tags/4.9.2/includes/views/view-settings.php (added)
tags/4.9.2/includes/views/view-themes.php (added)
tags/4.9.2/includes/views/view-uploads.php (added)
tags/4.9.2/readme.txt (added)
trunk/folder-auditor.php (modified) (1 diff)
trunk/includes/handlers/handler-actions.php (modified) (1 diff)
trunk/includes/handlers/handler-plugins.php (modified) (1 diff)
trunk/includes/helpers/lock-system/traits/WPFA_Folder_Locker_Trait_FS.php (modified) (1 diff)
trunk/includes/views/view-plugins.php (modified) (4 diffs)
trunk/readme.txt (modified) (3 diffs)

Legend:

: Unmodified
: Added
: Removed

folder-auditor/trunk/folder-auditor.php

r3395071	r3395335
3	3	* Plugin Name: Guard Dog Security & Site Lock
4	4	* Description: Helps WordPress administrators take full control of their site. It scans critical areas including the root directory, wp-content, plugins, themes, uploads, and .htaccess files to detect anything suspicious such as orphaned folders, leftover files, or hidden PHP in uploads. From the WordPress dashboard, you can safely review, download, or remove items that don’t belong, with built-in protection to ensure required resources remain untouched. In addition, Guard Dog Security lets you lock all files and folders as read-only, preventing unauthorized changes, additions, or deletions to your WordPress installation.
5		* Version: 4.9.1
	5	* Version: 4.9.2
6	6	* Author: WP Fix It
7	7	* Author URI: https://www.wpfixit.com

folder-auditor/trunk/includes/handlers/handler-actions.php

-                      r3374720
+                      r3395335
         add_action( 'wp_ajax_folder_auditor_plugin_file_view',  [ $this, 'handle_plugin_file_view_ajax' ] );
         add_action( 'admin_post_folder_auditor_plugins_root_bulk', [ $this, 'handle_plugins_root_bulk' ] );
+    add_action( 'admin_post_folder_auditor_plugin_never_lock', array( $this, 'handle_plugin_never_lock' ) );
+    add_action( 'admin_post_folder_auditor_plugin_allow_lock', array( $this, 'handle_plugin_allow_lock' ) );
         // === Theme Folder Actions ===

folder-auditor/trunk/includes/handlers/handler-plugins.php

-                      r3374418
+                      r3395335
 <?php
 /**
  * Plugin Handlers for Folder Auditor
+ *
  * - Secure download/delete of arbitrary root files (as resolved by get_safe_root_file()).
  * - Plugin folder ZIP downloads and recursive deletes.
  * - Helpers to mirror the Plugins screen and list top-level plugin folders.
  */
 if ( ! defined( 'ABSPATH' ) ) { exit; } // No direct access 👮
 trait WPFA_plugins_handler_functions {
+/**
+ * Toggle: mark a plugin folder as "Never Lock" (and unlock it right now).
+ * Nonce action: 'fa_plugin_toggle_' . $slug
+ * POST: slug
+ */
+public function handle_plugin_never_lock() {
+    if ( ! $this->can_manage() ) {
+        wp_die( esc_html__( 'You do not have permission to do this.', 'folder-auditor' ) );
+    }
+    $slug = (string) ( filter_input( INPUT_POST, 'slug', FILTER_UNSAFE_RAW ) ?? '' );
+    $slug = sanitize_text_field( $slug );
+    check_admin_referer( 'fa_plugin_toggle_' . $slug );
+    // Reuse the same safe folder resolver you already use for plugin actions
+    $folder = $this->get_safe_folder_path( $slug );
+    if ( ! $folder ) {
+        wp_die( esc_html__( 'Invalid folder.', 'folder-auditor' ) );
+    }
+    $list = (array) get_option( 'wpfa_never_lock_plugins', array() );
+    if ( ! in_array( $slug, $list, true ) ) {
+        $list[] = $slug;
+        update_option( 'wpfa_never_lock_plugins', array_values( array_unique( $list ) ), true );
+    }
+    // Immediately unlock this plugin folder and contents (same helper used for uploads)
+    if ( method_exists( $this, 'fa_unlock_path_now' ) ) {
+        $this->fa_unlock_path_now( $folder );
+    }
+    $redirect = wp_get_referer();
+    if ( ! $redirect ) {
+        $redirect = admin_url( 'admin.php?page=guard-dog-security&tab=plugins' );
+    }
+    wp_safe_redirect( $redirect );
+    exit;
+}
+/**
+ * Toggle: remove "Never Lock" so global locks can include it again.
+ * Nonce action: 'fa_plugin_toggle_' . $slug
+ * POST: slug
+ */
+public function handle_plugin_allow_lock() {
+    if ( ! $this->can_manage() ) {
+        wp_die( esc_html__( 'You do not have permission to do this.', 'folder-auditor' ) );
+    }
+    $slug = (string) ( filter_input( INPUT_POST, 'slug', FILTER_UNSAFE_RAW ) ?? '' );
+    $slug = sanitize_text_field( $slug );
+    check_admin_referer( 'fa_plugin_toggle_' . $slug );
+    $list = (array) get_option( 'wpfa_never_lock_plugins', array() );
+    $new  = array();
+    foreach ( $list as $s ) {
+        if ( (string) $s !== $slug ) {
+            $new[] = (string) $s;
+        }
+    }
+    update_option( 'wpfa_never_lock_plugins', $new, true );
+    $redirect = wp_get_referer();
+    if ( ! $redirect ) {
+        $redirect = admin_url( 'admin.php?page=guard-dog-security&tab=plugins' );
+    }
+    wp_safe_redirect( $redirect );
+    exit;
+}
+/**
+ * Bulk actions for files directly under wp-content/plugins.
+ * POST fields mirror the .htaccess bulk UI:
+ *   bulk[row_key] = { delete | ignore | include }
+ *   file[row_key] = { file basename in wp-content/plugins }
+ *
+ * Nonce: 'fa_plugins_root_bulk'
+ * Action: admin_post_folder_auditor_plugins_root_bulk
+ */
+public function handle_plugins_root_bulk() {
+    if ( ! $this->can_manage() ) {
+        wp_die( esc_html__( 'You do not have permission to do this.', 'folder-auditor' ) );
+    }
+    // CSRF
+    check_admin_referer( 'fa_plugins_root_bulk' );
+    // Fetch arrays safely
+    $bulk_raw = (array) ( filter_input( INPUT_POST, 'bulk', FILTER_DEFAULT, FILTER_REQUIRE_ARRAY ) ?: array() );
+    $file_raw = (array) ( filter_input( INPUT_POST, 'file', FILTER_DEFAULT, FILTER_REQUIRE_ARRAY ) ?: array() );
+    // Sanitize into new arrays
+    $bulk = array();
+    foreach ( $bulk_raw as $k => $v ) {
+        $bulk[ sanitize_text_field( (string) $k ) ] = sanitize_text_field( (string) $v );
+    }
+    $files = array();
+    foreach ( $file_raw as $k => $v ) {
+        $files[ sanitize_text_field( (string) $k ) ] = sanitize_file_name( (string) $v );
+    }
+    // Tally
+    $deleted = 0;
+    $ignored_added = 0;
+    $ignored_removed = 0;
+    // FS helper (if available)
+    $wp_filesystem = $this->fa_require_filesystem();
+    foreach ( $bulk as $row_key => $choice ) {
+        $file = isset( $files[ $row_key ] ) ? (string) $files[ $row_key ] : '';
+        if ( '' === $file ) { continue; }
+        if ( ! in_array( $choice, array( 'delete', 'ignore', 'include' ), true ) ) {
+            continue;
+        }
+        if ( 'delete' === $choice ) {
+            $abs = $this->get_safe_plugin_file( $file ); // only returns files in wp-content/plugins
+            if ( $abs && is_file( $abs ) ) {
+                // Prefer WP_Filesystem; fallback to wp_delete_file
+                $ok = true;
+                if ( $wp_filesystem && method_exists( $wp_filesystem, 'delete' ) ) {
+                    if ( method_exists( $wp_filesystem, 'chmod' ) ) {
+                        // phpcs:ignore WordPress.PHP.NoSilencedErrors.Discouraged
+                        @$wp_filesystem->chmod( $abs, FS_CHMOD_FILE );
+                    }
+                    $ok = (bool) $wp_filesystem->delete( $abs, false, 'f' );
+                } else {
+                    $ok = (bool) wp_delete_file( $abs );
+                }
+                if ( $ok ) {
+                    $deleted++;
+                    // If it was ignored, untrack it now
+                    $this->ignore_remove( 'plugins_root', $file );
+                }
+            }
+        } elseif ( 'ignore' === $choice ) {
+            $this->ignore_add( 'plugins_root', $file );
+            $ignored_added++;
+        } elseif ( 'include' === $choice ) {
+            $this->ignore_remove( 'plugins_root', $file );
+            $ignored_removed++;
+        }
+    }
+    // Redirect back to Plugins tab with a compact summary
+    $args = array(
+        'page'                          => self::MENU_SLUG,
+        'tab'                           => 'plugins',
+        'fa_plugins_root_deleted'       => (int) $deleted,
+        'fa_plugins_root_ignored'       => (int) $ignored_added,
+        'fa_plugins_root_included'      => (int) $ignored_removed,
+        // jump straight to the section
+        );
+    $args['#'] = 'plugins-root-files'; // anchor
+    wp_safe_redirect( add_query_arg( $args, admin_url( 'admin.php' ) ) );
+    exit;
+}
+/**
+ * Bulk actions for files directly under wp-content/plugins.
+ * POST fields mirror the .htaccess bulk UI:
+ *   bulk[row_key] = { delete | ignore | include }
+ *   file[row_key] = { file basename in wp-content/plugins }
+ *
+ * Nonce: 'fa_plugins_root_bulk'
+ * Action: admin_post_folder_auditor_plugins_root_bulk
+ */
+public function handle_plugins_root_bulk() {
+private function get_safe_plugin_file( string $file ) {
+    // Only allow files directly in wp-content/plugins (no subfolders)
+    $file = trim($file);
+    // Basic invalid checks
+    if ($file === '' || strpos($file, '..') !== false || strpbrk($file, "/\\")) {
+        return '';
+    }
+    // Build absolute path and resolve
+    $abs        = trailingslashit(WP_PLUGIN_DIR) . $file;
+    $realBase   = realpath(WP_PLUGIN_DIR);
+    $realTarget = ($abs && file_exists($abs)) ? realpath($abs) : '';
+    // Must be a readable file inside wp-content/plugins
+    if ($realBase && $realTarget && strpos($realTarget, $realBase) === 0 && is_file($realTarget) && is_readable($realTarget)) {
+        return $realTarget;
+    }
+    return '';
+}
+public function handle_plugin_file_view_ajax() {
     if ( ! $this->can_manage() ) {
+        wp_die( esc_html__( 'You do not have permission to do this.', 'folder-auditor' ) );
+    }
+    // CSRF
+    check_admin_referer( 'fa_plugins_root_bulk' );
+    // Fetch arrays safely
+    $bulk_raw = (array) ( filter_input( INPUT_POST, 'bulk', FILTER_DEFAULT, FILTER_REQUIRE_ARRAY ) ?: array() );
+    $file_raw = (array) ( filter_input( INPUT_POST, 'file', FILTER_DEFAULT, FILTER_REQUIRE_ARRAY ) ?: array() );
+    // Sanitize into new arrays
+    $bulk = array();
+    foreach ( $bulk_raw as $k => $v ) {
+        $bulk[ sanitize_text_field( (string) $k ) ] = sanitize_text_field( (string) $v );
+    }
+    $files = array();
+    foreach ( $file_raw as $k => $v ) {
+        $files[ sanitize_text_field( (string) $k ) ] = sanitize_file_name( (string) $v );
+    }
+    // Tally
+    $deleted = 0;
+    $ignored_added = 0;
+    $ignored_removed = 0;
+    // FS helper (if available)
+    $wp_filesystem = $this->fa_require_filesystem();
+    foreach ( $bulk as $row_key => $choice ) {
+        $file = isset( $files[ $row_key ] ) ? (string) $files[ $row_key ] : '';
+        if ( '' === $file ) { continue; }
+        if ( ! in_array( $choice, array( 'delete', 'ignore', 'include' ), true ) ) {
+            continue;
+        }
+        if ( 'delete' === $choice ) {
+            $abs = $this->get_safe_plugin_file( $file ); // only returns files in wp-content/plugins
+            if ( $abs && is_file( $abs ) ) {
+                // Prefer WP_Filesystem; fallback to wp_delete_file
+                $ok = true;
+                if ( $wp_filesystem && method_exists( $wp_filesystem, 'delete' ) ) {
+                    if ( method_exists( $wp_filesystem, 'chmod' ) ) {
+                        // phpcs:ignore WordPress.PHP.NoSilencedErrors.Discouraged
+                        @$wp_filesystem->chmod( $abs, FS_CHMOD_FILE );
+        wp_send_json_error( array( 'message' => __( 'You do not have permission to do this.', 'folder-auditor' ) ), 403 );
+    }
+    $file = (string) ( filter_input( INPUT_POST, 'file', FILTER_UNSAFE_RAW ) ?? '' );
+    $file = sanitize_text_field( $file );
+    if ( ! check_ajax_referer( 'fa_plugin_file_view_' . md5( $file ), '_wpnonce', false ) ) {
+        wp_send_json_error( array( 'message' => __( 'Invalid or expired nonce.', 'folder-auditor' ) ), 400 );
+    }
+    // Use your existing safe resolver inside plugins directory:
+    $abs = $this->get_safe_plugin_file( $file ); // or your equivalent helper
+    if ( ! $abs ) {
+        wp_send_json_error( array( 'message' => __( 'Invalid file.', 'folder-auditor' ) ), 400 );
+    }
+    $fs = $this->fa_require_filesystem();
+    $contents = $fs && method_exists( $fs, 'get_contents' )
+        ? $fs->get_contents( $abs )
+        : @file_get_contents( $abs );
+    if ( false === $contents ) {
+        wp_send_json_error( array( 'message' => __( 'Unable to read file (permissions?).', 'folder-auditor' ) ), 500 );
+    }
+    $max = 200 * 1024;
+    $truncated = false;
+    if ( strlen( $contents ) > $max ) {
+        $contents  = substr( $contents, 0, $max );
+        $truncated = true;
+    }
+    wp_send_json_success( array(
+        'file'      => $file,
+        'size'      => (int) @filesize( $abs ),
+        'mtime'     => (int) @filemtime( $abs ),
+        'truncated' => $truncated,
+        'content'   => $contents,
+    ) );
+}
+    // ============================
+    // Root File Handlers (generic)
+    // ============================
+    /**
+     * Download a single file from the site root (validated via get_safe_root_file()).
+     *
+     * Nonce: 'folder_auditor_file_download_{file}'
+     * POST:  file
+     */
+    public function handle_file_download() {
+        if ( ! $this->can_manage() ) {
+            wp_die( esc_html__( 'You do not have permission to do this.', 'folder-auditor' ) );
+        }
+        $file = isset( $_POST['file'] ) ? sanitize_text_field( wp_unslash( $_POST['file'] ) ) : '';
+        check_admin_referer( 'folder_auditor_file_download_' . $file );
+        $abs = $this->get_safe_root_file( $file );
+        if ( ! $abs ) {
+            wp_die( esc_html__( 'Invalid file.', 'folder-auditor' ) );
+        }
+        // Clean output buffers to prevent corruption
+        if ( function_exists( 'ob_get_level' ) ) {
+            while ( ob_get_level() ) { ob_end_clean(); }
+        }
+        $wp_filesystem = $this->fa_require_filesystem();
+        $size          = is_file( $abs ) ? (int) filesize( $abs ) : 0;
+        $bytes         = $wp_filesystem->get_contents( $abs );
+        $download_name = sanitize_file_name( basename( $abs ) );
+        nocache_headers();
+        header( 'Content-Type: application/octet-stream' );
+        if ( $size > 0 ) {
+            header( 'Content-Length: ' . $size );
+        }
+        header( 'Content-Disposition: attachment; filename="' . rawurlencode( $download_name ) . '"' );
+        if ( false !== $bytes ) {
+            echo $bytes; // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped -- sending raw file bytes
+        }
+        exit;
+    }
+    /**
+     * Delete a single file from the site root (validated via get_safe_root_file()).
+     *
+     * Nonce: 'folder_auditor_file_delete_{file}'
+     * POST:  file
+     */
+    public function handle_file_delete() {
+        if ( ! $this->can_manage() ) {
+            wp_die( esc_html__( 'You do not have permission to do this.', 'folder-auditor' ) );
+        }
+        $file = isset( $_POST['file'] ) ? sanitize_text_field( wp_unslash( $_POST['file'] ) ) : '';
+        check_admin_referer( 'folder_auditor_file_delete_' . $file );
+        $abs = $this->get_safe_root_file( $file );
+        if ( ! $abs ) {
+            wp_die( esc_html__( 'Invalid file.', 'folder-auditor' ) );
+        }
+        $wp_filesystem = $this->fa_require_filesystem();
+        $ok = true;
+        if ( method_exists( $wp_filesystem, 'delete' ) ) {
+            $ok = $wp_filesystem->delete( $abs );
+        } else {
+            // Safe fallback for single files only
+            $ok = (bool) wp_delete_file( $abs );
+        }
+        if ( ! $ok ) {
+            wp_die( esc_html__( 'Failed to delete the file (permissions?).', 'folder-auditor' ) );
+        }
+        // Redirect back to the Guard Dog Security page (keep ‘plugins’ tab)
+        $redirect = add_query_arg(
+            array(
+                'page'                   => self::MENU_SLUG,
+                'tab'                    => 'plugins',
+                'folder_auditor_deleted' => rawurlencode( $file ), // reuse notice
+            ),
+            admin_url( 'admin.php' )
+        );
+        wp_safe_redirect( $redirect );
+        exit;
+    }
+    // ======================
+    // Plugin List Utilities
+    // ======================
+    /**
+     * Retrieve installed plugins (mirrors Plugins screen after filters).
+     *
+     * @return array
+     */
+    private function get_installed_plugins() : array {
+        if ( ! function_exists( 'get_plugins' ) ) {
+            require_once ABSPATH . 'wp-admin/includes/plugin.php';
+        }
+        $plugins = get_plugins();
+        // Match Plugins screen exactly
+        $plugins = apply_filters( 'all_plugins', $plugins );
+        return $plugins;
+    }
+    /**
+     * Map of top-level plugin folders in wp-content/plugins → slug => absolute path.
+     *
+     * @return array
+     */
+    private function get_plugin_folders() : array {
+        $map = [];
+        if ( is_dir( WP_PLUGIN_DIR ) && is_readable( WP_PLUGIN_DIR ) ) {
+            try {
+                $it = new DirectoryIterator( WP_PLUGIN_DIR );
+                foreach ( $it as $fileinfo ) {
+                    if ( $fileinfo->isDot() ) { continue; }
+                    if ( $fileinfo->isDir() ) {
+                        $slug = $fileinfo->getFilename();
+                        $map[ $slug ] = $fileinfo->getPathname();
+                    }
-                    $ok = (bool) $wp_filesystem->delete( $abs, false, 'f' );
-                } else {
-                    $ok = (bool) wp_delete_file( $abs );
+                }
+                if ( $ok ) {
+                    $deleted++;
+                    // If it was ignored, untrack it now
+                    $this->ignore_remove( 'plugins_root', $file );
+            } catch ( Exception $e ) {
+                // Fallback scan if DirectoryIterator fails
+                $dirs = glob( WP_PLUGIN_DIR . '/*', GLOB_ONLYDIR );
+                if ( is_array( $dirs ) ) {
+                    foreach ( $dirs as $dir ) { $map[ basename( $dir ) ] = $dir; }
+                }
+            }
+        } elseif ( 'ignore' === $choice ) {
+            $this->ignore_add( 'plugins_root', $file );
+            $ignored_added++;
+        } elseif ( 'include' === $choice ) {
+            $this->ignore_remove( 'plugins_root', $file );
+            $ignored_removed++;
+        }
+    }
+    // Redirect back to Plugins tab with a compact summary
+    $args = array(
+        'page'                          => self::MENU_SLUG,
+        'tab'                           => 'plugins',
+        'fa_plugins_root_deleted'       => (int) $deleted,
+        'fa_plugins_root_ignored'       => (int) $ignored_added,
+        'fa_plugins_root_included'      => (int) $ignored_removed,
+        // jump straight to the section
+        }
+        return $map;
+    }
+    /**
+     * Build rows matching the Plugins screen items.
+     *
+     * Each row:
+     * - name        → plugin display name
+     * - plugin_file → plugin main file (basename)
+     * - folder_slug → top folder slug ('.' for single-file plugins)
+     *
+     * @return array
+     */
+    private function build_plugin_rows() : array {
+        $plugins = $this->get_installed_plugins();
+        $rows    = [];
+        foreach ( $plugins as $plugin_basename => $data ) {
+            $parts = explode( '/', $plugin_basename, 2 );
+            $slug  = ( count( $parts ) > 1 ) ? $parts[0] : '.'; // '.' = single-file plugin
+            $rows[] = [
+                'name'        => isset( $data['Name'] ) ? $data['Name'] : $plugin_basename,
+                'plugin_file' => $plugin_basename,
+                'folder_slug' => $slug,
+            ];
+        }
+        usort(
+            $rows,
+            function( $a, $b ) {
+                return strcasecmp( $a['name'], $b['name'] );
+            }
         );
+    $args['#'] = 'plugins-root-files'; // anchor
+    wp_safe_redirect( add_query_arg( $args, admin_url( 'admin.php' ) ) );
+    exit;
+        return $rows;
+    }
+    /**
+     * Generic lister: returns two arrays [ $folders, $files ] for a given path.
+     *
+     * @param string $path
+     * @return array{0: string[], 1: string[]}
+     */
+    private function list_top_level( $path ) : array {
+        $folders = [];
+        $files   = [];
+        if ( is_dir( $path ) && is_readable( $path ) ) {
+            try {
+                $it = new DirectoryIterator( $path );
+                foreach ( $it as $fi ) {
+                    if ( $fi->isDot() ) { continue; }
+                    if ( $fi->isDir() ) {
+                        $folders[] = $fi->getFilename();
+                    } elseif ( $fi->isFile() ) {
+                        $files[] = $fi->getFilename();
+                    }
+                }
+            } catch ( Exception $e ) {
+                // Silent fallback; return what we have
+            }
+        }
+        sort( $folders, SORT_NATURAL | SORT_FLAG_CASE );
+        sort( $files,   SORT_NATURAL | SORT_FLAG_CASE );
+        return [ $folders, $files ];
+    }
+    // ==========================
+    // Plugin Folder ZIP/Deletion
+    // ==========================
+    /**
+     * Download a plugin folder as ZIP (triggered via admin-post.php).
+     *
+     * Nonce: 'folder_auditor_download_{slug}'
+     * POST:  slug
+     */
+    public function handle_download() {
+        if ( ! $this->can_manage() ) {
+            wp_die( esc_html__( 'You do not have permission to do this.', 'folder-auditor' ) );
+        }
+        $slug = isset( $_POST['slug'] ) ? sanitize_text_field( wp_unslash( $_POST['slug'] ) ) : '';
+        check_admin_referer( 'folder_auditor_download_' . $slug );
+        $folder = $this->get_safe_folder_path( $slug );
+        if ( ! $folder ) {
+            wp_die( esc_html__( 'Invalid folder.', 'folder-auditor' ) );
+        }
+        if ( ! class_exists( 'ZipArchive' ) ) {
+            wp_die( esc_html__( 'ZipArchive is not available on this server.', 'folder-auditor' ) );
+        }
+        // Build ZIP in temp (stream from disk to avoid memory spikes)
+        $zip_file = wp_tempnam( 'folder-auditor-' . $slug . '-' );
+        if ( ! $zip_file ) {
+            wp_die( esc_html__( 'Could not create a temporary ZIP file.', 'folder-auditor' ) );
+        }
+        $zip = new ZipArchive();
+        if ( true !== $zip->open( $zip_file, ZipArchive::CREATE | ZipArchive::OVERWRITE ) ) {
+            wp_delete_file( $zip_file ); // safe cleanup
+            wp_die( esc_html__( 'Failed to build ZIP.', 'folder-auditor' ) );
+        }
+        $base_len = strlen( trailingslashit( $folder ) );
+        $rii = new RecursiveIteratorIterator(
+            new RecursiveDirectoryIterator( $folder, FilesystemIterator::SKIP_DOTS )
+        );
+        foreach ( $rii as $fi ) {
+            if ( $fi->isFile() ) {
+                $full = $fi->getPathname();
+                $rel  = substr( $full, $base_len );
+                $zip->addFile( $full, $rel );
+            }
+        }
+        $zip->close();
+        $download_name = sanitize_file_name( $slug . '.zip' );
+        // Clean any open buffers (avoid corruption)
+        if ( function_exists( 'ob_get_level' ) ) {
+            while ( ob_get_level() ) { ob_end_clean(); }
+        }
+        $wp_filesystem = $this->fa_require_filesystem();
+        $size          = is_file( $zip_file ) ? (int) filesize( $zip_file ) : 0;
+        $bytes         = $wp_filesystem->get_contents( $zip_file );
+        nocache_headers();
+        header( 'Content-Type: application/zip' );
+        if ( $size > 0 ) {
+            header( 'Content-Length: ' . $size );
+        }
+        header( 'Content-Disposition: attachment; filename="' . rawurlencode( $download_name ) . '"' );
+        if ( false !== $bytes ) {
+            echo $bytes; // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped -- sending raw file bytes
+        }
+        wp_delete_file( $zip_file ); // remove temp file (no unlink())
+        exit;
+    }
+    /**
+     * Delete a plugin folder (recursive).
+     *
+     * Nonce: 'folder_auditor_delete_{slug}'
+     * POST:  slug
+     */
+    public function handle_delete() {
+        if ( ! $this->can_manage() ) {
+            wp_die( esc_html__( 'You do not have permission to do this.', 'folder-auditor' ) );
+        }
+        $slug = isset( $_POST['slug'] ) ? sanitize_text_field( wp_unslash( $_POST['slug'] ) ) : '';
+        check_admin_referer( 'folder_auditor_delete_' . $slug );
+        $folder = $this->get_safe_folder_path( $slug );
+        if ( ! $folder ) {
+            wp_die( esc_html__( 'Invalid folder.', 'folder-auditor' ) );
+        }
+        // Require Filesystem API and use it for recursive removal (no rmdir()/unlink() fallbacks)
+        $wp_filesystem = $this->fa_require_filesystem();
+        $ok            = $wp_filesystem->delete( $folder, true ); // recursive
+        if ( ! $ok ) {
+            wp_die( esc_html__( 'Failed to delete the folder (permissions?).', 'folder-auditor' ) );
+        }
+        // Redirect back to the auditor page with a success flag
+        $redirect = add_query_arg(
+            array(
+                'page'                   => self::MENU_SLUG,
+                'folder_auditor_deleted' => rawurlencode( $slug ),
+                // keep tab context if present
+                'tab'                    => isset( $_GET['tab'] ) ? sanitize_key( wp_unslash( $_GET['tab'] ) ) : 'plugins',
+            ),
+            admin_url( 'admin.php' )
+        );
+        wp_safe_redirect( $redirect );
+        exit;
+    }
+}
-private function get_safe_plugin_file( string $file ) {
-    // Only allow files directly in wp-content/plugins (no subfolders)
-    $file = trim($file);
-    // Basic invalid checks
-    if ($file === '' || strpos($file, '..') !== false || strpbrk($file, "/\\")) {
-        return '';
+    }
-    // Build absolute path and resolve
-    $abs        = trailingslashit(WP_PLUGIN_DIR) . $file;
-    $realBase   = realpath(WP_PLUGIN_DIR);
-    $realTarget = ($abs && file_exists($abs)) ? realpath($abs) : '';
-    // Must be a readable file inside wp-content/plugins
-    if ($realBase && $realTarget && strpos($realTarget, $realBase) === 0 && is_file($realTarget) && is_readable($realTarget)) {
-        return $realTarget;
+    }
-    return '';
+}
-public function handle_plugin_file_view_ajax() {
-    if ( ! $this->can_manage() ) {
-        wp_send_json_error( array( 'message' => __( 'You do not have permission to do this.', 'folder-auditor' ) ), 403 );
+    }
-    $file = (string) ( filter_input( INPUT_POST, 'file', FILTER_UNSAFE_RAW ) ?? '' );
-    $file = sanitize_text_field( $file );
-    if ( ! check_ajax_referer( 'fa_plugin_file_view_' . md5( $file ), '_wpnonce', false ) ) {
-        wp_send_json_error( array( 'message' => __( 'Invalid or expired nonce.', 'folder-auditor' ) ), 400 );
+    }
-    // Use your existing safe resolver inside plugins directory:
-    $abs = $this->get_safe_plugin_file( $file ); // or your equivalent helper
-    if ( ! $abs ) {
-        wp_send_json_error( array( 'message' => __( 'Invalid file.', 'folder-auditor' ) ), 400 );
+    }
-    $fs = $this->fa_require_filesystem();
-    $contents = $fs && method_exists( $fs, 'get_contents' )
-        ? $fs->get_contents( $abs )
-        : @file_get_contents( $abs );
-    if ( false === $contents ) {
-        wp_send_json_error( array( 'message' => __( 'Unable to read file (permissions?).', 'folder-auditor' ) ), 500 );
+    }
-    $max = 200 * 1024;
-    $truncated = false;
-    if ( strlen( $contents ) > $max ) {
-        $contents  = substr( $contents, 0, $max );
-        $truncated = true;
+    }
-    wp_send_json_success( array(
-        'file'      => $file,
-        'size'      => (int) @filesize( $abs ),
-        'mtime'     => (int) @filemtime( $abs ),
-        'truncated' => $truncated,
-        'content'   => $contents,
-    ) );
+}
-    // ============================
-    // Root File Handlers (generic)
-    // ============================
-    /**
-     * Download a single file from the site root (validated via get_safe_root_file()).
+     *
-     * Nonce: 'folder_auditor_file_download_{file}'
-     * POST:  file
-     */
-    public function handle_file_download() {
-        if ( ! $this->can_manage() ) {
-            wp_die( esc_html__( 'You do not have permission to do this.', 'folder-auditor' ) );
+        }
-        $file = isset( $_POST['file'] ) ? sanitize_text_field( wp_unslash( $_POST['file'] ) ) : '';
-        check_admin_referer( 'folder_auditor_file_download_' . $file );
-        $abs = $this->get_safe_root_file( $file );
-        if ( ! $abs ) {
-            wp_die( esc_html__( 'Invalid file.', 'folder-auditor' ) );
+        }
-        // Clean output buffers to prevent corruption
-        if ( function_exists( 'ob_get_level' ) ) {
-            while ( ob_get_level() ) { ob_end_clean(); }
+        }
-        $wp_filesystem = $this->fa_require_filesystem();
-        $size          = is_file( $abs ) ? (int) filesize( $abs ) : 0;
-        $bytes         = $wp_filesystem->get_contents( $abs );
-        $download_name = sanitize_file_name( basename( $abs ) );
-        nocache_headers();
-        header( 'Content-Type: application/octet-stream' );
-        if ( $size > 0 ) {
-            header( 'Content-Length: ' . $size );
+        }
-        header( 'Content-Disposition: attachment; filename="' . rawurlencode( $download_name ) . '"' );
-        if ( false !== $bytes ) {
-            echo $bytes; // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped -- sending raw file bytes
+        }
-        exit;
+    }
-    /**
-     * Delete a single file from the site root (validated via get_safe_root_file()).
+     *
-     * Nonce: 'folder_auditor_file_delete_{file}'
-     * POST:  file
-     */
-    public function handle_file_delete() {
-        if ( ! $this->can_manage() ) {
-            wp_die( esc_html__( 'You do not have permission to do this.', 'folder-auditor' ) );
+        }
-        $file = isset( $_POST['file'] ) ? sanitize_text_field( wp_unslash( $_POST['file'] ) ) : '';
-        check_admin_referer( 'folder_auditor_file_delete_' . $file );
-        $abs = $this->get_safe_root_file( $file );
-        if ( ! $abs ) {
-            wp_die( esc_html__( 'Invalid file.', 'folder-auditor' ) );
+        }
-        $wp_filesystem = $this->fa_require_filesystem();
-        $ok = true;
-        if ( method_exists( $wp_filesystem, 'delete' ) ) {
-            $ok = $wp_filesystem->delete( $abs );
-        } else {
-            // Safe fallback for single files only
-            $ok = (bool) wp_delete_file( $abs );
+        }
-        if ( ! $ok ) {
-            wp_die( esc_html__( 'Failed to delete the file (permissions?).', 'folder-auditor' ) );
+        }
-        // Redirect back to the Guard Dog Security page (keep ‘plugins’ tab)
-        $redirect = add_query_arg(
-            array(
-                'page'                   => self::MENU_SLUG,
-                'tab'                    => 'plugins',
-                'folder_auditor_deleted' => rawurlencode( $file ), // reuse notice
-            ),
-            admin_url( 'admin.php' )
-        );
-        wp_safe_redirect( $redirect );
-        exit;
+    }
-    // ======================
-    // Plugin List Utilities
-    // ======================
-    /**
-     * Retrieve installed plugins (mirrors Plugins screen after filters).
+     *
-     * @return array
-     */
-    private function get_installed_plugins() : array {
-        if ( ! function_exists( 'get_plugins' ) ) {
-            require_once ABSPATH . 'wp-admin/includes/plugin.php';
+        }
-        $plugins = get_plugins();
-        // Match Plugins screen exactly
-        $plugins = apply_filters( 'all_plugins', $plugins );
-        return $plugins;
+    }
-    /**
-     * Map of top-level plugin folders in wp-content/plugins → slug => absolute path.
+     *
-     * @return array
-     */
-    private function get_plugin_folders() : array {
-        $map = [];
-        if ( is_dir( WP_PLUGIN_DIR ) && is_readable( WP_PLUGIN_DIR ) ) {
-            try {
-                $it = new DirectoryIterator( WP_PLUGIN_DIR );
-                foreach ( $it as $fileinfo ) {
-                    if ( $fileinfo->isDot() ) { continue; }
-                    if ( $fileinfo->isDir() ) {
-                        $slug = $fileinfo->getFilename();
-                        $map[ $slug ] = $fileinfo->getPathname();
+                    }
+                }
-            } catch ( Exception $e ) {
-                // Fallback scan if DirectoryIterator fails
-                $dirs = glob( WP_PLUGIN_DIR . '/*', GLOB_ONLYDIR );
-                if ( is_array( $dirs ) ) {
-                    foreach ( $dirs as $dir ) { $map[ basename( $dir ) ] = $dir; }
+                }
+            }
+        }
-        return $map;
+    }
-    /**
-     * Build rows matching the Plugins screen items.
+     *
-     * Each row:
-     * - name        → plugin display name
-     * - plugin_file → plugin main file (basename)
-     * - folder_slug → top folder slug ('.' for single-file plugins)
+     *
-     * @return array
-     */
-    private function build_plugin_rows() : array {
-        $plugins = $this->get_installed_plugins();
-        $rows    = [];
-        foreach ( $plugins as $plugin_basename => $data ) {
-            $parts = explode( '/', $plugin_basename, 2 );
-            $slug  = ( count( $parts ) > 1 ) ? $parts[0] : '.'; // '.' = single-file plugin
-            $rows[] = [
-                'name'        => isset( $data['Name'] ) ? $data['Name'] : $plugin_basename,
-                'plugin_file' => $plugin_basename,
-                'folder_slug' => $slug,
-            ];
+        }
-        usort(
-            $rows,
-            function( $a, $b ) {
-                return strcasecmp( $a['name'], $b['name'] );
+            }
-        );
-        return $rows;
+    }
-    /**
-     * Generic lister: returns two arrays [ $folders, $files ] for a given path.
+     *
-     * @param string $path
-     * @return array{0: string[], 1: string[]}
-     */
-    private function list_top_level( $path ) : array {
-        $folders = [];
-        $files   = [];
-        if ( is_dir( $path ) && is_readable( $path ) ) {
-            try {
-                $it = new DirectoryIterator( $path );
-                foreach ( $it as $fi ) {
-                    if ( $fi->isDot() ) { continue; }
-                    if ( $fi->isDir() ) {
-                        $folders[] = $fi->getFilename();
-                    } elseif ( $fi->isFile() ) {
-                        $files[] = $fi->getFilename();
+                    }
+                }
-            } catch ( Exception $e ) {
-                // Silent fallback; return what we have
+            }
+        }
-        sort( $folders, SORT_NATURAL | SORT_FLAG_CASE );
-        sort( $files,   SORT_NATURAL | SORT_FLAG_CASE );
-        return [ $folders, $files ];
+    }
-    // ==========================
-    // Plugin Folder ZIP/Deletion
-    // ==========================
-    /**
-     * Download a plugin folder as ZIP (triggered via admin-post.php).
+     *
-     * Nonce: 'folder_auditor_download_{slug}'
-     * POST:  slug
-     */
-    public function handle_download() {
-        if ( ! $this->can_manage() ) {
-            wp_die( esc_html__( 'You do not have permission to do this.', 'folder-auditor' ) );
+        }
-        $slug = isset( $_POST['slug'] ) ? sanitize_text_field( wp_unslash( $_POST['slug'] ) ) : '';
-        check_admin_referer( 'folder_auditor_download_' . $slug );
-        $folder = $this->get_safe_folder_path( $slug );
-        if ( ! $folder ) {
-            wp_die( esc_html__( 'Invalid folder.', 'folder-auditor' ) );
+        }
-        if ( ! class_exists( 'ZipArchive' ) ) {
-            wp_die( esc_html__( 'ZipArchive is not available on this server.', 'folder-auditor' ) );
+        }
-        // Build ZIP in temp (stream from disk to avoid memory spikes)
-        $zip_file = wp_tempnam( 'folder-auditor-' . $slug . '-' );
-        if ( ! $zip_file ) {
-            wp_die( esc_html__( 'Could not create a temporary ZIP file.', 'folder-auditor' ) );
+        }
-        $zip = new ZipArchive();
-        if ( true !== $zip->open( $zip_file, ZipArchive::CREATE | ZipArchive::OVERWRITE ) ) {
-            wp_delete_file( $zip_file ); // safe cleanup
-            wp_die( esc_html__( 'Failed to build ZIP.', 'folder-auditor' ) );
+        }
-        $base_len = strlen( trailingslashit( $folder ) );
-        $rii = new RecursiveIteratorIterator(
-            new RecursiveDirectoryIterator( $folder, FilesystemIterator::SKIP_DOTS )
-        );
-        foreach ( $rii as $fi ) {
-            if ( $fi->isFile() ) {
-                $full = $fi->getPathname();
-                $rel  = substr( $full, $base_len );
-                $zip->addFile( $full, $rel );
+            }
+        }
-        $zip->close();
-        $download_name = sanitize_file_name( $slug . '.zip' );
-        // Clean any open buffers (avoid corruption)
-        if ( function_exists( 'ob_get_level' ) ) {
-            while ( ob_get_level() ) { ob_end_clean(); }
+        }
-        $wp_filesystem = $this->fa_require_filesystem();
-        $size          = is_file( $zip_file ) ? (int) filesize( $zip_file ) : 0;
-        $bytes         = $wp_filesystem->get_contents( $zip_file );
-        nocache_headers();
-        header( 'Content-Type: application/zip' );
-        if ( $size > 0 ) {
-            header( 'Content-Length: ' . $size );
+        }
-        header( 'Content-Disposition: attachment; filename="' . rawurlencode( $download_name ) . '"' );
-        if ( false !== $bytes ) {
-            echo $bytes; // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped -- sending raw file bytes
+        }
-        wp_delete_file( $zip_file ); // remove temp file (no unlink())
-        exit;
+    }
-    /**
-     * Delete a plugin folder (recursive).
+     *
-     * Nonce: 'folder_auditor_delete_{slug}'
-     * POST:  slug
-     */
-    public function handle_delete() {
-        if ( ! $this->can_manage() ) {
-            wp_die( esc_html__( 'You do not have permission to do this.', 'folder-auditor' ) );
+        }
-        $slug = isset( $_POST['slug'] ) ? sanitize_text_field( wp_unslash( $_POST['slug'] ) ) : '';
-        check_admin_referer( 'folder_auditor_delete_' . $slug );
-        $folder = $this->get_safe_folder_path( $slug );
-        if ( ! $folder ) {
-            wp_die( esc_html__( 'Invalid folder.', 'folder-auditor' ) );
+        }
-        // Require Filesystem API and use it for recursive removal (no rmdir()/unlink() fallbacks)
-        $wp_filesystem = $this->fa_require_filesystem();
-        $ok            = $wp_filesystem->delete( $folder, true ); // recursive
-        if ( ! $ok ) {
-            wp_die( esc_html__( 'Failed to delete the folder (permissions?).', 'folder-auditor' ) );
+        }
-        // Redirect back to the auditor page with a success flag
-        $redirect = add_query_arg(
-            array(
-                'page'                   => self::MENU_SLUG,
-                'folder_auditor_deleted' => rawurlencode( $slug ),
-                // keep tab context if present
-                'tab'                    => isset( $_GET['tab'] ) ? sanitize_key( wp_unslash( $_GET['tab'] ) ) : 'plugins',
-            ),
-            admin_url( 'admin.php' )
-        );
-        wp_safe_redirect( $redirect );
-        exit;
+    }
+}

folder-auditor/trunk/includes/helpers/lock-system/traits/WPFA_Folder_Locker_Trait_FS.php

-                      r3369236
+                      r3395335
 /** Exclude wp-content/cache, Uploads exclusions, wp-content exclusions, and ABSPATH (root) exclusions. */
 protected static function is_excluded_path( $path ) {
+    $p = wp_normalize_path( $path );
+    $wp_content = wp_normalize_path( WP_CONTENT_DIR );
+    $abspath   = wp_normalize_path( trailingslashit( ABSPATH ) );
+    // 1) Exclude any folder under wp-content with "cache" in the name
+    $relative_path = str_replace( wp_normalize_path( $wp_content ) . '/', '', $p );
+    // Extract the top-level child folder name
+    $first_segment = explode( '/', $relative_path )[0];
+    if ( stripos( $first_segment, 'cache' ) !== false ) {
+        return true;
+    }
+    // 2) Uploads exclusions (relative to uploads basedir)
+    $uploads      = wp_get_upload_dir(); // ['basedir'=>...]
+    $uploads_base = isset( $uploads['basedir'] ) ? wp_normalize_path( $uploads['basedir'] ) : '';
+    $ex_uploads   = (array) get_option( 'wpfa_never_lock_uploads', array() );
+    if ( $uploads_base && ! empty( $ex_uploads ) ) {
+        foreach ( $ex_uploads as $slug ) {
+            $slug = ltrim( (string) $slug, "/\\" );
+            if ( '' === $slug ) { continue; }
+            $abs = wp_normalize_path( trailingslashit( $uploads_base ) . $slug );
+            if ( $p === $abs || 0 === strpos( $p, trailingslashit( $abs ) ) ) {
+                return true;
+            }
+    $p = wp_normalize_path( $path );
+    $wp_content = wp_normalize_path( WP_CONTENT_DIR );
+    $abspath    = wp_normalize_path( trailingslashit( ABSPATH ) );
+    $plugins    = wp_normalize_path( WP_PLUGIN_DIR );
+    // 1) Exclude any folder under wp-content with "cache" in the name
+    $relative_path = str_replace( $wp_content . '/', '', $p );
+    $first_segment = explode( '/', $relative_path )[0];
+    if ( stripos( $first_segment, 'cache' ) !== false ) {
+        return true;
+    }
+    // 2) Uploads exclusions
+    $uploads      = wp_get_upload_dir();
+    $uploads_base = isset( $uploads['basedir'] ) ? wp_normalize_path( $uploads['basedir'] ) : '';
+    $ex_uploads   = (array) get_option( 'wpfa_never_lock_uploads', array() );
+    if ( $uploads_base && ! empty( $ex_uploads ) ) {
+        foreach ( $ex_uploads as $slug ) {
+            $slug = ltrim( (string) $slug, "/\\" );
+            if ( '' === $slug ) { continue; }
+            $abs = wp_normalize_path( trailingslashit( $uploads_base ) . $slug );
+            if ( $p === $abs || strpos( $p, trailingslashit( $abs ) ) === 0 ) {
+                return true;
+            }
+        }
+    }
+    // 3) wp-content exclusions
+    $ex_content = (array) get_option( 'wpfa_never_lock_content', array() );
+    if ( ! empty( $ex_content ) ) {
+        foreach ( $ex_content as $slug ) {
+            $slug = ltrim( (string) $slug, "/\\" );
+            if ( '' === $slug ) { continue; }
+            $abs = wp_normalize_path( trailingslashit( $wp_content ) . $slug );
+            if ( $p === $abs || strpos( $p, trailingslashit( $abs ) ) === 0 ) {
+                return true;
+            }
+        }
+    }
+    // 4) ABSPATH exclusions
+    $ex_root = (array) get_option( 'wpfa_never_lock_root', array() );
+    if ( ! empty( $ex_root ) ) {
+        foreach ( $ex_root as $slug ) {
+            $slug = ltrim( (string) $slug, "/\\" );
+            if ( '' === $slug ) { continue; }
+            $abs = wp_normalize_path( $abspath . $slug );
+            if ( $p === $abs || strpos( $p, trailingslashit( $abs ) ) === 0 ) {
+                return true;
+            }
+        }
+    }
+    // 5) 🔥 Plugin exclusions (this was missing!)
+    $ex_plugins = (array) get_option( 'wpfa_never_lock_plugins', array() );
+    if ( ! empty( $ex_plugins ) ) {
+        foreach ( $ex_plugins as $slug ) {
+            $slug = ltrim( (string) $slug, "/\\" );
+            if ( '' === $slug ) continue;
+            $abs = wp_normalize_path( trailingslashit( $plugins ) . $slug );
+            // Match the plugin folder or anything inside it
+            if ( $p === $abs || strpos( $p, trailingslashit( $abs ) ) === 0 ) {
+                return true;
+            }
+        }
+    }
+    return false;
+}
+protected static function maybe_write_htaccess( $fs, $dir, $mode ) {
+            $ht    = wp_normalize_path( trailingslashit( $dir ) . '.htaccess' );
+            $rules = "# Folder Auditor - Lock Rules\n"
+                   . "<IfModule mod_rewrite.c>\nRewriteEngine On\n"
+                   . "RewriteCond %{REQUEST_METHOD} ^(PUT|DELETE|MOVE|COPY|MKCOL|PROPFIND|PROPPATCH|LOCK|UNLOCK|PATCH)$\n"
+                   . "RewriteRule ^ - [F,L]\n</IfModule>\n\n"
+                   . "<FilesMatch \"\\.php(?:\\.\\d+)?$\">\nRequire all denied\n</FilesMatch>\n"
+                   . "Options -Indexes\n";
+            if ( 'lock' === $mode ) {
+                $fs->put_contents( $ht, $rules, FS_CHMOD_FILE );
+                $fs->chmod( $ht, 0444, false, false );
+            } else {
+                if ( $fs->exists( $ht ) ) {
+                    $fs->chmod( $ht, 0644, false, false );
+                }
+            }
+        }
+    }
+    // 3) wp-content exclusions (relative to WP_CONTENT_DIR)
+    $ex_content = (array) get_option( 'wpfa_never_lock_content', array() );
+    if ( ! empty( $ex_content ) ) {
+        foreach ( $ex_content as $slug ) {
+            $slug = ltrim( (string) $slug, "/\\" );
+            if ( '' === $slug ) { continue; }
+            $abs = wp_normalize_path( trailingslashit( $wp_content ) . $slug );
+            if ( $p === $abs || 0 === strpos( $p, trailingslashit( $abs ) ) ) {
+                return true;
+            }
+        }
+    }
+    // 4) Root (ABSPATH) exclusions — for top-level non-core folders
+    $ex_root = (array) get_option( 'wpfa_never_lock_root', array() );
+    if ( ! empty( $ex_root ) ) {
+        foreach ( $ex_root as $slug ) {
+            $slug = ltrim( (string) $slug, "/\\" );
+            if ( '' === $slug ) { continue; }
+            $abs = wp_normalize_path( $abspath . $slug );
+            // Only match top-level dir and its subtree
+            if ( $p === $abs || 0 === strpos( $p, trailingslashit( $abs ) ) ) {
+                return true;
+            }
+        }
+    }
+    return false;
+    }
+}
-protected static function maybe_write_htaccess( $fs, $dir, $mode ) {
-            $ht    = wp_normalize_path( trailingslashit( $dir ) . '.htaccess' );
-            $rules = "# Folder Auditor - Lock Rules\n"
-                   . "<IfModule mod_rewrite.c>\nRewriteEngine On\n"
-                   . "RewriteCond %{REQUEST_METHOD} ^(PUT|DELETE|MOVE|COPY|MKCOL|PROPFIND|PROPPATCH|LOCK|UNLOCK|PATCH)$\n"
-                   . "RewriteRule ^ - [F,L]\n</IfModule>\n\n"
-                   . "<FilesMatch \"\\.php(?:\\.\\d+)?$\">\nRequire all denied\n</FilesMatch>\n"
-                   . "Options -Indexes\n";
-            if ( 'lock' === $mode ) {
-                $fs->put_contents( $ht, $rules, FS_CHMOD_FILE );
-                $fs->chmod( $ht, 0444, false, false );
-            } else {
-                if ( $fs->exists( $ht ) ) {
-                    $fs->chmod( $ht, 0644, false, false );
+                }
+            }
+        }
+    }
+}

folder-auditor/trunk/includes/views/view-plugins.php

-                      r3381342
+                      r3395335
 <?php
+$never_lock_plugins = (array) get_option( 'wpfa_never_lock_plugins', array() );
 // Ignore these slugs everywhere (counts + tables)
 …
         <th><?php esc_html_e( 'Actions', 'folder-auditor' ); ?></th>
+        <th><?php esc_html_e( 'Lock Status', 'folder-auditor' ); ?></th>
     </tr>
 …
         <?php if ( empty( $plugin_rows ) ) : ?>
             <tr><td colspan="4"><?php esc_html_e( 'No plugins found.', 'folder-auditor' ); ?></td></tr>
+            <tr><td colspan="5"><?php esc_html_e( 'No plugins found.', 'folder-auditor' ); ?></td></tr>
         <?php else : foreach ( $plugin_rows as $row ) :
             $slug = $row['folder_slug'];
+    $never_lock_list = isset( $never_lock_plugins ) ? (array) $never_lock_plugins : array();
+    $is_excluded     = in_array( $slug, $never_lock_list, true );
+    $toggle_action = $is_excluded
+        ? 'folder_auditor_plugin_allow_lock'
+        : 'folder_auditor_plugin_never_lock';
+    $toggle_nonce = wp_create_nonce( 'fa_plugin_toggle_' . $slug );
             $is_active = is_plugin_active( $row['plugin_file'] );
 …
                 </td>
+                        <td>
+            <?php
+            // Lock Status toggle button (copy of uploads UI, just plugin-specific action/nonce)
+            ?>
+            <form style="display:inline;" method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
+                <input type="hidden" name="action" value="<?php echo esc_attr( $toggle_action ); ?>">
+                <input type="hidden" name="slug"   value="<?php echo esc_attr( $slug ); ?>">
+                <input type="hidden" name="_wpnonce" value="<?php echo esc_attr( $toggle_nonce ); ?>">
+                <button type="submit"
+                    class="button folder-toggle-button <?php echo $is_excluded ? 'folder-unlocked' : 'folder-locked'; ?>">
+                    <span class="dashicons <?php echo $is_excluded ? 'dashicons-unlock' : 'dashicons-lock'; ?>"></span>
+                    <span class="label">
+                        <?php echo $is_excluded
+                            ? esc_html__( 'Never Lock', 'folder-auditor' )
+                            : esc_html__( 'Allow Lock', 'folder-auditor' ); ?>
+                    </span>
+                </button>
+            </form>
+        </td>
             </tr>

folder-auditor/trunk/readme.txt

-                      r3395071
+                      r3395335
 Tested up to: 6.8
 Requires PHP: 7.4
 Stable tag: 4.9.1
+Stable tag: 4.9.2
 License: GPLv2 or later
 License URI: https://www.gnu.org/licenses/gpl-2.0.html
 …
 == Changelog ==
+= 4.9.2 =
+* Can now exclude single plugins from Site Lock
 = 4.9.1 =
 * Added new infection patterns to stop false positives
 …
 == Upgrade Notice ==
+= 4.9.2 =
+* Can now exclude single plugins from Site Lock
 = 4.9.1 =
 * Added new infection patterns to stop false positives

Note: See TracChangeset for help on using the changeset viewer.

Trac UI Preferences

Plugin Directory

Context Navigation

Changeset 3395335

Legend:

folder-auditor/trunk/folder-auditor.php

folder-auditor/trunk/includes/handlers/handler-actions.php

folder-auditor/trunk/includes/handlers/handler-plugins.php

folder-auditor/trunk/includes/helpers/lock-system/traits/WPFA_Folder_Locker_Trait_FS.php

folder-auditor/trunk/includes/views/view-plugins.php

folder-auditor/trunk/readme.txt

Download in other formats: