Manage Your Old Core Files: Introducing OCF

Over the past week I’ve been working with Rami Yushuvaev on a small utility plugin that helps you stay on top of your site’s security by telling you about old core files that may still exist in your installation’s file-system. Not only are old core files deprecated, they can also expose your site to unnecessary risk.


It’s time to make sure you’re protected!

View & Download on WordPress.org
Review on WPBeginner

9 Comments

  1. Love this – definitely gonna tweet this out later today. The more people who know, the better ;).

    Killer work, guys.

    Reply

    1. Thanks for the support, Tom! As always, it’s much appreciated :)
This is yet another aspect that is lacking attention in conversations about WordPress security. It’s about time people take these things into account and add ‘em to the mix!

      Reply

  2. Interesting plugin. In what scenario would the core upgrade have access to perform the upgrade (overwriting and adding files) but not have access to delete files?

    Reply

    1. So the most common scenario (that at least I thought of) for that is, if a user upgrades WordPress manually (and not using the built-in upgrade process). In that scenario a user will either:

      • Copy the new files over the old ones (some old core files will still remain)
      • Upload a ZIP file of a new WP version, unzip it (again, leaving some old core files behind)

      Now these files that were left behind shouldn’t be there. And if the server or the PHP handler will not have the permissions to delete these files, they will stay there. So right now we haven’t figured out a way to actually delete these old files (since if the server can’t delete them, it just can’t). It might be possible to find a workaround (for instance, allowing the user to use a different WP_Filesystem method).

      If you have any ideas on how to do that, I’d appreciate if you can share them.

      It’s also worth noting that as of this moment, all this plugin does is – it lists the old files that exist in the filesystem, and nothing beyond that.

      Reply

    2. Hmm, if they’re upgrading manually, shouldn’t they just remove all files that aren’t wp-config.php and wp-content/ before copying the new files?

I guess it’s possible that non-WP files have been mixed in with the core files. It’s bad practice, but I’ve seen it plenty of times. For example, a PHP file in the root folder that does something on its own, unrelated to WP. You wouldn’t want to remove those files.

      I think another scenario where this plugin would be very handy is when a developer starts work on a WP install that had previously been built/maintained by another developer and there’s no docs. Pretty typical scenario in my experience.

In this case, it would be great if the plugin also identified non-WP files and any core files that were modified. Unfortunately, some developers still hack the core.

      Reply

      1. if they’re upgrading manually, shouldn’t they just remove all files that aren’t wp-config.php and wp-content/ before copying the new files?

That’s a valid point. The issue is that not all users actually know that it’s a good practice to delete all files but the ones in /wp-content/ — and that’s unfortunate. Plus, you’re right, we shouldn’t be messing with the users’ files that don’t belong to core. That might not be fair, since it’s really up to the user to decide. I actually had a scenario on a site I’ve been working on where the client was so fanatic about security that they wanted to password-protect the /wp-admin/ directory. Now guess what that means? If visitors were to initiate an AJAX call from the front-end, they would get a 403 Forbidden HTTP error instead of what they’re expecting. For that case I created a proxy file and placed it right in the root of the installation. What it did was basically offload the request to wp-admin/admin-ajax.php, so all AJAX calls were working properly.

Anyway, Old Core Files is not really about searching the filesystem for “odd” files. What it does is pretty simple: it iterates the $_old_files array (that stores a relative path for each and every old file that ever existed) and checks each of these files against the user’s filesystem. If the file exists, it will get listed on the dashboard page. Otherwise, all is good!

In this case, it would be great if the plugin also identified non-WP files and any core files that were modified. Unfortunately, some developers still hack the core.

I am almost certain that a plugin called Better WP Security does exactly that. Not too sure about what happens if you add a foreign file to the installation, but I do know that it sends alerts if a core file was changed. Which is great. And it would be even better if this (and other security plugins) would utilize what Old Core Files does.

        Reply
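The check described in the reply above, as an added example that is not the Old Core Files plugin’s own code: walk a list of relative paths (in WordPress that is the global $_old_files from wp-admin/includes/update-core.php), and report which entries still exist as files under the install root. The demo directory, the file it creates and the two-entry stand-in list are constructed here; the function name ocf_find_existing_old_files is an assumption.

```php
<?php
/**
 * Return the entries of $relative_paths that still exist as files below $root.
 *
 * @param string[] $relative_paths Paths relative to the install root (e.g. $_old_files).
 * @param string   $root           Install root, normally ABSPATH.
 * @return string[] Relative paths of leftover files, in the order given.
 */
function ocf_find_existing_old_files( array $relative_paths, $root ) {
    $real_root = realpath( $root );
    if ( false === $real_root ) {
        return array();
    }
    $prefix = rtrim( $real_root, DIRECTORY_SEPARATOR ) . DIRECTORY_SEPARATOR;
    $found  = array();

    foreach ( $relative_paths as $relative ) {
        $real = realpath( $prefix . ltrim( $relative, '/\\' ) );
        // Skip missing entries, and anything that resolves outside the root
        // (a symlinked leftover must not make us report files elsewhere).
        if ( false === $real || 0 !== strpos( $real, $prefix ) || ! is_file( $real ) ) {
            continue;
        }
        $found[] = $relative;
    }
    return $found;
}

// Self-contained demo on a constructed throwaway install (no real WordPress needed).
$root = sys_get_temp_dir() . '/ocf-demo-' . uniqid();
mkdir( $root . '/wp-admin', 0700, true );
file_put_contents( $root . '/wp-admin/leftover-example.php', "<?php // constructed sample\n" );

// Constructed stand-in for $_old_files: one file present, one already removed.
$sample_old_files = array( 'wp-admin/leftover-example.php', 'wp-admin/gone-example.php' );

foreach ( ocf_find_existing_old_files( $sample_old_files, $root ) as $leftover ) {
    echo 'Old core file still present: ' . $leftover . "\n";
}

// Clean up the constructed demo directory.
unlink( $root . '/wp-admin/leftover-example.php' );
rmdir( $root . '/wp-admin' );
rmdir( $root );

// On a real site, load the core list instead of the sample:
//   require_once ABSPATH . 'wp-admin/includes/update-core.php';
//   $leftovers = ocf_find_existing_old_files( $GLOBALS['_old_files'], ABSPATH );
```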

        1. Ah, perfect. I didn’t know about Better WP Security. Thanks for the tip. Also, thanks for writing and releasing your plugin. It may come in handy. :)

          Reply

          1. Sure thing! Better WP Security is a pretty solid plugin.

            Thanks for stopping by, and have a nice weekend!

  3. […] 2. Remove Old Core Files via Maor Chasen […]

    Reply
