#!/usr/bin/env bash
# wp-cross-site-check.sh, audit a shared hosting environment for cross-site contamination risk.
# Source: https://techearl.com/wordpress-shared-hosting-cross-site-contamination
# Site:   https://techearl.com/
# Reports the ownership, permissions, and PHP isolation status of every WordPress site
# in the same parent directory.
#
# Usage: ./wp-cross-site-check.sh /path/to/one-of-your-wordpress-sites

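set -eu

#######################################
# Print "user:group" of a file, GNU stat first, BSD/macOS stat as fallback.
# Arguments: $1 - path
# Outputs:   owner on stdout; empty (and status 0) if neither stat works
#######################################
file_owner() {
  local path=$1
  stat -c '%U:%G' -- "$path" 2>/dev/null \
    || stat -f '%Su:%Sg' -- "$path" 2>/dev/null \
    || true
}

#######################################
# Print the octal mode of a file, GNU stat first, BSD/macOS stat as fallback.
# Arguments: $1 - path
# Outputs:   mode (e.g. 640) on stdout; empty (and status 0) if stat fails
#######################################
file_perms() {
  local path=$1
  stat -c '%a' -- "$path" 2>/dev/null \
    || stat -f '%Lp' -- "$path" 2>/dev/null \
    || true
}

#######################################
# List every wp-config.php up to three levels below a directory.
# Arguments: $1 - parent directory
# Outputs:   one path per line on stdout; nothing if the directory is missing
# Returns:   always 0 (find's own errors are not propagated)
#######################################
find_wp_configs() {
  local parent=$1
  # Permission errors are deliberately hidden: a sibling tree this account
  # cannot even enter is the isolated (good) case and would only add noise.
  find "$parent" -maxdepth 3 -type f -name 'wp-config.php' 2>/dev/null || true
}

#######################################
# Section 1: print every site found plus the mode and owner of its wp-config.
# Arguments: $1 - parent directory
# Outputs:   report lines on stdout
#######################################
section_sites() {
  local parent=$1 cfg perms note found=0
  while IFS= read -r cfg; do
    found=1
    perms=$(file_perms "$cfg")
    note=''
    # Any "other" read bit on wp-config.php exposes DB credentials to every
    # local account regardless of ownership; flag it inline.
    if [[ -n "$perms" ]] && (( (8#$perms & 4) != 0 )); then
      note='  <- world-readable'
    fi
    printf '  %s\n' "$(dirname -- "$cfg")"
    printf '    wp-config.php  perms=%s  owner=%s%s\n' "$perms" "$(file_owner "$cfg")" "$note"
  done < <(find_wp_configs "$parent")
  (( found )) || printf '  (none found, or sibling directories are not traversable by %s)\n' "$(id -un)"
}

#######################################
# Section 2: report whether all visible wp-config.php files share one owner.
# Arguments: $1 - parent directory
# Outputs:   report lines on stdout
#######################################
section_ownership() {
  local parent=$1 cfg owner
  local -a users=()
  while IFS= read -r cfg; do
    owner=$(file_owner "$cfg")
    users+=("${owner%%:*}")
  done < <(find_wp_configs "$parent")

  # Zero or one site: "all owned by the same user" would be vacuously true
  # and the original unconditional WARNING was misleading here.
  if (( ${#users[@]} == 0 )); then
    printf '  No wp-config.php found under %s; nothing to compare.\n' "$parent"
    return 0
  fi
  if (( ${#users[@]} == 1 )); then
    echo "  Only one site visible from this account; nothing to compare."
    return 0
  fi

  local -a unique
  mapfile -t unique < <(printf '%s\n' "${users[@]}" | LC_ALL=C sort -u)
  if (( ${#unique[@]} == 1 )); then
    printf '  WARNING: All wp-config.php files are owned by the same user: %s\n' "${unique[0]}"
    echo "  -> Cross-site contamination is possible structurally."
  else
    echo "  OK: Multiple owners detected, proper per-site isolation."
    printf '  %s\n' "${unique[@]}"
  fi
}

#######################################
# Section 3: show open_basedir / disable_functions as seen by the PHP CLI.
# Outputs:   report lines on stdout
#######################################
section_php() {
  local php_bin ini openbase disfns
  # Under set -e a plain "$(command -v php)" assignment would abort the whole
  # audit when php is absent; tolerate a missing binary instead.
  php_bin=$(command -v php || true)
  if [[ -z "$php_bin" ]]; then
    echo "  php CLI not found in PATH; skipping."
    return 0
  fi
  # The CLI SAPI reads its own php.ini; php-fpm / mod_php may load another
  # file or per-pool overrides, so these values are a hint, not the answer.
  ini=$("$php_bin" -r 'echo php_ini_loaded_file();' 2>/dev/null || true)
  printf '  (values from the CLI php.ini %s; the web SAPI may differ)\n' "${ini:-(none)}"
  openbase=$("$php_bin" -r 'echo ini_get("open_basedir");' 2>/dev/null || true)
  if [[ -n "$openbase" ]]; then
    printf '  open_basedir is set: %s\n' "$openbase"
  else
    echo "  open_basedir is NOT set, PHP can read any file the running user owns."
  fi
  disfns=$("$php_bin" -r 'echo ini_get("disable_functions");' 2>/dev/null || true)
  printf '  disable_functions: %s\n' "${disfns:-<none>}"
}

#######################################
# Section 4: look for Apache user-switching modules (suexec / ruid2 / itk).
# Outputs:   matching "-M" lines, or a one-line verdict, on stdout
#######################################
section_apache() {
  local ctl found=''
  for ctl in apachectl apache2ctl httpd; do
    if command -v "$ctl" >/dev/null 2>&1; then
      found=$ctl
      break
    fi
  done
  if [[ -z "$found" ]]; then
    echo "  Apache not detected (Nginx or other)."
    return 0
  fi
  # "-M" often needs root to parse the full config; errors are silenced, so an
  # empty result can also mean "could not read the config".
  "$found" -M 2>/dev/null | grep -iE 'suexec|ruid|itk_module|mpm_itk' \
    || echo "  None loaded, Apache PHP runs as the shared web user."
}

#######################################
# Section 5: list PHP-FPM pool files and the user/group each pool runs as.
# Outputs:   report lines on stdout
#######################################
section_fpm() {
  local pooldir pool
  local -a pools
  for pooldir in /etc/php/*/fpm/pool.d /etc/php-fpm.d; do
    [[ -d "$pooldir" ]] || continue
    printf '  %s:\n' "$pooldir"
    pools=("$pooldir"/*.conf)
    # Without nullglob an unmatched pattern stays literal; the original
    # "ls | head || echo" never reached its fallback because head succeeds.
    if [[ ! -e "${pools[0]}" ]]; then
      echo "    (no pool configs found)"
      continue
    fi
    for pool in "${pools[@]:0:10}"; do
      printf '    %s\n' "$pool"
      # The pool's user/group is the real isolation boundary: one pool per
      # site that all run as the same user gives no per-site separation.
      grep -hE '^[[:space:]]*(user|group)[[:space:]]*=' -- "$pool" 2>/dev/null \
        | sed 's/^/      /' || true
    done
  done
}

#######################################
# Section 6: test whether this shell can read sibling sites' wp-config.php.
# Arguments: $1 - caller's site directory (normalised)
#            $2 - parent directory
# Outputs:   report lines on stdout
#######################################
section_crossread() {
  local one_site=$1 parent=$2 me_cfg sib
  me_cfg="$one_site/wp-config.php"
  if [[ ! -f "$me_cfg" ]]; then
    printf "  Caller's wp-config not found at %s; skipping.\n" "$me_cfg"
    return 0
  fi
  # This probes the invoking account, not the user PHP runs as for each site;
  # siblings owned by that same account are expected to be readable here.
  printf '  (testing as %s)\n' "$(id -un)"
  while IFS= read -r sib; do
    [[ "$sib" == "$me_cfg" ]] && continue
    if [[ -r "$sib" ]]; then
      printf '  READABLE from this shell: %s\n' "$sib"
    else
      printf '  NOT READABLE: %s\n' "$sib"
    fi
  done < <(find_wp_configs "$parent")
}

#######################################
# Print the closing interpretation banner.
# Outputs:   banner on stdout
#######################################
print_summary() {
  echo
  echo "========================================="
  echo "  If section 2 shows shared ownership AND"
  echo "  section 6 shows readable siblings, you"
  echo "  have the cross-contamination risk."
  echo "========================================="
}

#######################################
# Run the whole audit.
# Arguments: $1 - path to one of the caller's WordPress sites (default: $PWD)
# Outputs:   the full report on stdout
#######################################
main() {
  local one_site=${1:-$PWD} parent resolved
  # Normalise the caller's path (relative form, trailing slash, "." parts) so
  # the self-comparison in section 6 matches the paths find prints. A path
  # that cannot be entered is kept as given, as the original script did.
  if resolved=$(CDPATH= cd -- "$one_site" 2>/dev/null && pwd); then
    one_site=$resolved
  fi
  parent=$(dirname -- "$one_site")

  echo "========================================="
  echo "  Cross-site contamination audit"
  printf '  Parent directory: %s\n' "$parent"
  echo "========================================="

  echo
  printf -- '--- 1. WordPress sites in %s ---\n' "$parent"
  section_sites "$parent"

  echo
  echo "--- 2. Ownership consistency check ---"
  section_ownership "$parent"

  echo
  echo "--- 3. PHP isolation configuration ---"
  section_php

  echo
  echo "--- 4. Apache user-switching modules (if Apache) ---"
  section_apache

  echo
  echo "--- 5. PHP-FPM pool configuration ---"
  section_fpm

  echo
  echo "--- 6. Practical cross-read test ---"
  # A missing wp-config no longer exits the script, so the summary below
  # is always printed.
  section_crossread "$one_site" "$parent"

  print_summary
}

main "$@"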
