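#!/usr/bin/env bash
# wp-security-plugin-check.sh, detect whether a WordPress security plugin has been
# silently disabled. Runs read-only checks for the known mechanisms: deactivation
# in wp_options, renamed/hidden plugin directories, permission or ownership
# tampering, mu-plugin and drop-in injection, and remove_action/remove_filter
# calls aimed at the plugin's hooks.
# Source: https://techearl.com/wordpress-security-plugin-silently-disabled
# Site:   https://techearl.com/
#
# Usage: ./wp-security-plugin-check.sh /path/to/wordpress
#
# Requires bash and either GNU or BSD stat/find/grep. wp-cli is optional: checks
# 1 and 2 are skipped with a notice when it is not on PATH instead of aborting
# the whole run silently (the original behaviour under set -e with stderr muted).
# The script never modifies the site; exit status is non-zero only on usage
# errors, not on findings. Read the output.

set -eu
shopt -s nullglob  # an empty plugins dir must yield zero loop iterations, not a literal "*/"

die() { printf 'error: %s\n' "$*" >&2; exit 1; }

# file_owner PATH, prints the owner name. GNU stat first, BSD stat as fallback.
file_owner() { stat -c '%U' "$1" 2>/dev/null || stat -f '%Su' "$1"; }
# file_mode PATH, prints the octal permission bits (e.g. 644), GNU then BSD.
file_mode() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

WP_ROOT="${1:-$PWD}"
[ -d "$WP_ROOT" ] || die "not a directory: $WP_ROOT"
PLUGINS_DIR="$WP_ROOT/wp-content/plugins"

echo "========================================="
echo "  Security plugin disablement check"
echo "  WP root: $WP_ROOT"
echo "========================================="

# Checks 1-2 ask WordPress itself via wp-cli. wp-cli bootstraps the site's own
# PHP, so any mu-plugin or drop-in (checks 6-7) executes inside this call and
# could tamper with the listing; treat it as one signal, not ground truth.
# --allow-root is kept for parity with the original; wp-cli refuses root by
# default because that runs site PHP as root. Prefer running as the web user.
wp_list() {
  wp plugin list --status="$1" --format=table --fields=name,version,status \
    --path="$WP_ROOT" --allow-root 2>/dev/null \
    || echo "  (wp plugin list --status=$1 failed; rerun by hand to see the error)"
}
if command -v wp >/dev/null 2>&1; then
  HAVE_WP=1
else
  HAVE_WP=0
fi

echo
echo "--- 1. Active plugins (from wp_options.active_plugins) ---"
if [ "$HAVE_WP" -eq 1 ]; then
  wp_list active
else
  echo "  (wp-cli not found in PATH, skipped)"
fi

echo
echo "--- 2. Inactive plugins (installed on disk but not loading) ---"
if [ "$HAVE_WP" -eq 1 ]; then
  wp_list inactive
else
  echo "  (wp-cli not found in PATH, skipped)"
fi

echo
echo "--- 3. Known security plugins, present on disk? ---"
KNOWN=(wordfence sucuri-scanner jetpack wp-security-audit-log wp-2fa
  limit-login-attempts-reloaded wps-hide-login better-wp-security)
for p in "${KNOWN[@]}"; do
  if [ -d "$PLUGINS_DIR/$p" ]; then
    echo "  PRESENT: $p"
  fi
done

echo
echo "--- 4. Hidden / renamed plugin directories ---"
# Match on entry names rather than parsing "ls -la" lines, which also matched
# "." and ".." and any timestamp containing a dot. Flags dotfiles/dirs,
# directories with a dot in the name (e.g. wordfence.bak) and common rename
# suffixes. Hits are shown with ls -ld so owner/mode/mtime are visible.
renamed=$(find "$PLUGINS_DIR" -mindepth 1 -maxdepth 1 \
  \( -name '.*' -o \( -type d -name '*.*' \) -o -name '*-bak*' -o -name '*-old*' \
  -o -name '*-tmp*' -o -name '*_disabled*' -o -name '*.disabled' \) \
  -exec ls -ld {} + 2>/dev/null || true)
if [ -n "$renamed" ]; then
  printf '%s\n' "$renamed"
else
  echo "  (no hidden / renamed plugin directories)"
fi

echo
echo "--- 5. Permission / ownership anomalies on plugin main files ---"
# The owner of wp-config.php is taken as the expected owner of plugin files.
# This is a heuristic: hosts that deliberately root-own wp-config.php will
# flag every plugin, so read the owner column before acting on a hit.
CONFIG=""
# WordPress also honours a wp-config.php one directory above the install root.
for c in "$WP_ROOT/wp-config.php" "$WP_ROOT/../wp-config.php"; do
  if [ -f "$c" ]; then
    CONFIG=$c
    break
  fi
done
if [ -z "$CONFIG" ]; then
  echo "  (wp-config.php not found, skipped)"
else
  WEB_USER=$(file_owner "$CONFIG")
  for d in "$PLUGINS_DIR"/*/; do
    name=$(basename "$d")
    # Convention only: a plugin's main file is usually <dir>/<dir>.php but need
    # not be; plugins that deviate are simply not inspected here.
    main="$d$name.php"
    [ -f "$main" ] || continue
    owner=$(file_owner "$main")
    perms=$(file_mode "$main")
    # 644 and 664 are both accepted (group-writable setups are common).
    if [ "$owner" != "$WEB_USER" ] || { [ "$perms" != "644" ] && [ "$perms" != "664" ]; }; then
      echo "  ANOMALY: $main  perms=$perms owner=$owner (expected 644/664 $WEB_USER)"
    fi
  done
fi

echo
echo "--- 6. mu-plugins (anything here is suspicious if you didn't put it there) ---"
ls -la "$WP_ROOT/wp-content/mu-plugins/" 2>/dev/null || echo "  (mu-plugins directory absent, normal)"

echo
echo "--- 7. Drop-in files ---"
# Every file WordPress loads from wp-content as a drop-in (no activation
# needed, executed before plugins). db.php and object-cache.php are the usual
# hiding places; the rest are listed so a stray one is not missed.
for f in advanced-cache.php object-cache.php db.php db-error.php sunrise.php \
  maintenance.php php-error.php fatal-error-handler.php install.php; do
  if [ -f "$WP_ROOT/wp-content/$f" ]; then
    echo "  PRESENT: wp-content/$f"
  fi
done

echo
echo "--- 8. Hook-removal patterns targeting security plugins ---"
# Files that unhook a security plugin, excluding the plugins' own trees (they
# legitimately remove their own actions). Capped at 20 paths; drop the head
# for the full list.
hooks=$(grep -rlE --include='*.php' \
  "remove_action.*['\"]?(wordfence|sucuri|jetpack|wp_security_audit_log)|remove_filter.*['\"]?(wordfence|sucuri|jetpack)" \
  "$WP_ROOT/wp-content/" 2>/dev/null \
  | grep -vE '/plugins/(wordfence|sucuri-scanner|jetpack|wp-security-audit-log)/' \
  | head -20 || true)
if [ -n "$hooks" ]; then
  printf '%s\n' "$hooks"
else
  echo "  (none found)"
fi

echo
echo "========================================="
echo "  If any check turned up an anomaly,"
echo "  treat the site as compromised and run"
echo "  the full malware-removal playbook."
echo "========================================="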
