ealmeida/claude-plugins
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
main
claude-plugins/wordpress/skills/wp-hardening/SKILL.md
Emanuel Almeida 6b3a6f2698 feat: refactor 30+ skills to Anthropic progressive disclosure pattern 
- All SKILL.md files now <500 lines (avg reduction 69%)
- Detailed content extracted to references/ subdirectories
- Frontmatter standardised: only name + description (Anthropic standard)
- New skills: brand-guidelines, spec-coauthor, report-templates, skill-creator
- Design skills: anti-slop guidelines, premium-proposals reference
- Removed non-standard frontmatter fields (triggers, version, author, category)

Plugins affected: infraestrutura, marketing, dev-tools, crm-ops, gestao,
core-tools, negocio, perfex-dev, wordpress, design-media

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-12 15:05:03 +00:00

11 KiB
Raw Permalink Blame History

name, description
name description
wp-hardening Aplicar hardening de seguranca standard a sites WordPress via SSH. Desactiva XML-RPC, file editing, directory listing, esconde versao WP, verifica permissoes e security headers.

/wp-hardening - Hardening WordPress

Aplica medidas de hardening standard a sites WordPress no servidor CWP (176.9.3.158).

Nota: Esta skill APLICA alteracoes. Para auditar sem alterar, usar /security-check.

Contexto NotebookLM

ANTES de executar, consultar notebook para contexto:

Notebook ID Consultar quando
WordPress e Elementor 5be0d1a6 Sempre 
mcp__notebooklm__notebook_query({
  notebook_id: "5be0d1a6-00f2-4cd9-b835-978cb7721601",
  query: "wordpress security hardening best practices"
})

Uso

/wp-hardening descomplicar.pt
/wp-hardening all                    # todos os 16 sites
/wp-hardening descomplicar.pt --dry  # apenas verificar, sem aplicar

Argumento: dominio do site (ver tabela de sites em /wp-update) ou all. Flag --dry: apenas verifica estado actual sem aplicar alteracoes.

Sites WordPress no servidor

Conta Site Path
carstuff carstuff.pt /home/carstuff/public_html
ealmeida descomplicar.pt /home/ealmeida/public_html
ealmeida emanuelalmeida.pt /home/ealmeida/emanuelalmeida.pt
ealmeida ecommerce.descomplicar.pt /home/ealmeida/ecommerce.descomplicar.pt
ealmeida ecommerce-demo.descomplicar.pt /home/ealmeida/ecommerce-demo.descomplicar.pt
ealmeida starter.descomplicar.pt /home/ealmeida/starter.descomplicar.pt
ealmeida care.descomplicar.pt /home/ealmeida/care.descomplicar.pt
ealmeida e-commerce.descomplicar.pt /home/ealmeida/e-commerce.descomplicar.pt
espiral espiralsenior.pt /home/espiral/public_html
espiral dev.espiralsenior.pt /home/espiral/dev.espiralsenior.pt
familycl familyclinic.pt /home/familycl/public_html
ignition ignitionvortex.pt /home/ignition/public_html
karate karateclubedegaia.com /home/karate/karateclubedegaia.com
sintri sintricare.com.pt /home/sintri/public_html
solarfv solarfvengenharia.com /home/solarfv/public_html
wtc watercontrol.pt /home/wtc/public_html

Execucao

Passo 0: Identificar site e path

Mapear o dominio fornecido para o path e conta do servidor usando a tabela acima.

SITE="dominio.pt"
WP_PATH="/home/USER/public_html"
WP_USER="user"

Passo 1: Verificar estado actual (antes)

Executar via mcp__ssh-unified__ssh_execute no servidor cwp:

# 1. XML-RPC activo?
curl -s -o /dev/null -w "%{http_code}" -X POST "${SITE}/xmlrpc.php" -d '<?xml version="1.0"?><methodCall><methodName>system.listMethods</methodName></methodCall>'

# 2. DISALLOW_FILE_EDIT definido?
grep -c "DISALLOW_FILE_EDIT" ${WP_PATH}/wp-config.php

# 3. Permissoes directórios (esperado: 755)
find ${WP_PATH} -type d -not -perm 755 | head -10

# 4. Permissoes ficheiros (esperado: 644)
find ${WP_PATH} -type f -not -perm 644 -not -name "wp-config.php" | head -10

# 5. Versao WP exposta no HTML?
curl -s ${SITE} | grep -o 'content="WordPress [0-9.]*"' | head -1

# 6. Versao WP exposta no feed?
curl -s ${SITE}/feed/ | grep -o '<generator>.*</generator>' | head -1

# 7. Directory listing activo?
curl -s -o /dev/null -w "%{http_code}" ${SITE}/wp-content/uploads/

# 8. wp-config.php permissoes (esperado: 400 ou 440)
stat -c "%a" ${WP_PATH}/wp-config.php

# 9. .htaccess security headers?
grep -c "X-Frame-Options\|X-Content-Type-Options\|X-XSS-Protection\|Referrer-Policy\|Content-Security-Policy\|Strict-Transport-Security" ${WP_PATH}/.htaccess 2>/dev/null

# 10. debug.log exposto?
test -f ${WP_PATH}/wp-content/debug.log && echo "EXPOSTO" || echo "OK"

Registar cada resultado como ANTES.

Passo 2: Aplicar hardening (se nao --dry)

Regra: Fazer backup de cada ficheiro ANTES de alterar.

2.1 Desactivar XML-RPC

# Backup .htaccess
cp ${WP_PATH}/.htaccess ${WP_PATH}/.htaccess.bak.$(date +%Y%m%d)

# Adicionar bloqueio XML-RPC ao .htaccess (antes de # BEGIN WordPress)
sed -i '/# BEGIN WordPress/i \
# BEGIN Block XML-RPC\
<Files xmlrpc.php>\
  Require all denied\
</Files>\
# END Block XML-RPC\
' ${WP_PATH}/.htaccess

Excepcao: Se o site usa JetPack ou aplicacao mobile WP, NAO desactivar XML-RPC. Verificar primeiro:

sudo -u ${WP_USER} wp plugin list --status=active --path=${WP_PATH} | grep -i "jetpack"

2.2 Desactivar file editing (DISALLOW_FILE_EDIT)

# Backup wp-config.php
cp ${WP_PATH}/wp-config.php ${WP_PATH}/wp-config.php.bak.$(date +%Y%m%d)

# Adicionar se nao existir
grep -q "DISALLOW_FILE_EDIT" ${WP_PATH}/wp-config.php || \
  sed -i "/\/\* That's all, stop editing/i define('DISALLOW_FILE_EDIT', true);" ${WP_PATH}/wp-config.php

2.3 Corrigir permissoes

# Directorios: 755
find ${WP_PATH} -type d -exec chmod 755 {} \;

# Ficheiros: 644
find ${WP_PATH} -type f -exec chmod 644 {} \;

# wp-config.php: 440 (leitura apenas para owner e grupo)
chmod 440 ${WP_PATH}/wp-config.php

# Corrigir ownership
chown -R ${WP_USER}:${WP_USER} ${WP_PATH}

2.4 Esconder versao WordPress

# Adicionar ao functions.php do tema activo (via wp-cli)
THEME_PATH=$(sudo -u ${WP_USER} wp theme path --path=${WP_PATH})/$(sudo -u ${WP_USER} wp theme list --status=active --field=name --path=${WP_PATH})

# Verificar se ja tem o filtro
grep -q "remove_action.*wp_head.*wp_generator" ${THEME_PATH}/functions.php 2>/dev/null
if [ $? -ne 0 ]; then
  # Alternativa robusta: usar mu-plugin (nao se perde em updates de tema)
  mkdir -p ${WP_PATH}/wp-content/mu-plugins
  cat > ${WP_PATH}/wp-content/mu-plugins/dsc-hardening.php << 'MUEOF'
<?php
/**
 * Descomplicar - WordPress Hardening
 * Esconde versao WP, desactiva XML-RPC via filtro, remove headers desnecessarios.
 */

// Esconder versao WP
remove_action('wp_head', 'wp_generator');
add_filter('the_generator', '__return_empty_string');

// Remover versao dos scripts e styles
function dsc_remove_version_scripts_styles($src) {
    if (strpos($src, 'ver=')) {
        $src = remove_query_arg('ver', $src);
    }
    return $src;
}
add_filter('style_loader_src', 'dsc_remove_version_scripts_styles', 9999);
add_filter('script_loader_src', 'dsc_remove_version_scripts_styles', 9999);

// Desactivar XML-RPC via filtro (complemento ao .htaccess)
add_filter('xmlrpc_enabled', '__return_false');

// Remover link do REST API do header (opcional, reduz surface)
remove_action('wp_head', 'rest_output_link_wp_head');
remove_action('wp_head', 'wp_oembed_add_discovery_links');
remove_action('wp_head', 'rsd_link');
remove_action('wp_head', 'wlwmanifest_link');
remove_action('wp_head', 'wp_shortlink_wp_head');
MUEOF
  chown ${WP_USER}:${WP_USER} ${WP_PATH}/wp-content/mu-plugins/dsc-hardening.php
  chmod 644 ${WP_PATH}/wp-content/mu-plugins/dsc-hardening.php
fi

2.5 Desactivar directory listing

# Adicionar ao .htaccess se nao existir
grep -q "Options -Indexes" ${WP_PATH}/.htaccess || \
  sed -i '1i Options -Indexes' ${WP_PATH}/.htaccess

2.6 Security headers no .htaccess

# Verificar e adicionar headers em falta
if ! grep -q "X-Frame-Options" ${WP_PATH}/.htaccess; then
  cat >> ${WP_PATH}/.htaccess << 'HTEOF'

# BEGIN Security Headers
<IfModule mod_headers.c>
  Header always set X-Frame-Options "SAMEORIGIN"
  Header always set X-Content-Type-Options "nosniff"
  Header always set X-XSS-Protection "1; mode=block"
  Header always set Referrer-Policy "strict-origin-when-cross-origin"
  Header always set Permissions-Policy "camera=(), microphone=(), geolocation=()"
  Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
</IfModule>
# END Security Headers
HTEOF
fi

2.7 Proteger debug.log

# Se debug.log existe, bloquear acesso
if [ -f "${WP_PATH}/wp-content/debug.log" ]; then
  cat >> ${WP_PATH}/wp-content/.htaccess << 'DLEOF'
<Files debug.log>
  Require all denied
</Files>
DLEOF
fi

# Desactivar WP_DEBUG se estiver activo em producao
grep -q "define.*WP_DEBUG.*true" ${WP_PATH}/wp-config.php && \
  sed -i "s/define.*'WP_DEBUG'.*true.*/define('WP_DEBUG', false);/" ${WP_PATH}/wp-config.php

Passo 3: Verificar estado (depois)

Re-executar todos os testes do Passo 1 e registar como DEPOIS.

Passo 4: Verificar site funcional

# Verificar que o site responde correctamente
HTTP_CODE=$(curl -s -o /dev/null -w "%{http_code}" https://${SITE})
echo "HTTP: ${HTTP_CODE}"

# Verificar conteudo por erros criticos
curl -s https://${SITE} | grep -i "critical error\|fatal error\|error establishing" | head -3

Se o site reportar erro apos hardening: reverter imediatamente usando os backups (.bak).

Passo 5: Corrigir ownership final

chown -R ${WP_USER}:${WP_USER} ${WP_PATH}

Output Template

# WP Hardening Report - [site.pt]

**Data:** YYYY-MM-DD
**Modo:** Aplicado / Dry Run

---

## Checklist Hardening

| # | Item | Antes | Depois | Accao |
|---|------|-------|--------|-------|
| 1 | XML-RPC desactivado | /  | /  | .htaccess + mu-plugin |
| 2 | File editing desactivado | /  | /  | wp-config.php |
| 3 | Permissoes dirs (755) | /  | /  | chmod recursivo |
| 4 | Permissoes ficheiros (644) | /  | /  | chmod recursivo |
| 5 | Versao WP escondida | /  | /  | mu-plugin |
| 6 | Directory listing desactivado | /  | /  | .htaccess |
| 7 | Security headers | /  | /  | .htaccess |
| 8 | wp-config.php (440) | /  | /  | chmod |
| 9 | debug.log protegido | /  | /  | .htaccess |
| 10 | WP_DEBUG desactivado | /  | /  | wp-config.php |

---

## Ficheiros alterados

- `wp-config.php` (DISALLOW_FILE_EDIT, WP_DEBUG)
- `.htaccess` (XML-RPC, directory listing, security headers)
- `wp-content/mu-plugins/dsc-hardening.php` (criado)

## Backups criados

- `.htaccess.bak.YYYYMMDD`
- `wp-config.php.bak.YYYYMMDD`

## Verificacao pos-hardening

- HTTP: [200/301/etc]
- Erros criticos: [Nenhum / Lista]

---

*Gerado via /wp-hardening v1.0.0 - YYYY-MM-DD*

Notas importantes

  1. Backups obrigatorios antes de qualquer alteracao
  2. mu-plugin preferido sobre functions.php (sobrevive a updates de tema)
  3. JetPack requer XML-RPC — verificar SEMPRE antes de desactivar
  4. Content-Security-Policy nao incluido como header standard porque varia por site. Adicionar manualmente se necessario
  5. Reverter: os backups .bak.YYYYMMDD permitem rollback rapido
  6. Ownership: SEMPRE chown -R USER:USER no final (regra #11)

Changelog

v1.0.0 (2026-03-12)

  • Versao inicial
  • 10 verificacoes de hardening
  • Modo dry run (--dry)
  • mu-plugin dsc-hardening.php para medidas PHP
  • Security headers standard no .htaccess
  • Backup automatico antes de alteracoes
  • Verificacao pos-hardening com rollback
  • Tarefa Desk CRM #443 (Projecto #65, Discussao #33)
Reference in New Issue View Git Blame Copy Permalink