=== CloudScale Cyber and Devtools ===
Contributors: andrewbaker
Tags: security, code block, syntax highlighting, AI security scan, WordPress hardening
Requires at least: 6.0
Tested up to: 6.8
Requires PHP: 7.4
Stable tag: 1.9.107
License: GPLv2 or later
License URI: https://www.gnu.org/licenses/gpl-2.0.html
AI-powered WordPress security audit, one-click hardening fixes, server log viewer, syntax-highlighted code blocks, SQL tool, and login security.
== Description ==
CloudScale Cyber and Devtools is a free, zero-dependency WordPress developer and security toolkit. The centrepiece is an **AI Cyber Audit** that uses frontier AI models (Anthropic Claude or Google Gemini) to perform deep security analysis of your WordPress installation and deliver prioritised, actionable findings — the kind of analysis that would normally cost hundreds of dollars from a security consultant, in under 60 seconds.
= Security Features =
* **AI Cyber Audit** — fast scan of WordPress config, plugins, users, file permissions, and wp-config.php hardening constants
* **AI Deep Dive Cyber Audit** — extends the fast scan with live HTTP probes, DNS checks (SPF, DMARC, DKIM), weak TLS detection, PHP end-of-life status, directory listing checks, plugin code static analysis, and AI-powered code triage
* **Quick Fixes** — one-click automated remediations: move debug.log outside the web root, disable XML-RPC, hide WP version, disable application passwords, disable directory browsing
* **Scan History** — last 10 results saved automatically; click any entry to reload the full report
* **Scheduled Scans** — daily or weekly background scans with email and ntfy.sh push notifications
* **AI Code Triage** — static findings classified as Confirmed / False Positive / Needs Context before main AI analysis
* **Server Logs** — read-only browser viewer for PHP error log, WordPress debug log, and web server logs with live search, level filter, and auto-refresh tail mode
* **Brute-Force Protection** — per-username account lockout after N failed logins
* **Hide Login URL** — moves /wp-login.php to a custom slug
* **Two-Factor Authentication** — email code, TOTP (authenticator app), and passkeys
* **Passkeys (WebAuthn)** — FIDO2 biometric and hardware key login
* **Test Account Manager** — temporary subscriber accounts with app passwords for Playwright/CI pipelines
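The per-username lockout from the Brute-Force Protection bullet, as an added example that is not the plugin's own code: the defaults follow the 1.8.89 changelog entry, the function names and transient key are hypothetical, and the WordPress wiring is registered only when the plugin API is loaded.

```php
<?php
// Added example, not the plugin's own code: per-username lockout with the defaults the
// 1.8.89 changelog states (5 attempts, 5-minute lock). The pure functions run anywhere;
// the WordPress wiring is registered only when the plugin API exists. Names are hypothetical.
const CSD_MAX_ATTEMPTS = 5;
const CSD_LOCK_SECONDS = 300;

/** $state is ['fails' => int, 'locked_until' => unix timestamp or 0]. */
function csd_is_locked(array $state, int $now): bool
{
    return $state['locked_until'] > $now;
}
function csd_record_failure(array $state, int $now): array
{
    if (csd_is_locked($state, $now)) {
        return $state;                                  // already locked: do not extend it
    }
    if ($state['locked_until'] > 0) {
        $state = ['fails' => 0, 'locked_until' => 0];  // earlier lock lapsed: fresh window
    }
    $state['fails']++;
    if ($state['fails'] >= CSD_MAX_ATTEMPTS) {
        $state['locked_until'] = $now + CSD_LOCK_SECONDS;
    }
    return $state;
}
function csd_lock_key(string $username): string
{
    return 'csd_lock_' . md5(strtolower(trim($username)));  // "Admin" and "admin" share a counter
}
if (function_exists('add_action')) {
    // Counters exist for unknown usernames too, so the reply does not reveal which accounts exist.
    add_action('wp_login_failed', function ($username) {
        $key   = csd_lock_key((string) $username);
        $state = get_transient($key) ?: ['fails' => 0, 'locked_until' => 0];
        set_transient($key, csd_record_failure($state, time()), CSD_LOCK_SECONDS);
    });
    // Priority 99 runs after core's password filters (priority 20) and overrides their result:
    // core ignores an earlier WP_Error when both username and password are supplied.
    add_filter('authenticate', function ($user, $username) {
        $state = get_transient(csd_lock_key((string) $username));
        return ($state && csd_is_locked($state, time()))
            ? new WP_Error('csd_locked', 'Too many failed logins; try again later.') : $user;
    }, 99, 2);
    add_action('wp_login', function ($username) { delete_transient(csd_lock_key($username)); });
} else {
    $s = ['fails' => 0, 'locked_until' => 0];           // stand-alone demo on fixed timestamps
    for ($t = 1000; $t < 1005; $t++) { $s = csd_record_failure($s, $t); }
    printf("locked at t=1004: %d, at t=1305: %d\n", csd_is_locked($s, 1004), csd_is_locked($s, 1305));
}
```

Because failures are stored with a 300-second transient expiry, five attempts only count when each lands within five minutes of the previous one; a longer-lived transient would widen that window.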
= Developer Tools =
* **Syntax-highlighted code block** — Gutenberg block and shortcode powered by highlight.js 11.11.1 (bundled locally), 190+ languages, 14 colour themes, auto-detection, line numbers, copy button, dark/light toggle
* **Code Block Migrator** — batch-converts legacy wp:code blocks and shortcodes from other plugins
* **SQL Query Tool** — read-only SELECT queries against the live database with 14 built-in quick queries
* **Social Preview Diagnostics** — URL checker, post scan, og:image generation, Cloudflare integration
* **SMTP Mail** — replaces PHP mail() with authenticated SMTP delivery, test button, email log
* **Performance Monitor** — overlay panel tracking queries, HTTP requests, PHP errors, hooks, assets, transients
* **Custom 404 Page** — branded 404 with seven browser mini-games and a site-wide leaderboard
= Requirements =
* WordPress 6.0 or later
* PHP 7.4 or later
== Installation ==
1. Upload the plugin folder to /wp-content/plugins/
2. Activate the plugin through the Plugins menu in WordPress
3. Go to Tools > CloudScale Cyber and Devtools to configure
== Frequently Asked Questions ==
= What AI providers are supported? =
Anthropic Claude (claude-sonnet-4-6 and claude-opus-4-7) and Google Gemini (gemini-2.0-flash and gemini-2.5-pro). You supply your own API key — no keys are stored anywhere other than your WordPress database (wp_options). A free Gemini tier is available.
= How does the deep dive scan avoid HTTP gateway timeouts? =
The plugin uses fastcgi_finish_request() to close the browser connection immediately, then continues the scan in the same PHP-FPM worker. A progress bar polls every 3 seconds. This does not depend on WP-Cron.
= How do I change the syntax color theme? =
Go to Tools > CloudScale Cyber and Devtools > Code Block tab > Code Block Settings panel. Select your preferred theme from the dropdown and click Save.
= Is the SQL Query Tool safe? =
Yes. Only SELECT, SHOW, DESCRIBE, DESC, and EXPLAIN are permitted. Block and line comments are stripped, semicolons are rejected, and INTO OUTFILE / LOAD_FILE are blocked. Requires manage_options capability.
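The checks this answer lists, as an added example that is not the plugin's own code (function names are hypothetical); it also blocks INTO DUMPFILE, which writes server files the way INTO OUTFILE does.

```php
<?php
// Added example, not the plugin's own code: a read-only SQL gate built from the
// rules the FAQ lists. Function names are hypothetical. INTO DUMPFILE is blocked
// alongside INTO OUTFILE because it writes server files the same way.

function csd_strip_sql_comments(string $sql): string
{
    $sql = preg_replace('~/\*.*?\*/~s', ' ', $sql);      // /* block */ comments
    return preg_replace('~(--|#)[^\r\n]*~', ' ', $sql);  // -- and # to end of line
}

/** Returns [bool $allowed, string $reason]. Conservative: a "--" inside a string
 *  literal is stripped too, which can reject a legitimate query but never admits
 *  an extra one. A DB user with SELECT-only grants remains the real backstop. */
function csd_is_safe_query(string $sql): array
{
    $clean = trim(csd_strip_sql_comments($sql));
    if ($clean === '') {
        return [false, 'empty query'];
    }
    if (strpos($clean, ';') !== false) {                 // no stacking, even a trailing ";"
        return [false, 'semicolons are rejected'];
    }
    if (!preg_match('~^(SELECT|SHOW|DESCRIBE|DESC|EXPLAIN)\b~i', $clean)) {
        return [false, 'only SELECT, SHOW, DESCRIBE, DESC and EXPLAIN are permitted'];
    }
    if (preg_match('~\bINTO\s+(OUTFILE|DUMPFILE)\b~i', $clean)
        || preg_match('~\bLOAD_FILE\s*\(~i', $clean)) {
        return [false, 'INTO OUTFILE / DUMPFILE and LOAD_FILE are blocked'];
    }
    return [true, 'ok'];
}

// Constructed inputs: the first two are allowed, the remaining four rejected.
$samples = [
    'SELECT option_name, option_value FROM wp_options LIMIT 10',
    'EXPLAIN SELECT ID FROM wp_posts WHERE post_status = "publish"',
    'SELECT 1; SELECT 2',
    'SELECT /* hidden */ LOAD_FILE("/some/file")',
    "SELECT 1 INTO OUTFILE '/tmp/out' -- trailing comment",
    'UPDATE wp_users SET user_pass = "x"',
];
foreach ($samples as $q) {
    [$ok, $why] = csd_is_safe_query($q);
    printf("%-6s %s  (%s)\n", $ok ? 'ALLOW' : 'REJECT', $q, $why);
}
```

Comments are removed before the other tests run so that a keyword hidden inside a comment cannot slip past the allowlist; the capability check (manage_options) still belongs in the admin request handler that calls this function.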
= What languages are supported for code highlighting? =
highlight.js with auto-detection — 190+ languages including Bash, Python, JavaScript, TypeScript, PHP, SQL, Go, Rust, Java, C/C++, C#, Ruby, Swift, Kotlin, JSON, YAML, XML, HTML, CSS, Terraform, and more.
== Screenshots ==
1. AI Cyber Audit panel with Quick Fixes and scan controls
2. Deep dive scan results with scored findings and remediation steps
3. Server Logs tab with source picker, filters, and log viewer
4. Code block on the frontend with Atom One Dark theme and copy button
5. SQL Query Tool with quick queries and paginated results
== Changelog ==
= 1.9.107 =
* feat: Home dashboard tab — security summary cards showing AI setup status, last scan score (critical/high counts), quick fixes resolved, and login security posture
= 1.9.83 =
* feat: 8 deep scan improvements — CSP quality analysis, HSTS quality, DMARC policy strength, SPF strictness, auto-updates check, PHP display_errors detection, inactive plugins list, server header version leak
* feat: MX record gate — SPF/DMARC/DKIM checks are skipped when the domain has no email configured; audit report notes "no email configured" as a good finding
= 1.9.80 =
* feat: Explain button added to AI Cyber Audit panel (covers Quick Fixes, Standard scan, Deep Dive, Code Triage, Scan History, Scheduled Scans, AI Providers)
* feat: Explain button added to Server Logs panel (covers log sources, PHP setup, filters, tail mode, custom paths, permissions)
* docs: Help page rewritten with 18 sections covering all features including Quick Fixes, Scan History, Scheduled Scans, AI Code Triage, Server Logs, Test Account Manager
* fix: Plugin menu item renamed to "Cyber and Devtools" (consistent with full plugin name)
= 1.9.79 =
* feat: Test Account Manager — temporary single-use accounts with app passwords for Playwright/CI pipelines; subscriber-level accounts auto-delete on expiry or first use; app passwords blocked for all non-test accounts
= 1.9.10 =
* feat: replace WPScan with Claude AI-powered security audit — API key, model selector, editable system prompt, scored report with critical/high/medium/low/good sections
= 1.8.141 =
* Added: "Copy All" button on every tab — copies the full text content of the active tab to clipboard with visual confirmation
= 1.8.118 =
* Fixed: Explain modals now render formatted HTML — inline code tokens styled with dark background, bold/italic emphasis, and bullet lists; all describe items converted from plain text to rich HTML markup
= 1.8.113 =
* Added: "Fix All Posts on Site" button — batch-processes every published post on the site in groups of 10, generating platform-specific social format images with live progress counter
* Added: Crawler UA detection — wp_head at priority 1 outputs platform-specific og:image meta tag before SEO plugins
* Fixed: PNG and WebP featured images now converted to JPEG during social format generation
* Security: Added SSRF protection on admin URL-check endpoints
* Security: Fixed DOM XSS in email 2FA enable flow
= 1.8.89 =
* Added: Brute-force protection — configurable per-account lockout after N failed login attempts (default 5 attempts, 5-minute lock)
* Fixed: Session persistence — login sessions now survive browser close when a custom session duration is set
* Added: Thumbnails tab — Social Preview Diagnostics with URL checker, post scan, Cloudflare integration, and Media Library auditor
= 1.7.20 =
* Security: is_safe_query() now rejects queries containing semicolons, preventing statement stacking
* Fixed: Echoed style/script blocks replaced with wp_add_inline_style() and wp_add_inline_script()
* Added: load_plugin_textdomain(); 48 strings wrapped with i18n functions
= 1.6.0 =
* Merged CloudScale SQL Command plugin into CloudScale Code Block
= 1.5.0 =
* Added: Code Block Migrator tool
= 1.0.0 =
* Initial release
== External services ==
= highlight.js (bundled locally) =
highlight.js 11.11.1 is bundled inside the plugin — no external CDN requests are made for syntax highlighting.
= Anthropic Claude API (optional — AI Cyber Audit only) =
**Service:** Anthropic PBC
**Website:** https://anthropic.com
**Endpoint:** https://api.anthropic.com/v1/messages
**Data sent:** WordPress configuration data (plugin list, PHP version, WordPress version, file permission flags, exposed debug settings, user role counts, key wp-config.php flags) and, for the deep dive, HTTP security header responses from your own site's public URLs. No post content or visitor data is transmitted.
**When data is sent:** Only when you click "Run AI Cyber Audit" or "Run AI Deep Dive Cyber Audit" on the Security tab and Anthropic is selected as your AI provider.
**API key:** You must supply your own Anthropic API key. The key is stored in your WordPress database (wp_options) and is never transmitted anywhere except directly to api.anthropic.com.
Anthropic Privacy Policy: https://www.anthropic.com/privacy
Anthropic Terms of Service: https://www.anthropic.com/terms
= Google Gemini API (optional — AI Cyber Audit only) =
**Service:** Google LLC
**Website:** https://ai.google.dev
**Endpoint:** https://generativelanguage.googleapis.com/v1beta/models/
**Data sent:** Same as Anthropic above. No post content or visitor data is transmitted.
**When data is sent:** Only when you click "Run AI Cyber Audit" or "Run AI Deep Dive Cyber Audit" on the Security tab and Google Gemini is selected as your AI provider.
**API key:** You must supply your own Google AI API key. The key is stored in your WordPress database (wp_options) and is never transmitted anywhere except directly to Google.
Google Privacy Policy: https://policies.google.com/privacy
Google Terms of Service: https://policies.google.com/terms
== Upgrade Notice ==
= 1.9.107 =
New Home dashboard tab with security summary cards. Deep scan now checks CSP/HSTS quality, DMARC/SPF policy strength, auto-updates, display_errors, inactive plugins, and server header version leaks. MX gate prevents false positives on non-email domains.