<?php
// READ-ONLY audit: parse wp-config, report malware in active_plugins + admin users.
// Usage: php _audit_ro.php /absolute/site/dir
error_reporting(0);
$dir = rtrim($argv[1] ?? '', '/');
$cfg = $dir . '/wp-config.php';
if (!is_file($cfg)) { fwrite(STDERR, "no wp-config: $dir\n"); exit(2); }
$s = file_get_contents($cfg);
function gc($s,$k){return preg_match('/define\(\s*[\x27\x22]'.$k.'[\x27\x22]\s*,\s*[\x27\x22]([^\x27\x22]*)/',$s,$m)?$m[1]:'';}
$pfx = preg_match('/\$table_prefix\s*=\s*[\x27\x22]([^\x27\x22]+)/',$s,$m) ? $m[1] : 'wp_';
$host=gc($s,'DB_HOST'); $user=gc($s,'DB_USER'); $pass=gc($s,'DB_PASSWORD'); $name=gc($s,'DB_NAME');
$port=0; if(strpos($host,':')!==false){list($host,$port)=explode(':',$host,2);$port=(int)$port;}
$m=@new mysqli($host,$user,$pass,$name,$port?:3306);
if($m->connect_errno){echo "  DB ERR: ".$m->connect_error."\n";exit(1);}
$site=basename($dir);
// active_plugins malware refs
$r=$m->query("SELECT option_value FROM {$pfx}options WHERE option_name='active_plugins'");
$mal=[];
if($r&&$r->num_rows){$arr=@unserialize($r->fetch_row()[0]); if(is_array($arr)){foreach($arr as $p){if(stripos($p,'wp-helper-')!==false||stripos($p,'hseo/')!==false||stripos($p,'seo-booster')!==false)$mal[]=$p;}}}
echo "  active_plugins malware: ".(count($mal)?implode(', ',$mal):'CLEAN')."\n";
// admin users
$q=$m->query("SELECT u.user_login,u.user_email,u.user_registered FROM {$pfx}users u
  JOIN {$pfx}usermeta um ON um.user_id=u.ID AND um.meta_key='{$pfx}capabilities'
  WHERE um.meta_value LIKE '%administrator%' ORDER BY u.user_registered");
echo "  admins:\n";
if($q){while($row=$q->fetch_assoc()){echo "    - {$row['user_login']} | {$row['user_email']} | {$row['user_registered']}\n";}}
$m->close();
