PHP Functions Makes Your Site Vulnerable
Protecting your site against malicious actors is a big task. It requires constant effort from your side. However, if you are using WordPress, things can become both easy and hard at the same time.
WordPress utilizes PHP, a popular programming language at its core. Two things that make WordPress work is its own library of functions and PHP functions that it utilizes to bring functionality to the user.
These PHP functions are well-developed and are safe to use. However, malicious actors such as hackers can use it to do bad things and make some of the functions relatively unsafe for the end-user.
In this article, we will list the PHP functions that are more likely to act badly and cause issues on your site. By knowing these functions, you will be well-equipped with the knowledge and ensure that you can take action when needed.
To simplify our understanding of the topic, we will first list the PHP based functions that can cause trouble. Once done, we will shift our focus to WordPress related PHP functions.
Let’s get started.
There are tons of PHP options out there. Out of all of these, some of them can cause some issues.
Also, if you are using PHP 5.4 or below, you will have register globals and magic quotes enabled by default. They should be turned off by default if you are using PHP 5 or above. It is easy to say that new sites are using PHP 7 and if you plan to secure your site for longer, then you shift to it sooner or later.
So, which PHP functions are risky? Let’s explore.
Extract function
The extract function is one of the easy-to-use functions, but it does come with its own drawbacks. It is used to extract an array that consists of key-value pairs.
To get a better understanding, let’s look at the code below.
$arr = array(
'alexa' => 1
);
extract($arr);
echo $alexa; // 1
The above code should work without any issue. But the problem arises when you are using extract() function with $POST or $GET. By doing so, you manage to create the register_globals problem. This means that the variables can be modified by an outsider by using the form or query string.
To circumvent, just don’t use the extract function.
Eval function
The eval function is also not optimal to be used on websites or apps. The reason being is that it can be used to execute arbitrary PHP code. This is why you should not use it in any case. Eval is useful for meta programming and is mainly used in programs where you call another program.
You should also vary on the different variations on eval. The other ways, PHP offers executing string-based code is old. These two functions are preg_replace with /e modified and the create_function.
/e modifiers with Regex
Another vulnerable combination that you should be wary of is the /e modifiers with regex. If you are running PHP 5.4 or below, then you should not use it with regex at all.
Create_function
Another function that you should not use is create_fuction. It got decrepitated in the latest PHP 7.2 version. If you are using PHP 7 or less, then you need to makes sure not to use it. The reason behind this is that it works similarly to eval where the second argument that is sent through the function can be executed.
Other PHP functions that you should not use include the following.
- Assert as it works similar to eval
- Don’t include variable files
- shell_exec -- don’t pass user input
- unserialize function can be dangerous as it runs code automatically
WordPress Functions That Make Your Site Vulnerable
Now that we have taken a good look at some of the dangerous PHP functions, it is now to look at WordPress-specific PHP functions that can cause harm to your site.
As WordPress is popular, many bloggers share about WordPress functions through their blogging tips. Also, some blogs might look suspicious and you should try to access your VPN options.
maybe_unserialize function
The function maybe_unserialize function lets you unserialize that that you pass through it. The reason why it is not recommended to use is the fact that the object can be exploited when it is being unserialized.
is_admin method
The function can be confusing considering how it is named. If you are in a hurry, you can misuse it and hence can risk your site. The function is useful to check if a user is an administrator or not before he tries to perform an action that requires privileges or rights to do.
To solve the problem, you should instead use the current_user_can function.
But, why is_admin function not recommended. It is because of the fact that it is used to verify if a user has admin-level privileges or not. This means the malicious actor can learn about the user and identify the administrator before trying to gain access to that user.
$wpdg -> query()
SQL injection attacks are very common in web applications. The attackers can use it to get access to the database and then the whole site. The current database solution has proper protection against these types of attacks.
$wpdb when used with other methods such as delete, insert, are taken care of from injection attacks. But, when it is paired with query(), it opens a way to do SQL injection.
To overcome it, you need to make sure that you do not use the $wpdg → query() straight away. Instead, use the $wpdg->prepare() before using it. It will ensure that the SQL injection doesn’t happen.
esc_sql
Another function that you should be wary about is the esc_sql. It also do not protect against the SQL injection attacks and developers should know that before using it.
Conclusion
Both PHP and WordPress functions library are huge. Also, there are functions that should be completely eradicated from use. Even the PHP community knows that and that’s why you should become part of one. There are other functions that are not completely bad, but some combinations of inputs can pose a threat.
So, what do you think about the PHP and WordPress functions listed here? Comment below and let us know.
