WordPress Security: Silence is golden. Part 2.

display_errors OFF

display_errors OFF

Some shared hosting providers don’t turn off php error showing by default. If you don’t change this default PHP configuration settings too, your blog has vulnerability issue or even security problem. Why I talk about security problem? Be cause of this can lead to exposure of the absolute path to your WordPress blog installation. Let’s check together. Put this little script into your blog root folder, for example name it phpinfo.php:


Call it from the browser as http://yourBlogURL/phpinfo.php
You will see standard ‘PHP Info’ page with values of different PHP configuration parameters. Check display_errors parameter value under ‘PHP Core section’ now. If you see STDOUT as on the image from the left or ON values and error_reporting parameter below is not equal to 0 or OFF this vulnerability exists on your site and thus, you have to resolve it.
Now lets check it in action how bad guy can get information about your WordPress installation absolute path. Everybody can get WordPress installation package. Everybody knows what files and in what folders are placed in that package. So we just call WordPress files directly by name while get the result we wish. I stopped on the wp-settings.php file. Type in the browser address field this URL http://yourBlogURL/wp-settings.php Do you get the same error message as me (I made my test with last WordPress 2.8.4 version)?
Warning: require(ABSPATHwp-includes/compat.php) [function.require]: failed to open stream: No such file or directory in
/homepages/xx/zz/htdocs/dev/wp-settings.php on line 246

Another example of the same problem from wp-admin folder – I call admin-functions.php directly:
Fatal error: Call to undefined function _deprecated_file() in
/homepages/xx/zz/htdocs/dev/wp-admin/admin-functions.php on line 12

In order to resolve this security issue you need to set PHP configuration display_error parameter value to OFF. There are two ways to do it. Each way depends from how PHP execution is configured on your site:
1st: PHP running as CGI (CGI).
In this case you need to create your own php.ini file and put these rows into it

error_reporting = 0
display_errors = OFF

2nd: running PHP as an Apache Module (Apache 2.0 Handler).
In this case you need to create .htaccess file and put these rows into it

php_value error_reporting "0"
php_value display_errors "OFF"

Look at the ‘Server API’ line at the top of the ‘PHP Info’ page to define in what mode your hosting provider execute PHP.
Not all directives are changeable/installed. If you have made a change in php.ini and it is not working correctly, contact your shared hosting provider technical support for more information.
You will need a php.ini or .htaccess file in every directory for which you want the changes to apply. Do not forget about wp-content/plugins folder an its subfolders. Some plugins shows paths in the error messages also if your make direct call to its files.
It is right practice to fully turn off all PHP error messages at the live site.
If you need to check PHP error messages to isolate some code problem you may use PHP error logging feature. Put the next parameters values in your php.ini file:

error_reporting = E_ALL
display_errors = OFF
log_errors = ON
error_log = /homepages/xx/zz/htdocs/phplogs/php.log

It is better to put your PHP error log file somewhere beyond of your site root in order it will not be accessible to your site visitors.
For more information about php.ini directives you can visit this php.net link.
And remember – “Silence is golden”.

Tags: , , , , , ,