WordPress Toolkit bug

burnleyvic

Regular Pleskian
Using WordPress Toolkit with Plesk 12.0.18#21 on CentOS 6.

There is a bug in the Security Check feature for hiding Version information. Your script adds the following line of code to the last line of functions.php:

remove_action('wp_head', 'wp_generator');

Unfortunately, if functions.php had '?>' at the end, which closes off the PHP code before this line is processed, all that happens is the line of code gets printed in the top left of the WordPress site. You should check for this or perhaps just open and close PHP around your script injection, which seems to work just fine for the hackers.

Also, not a bug as such, but it would perhaps be a good idea if you add a comment to the file telling people why that function was suddenly added and by what and when. I say this as typically when code is suddenly appended to the end of files like that it gets people worried.
 
Thank you. Developers confirmed this bug. It was submitted as PPP-12717 for your reference.
 
What version of WordPress do you have? And what themes? I've checked it on WordPress 3.8.2 and 4.0.1 with the default set of themes and everything works fine. The script adds the following lines in this case:

<?php

remove_action('wp_head', 'wp_generator');
 
It was a WP 3.9 but I don't recall the custom theme used by the client. In the example I had the script only added the remove_action line to the last line of the file and did not appear to create its own open tag.

This only caused an issue because that particular functions.php had a close tag, which, I'll admit, isn't commonly used now, especially by the WordPress team; if you look at all their files they have open tags but not close. However, you can never tell what a 3rd party dev will do, so best to either check or perhaps even simpler just add the open tag before your remove_action.
 
Could you please post the code of the broken functions.php? It helps to understand the reason why this error happened. My guess is that this file has some short PHP open tag `<?` with `?>`. So Plesk thinks that the count of open tags `<?php` is more than close tags `?>` and adds only `remove_action('wp_head', 'wp_generator');` without an additional `<?php`.
 
Yes, as per the first post it had ?> as the close tag, so for that to work short open tags must have been enabled. Hope that helps as I don't have a copy of the broken functions.php file handy.
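
One way to make the check discussed in this thread, as an added example that is not Plesk's code and was not posted by any participant: it asks PHP's tokenizer whether the file ends inside PHP mode instead of counting tags, and writes a provenance comment next to the appended line. The function names, the note text and the two sample files are assumptions constructed for the illustration.

```php
<?php
// Added example (not Plesk's implementation); helper names are hypothetical.

// True if $source ends in PHP mode, false if it ends after "?>" or never
// opens PHP. token_get_all() honours the running short_open_tag setting,
// so run it under the same PHP configuration as the site it checks.
function ends_in_php_mode(string $source): bool
{
    $inPhp = false;
    foreach (token_get_all($source) as $token) {
        if (!is_array($token)) {
            continue; // single-character tokens only occur inside PHP mode
        }
        switch ($token[0]) {
            case T_OPEN_TAG:
            case T_OPEN_TAG_WITH_ECHO:
                $inPhp = true;
                break;
            case T_CLOSE_TAG:
            case T_INLINE_HTML:
                $inPhp = false;
                break;
        }
    }
    return $inPhp;
}

// Appends $line so that it is executed, never echoed, and records who added
// it and when, as requested in the first post.
function append_hardening_line(string $source, string $line, string $tool): string
{
    if ($source !== '' && substr($source, -1) !== "\n") {
        $source .= "\n"; // keep the appended block on its own lines
    }
    $note = sprintf('// Added by %s on %s to hide the WordPress version.', $tool, date('Y-m-d'));
    $open = ends_in_php_mode($source) ? '' : "<?php\n";
    return $source . $open . $note . "\n" . $line . "\n";
}

// Constructed samples: a theme file that closes PHP and one that does not.
$samples = [
    'closed' => "<?php\nadd_theme_support('menus');\n?>\n",
    'open'   => "<?php\nadd_theme_support('menus');\n",
];
foreach ($samples as $name => $src) {
    echo "== {$name} ==\n";
    echo append_hardening_line($src, "remove_action('wp_head', 'wp_generator');", 'example security check');
}
```

Because the tokenizer tracks strings and comments, a `?>` inside a quoted string does not flip the result the way a tag count would.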
 