Wordpress Toolkit bug

burnleyvic

Regular Pleskian
Using WordPress Toolkit with Plesk 12.0.18#21 on CentOS 6.

There is a bug in the Security Check feature for hiding Version information. Your script adds the following line of code to the last line of functions.php:

remove_action('wp_head', 'wp_generator');

Unfortunately, if functions.php had '?>' at the end, which closes off the PHP code before this line is processed, all that happens is the line of code gets printed in the top left of the WordPress site. You should check for this, or perhaps just open and close PHP around your script injection, which seems to work just fine for the hackers.

Also, not a bug as such, but it would perhaps be a good idea if you added a comment to the file telling people why that function was suddenly added, and by what and when. I say this as typically when code is suddenly appended to the end of files like that, it gets people worried.
 
Thank you. Developers confirmed this bug. It was submitted as PPP-12717 for your reference.
 
What version of WordPress do you have? And what themes? I've checked it on WordPress 3.8.2 and 4.0.1 with the default set of themes and everything works fine. The script adds the following lines in this case:

<?php

remove_action('wp_head', 'wp_generator');
 
It was WP 3.9, but I don't recall the custom theme used by the client. In the example I had, the script only added the remove_action line to the last line of the file and did not appear to create its own open tag.

This only caused an issue because that particular functions.php had a close tag, which I'll admit isn't commonly used now, especially by the WordPress team: if you look at all their files, they have open tags but not close. However, you can never tell what a 3rd party dev will do, so best to either check or, perhaps even simpler, just add the open tag before your remove_action.
 
Could you please post the code of the broken functions.php? It helps to understand the reason why this error happened. My guess is that this file has some short PHP open tag '<?' with ?>. So Plesk thinks that the count of open tags ?php is more than the count of close tags ?> and adds only `remove_action('wp_head', 'wp_generator');` without an additional <?php
 
Yes, as per the first post, it had ?> as the close tag, so for that to work short open tags must have been enabled. Hope that helps, as I don't have a copy of the broken functions.php file handy.
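
The check suggested in this thread, as an added example that is not part of the original posts and not Plesk's implementation: it uses PHP's tokenizer, rather than a count of open and close tags, to decide whether functions.php ends in PHP mode, and it writes the explanatory comment requested in the first post. The function names, the `example-tool` label and the sample files are assumptions made for illustration.

```php
<?php
// Added example, not Plesk's code. token_get_all() follows the short_open_tag
// setting of the PHP that runs this check, so that should match the site's PHP.

/** True if $source ends outside PHP mode (after a close tag or in inline HTML). */
function ends_outside_php(string $source): bool
{
    $inPhp = false;
    foreach (token_get_all($source) as $token) {
        if (!is_array($token)) {
            continue; // one-character tokens only occur inside PHP mode
        }
        if ($token[0] === T_OPEN_TAG || $token[0] === T_OPEN_TAG_WITH_ECHO) {
            $inPhp = true;
        } elseif ($token[0] === T_CLOSE_TAG || $token[0] === T_INLINE_HTML) {
            $inPhp = false;
        }
    }
    return !$inPhp;
}

/** Returns $source with the line appended so that it runs as PHP. */
function append_generator_removal(string $source, string $addedBy): string
{
    // A close tag or newline in the label would end the one-line comment early.
    $addedBy = str_replace(["?>", "\r", "\n"], '', $addedBy);
    $note = sprintf('// Added by %s on %s to hide the WordPress version.',
        $addedBy, date('Y-m-d'));
    // Re-open with no leading newline: text after a close tag is sent to the browser.
    $prefix = ends_outside_php($source) ? "<?php\n" : "\n";
    return $source . $prefix . $note . "\n"
        . "remove_action('wp_head', 'wp_generator');\n";
}

// Constructed sample files, not taken from a real theme.
$samples = [
    'no close tag' => "<?php\nadd_theme_support('menus');\n",
    'close tag'    => "<?php\nadd_theme_support('menus');\n?>\n",
    'ends in HTML' => "<?php get_header(); ?>\n<p>footer</p>\n",
];
foreach ($samples as $name => $src) {
    $out = append_generator_removal($src, 'example-tool');
    printf("%-12s -> line runs as PHP: %s\n", $name,
        ends_outside_php($out) ? 'no' : 'yes');
}
```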
 