I used website security detection to scan the blog and found a vulnerability. In fact, if I access the theme path directly, the get_header() function does not take effect (Call to undefined function get_header()), and my WordPress will output The complete error message exposes the directory structure of sensitive names. Although it has no impact on normal access, it will give some people an opportunity to take advantage of it. I often see many people scanning various blog paths or files in the backend of the blog. Solving as many vulnerabilities as possible will greatly enhance the security of the website. Let me show you the security of my blog. It’s 100 points and there are no loopholes. Although it’s only superficial, I will find solutions one by one!
The following is a detailed description of the problems and solutions I encountered for reference.
Environment: linux vps + lnmp
The complete error message is as follows:
Fatal error: Call to undefined function get_header() in /websiterootpath/izhangheng/wp-content/themes/twentytwelve/ on line 10
Solution:
If the WEB application comes with its own error handling/management system, please ensure that the function is turned on; otherwise, handle it separately according to language and environment. If it is a PHP application/Apache server, you can suppress the error message by modifying the php script, configuring the configuration items in php.ini and httpd.conf.
1.1. Modify the configuration line in php.ini: display_errors = off
2.2. Modify the configuration line in httpd.conf/apache2.conf: php_flag display_errors off
3.3. Modify the php script and add the line of code: ini_set(‘display_errors’, false);
For this problem, it is not perfect just not to display the error message. Jumping to the homepage after an error can avoid traffic loss. In my environment, the display of error messages is turned off by default. I only need to call the WordPress function before the source code of the vulnerable page. First, enter the appearance of the WordPress backend. For example, if you are editing the index.php home page template, change the header code to the following. Note that all symbols are in English.
| The code is as follows | |||||
|
|||||
![[Web front-end] Node.js quick start](https://img.php.cn/upload/course/000/000/067/662b5d34ba7c0227.png)
