I scanned my blog with a website security detection tool and it found a vulnerability: when a theme path is accessed directly, the get_header() function is not available (Call to undefined function get_header()), and my WordPress outputs the complete error message, exposing sensitive directory names. This does not affect normal access, but it gives some people an opening. In the blog's back end I often see people scanning the blog for various paths and files, so fixing as many vulnerabilities as possible will greatly improve the site's security. The scan now shows my blog's security at 100 points with no vulnerabilities; that is only superficial, but I find a solution for each problem as it comes up!
Here is a detailed description of the problems and solutions I have encountered, for reference.
Environment: Linux VPS + LNMP
The complete error message is as follows:
Fatal error: Call to undefined function get_header() in /website root path/izhangheng/wp-content/themes/twentytwelve/ on line 10
Solution:
If the web application comes with its own error handling/management system, make sure that feature is turned on; otherwise, handle errors according to the language and environment in use. For a PHP application on an Apache server, you can suppress error messages by modifying the PHP script, by configuring php.ini, or by setting configuration items in httpd.conf.
1. Modify the configuration line in php.ini: display_errors = Off
2. Modify the configuration line in httpd.conf/apache2.conf: php_flag display_errors off
3. Modify the PHP script by adding the line: ini_set('display_errors', false);
For this problem, merely hiding the error message is not ideal; redirecting to the home page after the error avoids losing traffic. My environment has error display turned off by default, so I only needed to add a check in the vulnerable page's source before the WordPress function is called. First go to Appearance in the WordPress admin area and edit, for example, the index.php home template, changing the code at the top to the following. Note that all punctuation must be typed as English (half-width) characters.
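The code is as follows:

    <?php
    /**
     * @package WordPress
     * @code www.45it.net
     */
    if (function_exists('get_header')) {
        // WordPress is loaded: render the header as usual.
        get_header();
    } else {
        // The file was requested directly, so WordPress is not loaded:
        // redirect to the home page instead of hitting a fatal error.
        // Note: HTTP_HOST is taken from the request's Host header.
        header("Location: http://" . $_SERVER['HTTP_HOST'] . "");
        exit;
    }
    ?>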
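To find which other theme files still need this guard, the following added example (not part of the original post) scans a theme directory for PHP files that call common WordPress functions before any function_exists() or ABSPATH check. The function list and the sample templates are constructed assumptions, and the scan is a text heuristic rather than a PHP parser.

```python
import re
from pathlib import Path

# WordPress functions that theme files typically call at top level
# (constructed, non-exhaustive list; extend it for your theme).
WP_CALL = re.compile(
    r"\b(get_header|get_footer|get_sidebar|get_template_part|"
    r"add_action|add_filter|wp_head|wp_footer)\s*\(")
# Guards that skip the call or stop execution when WordPress is not loaded.
GUARD = re.compile(r"function_exists\s*\(|defined\s*\(\s*['\"]ABSPATH['\"]")
BLOCK_COMMENT = re.compile(r"/\*.*?\*/", re.S)


def first_unguarded_call(php_source):
    """Return (function, line) for the first WordPress call that no guard
    precedes, or None. Heuristic text scan, not a PHP parser."""
    # Blank out /* ... */ comments but keep newlines so line numbers hold.
    code = BLOCK_COMMENT.sub(
        lambda m: re.sub(r"[^\n]", " ", m.group()), php_source)
    call = WP_CALL.search(code)
    if call is None:
        return None
    guard = GUARD.search(code)
    if guard is not None and guard.start() < call.start():
        return None
    return call.group(1), code.count("\n", 0, call.start()) + 1


def audit_theme(theme_dir):
    """Map each theme PHP file (relative path) to its first unguarded call."""
    root = Path(theme_dir)
    findings = {}
    for path in sorted(root.rglob("*.php")):
        hit = first_unguarded_call(path.read_text(errors="replace"))
        if hit is not None:
            findings[path.relative_to(root).as_posix()] = hit
    return findings


# Constructed sample templates (not taken from any real theme).
UNGUARDED = "<?php\n/**\n * @package WordPress\n */\nget_header(); ?>\n"
GUARDED = ("<?php\nif (function_exists('get_header')) {\n    get_header();\n"
           "} else {\n    header('Location: /');\n    exit;\n}\n?>\n")

if __name__ == "__main__":
    import sys
    for name, (func, line) in audit_theme(sys.argv[1]).items():
        print(f"{name}:{line}: {func}() runs without a guard")
```

Run it with the theme directory as the only argument; every file it lists will raise the fatal error above when requested directly.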