[wp-trac] [WordPress Trac] #47154: Prevent "Call to undefined function: get_header()" error in theme files
WordPress Trac
noreply at wordpress.org
Tue May 11 18:29:15 UTC 2021
#47154: Prevent "Call to undefined function: get_header()" error in theme files
---------------------------+------------------------------
Reporter: devonto | Owner: (none)
Type: enhancement | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Bundled Theme | Version: 5.1.1
Severity: minor | Resolution:
Keywords: | Focuses:
---------------------------+------------------------------
Comment (by devonto):
Replying to [comment:5 SergeyBiryukov]:
> Hi there, welcome to WordPress Trac!
>
> Thanks for the ticket, sorry it took so long for someone to get back to you.
>
> I think the reason this has not seen any traction yet is because these fatal errors are considered a server configuration issue rather than a security issue per the [https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/ Security FAQ]:
> > '''Why are there path disclosures when directly loading certain files?'''
> > This is a server configuration problem. Never enable `display_errors` on a production site.
Thanks for the update.

I completely agree that errors should not be displayed on a production site; however, logging of errors is still good practice.

It is from the server error logs where this is being displayed.

My suggestion is simply to change the recommended setup for PHP files to follow what you have already recommended for plugins.

In addition to triggering index.php files, I often see header.php etc. being directly accessed. These are all bot-accessed, so I can only assume they are snooping for vulnerabilities.

Changing the recommendations to include a check if WP is loaded would only serve to improve security.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/47154#comment:6>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
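
The audit below is an added example, not part of the ticket or of WordPress itself. It flags theme PHP files that call a function before any "is WordPress loaded" check, assuming the check the comment refers to is the `defined( 'ABSPATH' )` guard commonly used in plugins; `classify`, `audit_theme` and the sample templates are hypothetical names and constructed inputs.

```python
import re
from pathlib import Path

# Heuristic audit, not a PHP parser: string literals are not tokenised.
PHP_BLOCK = re.compile(r"<\?(?:php|=)(.*?)(?:\?>|\Z)", re.S)
COMMENT = re.compile(r"/\*.*?\*/|//[^\n]*|#[^\n]*", re.S)
GUARD = re.compile(r"defined\s*\(\s*['\"]ABSPATH['\"]\s*\)")
CALL = re.compile(r"(?<![\w$>:])([A-Za-z_]\w*)\s*\(")
# Language constructs and the guard's own calls; none of these need WordPress loaded.
NOT_A_CALL = {"defined", "exit", "die", "if", "elseif", "while", "for", "foreach",
              "switch", "isset", "empty", "array", "list", "catch", "function", "fn",
              "function_exists", "return", "echo", "print", "use", "match"}


def classify(source: str) -> str:
    """Return 'guarded', 'unguarded' or 'no-calls' for one PHP file's text."""
    code = COMMENT.sub("", "\n".join(PHP_BLOCK.findall(source)))
    # Drop "function name(" declarations so they are not mistaken for calls.
    code = re.sub(r"\bfunction\s+&?\s*\w+\s*\(", "(", code)
    first_call = next((m for m in CALL.finditer(code)
                       if m.group(1).lower() not in NOT_A_CALL), None)
    if first_call is None:
        return "no-calls"  # nothing that could raise "undefined function"
    guard = GUARD.search(code)
    return "guarded" if guard and guard.start() < first_call.start() else "unguarded"


def audit_theme(theme_dir) -> list:
    """List theme PHP files (relative paths) that call functions with no guard first."""
    root = Path(theme_dir)
    return sorted(str(p.relative_to(root)) for p in root.rglob("*.php")
                  if classify(p.read_text(errors="replace")) == "unguarded")


# Constructed sample templates (not taken from any real theme).
SAMPLE_UNGUARDED = ("<?php\n/** Main template. */\nget_header();\n?>\n"
                    "<main>Hello (world)</main>\n<?php get_footer();\n")
SAMPLE_GUARDED = ("<?php\nif ( ! defined( 'ABSPATH' ) ) {\n"
                  "\texit; // Exit if accessed directly.\n}\nget_header();\n")

if __name__ == "__main__":
    print(classify(SAMPLE_UNGUARDED), classify(SAMPLE_GUARDED))
```

Any function call ahead of the guard counts as unguarded, including PHP built-ins, so the result is conservative: a flagged file is one where the guard is missing or is not the first thing executed.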