WP plugins and PHP safe_mode

Obviously a lot of WP plugin authors do not check if their plugin is PHP safe_mode/open_basedir compatible. Yes, I know, it is deprecated and does not offer 100% safety, but it is at least an additional road-block in some cases and may prevent some malicious behavior… If I can choose between 100% break-in possibility and <100% break-in possibility, I choose the latter.

I also think most of them also do not check with suhosin. They also fail to list other PHP extension requirements most of the time; they just assume you have a full install.

  • quickstats wants the PHP ctype extension, does not seem to play well with sql.safe_mode while the rest of WP does not seem to have an obvious problem with it
  • wp-stats-dashboard wants the PHP curl and json extensions (curl does not play well with safe_mode or open_basedir => needs to be disabled), needs suhosin.executor.include.max_traversal set to 6; still does not work 100% correctly, I deleted the cache directory contents to let it recreate the stats, but it still does not display as many visits as I can see in the stats on the postings page
  • bot-tracker wants the PHP session extension
  • broken-link-checker tries to write to /var/tmp/ (safe_mode/open_basedir incompatible)
  • one-time-password does not play well with safe_mode/open_basedir
  • smartlinker tells me that the variable cookieString is not defined
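
A preflight check of the kind the plugins above are missing, as an added example that is not part of the original post or of any of the listed plugins. The function names and the requirement lists are hypothetical; it uses only core PHP functions and PHP 5.3-compatible syntax.

```php
<?php
// Added example; function names and requirement lists are hypothetical.
// True if $dir lies inside an open_basedir entry, or no restriction is set.
function preflight_dir_allowed($dir, $openBasedir)
{
    if ($openBasedir === '' || $openBasedir === false) {
        return true;
    }
    $real = @realpath($dir); // false when the path is blocked or missing
    if ($real === false) {
        return false;
    }
    $real = rtrim($real, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    foreach (explode(PATH_SEPARATOR, $openBasedir) as $entry) {
        $base = @realpath($entry);
        if ($base === false) {
            continue;
        }
        $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
        if (strpos($real, $base) === 0) {
            return true;
        }
    }
    return false;
}

// Report environment findings up front instead of failing later at runtime.
function preflight_report(array $extensions, array $dirs)
{
    $findings = array();
    foreach ($extensions as $ext) {
        if (!extension_loaded($ext)) {
            $findings[] = "missing PHP extension: $ext";
        }
    }
    if (filter_var(ini_get('safe_mode'), FILTER_VALIDATE_BOOLEAN)) {
        $findings[] = 'safe_mode is enabled';
    }
    $basedir = ini_get('open_basedir');
    foreach ($dirs as $dir) {
        if (!preflight_dir_allowed($dir, $basedir)) {
            $findings[] = "$dir is not reachable under open_basedir ($basedir)";
        }
    }
    return $findings;
}

// Constructed requirement list, modelled on the plugins named above.
print_r(preflight_report(array('ctype', 'curl', 'json', 'session'), array('/var/tmp')));
```

Run at plugin activation, a report like this lets a plugin refuse to start with a clear message instead of breaking silently on a hardened host.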