Obviously a lot of WP plugin authors do not check if their plugin is PHP safe_mode/open_basedir compatible. Yes, I know, it is deprecated and does not offer 100% safety, but it is at least an additional road-block in some cases and may prevent some malicious behavior… If I can choose between 100% break-in possibility and <100% break-in possibility, I choose the latter.
I also think most of them do not check with suhosin either. They also fail to list other PHP extension requirements most of the time; they just assume you have a full install.
- quickstats wants the PHP ctype extension and does not seem to play well with sql.safe_mode, while the rest of WP does not seem to have an obvious problem with it
- wp-stats-dashboard wants the PHP curl and json extensions (curl does not play well with safe_mode or open_basedir => needs to be disabled), needs suhosin.executor.include.max_traversal set to 6; still does not work 100% correctly, I deleted the cache directory contents to let it recreate the stats, but it still does not display as many visits as I can see in the stats on the postings page
- bot-tracker wants the PHP session extension
- broken-link-checker tries to write to /var/tmp/ (safe_mode/open_basedir incompatible)
- one-time-password does not play well with safe_mode/open_basedir
- smartlinker tells me that the variable cookieString is not defined
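
A preflight check along these lines reports the missing extensions and the relevant hardening settings before a plugin is activated. This is an added example, not code from the post or from any of the plugins; the function names are hypothetical, the plugin-to-extension map is taken from the list above, and the open_basedir check is a string comparison that treats each entry as a directory.

```php
<?php
// Added example; plugin => extension map is taken from the notes in this post.
$requirements = array(
    'quickstats'         => array('ctype'),
    'wp-stats-dashboard' => array('curl', 'json'),
    'bot-tracker'        => array('session'),
);

// Return the extensions from $needed that are not loaded in this PHP.
function missing_extensions($needed)
{
    $missing = array();
    foreach ($needed as $ext) {
        if (!extension_loaded($ext)) {
            $missing[] = $ext;
        }
    }
    return $missing;
}

// String-only check: is $dir inside one of the open_basedir entries?
// Simplification: symlinks are not resolved, entries are treated as directories.
function allowed_by_open_basedir($dir, $openBasedir)
{
    if ($openBasedir === '' || $openBasedir === false) {
        return true; // no restriction configured
    }
    $dir = rtrim($dir, '/') . '/';
    foreach (explode(PATH_SEPARATOR, $openBasedir) as $base) {
        if ($base === '') {
            continue; // ignore empty entries
        }
        $base = rtrim($base, '/') . '/';
        if (strncmp($dir, $base, strlen($base)) === 0) {
            return true;
        }
    }
    return false;
}

foreach ($requirements as $plugin => $needed) {
    $missing = missing_extensions($needed);
    echo $plugin, ': ', $missing ? 'missing ' . implode(', ', $missing) : 'ok', "\n";
}
// ini_get() returns false for settings this PHP build does not know.
foreach (array('safe_mode', 'sql.safe_mode', 'open_basedir',
               'suhosin.executor.include.max_traversal') as $key) {
    echo $key, ' = ', var_export(ini_get($key), true), "\n";
}
echo '/var/tmp allowed by open_basedir: ',
    allowed_by_open_basedir('/var/tmp', ini_get('open_basedir')) ? 'yes' : 'no', "\n";
```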