Unrendered PHP code

  • Resolved solu78

    (@solu78)


    4 years, 9 months ago

    My security scanner tells me:

    “We have detected unexecuted php code on your site. PHP code displayed to end users can give away information that a hacker may use to attack your site. This may also be the result of server misconfiguration.”

    Btw – I’d share the precise link, but then the link would be public. If you must have the exact link to answer this question, please let me know if there’s a way to send it privately.

    Does this plugin have some unexecuted PHP code in it?

    • This topic was modified 4 years, 9 months ago by solu78.
Viewing 4 replies - 1 through 4 (of 4 total)
  • Plugin Author Stoyan Georgiev

    (@stoyangeorgiev)

    4 years, 9 months ago

    Hey there @solu78 ,

    Would it be possible to be more specific about the issue and how it is connected to the SG Optimizer? Do you have any issues when using our plugin?

    It would be impossible to find the exact reason for that without a URL. As for the second question, I am afraid that sending details in private is not following the community guidelines, so you can safely send it here.

    Kind regards,
    Stoyan

    Thread Starter solu78

    (@solu78)

    4 years, 9 months ago

    Hello @stoyangeorgiev

    I have Siteground as my host, Cloudflare for the CDN, and I have a site scanner (from Sitelock) installed that is notifying me that the following link may have ‘unexecuted php code’:

    https://havihealth.com/wp-content/uploads/siteground-optimizer-assets/%url%

    The plugin is currently working great and from what I can tell, my website is functioning at 100%.

    That said, I wanted to be proactive and inquire if that security warning was coming from the SG optimizer (as Sitelock has identified it as a vulnerability).

    RE: Optimizer set up

    Environmental Optimization
    Enable HTTPS > On
    Fix Insecure Content > OFF
    Heartbeat > OFF
    DNS Prefetch. > ON (//ajax.cloudflare.com/cdn-cgi/scripts/7d0fa10a/cloudflare-static/rocket-loader.min.js)
    Scheduled Database Maintenance > ON

    Front End Optimization — Everything is ON + I have prefetched google fonts (i.e., https://fonts.gstatic.com/s/roboto/v27/KFOmCnqEu92Fr1Mu4mxP.ttf)

    Media optimization — None

    Thanks so much for your help.

    • This reply was modified 4 years, 9 months ago by solu78.
    • This reply was modified 4 years, 9 months ago by solu78.
    Plugin Author Hristo Pandjarov

    (@hristo-sg)

    SiteGround Representative

    4 years, 9 months ago

    We do not add any PHP code there. Check the files and see where it is coming from. Of course, it can always be false positive but there is a chance that a plugin / custom function is adding it there. I can see the rocket-loader.min.js too so please stop and disable all wp rocket stuff or other performance optionzations to be sure you’re avoiding conflict.

    Thread Starter solu78

    (@solu78)

    4 years, 9 months ago

    Thanks for your reply.

    Outside of Cloudflare rocket-loader, I don’t have any other speed or cashing plugin. I’ll turn off the rocket-loader and any minification of JavaScript, HTML, and CSS in Cloudflare.

    Because I DNS-prefetched the rocket loader, could that be causing a conflict as well?

    Here are the following two items I have DNS-prefetched on this Siteground optimizer plugin:

    //ajax.cloudflare.com/cdn-cgi/scripts/7d0fa10a/cloudflare-static/rocket-loader.min.js

    //cloudflare.com

    • This reply was modified 4 years, 9 months ago by solu78.
    • This reply was modified 4 years, 9 months ago by solu78.
Viewing 4 replies - 1 through 4 (of 4 total)

The topic ‘Unrendered PHP code’ is closed to new replies.

Tags