• Resolved Checo

    (@checo)


    Hi,

    I’m using Wordfence v7.1.10 and WordPress v4.9.7

    My server admin recommended disabling “ini_set()” for security reasons.

    I noticed that in the error_log, Wordfence uses ini_set() because I see this warning:

    [30-Jul-2018 15:12:10 UTC] PHP Warning: ini_set() has been disabled for security reasons in /home/zzzzzzzz/public_html/wp-content/plugins/wordfence/vendor/wordfence/wf-waf/src/lib/rules.php on line 778

    I have 2 questions:

    1) If Wordfence uses or needs ini_set(), does this mean it might not be that insecure? Should I enable it? All my PrestaShop sites have error_log files that get pretty big filled with “ini_set() has been disabled for security reasons” messages every couple of seconds.

    2) If it does cause security issues and if I keep it disabled, will Wordfence still work to its full potential?

    Any suggestion or recommendation would be greatly appreciated concerning ini_set() being enabled or disabled.

    Thanks!

    Sergio

  • Plugin Support wfphil

    (@wfphil)

    Hi Sergio,

    We encounter far more hosts with bad default settings where ini_set is the only way to compensate for it than we see malicious use.

    WordPress itself uses the ini_set function multiple times.

    Interestingly, the warning that you provided above led to the use of ini_set being used there because another popular plugin was using ini_set to override the default value of a PHP directive that caused Wordfence scans to fail.

    Many of the most sensitive directives can’t be set via the function call so you can safely enable ini_set if you want to.

    Thanks.
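
The reply above notes that many of the most sensitive directives can't be set via the function call. The following script is an added example, not part of the original thread and not Wordfence or WordPress code; it reports, for the PHP build it runs on, whether ini_set() is disabled and which directives a script could change at runtime. The directive list in `$sample` is a constructed sample.

```php
<?php
/** True if $name appears in the disable_functions directive. */
function is_function_disabled(string $name): bool
{
    $list = array_map('trim', explode(',', (string) ini_get('disable_functions')));
    return in_array($name, $list, true);
}

/** Translate a directive's access bitmask into the places it may be set. */
function describe_access(int $access): string
{
    $where = [];
    if ($access & INI_USER) {
        $where[] = 'script (ini_set)';
    }
    if ($access & INI_PERDIR) {
        $where[] = 'per-directory (.htaccess, .user.ini)';
    }
    if ($access & INI_SYSTEM) {
        $where[] = 'system (php.ini)';
    }
    return implode(', ', $where);
}

/** Map each directive to its current value and where it may be changed. */
function audit_directives(array $names): array
{
    // ini_get_all() returns name => [global_value, local_value, access].
    $all = is_function_disabled('ini_get_all') ? [] : ini_get_all();
    $report = [];
    foreach ($names as $name) {
        if (!isset($all[$name])) {
            $report[$name] = null; // not registered here, or ini_get_all() unavailable
            continue;
        }
        $access = (int) $all[$name]['access'];
        $report[$name] = [
            'value'   => (string) $all[$name]['local_value'],
            'runtime' => ($access & INI_USER) !== 0, // only these accept ini_set()
            'access'  => describe_access($access),
        ];
    }
    return $report;
}

// Constructed sample list: sensitive directives next to commonly tuned ones.
$sample = ['disable_functions', 'allow_url_include', 'open_basedir',
           'memory_limit', 'max_execution_time', 'display_errors'];
echo 'ini_set() disabled: ', is_function_disabled('ini_set') ? 'yes' : 'no', PHP_EOL;
foreach (audit_directives($sample) as $name => $row) {
    echo $row === null ? "$name: not available" : sprintf('%s = "%s" | ini_set: %s | settable at: %s',
        $name, $row['value'], $row['runtime'] ? 'yes' : 'no', $row['access']), PHP_EOL;
}
```

Run it through the same SAPI that serves the site, since the command-line PHP often loads a different php.ini than the web server.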

    Hi @checo,

    Since we haven’t heard from you for a while I’m going to go ahead and resolve this thread. If you have any other questions or concerns, don’t hesitate to open a new one.

    Thanks.

  • The topic ‘ini_set() has been disabled for security reasons’ is closed to new replies.