There is a potentially dangerous security and compatibility issue in WP Cerber.
The WP Cerber code currently uses the PHP function file_get_contents() to retrieve URLs. This is not a secure or reliable method for retrieving URLs.
Site owners often disable this in their site’s php.ini file for security reasons, in which case the reCaptcha functionality breaks, and your connection with Cerber Labs will break as well.
Two of the recommended php.ini settings for security are:
allow_url_fopen = 0
allow_url_include = 0
Setting allow_url_fopen to 0 (Off) prevents functions like fopen() and file_get_contents() from retrieving URLs, and setting allow_url_include to 0 (Off) prevents the inclusion of URLs as if they were files.
If you are having any issues with reCaptcha not working on certain sites, this could be why.
A better practice would be to use cURL, but the best practice for WordPress is to use the HTTP API, which is designed to overcome compatibility issues. It’s the most reliable method of retrieving URLs. wp_remote_get() (https://developer.wordpress.org/reference/functions/wp_remote_get/) is the function you need.
Also, in order to prevent the potential of man-in-the-middle attacks that could potentially compromise the sites of your plugin users, you need to make sure that the plugin only uses HTTPS URLs to contact Cerber Labs in the function lab_send_request(). If you’re not contacting a secure URL, there is no guarantee that it’s the genuine website, and hackers can substitute their own code instead of yours.
Please look into and fix these issues. Thank you. Keep up the good work.
– Scott
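As an added illustration of the two fixes requested above (example code, not WP Cerber's own): the file_get_contents() pattern that fails under allow_url_fopen = 0, beside a replacement built on the WordPress HTTP API that refuses anything but an absolute https:// URL and keeps certificate verification on. The endpoint constant and function names are placeholders, since the real Cerber Labs URL is not in the post.

```php
<?php
// Added example, not WP Cerber's code. Hypothetical endpoint: the real Cerber Labs
// URL is not given in the post, so an obvious placeholder is used instead.
define( 'EXAMPLE_LAB_ENDPOINT', 'https://example.invalid/lab/api' );

// Before: relies on allow_url_fopen, and will happily fetch a plain http:// URL,
// so the reply can be altered on the wire before the plugin acts on it.
function example_lab_send_request_before( $url ) {
    return file_get_contents( $url );
}

// After: WordPress HTTP API, HTTPS-only, TLS verification kept on, errors surfaced.
function example_lab_send_request_after( $url, array $query = array() ) {
    // Refuse non-HTTPS schemes up front; a bare host or http:// URL never leaves the site.
    if ( 'https' !== wp_parse_url( $url, PHP_URL_SCHEME ) ) {
        return new WP_Error( 'lab_insecure_url', 'Only HTTPS endpoints are allowed.' );
    }

    $url = add_query_arg( $query, $url );

    $response = wp_remote_get( $url, array(
        'timeout'     => 10,
        'sslverify'   => true,  // WordPress default, stated explicitly: never set to false to "fix" cert errors
        'redirection' => 0,     // do not follow a redirect that could land on an http:// URL
        'user-agent'  => 'example-plugin/1.0; ' . home_url( '/' ),
    ) );

    // Transport or TLS failure (e.g. certificate mismatch) comes back as a WP_Error.
    if ( is_wp_error( $response ) ) {
        return $response;
    }

    $code = (int) wp_remote_retrieve_response_code( $response );
    if ( 200 !== $code ) {
        return new WP_Error( 'lab_bad_status', sprintf( 'Unexpected HTTP status %d', $code ) );
    }

    // Return the body string; the caller decides how to parse it (format is not known here).
    return wp_remote_retrieve_body( $response );
}

// Usage: the placeholder http:// call is rejected before any request is made.
$rejected = example_lab_send_request_after( 'http://example.invalid/lab/api' );
$ok       = example_lab_send_request_after( EXAMPLE_LAB_ENDPOINT, array( 'v' => '1' ) );
```

Because redirection is disabled and the scheme is checked before the request, a downgrade to plain HTTP cannot happen silently; any TLS problem reaches the caller as a WP_Error instead of an empty string, which is what file_get_contents() returns on failure.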