
A Useful WordPress Plugin For Displaying Shortcodes And PHP In Widgets

Discussion in 'WordPress Plugins' started by Kevin Muldoon, May 26, 2016.

  1. Yes, I know you can add this functionality by adding some simple code to your theme's functions.php file, but I like the simplicity of this plugin.

    All it does is add shortcode and PHP support to your widgets. You can enable and disable each option via the plugin settings page.

    It's a simple plugin but you will find it very useful.

  2. Thanks for sharing this plugin. It becomes useful for some of our customers to show contact forms etc on sidebars.
  3. Urgh. Shortcodes are fine. PHP I would avoid. So much chance for things to go wrong, and a wee bit of a security risk too.
  4. Perhaps this is a silly question, but hopefully you can humour a non-coder :)

    Why is displaying PHP code in a widget a security risk? Isn't it the same as displaying PHP in a page or in a theme template?

    Are you referring to someone gaining access to your WordPress admin area and doing something?
  5. Quick response, will try to elaborate later: every user input (including from the admin panel) is a potential security risk. If someone hacks your database, worst case the hacker gets some data, and possibly deletes other data.

    If a hacker uploads any php script, they could do all of that, plus impersonate you by using your server in any way possible.

  6. What @k06mars said - if somebody gets into your blog and they can run PHP from the post editor, that's going to make the hack a billion times worse.

    To elaborate further, every action you take in WordPress is sanitised to a fairly secure level. Even if you forget to escape attributes the chances are it will be fine, so if I were to type <?php echo 1+1; ?> into WordPress, it is unlikely to output 2, because WordPress does check to make sure that it will never, ever run.

    With these PHP functions, you completely bypass this sanitization, so running the wrong command could lead to something like a complete database drop.
  7. ..and then some. Your system is only as secure as your least secure plugin. So, let's assume your website has some sort of security vulnerability that allows an attacker to access your database. This gives them access to basic CRUD operations (Create/Read/Update/Delete) - they can mess with your data, might even steal it - but unless you are storing sensitive information or don't have backups, none of this is too big of a deal.

    With this plugin, any sort of PHP code can be inserted by a would-be attacker. Some things you can do with PHP:
    • Track users' behavior
    • Spam through PHP's mail() function
    • Deliver a virus to all visitors
    • Depending on your server setup, CRUD your entire server (instead of just data) - this includes adding their public key to your authorized_keys file - meaning even after you fix the issue in the database, they have access (and unless you regularly check this file, you wouldn't notice)...and they could in turn revoke your access.
    With hardcoded code (that is, stuff you need to edit an actual file for), things might be slow, might be buggy - but that code will never change unless someone has access to it - you can predict behavior. You can't predict database data that potentially anyone could have data to.
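One defensive check that follows from this thread, added here as an example and not code from the thread or the plugin: scan the stored widget text (the shape WP-CLI's `wp option get widget_text --format=json` returns, assumed here) for embedded PHP, so code sitting in the database rather than in a file gets noticed. The widget entries below are constructed sample data.

```python
import re

# Constructed sample of the widget_text option after JSON decoding (hypothetical;
# keys are widget instance ids, values are the widget's title and body).
SAMPLE_WIDGETS = {
    "1": {"title": "Contact", "text": '[contact-form-7 id="12"]'},
    "2": {"title": "Hello", "text": "<p>Welcome to the blog</p>"},
    "3": {"title": "", "text": "<?php echo 1+1; ?>"},
    "4": {"title": "Footer",
          "text": "Copyright <?php echo date('Y'); ?> <?php mail($to, 's', 'x'); ?>"},
}

# PHP open tags: "<?php" or the short echo tag "<?=".
PHP_TAG = re.compile(r"<\?(?:php\b|=)", re.IGNORECASE)
# Functions whose presence in widget text is worth flagging first.
RISKY_CALLS = re.compile(
    r"\b(eval|system|exec|shell_exec|passthru|mail|file_put_contents|base64_decode)\s*\(",
    re.IGNORECASE,
)


def scan_widget_text(widgets):
    """Return a list of widgets whose body contains PHP, with any risky calls seen.

    Shortcodes such as [contact-form-7 ...] are plain text to WordPress and are
    not flagged; only PHP open tags are, since those are what a PHP-in-widgets
    plugin would eval.
    """
    findings = []
    for wid, widget in widgets.items():
        if not isinstance(widget, dict):
            continue  # widget_text also carries a "_multiwidget" marker; skip it
        text = widget.get("text", "")
        if not PHP_TAG.search(text):
            continue
        calls = sorted({m.group(1).lower() for m in RISKY_CALLS.finditer(text)})
        findings.append({"id": wid, "title": widget.get("title", ""), "calls": calls})
    return findings


if __name__ == "__main__":
    for finding in scan_widget_text(SAMPLE_WIDGETS):
        print(f"widget {finding['id']} ({finding['title']!r}): PHP present, "
              f"risky calls: {finding['calls'] or 'none'}")
```

Run it against the real option by loading the WP-CLI JSON output with `json.load` and passing the result to `scan_widget_text`.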
