New WordPress theme review policy (security)

tips-and-tricks

#1

Hello,
we are in the process of uploading a new theme and have received a new type of soft reject:

fopen, file_put_contents, file_get_contents, fclose, curl_exec, curl_init, base64_encode, etc are no longer allowed.

The reason being: security. While we do understand, some features do require those functions. Example being the Vimeo API, which requires the use of file_get_contents to get the video images.

We also used base64_decode because we used the textarea_raw_html element of Visual Composer. That means we cannot use functionality of the most popular plugin on Codecanyon, which seems a bit funny.

One solution the reviewer mentioned is to move everything to a plugin. But is that really a solution? That does not seem to make it any more secure.

What do you guys think? Do you have any other solutions or do you still use the above PHP functions?


#2

Hello,

You can easily replace file_get_contents with native WordPress functions.

For example, you can easily retrieve a Vimeo thumbnail like this:

```php
$video_ID = 'xxxx';
$response = wp_remote_get( 'http://vimeo.com/api/v2/video/' . $video_ID . '.json' );

// wp_remote_get() returns a WP_Error object on failure, which is truthy,
// so test for it explicitly instead of relying on if ( $thumbnail ).
if ( ! is_wp_error( $response ) && 200 === wp_remote_retrieve_response_code( $response ) ) {
    $body = json_decode( wp_remote_retrieve_body( $response ) );
    if ( ! empty( $body[0]->thumbnail_large ) ) {
        $poster = $body[0]->thumbnail_large;
    }
}
```
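A fuller version of the same replacement, added here as an example and not taken from the post above: the Vimeo ID is constrained to an integer so the request URL is fixed apart from that number, the result is cached in a transient, and the thumbnail URL is validated before it is stored and escaped again on output. The function name, transient key prefix and the use of https are my own choices, not anything the thread specifies.

```php
<?php
/**
 * Added example: Vimeo thumbnail lookup using the WordPress HTTP API.
 * mytheme_get_vimeo_thumbnail() and the transient key prefix are assumptions.
 */
function mytheme_get_vimeo_thumbnail( $video_id ) {
    // Only a numeric Vimeo ID is accepted, so user input can never change
    // the host, scheme or path of the request (no php://, data: or other wrappers).
    $video_id = absint( $video_id );
    if ( 0 === $video_id ) {
        return '';
    }

    // Cache per video so a page view does not trigger a remote request every time.
    $cache_key = 'mytheme_vimeo_thumb_' . $video_id;
    $cached    = get_transient( $cache_key );
    if ( false !== $cached ) {
        return $cached;
    }

    $response = wp_remote_get(
        'https://vimeo.com/api/v2/video/' . $video_id . '.json',
        array( 'timeout' => 5 )
    );

    // Transport errors come back as a WP_Error (truthy), so check explicitly,
    // and treat anything but HTTP 200 as a miss.
    if ( is_wp_error( $response ) || 200 !== wp_remote_retrieve_response_code( $response ) ) {
        return '';
    }

    $data = json_decode( wp_remote_retrieve_body( $response ) );
    if ( empty( $data[0]->thumbnail_large ) || ! is_string( $data[0]->thumbnail_large ) ) {
        return '';
    }

    // esc_url_raw() drops URLs with disallowed schemes (e.g. javascript:) before storage.
    $poster = esc_url_raw( $data[0]->thumbnail_large );
    if ( '' === $poster ) {
        return '';
    }

    set_transient( $cache_key, $poster, DAY_IN_SECONDS );

    return $poster;
}

// Template usage (escape again at output time):
// echo '<img src="' . esc_url( mytheme_get_vimeo_thumbnail( $video_ID ) ) . '" alt="">';
```

Beyond satisfying the reviewer, the HTTP API buys real properties that `file_get_contents()` does not: it only speaks http and https, so stream wrappers are out of reach, and it honours the site's `WP_HTTP_BLOCK_EXTERNAL` and `WP_ACCESSIBLE_HOSTS` settings, so a host administrator can restrict which remote hosts any theme or plugin may contact.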


#3

My plugin also uses base64_decode and base64_encode and I can't remove it since it would break some old links.

I know these methods can hide some malicious code, but if you check out the source of my plugin it's obvious it just maps URLs.

Better check for eval() which is of course evil.


#4

moving everything to a plugin. But is that really a solution? That does not seem to make it any more secure.

What do you guys think?


#5

Move this code to a plugin; our theme had to move this code to a plugin to pass this.


#6

Migrating code which has security issues into a plugin is not a solution for the end user. You must develop both theme and plugins to be hack proof. Only for base64 you should create a function in the plugin and use it in the theme.
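What a single base64 helper in the companion plugin can look like, as an added example that is not code from the thread or from Visual Composer. It assumes the textarea_raw_html value reaches the theme base64-encoded with a URL-encoding layer inside (which is how that element's own template decodes it in the versions I have seen; check your version), and the function names and plugin/theme split are my own. The point is that the theme never calls `base64_decode()` itself, the decode is strict, and the decoded HTML is sanitised unless the post author is allowed unfiltered HTML, mirroring WordPress's own save-time rule.

```php
<?php
/**
 * Added example: one narrow base64 helper exposed by the companion plugin
 * so the theme itself contains no base64_decode() call.
 * Function names, the encoding layers and the author check are assumptions.
 */

// --- companion plugin ----------------------------------------------------

/**
 * Decode a raw-HTML element value and return HTML that is safe to print.
 *
 * @param string $encoded   Base64-encoded (and URL-encoded) element content.
 * @param int    $author_id Author of the post being rendered, 0 if unknown.
 * @return string Decoded HTML, or '' if the input is not valid base64.
 */
function mytheme_plugin_decode_raw_html( $encoded, $author_id = 0 ) {
    if ( ! is_string( $encoded ) || '' === $encoded ) {
        return '';
    }

    // Strict mode: reject input with characters outside the base64 alphabet
    // instead of silently skipping them.
    $decoded = base64_decode( $encoded, true );
    if ( false === $decoded ) {
        return '';
    }

    // Assumed inner URL-encoding layer used by the element.
    $html = rawurldecode( $decoded );

    // Same policy WordPress applies when saving post content: only users with
    // the unfiltered_html capability may ship scripts and event handlers.
    if ( $author_id > 0 && user_can( $author_id, 'unfiltered_html' ) ) {
        return $html;
    }

    return wp_kses_post( $html );
}

// --- theme (shortcode template) ------------------------------------------

function mytheme_render_raw_html_element( $atts ) {
    $atts = shortcode_atts( array( 'content' => '' ), $atts );

    // If the plugin is inactive, render nothing rather than fall back to
    // a local base64_decode() in the theme.
    if ( ! function_exists( 'mytheme_plugin_decode_raw_html' ) ) {
        return '';
    }

    $post      = get_post();
    $author_id = $post ? (int) $post->post_author : 0;

    return mytheme_plugin_decode_raw_html( $atts['content'], $author_id );
}
```

The `wp_kses_post()` branch strips `<script>` and inline event handlers, so for untrusted authors the element degrades to ordinary post HTML; trusted authors keep the raw behaviour the element exists for. Whether a reviewer accepts the plugin-side `base64_decode()` is a separate question, but at least the decode site is a single, readable function that does nothing else.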