WordPress and Web Server Security – Blocking Unused PHP Functions

Hello,

In this post I will show how to find and disable unused PHP functions on an installation running WordPress 6.5.4 and PHP 8.2.20. Which PHP functions are actually used will vary with the WordPress plugins you have installed.

First, create a file named deneme.php, paste the PHP code below into it and request that file in the browser; it lists the PHP functions that are active on our server.

<?php
// Helper that renders one HTML table row. This listing never calls it, so it only
// shows up under the 'user' key of the output below.
function satır($id, $veri)
{
    return "<tr><th>$id</th><td>$veri</td></tr>\n";
}

// get_defined_functions() returns ['internal' => [...], 'user' => [...]]:
// 'internal' is every function compiled into this PHP build and its loaded extensions.
$dizi = get_defined_functions();

// print_r() writes one "[index] => name" line per function; the => delimiter used
// in the spreadsheet import below relies on that format.
print_r($dizi);
?>

We are greeted by the following screen.

Here we see our active functions. We save the whole output to a text file, then in Excel choose to import data from that text file and set => as the delimiter.

When we click Load, we get the following output.

We select the entire second row and copy it, then paste it into a new sheet using Transpose.

After deleting the first two and the last two rows, we are left with a clean list of the active functions.

Take the strlen function as an example. In Notepad++ we press Ctrl+F and search for this function across our WordPress directory.

We append a ( directly after the function name and click Find All.

As you can see, this shows us every place where the function is used in WordPress.

Searching for each function one by one this way (it could be automated with a script), we determine whether or not each function is used. To switch off the unused functions, we add them to "disable_functions" in the php.ini file.

disable_functions = passthru,exec,proc_open,system,popen,curl_multi_exec,parse_ini_file,show_source,shell_exec,eval,symlink,pcntl_exec,getmyuid,phpinfo,get_current_user,proc_get_status,apache_setenv,escapeshellarg,escapeshellcmd,highlight_file,ini_alter,ini_get_all,ini_restore,openlog,php_uname,proc_close,proc_nice,proc_terminate,putenv,register_tick_function,syslog,stream_socket_server,pfsockopen,disk_total_space,getrusage,link,pnctl_exec,fgetcsv,fputcsv,fpassthru,apache_get_version,apache_note,apache_request_headers,diskfreespace,virtual,set_include_path,tmpfile,mail,mb_send_mail,create_function,stream_bucket_make_writeable,str_shuffle,stream_filter_register,stream_filter_append,parse_ini_string,openssl_x509_export_to_file,gc_enable,gc_disable,get_included_files,get_required_files,openssl_x509_export,openssl_x509_fingerprint,openssl_x509_check_private_key,openssl_x509_verify,localtime,strncasecmp,get_called_class,get_parent_class,get_class_vars,get_mangled_object_vars,openssl_cms_verify,openssl_x509_checkpurpose,trait_exists,enum_exists,user_error,set_exception_handler,restore_exception_handler,get_declared_classes,get_declared_traits,get_declared_interfaces,get_defined_vars,get_resource_id,get_resources,debug_print_backtrace,get_extension_funcs,gc_mem_caches,gc_collect_cycles,gc_status,bcsqrt,bcscale,cal_days_in_month,cal_from_jd,cal_info,cal_to_jd,easter_date,easter_days,frenchtojd,gregoriantojd,jddayofweek,jdmonthname,jdtofrench,jdtogregorian,jdtojewish,jdtojulian,jdtounix,jewishtojd,juliantojd,unixtojd,ctype_alpha,ctype_cntrl,ctype_lower,ctype_graph,ctype_print,ctype_punct,ctype_space,ctype_upper,ctype_xdigit,idate,gmstrftime,date_create_from_format,date_parse,date_parse_from_format,preg_replace_callback_array,preg_last_error,preg_last_error_msg,mhash,mhash_count,mhash_get_block_size,mhash_get_hash_name,mhash_keygen_s2k,realpath_cache_get,realpath_cache_size,sapi_windows_cp_set,sapi_windows_cp_get,sapi_windows_cp_conv,sapi_windows_cp_is_utf8,sapi_windows_set_ctrl_handler,sapi_windows_generate_ctrl_event,xmlwriter_open_uri,xmlwriter_open_memory,xmlwriter_set_indent,xmlwriter_set_indent_string,xmlwriter_start_comment,xmlwriter_end_comment,xmlwriter_start_attribute,xmlwriter_end_attribute,xmlwriter_write_attribute,xmlwriter_start_attribute_ns,xmlwriter_write_attribute_ns,xmlwriter_start_element,xmlwriter_end_element,xmlwriter_full_end_element,xmlwriter_start_element_ns,xmlwriter_write_element,xmlwriter_write_element_ns,xmlwriter_start_pi,xmlwriter_end_pi,xmlwriter_write_pi,xmlwriter_start_cdata,xmlwriter_end_cdata,xmlwriter_write_cdata,xmlwriter_text,xmlwriter_write_raw,xmlwriter_start_document,xmlwriter_end_document,xmlwriter_write_comment,xmlwriter_start_dtd,xmlwriter_end_dtd,xmlwriter_write_dtd,xmlwriter_start_dtd_element,xmlwriter_end_dtd_element,xmlwriter_write_dtd_element,xmlwriter_start_dtd_attlist,xmlwriter_end_dtd_attlist,xmlwriter_write_dtd_attlist,xmlwriter_start_dtd_entity,xmlwriter_end_dtd_entity,xmlwriter_write_dtd_entity,xmlwriter_output_memory,xmlwriter_flush,intlcal_create_instance,intlcal_get_keyword_values_for_locale,intlcal_get_now,intlcal_get_available_locales,intlcal_get,intlcal_get_time,intlcal_set_time,intlcal_add,intlcal_set_time_zone,intlcal_after,intlcal_before,intlcal_set,intlcal_roll,intlcal_clear,intlcal_field_difference,intlcal_get_actual_maximum,intlcal_get_actual_minimum,intlcal_get_day_of_week_type,intlcal_get_first_day_of_week,intlcal_get_least_maximum,intlcal_get_greatest_minimum,intlcal_get_locale,intlcal_get_maximum,intlcal_get_minimal_days_in_first_week,intlcal_set_minimal_days_in_first_week,intlcal_get_minimum,intlcal_get_time_zone,intlcal_get_type,intlcal_get_weekend_transition,intlcal_in_daylight_time,intlcal_is_lenient,intlcal_is_set,intlcal_is_equivalent_to,intlcal_is_weekend,intlcal_set_first_day_of_week,intlcal_set_lenient,intlcal_get_repeated_wall_time_option,intlcal_equals,intlcal_get_skipped_wall_time_option,intlcal_set_repeated_wall_time_option,intlcal_set_skipped_wall_time_option,intlcal_from_date_time,intlcal_to_date_time,intlcal_get_error_code,intlcal_get_error_message,datefmt_create,datefmt_get_datetype,datefmt_get_timetype,datefmt_get_calendar,datefmt_set_calendar,datefmt_get_timezone_id,datefmt_get_calendar_object,datefmt_get_timezone,datefmt_set_timezone,datefmt_set_pattern,datefmt_get_pattern,datefmt_get_locale,datefmt_set_lenient,datefmt_is_lenient,datefmt_format,datefmt_format_object,datefmt_parse,datefmt_localtime,datefmt_get_error_code,datefmt_get_error_message,numfmt_create,numfmt_format,numfmt_parse,numfmt_format_currency,numfmt_parse_currency,numfmt_set_attribute,numfmt_get_attribute,numfmt_set_text_attribute,numfmt_get_text_attribute,numfmt_set_symbol,numfmt_get_symbol,numfmt_set_pattern,numfmt_get_pattern,numfmt_get_locale,numfmt_get_error_code,numfmt_get_error_message,grapheme_strlen,grapheme_strpos,grapheme_stripos,grapheme_strrpos,grapheme_strripos,grapheme_substr,grapheme_strstr,grapheme_stristr,grapheme_extract,openssl_x509_read,openssl_x509_free,openssl_pkcs12_export_to_file,openssl_pkcs12_export,openssl_pkcs12_read,openssl_csr_export_to_file,openssl_csr_export,openssl_csr_sign,openssl_csr_new,openssl_csr_get_subject,openssl_csr_get_public_key,openssl_pkey_export_to_file,openssl_pkey_get_public,openssl_get_publickey,openssl_free_key,openssl_get_privatekey,openssl_pkey_get_details,openssl_pbkdf2,openssl_pkcs7_verify,openssl_pkcs7_encrypt,openssl_pkcs7_decrypt,openssl_pkcs7_read,openssl_cms_encrypt,openssl_cms_sign,openssl_cms_decrypt,openssl_cms_read,openssl_private_encrypt,openssl_private_decrypt,openssl_public_decrypt,openssl_seal,openssl_open,openssl_get_curve_names,openssl_digest,openssl_cipher_iv_length,openssl_dh_compute_key,openssl_pkey_derive,openssl_spki_new,openssl_spki_verify,openssl_spki_export,openssl_spki_export_challenge,openssl_get_cert_locations,stream_context_set_params,stream_context_get_params,stream_context_get_default,stream_context_set_default,stream_filter_prepend,stream_filter_remove,stream_socket_accept,stream_socket_get_name,stream_socket_recvfrom,stream_socket_sendto,stream_socket_shutdown,stream_socket_pair,stream_supports_lock,stream_set_write_buffer,set_file_buffer,stream_get_line,stream_get_transports,stream_is_local,sapi_windows_vt100_support,stream_bucket_prepend,stream_bucket_append,stream_bucket_new,stream_get_filters,convert_uuencode,convert_uudecode,debug_zval_dump,pdo_drivers,simplexml_load_file,gettimeofday,password_get_info,password_hash,password_needs_rehash,password_verify,password_algos,locale_get_default,locale_get_primary_language,locale_get_script,locale_get_region,locale_get_keywords,locale_get_display_script,locale_get_display_region,locale_get_display_name,locale_get_display_language,locale_get_display_variant,locale_set_default,locale_compose,locale_parse,locale_get_all_variants,date_get_last_errors,date_format,date_modify,date_add,date_sub,date_timezone_get,date_timezone_set,date_offset_get,date_diff,date_time_set,date_date_set,date_isodate_set,date_timestamp_set,date_timestamp_get,timezone_name_get,timezone_name_from_abbr,timezone_location_get,timezone_abbreviations_list,timezone_version_get,date_interval_create_from_date_string,date_interval_format,date_sunrise,date_sunset,date_sun_info,filter_has_var,filter_input_array,filter_var_array,hash_hmac_file,hash_update_stream,hash_update_file,hash_copy,hash_hmac_algos,hash_pbkdf2,hash_hkdf,readline_info,readline_add_history,readline_clear_history,readline_list_history,readline_read_history,readline_write_history,readline_completion_function,session_name,session_module_name,session_save_path,session_id,session_create_id,session_regenerate_id,session_decode,session_encode,session_destroy,session_unset,session_gc,session_get_cookie_params,session_write_close,session_abort,session_reset,session_status,session_register_shutdown,session_commit,session_set_save_handler,session_cache_limiter,session_cache_expire,session_set_cookie_params,session_start,class_parents,class_uses,spl_autoload,spl_autoload_call,spl_autoload_extensions,spl_autoload_functions,spl_classes,spl_object_id,iterator_apply,iterator_count,iterator_to_array,header_register_callback,ob_flush,ob_get_length,ob_get_status,ob_implicit_flush,output_reset_rewrite_vars,output_add_rewrite_var,stream_wrapper_register,stream_register_wrapper,stream_wrapper_unregister,stream_wrapper_restore,natsort,natcasesort,pos,shuffle,array_intersect_ukey,array_uintersect,array_intersect_assoc,array_uintersect_assoc,array_intersect_uassoc,array_uintersect_uassoc,array_diff_ukey,array_udiff,array_diff_assoc,array_diff_uassoc,array_udiff_assoc,array_udiff_uassoc,array_multisort,array_product,key_exists,array_chunk,array_is_list,ip2long,long2ip,getopt,time_nanosleep,time_sleep_until,get_cfg_var,error_clear_last,forward_static_call,forward_static_call_array,php_strip_whitespace,highlight_string,get_include_path,connection_aborted,connection_status,getservbyname,getservbyport,getprotobyname,getprotobynumber,unregister_tick_function,get_browser,crc32,gethostname,gethostbynamel,dns_check_record,checkdnsrr,dns_get_record,dns_get_mx,getmxrr,net_get_interfaces,ftok,hrtime,lcg_value,getmygid,getmypid,getmyinode,getlastmod,sha1_file,closelog,inet_ntop,inet_pton,metaphone,setrawcookie,http_response_code,headers_list,htmlspecialchars_decode,get_html_translation_table,assert_options,hex2bin,strcoll,chop,wordwrap,strchr,strripos,str_contains,str_starts_with,str_ends_with,chunk_split,quotemeta,lcfirst,similar_text,str_ireplace,hebrev,nl2br,setlocale,str_getcsv,count_chars,strnatcmp,localeconv,sscanf,str_rot13,str_word_count,utf8_encode,utf8_decode,getcwd,rewinddir,get_meta_tags,pclose,fgetc,fscanf,fstat,fflush,fsync,fdatasync,fputs,tempnam,fnmatch,dngettext,dcngettext,bind_textdomain_codeset,intlgregcal_create_instance,intlgregcal_set_gregorian_change,intlgregcal_get_gregorian_change,intlgregcal_is_leap_year,collator_create,collator_compare,ngettext,collator_get_attribute,collator_set_attribute,collator_get_strength,collator_set_strength,collator_sort,collator_sort_with_sort_keys,collator_asort,collator_get_locale,collator_get_error_code,collator_get_error_message,collator_get_sort_key,intl_get_error_code,intl_get_error_message,intl_is_failure,intl_error_name,filectime,fileinode,filetype,lstat,vprintf,vfprintf,image_type_to_extension,phpcredits,php_ini_scanned_files,php_ini_loaded_file,iptcembed,levenshtein,linkinfo,tan,asin,atan,atanh,atan2,sinh,cosh,tanh,asinh,acosh,expm1,log1p,pi,is_finite,intdiv,doubleval,exp,hypot,octdec,fdiv,mt_srand,srand,getrandmax,soundex,get_debug_type,token_name,zip_open,zip_close,zip_read,zip_entry_open,zip_entry_close,zip_entry_read,zip_entry_name,zip_entry_compressedsize,zip_entry_filesize,zip_entry_compressionmethod,ob_gzhandler,zlib_get_coding_type,gzfile,readgzfile,zlib_encode,zlib_decode,gzcompress,gzrewind,gzeof,gzgetc,gzpassthru,gzseek,gztell,gzgets,deflate_init,deflate_add,inflate_init,inflate_add,inflate_get_status,inflate_get_read_len,libxml_set_streams_context,libxml_get_errors,libxml_set_external_entity_loader,dom_import_simplexml,xml_set_processing_instruction_handler,xml_set_unparsed_entity_decl_handler,xml_set_notation_decl_handler,xml_set_external_entity_ref_handler,xml_parser_get_option,apache_lookup_uri,apache_response_headers,apache_getenv,bzopen,bzread,bzwrite,bzflush,bzclose,bzerrno,bzerrstr,bzerror,bzcompress,bzdecompress,curl_copy_handle,curl_escape,curl_unescape,curl_file_create,curl_multi_errno,curl_multi_getcontent,curl_multi_strerror,curl_pause,curl_share_close,curl_share_errno,curl_share_init,curl_share_setopt,curl_share_strerror,curl_strerror,finfo_set_flags,finfo_buffer,imageloadfont,imagesetstyle,imagepalettetotruecolor,imagecolormatch,imagesetthickness,imagefilledellipse,imagefilledarc,imagelayereffect,imagecolorresolvealpha,imagecolorclosestalpha,imagecolorexactalpha,imagegrabwindow,imagegrabscreen,imagesettile,imagesetbrush,imagecreate,imagexbm,imageavif,imagewbmp,imagegd,imagegd2,imagebmp,imagecolorallocate,imagepalettecopy,imagecolorat,imagecolorclosest,imagecolorclosesthwb,imagecolordeallocate,imagecolorresolve,imagecolorexact,imagecolorset,imagecolorsforindex,imagegammacorrect,imagesetpixel,imageline,imagedashedline,imagerectangle,imagefilledrectangle,imagearc,imageellipse,imagefilltoborder,imagefill,imagecolortransparent,imageinterlace,imagepolygon,imageopenpolygon,imagefilledpolygon,imagefontwidth,imagefontheight,imagechar,imagecharup,imagestring,imagestringup,imagecopymerge,imagecopymergegray,imagecopyresized,imagesetclip,imagegetclip,imageftbbox,imagefttext,imagettfbbox,imagettftext,imagefilter,imageconvolution,imageflip,imagecrop,imagecropauto,imagescale,imageaffine,imageaffinematrixget,imageaffinematrixconcat,imagegetinterpolation,imagesetinterpolation,imageresolution,dgettext,dcgettext,bindtextdomain,locale_filter_matches,locale_canonicalize,locale_lookup,locale_accept_from_http,msgfmt_create,msgfmt_format,msgfmt_format_message,msgfmt_parse,msgfmt_parse_message,msgfmt_set_pattern,msgfmt_get_pattern,msgfmt_get_locale,msgfmt_get_error_code,msgfmt_get_error_message,normalizer_normalize,normalizer_is_normalized,normalizer_get_raw_decomposition,resourcebundle_create,resourcebundle_get,resourcebundle_count,resourcebundle_locales,resourcebundle_get_error_code,resourcebundle_get_error_message,intltz_count_equivalent_ids,intltz_create_default,intltz_create_enumeration,intltz_create_time_zone,intltz_create_time_zone_id_enumeration,intltz_from_date_time_zone,intltz_get_canonical_id,intltz_get_display_name,intltz_get_dst_savings,intltz_get_equivalent_id,intltz_get_error_code,intltz_get_error_message,intltz_get_gmt,intltz_get_id,intltz_get_offset,intltz_get_raw_offset,intltz_get_region,intltz_get_tz_data_version,intltz_get_unknown,intltz_get_windows_id,intltz_get_id_for_windows_id,intltz_has_same_rules,intltz_to_date_time_zone,intltz_use_daylight_time,transliterator_create,transliterator_create_from_rules,transliterator_list_ids,transliterator_create_inverse,transliterator_transliterate,transliterator_get_error_code,transliterator_get_error_message,mb_preferred_mime_name,mb_strcut,mb_strimwidth,mb_regex_encoding,mb_ereg,mb_eregi,mb_ereg_replace,mb_eregi_replace,mb_ereg_replace_callback,mb_split,mb_ereg_match,mb_ereg_search,mb_ereg_search_pos,mb_ereg_search_regs,mb_ereg_search_init,mb_ereg_search_getregs,mb_ereg_search_getpos,mb_ereg_search_setpos,mb_regex_set_options,exif_tagname,exif_thumbnail,mysqli_autocommit,mysqli_begin_transaction,mysqli_change_user,mysqli_commit,mysqli_data_seek,mysqli_dump_debug_info,mysqli_debug,mysqli_error_list,mysqli_stmt_execute,mysqli_execute,mysqli_fetch_fields,mysqli_fetch_field_direct,mysqli_fetch_lengths,mysqli_fetch_all,mysqli_fetch_assoc,mysqli_fetch_row,mysqli_fetch_column,mysqli_field_count,mysqli_field_seek,mysqli_field_tell,mysqli_get_connection_stats,mysqli_get_client_stats,mysqli_get_charset,mysqli_get_client_version,mysqli_get_links_stats,mysqli_get_host_info,mysqli_get_proto_info,mysqli_get_server_version,mysqli_get_warnings,mysqli_info,mysqli_kill,mysqli_multi_query,mysqli_num_rows,mysqli_options,mysqli_set_opt,mysqli_poll,mysqli_prepare,mysqli_escape_string,mysqli_real_query,mysqli_reap_async_query,mysqli_release_savepoint,mysqli_rollback,mysqli_savepoint,mysqli_stmt_affected_rows,mysqli_stmt_attr_get,mysqli_stmt_attr_set,mysqli_stmt_bind_param,mysqli_stmt_bind_result,mysqli_stmt_close,mysqli_stmt_data_seek,mysqli_stmt_errno,mysqli_stmt_error,mysqli_stmt_error_list,mysqli_stmt_fetch,mysqli_stmt_field_count,mysqli_stmt_free_result,mysqli_stmt_get_result,mysqli_stmt_get_warnings,mysqli_stmt_init,mysqli_stmt_insert_id,mysqli_stmt_more_results,mysqli_stmt_next_result,mysqli_stmt_num_rows,mysqli_stmt_param_count,mysqli_stmt_prepare,mysqli_stmt_reset,mysqli_stmt_result_metadata,mysqli_stmt_send_long_data,mysqli_stmt_store_result,mysqli_stmt_sqlstate,mysqli_sqlstate,mysqli_ssl_set,mysqli_stat,mysqli_store_result,mysqli_thread_id,mysqli_thread_safe,mysqli_use_result,mysqli_warning_count,mysqli_refresh,iconv_mime_decode_headers,iconv_set_encoding,iconv_get_encoding,imagecreatefromavif,imagecreatefromxbm,imagecreatefromxpm,imagecreatefromwbmp,imagecreatefromgd,imagecreatefromgd2,imagecreatefromgd2part,imagecreatefrombmp,imagecreatefromtga,php_sapi_name,bcadd,bcsub,bcmul,bcdiv,bcmod,bcpowmod,bcpow,bccomp,stream_set_read_buffer,stream_set_chunk_size,libxml_get_external_entity_loader,mysqli_execute_query,memory_reset_peak_usage,iconv_mime_encode,openssl_cipher_key_length,openssl_get_md_methods,openssl_pkey_new,openssl_public_encrypt,openssl_verify,textdomain,ini_parse_quantity,iconv_substr,iconv_strpos,iconv_strrpos,readline,getallheaders,substr_compare,is_infinite

As I wrote above, this set of functions will change with the current WordPress version, the PHP version you run and the plugins you have installed. The functions I disabled here apply to WordPress 6.5.4, PHP 8.2.20 and the contact-form-7, google-sitemap-generator and wp-mail-smtp WordPress plugins. As WordPress and plugin versions are updated, you will need to check your PHP error log for functions that throw errors because they are disabled and remove those from the list. For new PHP versions, you will need to add the newly introduced functions that WordPress and your plugins do not use.
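The per-function Notepad++ search and the re-check after every upgrade can both be scripted. The following is an added example, not code from the original post: it tokenizes every .php file under the WordPress directory and prints the internal functions none of them reference, in the disable_functions format used above. The script name find_unused.php and the path /var/www/html are assumptions.

```php
<?php
// Added example, not code from the original post: automates the "Find All" step. Run it from
// the CLI with the same extensions the web SAPI loads, BEFORE adding disable_functions to php.ini
// (PHP 8 removes disabled functions from get_defined_functions(), so a later run would miss them).
// Usage: php find_unused.php /var/www/html   (script name and path are assumptions)
declare(strict_types=1);

// A T_STRING preceded by one of these is a method, static, constant or definition, not a call.
const NOT_A_CALL = [T_OBJECT_OPERATOR, T_NULLSAFE_OBJECT_OPERATOR, T_DOUBLE_COLON, T_FUNCTION, T_NEW, T_CONST];

// Lower-cased names one PHP source references: direct calls such as `strlen(` plus identifier-like
// string literals, which catches dynamic calls (call_user_func('mail'), array_map('trim', ...)).
function referencedNames(string $source): array
{
    $tokens = token_get_all($source);
    $names  = []; $prev = null;                        // $prev: previous significant token id or char
    foreach ($tokens as $i => $tok) {
        if (!is_array($tok)) { $prev = $tok; continue; }              // '(' , ';' , '=' ...
        [$id, $text] = $tok;
        if (in_array($id, [T_WHITESPACE, T_COMMENT, T_DOC_COMMENT], true)) { continue; }
        if ($id === T_NAME_FULLY_QUALIFIED && !str_contains(substr($text, 1), '\\')) {
            [$id, $text] = [T_STRING, substr($text, 1)];               // \strlen( -> strlen(
        }
        if ($id === T_CONSTANT_ENCAPSED_STRING) {
            $lit = strtolower(trim($text, '\'"'));
            if (preg_match('/^[a-z_][a-z0-9_]*$/', $lit)) { $names[$lit] = true; }
        } elseif ($id === T_STRING && !in_array($prev, NOT_A_CALL, true)) {
            for ($j = $i + 1; isset($tokens[$j]); $j++) {             // next significant token
                $nxt = $tokens[$j];
                if (is_array($nxt) && $nxt[0] === T_WHITESPACE) { continue; }
                if ($nxt === '(') { $names[strtolower($text)] = true; }
                break;
            }
        }
        $prev = $id;
    }
    return array_keys($names);
}

// Internal (C-level) functions of this PHP build that no .php file under $wpDir references.
function unusedInternalFunctions(string $wpDir): array
{
    $used  = [];
    $files = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($wpDir, FilesystemIterator::SKIP_DOTS));
    foreach ($files as $file) {
        if ($file->isFile() && strtolower($file->getExtension()) === 'php') {
            foreach (referencedNames((string) file_get_contents($file->getPathname())) as $n) {
                $used[$n] = true;
            }
        }
    }
    $unused = array_filter(get_defined_functions()['internal'],
        fn (string $f): bool => !isset($used[strtolower($f)]));
    sort($unused);                                     // sort() also re-indexes the list
    return $unused;
}

if (PHP_SAPI === 'cli' && isset($argv[1])) echo 'disable_functions = ', implode(',', unusedInternalFunctions($argv[1])), "\n";
```

Treat the output as a starting point: a function name assembled at runtime by string concatenation is invisible to this scan, so the advice above to watch the PHP error log after deploying the list still applies.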

This way you remove whatever the unused functions could potentially be made to do and increase your security.

Good luck with your work.
