Warning: escapeshellcmd() has been disabled for security reasons

  • Warning: escapeshellcmd() has been disabled for security reasons in … /public_html/wp-includes/PHPMailer/PHPMailer.php on line 1779

    Thousands of these errors swamping my logs since the last WP update on hundreds of sites. On sites that don’t have contact forms or use any mail functions.

    What’s going on and how to make it stop?

Viewing 2 replies - 1 through 2 (of 2 total)
  • Dion

    (@diondesigns)

    Recent versions of WordPress use an updated version of PHPMailer that has a number of new features…and restrictions.

    The problem is escapeshellcmd() (and no doubt several other functions) has been disabled in php.ini. The solution depends on the type of hosting you have.

    If you have shared hosting, ask your hosting company to remove the disabled functions from php.ini. Shared hosting uses FastCGI, which isolates accounts on the server, so blocking shell functions makes little sense. (One wonders why these hosts block shell functions which hackers tend to avoid, but don’t block eval(), which is used in 99% of all hacks. But I digress.)

    If you have a VPS with multiple accounts/websites set up, it would be safe to remove the disabled functions if PHP was using FastCGI (such as PHP-FPM), and each account/website was running as its own user.

    Otherwise, it’s probably best to leave the functions disabled. If PHP is running as the same user on all accounts/websites, enabling those functions will allow an attacker to do nasty things to all your sites.
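
The condition given in the reply above (PHP-FPM, with each account or website running as its own user) can be checked from the pool configuration before any function is re-enabled. The following is an added example, not part of the thread: it parses PHP-FPM pool definitions and reports, per pool, whether the pool has a Unix user of its own and whether escapeshellcmd is blocked at pool level. The pool names and config text are constructed sample data, and functions disabled in php.ini itself are not visible to it.

```python
import re
from collections import defaultdict

# Constructed sample: three PHP-FPM pools, two of which share one Unix user.
SAMPLE_POOLS = """\
[site_a]
user = site_a
php_admin_value[disable_functions] = exec,passthru,shell_exec

[site_b]
user = www-data
php_admin_value[disable_functions] = exec,escapeshellcmd,escapeshellarg

[site_c]
user = www-data
"""

def parse_pools(text):
    """Map pool name -> {'user': str or None, 'disabled': set of function names}."""
    pools, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # ';' starts a comment
        section = re.fullmatch(r"\[([^\]]+)\]", line)
        if section:
            name = section.group(1)
            # [global] holds daemon settings, not a pool
            current = None if name == "global" else pools.setdefault(
                name, {"user": None, "disabled": set()})
        elif current is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key == "user":
                current["user"] = value
            elif key == "php_admin_value[disable_functions]":
                current["disabled"] |= {f.strip() for f in value.split(",") if f.strip()}
    return pools

def audit(pools):
    """Per pool: does it run as its own non-root user, and is escapeshellcmd blocked there?"""
    by_user = defaultdict(list)
    for name, cfg in pools.items():
        by_user[cfg["user"]].append(name)
    return {
        name: {
            # Unknown or shared users count as not isolated (conservative).
            "isolated": cfg["user"] not in (None, "root") and len(by_user[cfg["user"]]) == 1,
            "blocks_escapeshellcmd": "escapeshellcmd" in cfg["disabled"],
        }
        for name, cfg in pools.items()
    }

if __name__ == "__main__":
    for pool, result in audit(parse_pools(SAMPLE_POOLS)).items():
        print(pool, result)
```

A pool reported as not isolated shares its user with another pool, or has no user set, which is the case where the reply advises leaving the functions disabled.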

    Thread Starter aljuk

    (@aljuk)

    Hi, thanks for the feedback, good to know …
