Warning: ini_get_all() has been disabled for security reasons

  • Resolved itscoolbro

    (@itscoolbro)


    Hey guys,

    I was in my website dashboard and saw there is an update available for WordPress. I just clicked on update and the process started. I was away for like 20 mins and once I came back, the last message on the update page was “Disabling Maintenance mode…”. I just waited another 20 mins but nothing changed. So I decided to reload the page, but guess what, now I can’t access WP-Admin and my website has an error on top of the header:

    Warning: ini_get_all() has been disabled for security reasons in /home/itscoolb/public_html/wp-includes/load.php on line 1020

    How can I fix it, guys? I can only access my website files via FTP and cPanel. Thank you

Viewing 7 replies - 91 through 97 (of 97 total)
  • Moderator James Huff

    (@macmanx)

    Volunteer Moderator 🚀

    @adespont there have been several confirmed successful real solutions and explanations posted, and also repeated, throughout this thread.

    We know you are frustrated, but please do everyone involved here the courtesy of reviewing the entire thread before jumping in.

    I am very happy to be part of this beautiful and helpful community. I asked my host directly and they enabled the function, and the problem is solved. Now I have asked them to enable the function for all my domains which I host with them before I upgrade my other websites, so the problem can be prevented in advance, and I hope they will do that for me too.

    Thanks to the helpers once again, and thumbs up to you all

    Moderator James Huff

    (@macmanx)

    Volunteer Moderator 🚀

    You’re welcome! 🙂

    Disabling that function is not an easy call for most hosting companies;
    enabling it requires some research first, and it can’t simply be done without any care about security.
    As someone pointed out earlier, the problem is not the “getting all info”; the function itself has/had exploits.

    If that was a crucial function for WordPress 4.6 to work and it can’t work without it, then it should be implemented gradually, just like when PHP releases a new version: it does not suddenly force stuff or take websites down, it gives warnings in the first release and a fatal error in the next one.

    So after all these days, the only solution you came up with is to move people to your sponsors’ host?
    There are hundreds of thousands of websites affected by this issue
    (I myself manage many servers which host hundreds of WordPress websites)
    but they don’t have to post when many others have already posted it, so you can’t say only a few users complain!!!
    I was monitoring this topic to see what would come out of it. I thought you might make a patch to make it optional, or anything to help stuck WordPress users, but you would rather let them down to force hosting companies with your opinion!!!
    So you don’t care about security (big history), and you force hosting companies to immediately unblock security measures!!!
    This is big evidence of why it is bad to let one CMS dominate the web.

    Here is what some WordPress users told me:

    Please do not unblock that function now, I’ll restore a backup and will not upgrade to the latest version before they release a fix

    I’m sure that people will not leave WordPress for this (except the already frustrated), but it’ll add a black mark to a long history.

    Moderator James Huff

    (@macmanx)

    Volunteer Moderator 🚀

    @lion4h Based on what you’re saying, it sounds like you haven’t reviewed the entire thread, or you’d have seen https://wordpress.org/support/topic/warning-ini_get_all-has-been-disabled-for-security-reasons/page/2?replies=95&view=all#post-8763685 which links to https://core.trac.wordpress.org/ticket/37680 where the developers are taking this very seriously and have provided a patch which will be in WordPress 4.6.1 when they’re sure it’s ready to go.

    Additionally, many successful solutions have been shared (and repeated) throughout this thread that aren’t just “contact your host.”

    As for the security of ini_get_all(), it was vulnerable in the PHP 5.3 branch (which reached end of life almost a year ago, by the way) and patched years ago. Based on my research at least, the call was never vulnerable in PHP 5.4 and higher (or at least I can’t find any public vulnerability reports regarding these branches and ini_get_all()).

    No one intentionally made this change to “force hosting companies with [our] opinion.” As you can see, the developers are working hard to undo it right now. What actually happened is that the 272 volunteers who built WordPress 4.6, and the volunteers who helped test it on top of that, simply did not have this call blocked on their servers and therefore never noticed that it would be a problem.

    The first public beta of WordPress 4.6 was released June 30: https://wordpress.org/news/2016/06/wordpress-4-6-beta-1/

    Here’s the full timeline of all of the public pre-final releases: https://make.wordpress.org/core/version-4-6-project-schedule/

    Since your customers rely so heavily on WordPress, we’d really appreciate your help with testing out a beta release next time. With more beta testers on their unique server configurations, I’m sure we can catch more things like this before the final release: https://make.wordpress.org/core/handbook/testing/beta/

    Here’s the timeline on 4.7, the first public beta is planned for October 26: https://make.wordpress.org/core/4-7/
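Added example, not part of the thread and not the patch from ticket 37680: one way PHP code can call ini_get_all() without triggering this warning on hosts that list the function in disable_functions. The helper name `example_ini_value_changeable` and its "report not changeable" fallback are assumptions made for illustration.

```php
<?php
/**
 * Hypothetical helper (not WordPress core code): report whether a PHP
 * setting may be changed with ini_set(), without calling ini_get_all()
 * on hosts that have disabled it.
 */
function example_ini_value_changeable($setting)
{
    // Functions named in disable_functions fail function_exists(), so
    // checking first avoids "has been disabled for security reasons".
    if (!function_exists('ini_get_all')) {
        // Assumption for this example: if the access level cannot be
        // read, report "not changeable" so the caller skips ini_set().
        return false;
    }

    // Each entry carries global_value, local_value and an access bitmask.
    $all = ini_get_all();
    if (!isset($all[$setting]['access'])) {
        return false;
    }

    // INI_USER (1) is the bit that permits ini_set() at runtime;
    // INI_ALL includes that bit as well.
    return ($all[$setting]['access'] & INI_USER) === INI_USER;
}

// Show what the host has blocked. ini_get() is a separate function and
// stays usable unless it is listed in disable_functions itself.
$disabled = array_filter(
    array_map('trim', explode(',', (string) ini_get('disable_functions')))
);

printf(
    "ini_get_all disabled by host: %s\n",
    in_array('ini_get_all', $disabled, true) ? 'yes' : 'no'
);
printf(
    "memory_limit changeable at runtime: %s\n",
    example_ini_value_changeable('memory_limit') ? 'yes' : 'no'
);
```

Running it with `php -d disable_functions=ini_get_all` reproduces the restricted host configuration and shows the guarded path completing without the warning.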

    @james Huff

    Indeed, I didn’t see that post; I only checked whether there was any official blog for this or an update release.

    I know PHP 5.3 is EOL, even 5.5 is EOL. I love to always keep up to date; it is better for performance and security.
    But we are forced to keep the old versions on certain servers,
    so old website software keeps running,
    especially when the server owner requests that explicitly.

    But we are mostly on 5.4 and later now.
    Thanks for your input

    Moderator James Huff

    (@macmanx)

    Volunteer Moderator 🚀

    We do have an official announcement at https://wordpress.org/support/topic/read-this-first-wordpress-46-master-list?replies=5&view=all&message=unspammed-normal#post-8762136

    We rarely use the blog for this sort of thing. If the number of affected users reporting here were closer to the number of WordPress 4.6 upgrade and new installations, we might: https://wordpress.org/download/counter/ (otherwise, that’s what the pinned “READ THIS FIRST WordPress 4.6 Master List” thread is all about)

  • The topic ‘Warning: ini_get_all() has been disabled for security reasons’ is closed to new replies.