
Call to undefined function get_header and bot attacks

  • #582634

    bstert
    Participant

    Hi,

    Every now and then I see bots snooping and triggering call to undefined function get_header:
    Backend fatal error: PHP Fatal error: Uncaught Error: Call to undefined function get_header() in XXXX/wp-content/themes/woodmart/index.php:11\nStack trace:\n#0 {main}\n thrown in XXXXwp-content/themes/woodmart/index.php on line 11\n

    Two questions:
    1. Is this a problem? Or a vulnerability?
    2. Why does the WoodMart team not deal with this? I see online fixes in themes by exiting if WordPress is not defined.

    #582822

    Luke Nielsen
    Keymaster

    Hello,

    This path in the error log, /home/site/public_html/wp-content/themes/index.php:11, means that there should not be any custom code in this themes folder by default, and the error occurred because of the custom code in that file, so you need to remove that customization and recheck the issue.

    Kind Regards

    #582845

    bstert
    Participant

    Hi Luke,

    I don’t think that analysis is correct. Both the index.php in
    public_html/wp-content/themes and public_html/wp-content/themes/woodmart are the default non-custom files.

    See also the links below. It seems to be caused by bots trying to connect to the WoodMart theme files. And the WoodMart theme files do not have something along the lines of if ( !defined( 'ABSPATH' ) ) exit; in them.

    https://perishablepress.com/fix-error-undefined-function/
    https://www.sktthemes.org/wordpress/call-to-undefined-function/
    https://theme4press.com/support-forums/topic/php-fatal-error-uncaught-error-call-to-undefined-function-get_header/

    #582895

    Luke Nielsen
    Keymaster

    Hello,

    Send me admin access and some screenshots of where you see the error on the site.

    I look forward to hearing back.

    Kind Regards

    #582899

    bstert
    Participant

    Hi Luke,

    This error can be easily replicated in a test environment. Simply go to a website that runs WoodMart, e.g. https://www.example.com/wp-content/themes/woodmart/index.php, and check the server logging. You will get the error: backend fatal error: PHP Fatal error: Uncaught Error: Call to undefined function get_header(). Which is, as explained by the links I sent, due to bots snooping the site.

    This is not specific to my website so I prefer not to give admin access. Note that I have compared all the theme files of my website with a freshly downloaded set of theme files. Everything is identical.
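
The direct requests described in the post above can be picked out of a web server access log and counted per client. This is an added example, not part of the original thread or of WoodMart's code. It assumes Combined Log Format and that the server answers the fatal error with HTTP 500; the log lines are constructed and use documentation IP ranges.

```python
import re
from collections import Counter

# Combined Log Format: ip - user [time] "METHOD path PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
# A PHP file requested directly from inside a theme directory,
# e.g. /wp-content/themes/woodmart/index.php
THEME_PHP_RE = re.compile(
    r'^/wp-content/themes/[^/]+/(?:[^?#]*/)?[^/?#]+\.php(?:[?#]|$)', re.I
)

# Constructed sample lines, not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jul/2024:03:14:07 +0000] "GET /wp-content/themes/woodmart/index.php HTTP/1.1" 500 0 "-" "bot/1.0"
203.0.113.7 - - [10/Jul/2024:03:14:08 +0000] "GET /wp-content/themes/woodmart/header.php HTTP/1.1" 500 0 "-" "bot/1.0"
198.51.100.23 - - [10/Jul/2024:03:15:00 +0000] "GET /wp-content/themes/woodmart/style.css?ver=7 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Jul/2024:03:15:01 +0000] "GET /shop/ HTTP/1.1" 200 20480 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Jul/2024:03:16:30 +0000] "GET /wp-content/themes/woodmart/inc/functions.php?x=1 HTTP/1.1" 403 199 "-" "bot/2.0"
malformed line that should be skipped
"""

def direct_theme_hits(log_text):
    """Return (ip, path, status) for each direct request to a theme PHP file."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access log line in the expected format
        path = m.group("path")
        if THEME_PHP_RE.match(path):
            # Drop the query string so the same file groups together.
            hits.append((m.group("ip"), path.split("?", 1)[0], int(m.group("status"))))
    return hits

def summarize(hits):
    """Per client: direct hits, and how many ended in HTTP 500 (the fatal error case)."""
    per_ip = Counter(ip for ip, _, _ in hits)
    fatal = Counter(ip for ip, _, status in hits if status == 500)
    return {ip: {"hits": n, "http_500": fatal[ip]} for ip, n in per_ip.items()}

if __name__ == "__main__":
    for ip, stats in summarize(direct_theme_hits(SAMPLE_LOG)).items():
        print(ip, stats)
```

A client whose direct hits all return 403 or 404 indicates the files are already blocked at the server; 500s indicate the template was executed outside WordPress, as in the log line quoted in the first post.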

    #582905

    bstert
    Participant

    See also the discussion for WordPress default themes. It seems to be a discussion point still:
    https://core.trac.wordpress.org/ticket/47154

    #583015

    Luke Nielsen
    Keymaster

    Hello,

    Our code is made according to WordPress documentation, all WordPress themes are made in this way and there is no such check functionality, you can be sure of that by checking the same issue in the twenty-twenty theme or any other that is related to WordPress.

    You can limit access to these files on your server or you can add that code from the article to the child theme to fix that issue.

    Kind Regards

    #583026

    bstert
    Participant

    Ok, thanks for the reply.

    #583028

    bstert
    Participant

    See also the following topic: https://wordpress.stackexchange.com/questions/62999/worthwhile-to-restrict-direct-access-of-theme-files

    Apparently some themes do implement that code I mentioned before.

    #583289

    Luke Nielsen
    Keymaster

    Hello,

    As I mentioned above, our code is made according to WordPress documentation and there is no mention related to that security code in its documentation. If we add such code to WordPress by default, it could cause some bugs or break thousands of sites after the update, so I suggest you contact the WordPress support team and ask them when they add it by default.

    Thank you for your time.

    Kind Regards
