Functions to avoid for PHP and WordPress Developers

secure php and wordpress

PHP, the language powering WordPress has evolved significantly in recent years. The programming language is now on version 7 and performing better and more securely than ever before.

As PHP and the web has matured much of the functions of PHP have been improved upon or replaced. However Functions that have long past their glory days, together with misinformation on the proper usage, still linger.

By updating to the latest version of PHP problems that can occur by using this code can be avoided as those the functions are deprecated and begin to lose their support.

It is not always possible to update, so some developers may find themselves with access to code that they can use but shouldn’t

In this article, I will look at some of the functions that PHP and WordPress developers should take caution with and avoid altogether when attempting to build a secure website. These are functions known to developers should be avoided.

By now it is widely known that magic quotes and globals are no no’s in PHP security and thankfully newer versions of the language do not support this. You will also be hard-pressed to find a host that allowed this code on their servers too.

Going beyond these obvious security flaws to avoid are some common misconceptions over when to be alert using outdated functions or functions frequently used that go beyond their otherwise safe purpose.

The below are my big never use in PHP Functions.


The worst offending, outdated code, a problem I come across is password hashing.

A common misconception is that MD5 and Shar1 should be used for this purpose. This is absolutely wrong and completely outdated. Unfortunately, this is a real problem as some education institutions still teach outdated PHP password hashing.

With MD5 and Shar1 all hashes can ultimately be linked back to one source.

PHP now comes with its own inbuilt Password hashing functions, this is the most advisable method to use for your password hashing needs. For now at least. This function uses BCrypt which uses a built-in salt meaning it is impossible to get two hashes with the same value with the same source password. This is unlike password hashing with MD5 and Shar1 where the hash for a given word will be the same.

Hashing a password is a one-way system that cannot be reversed into its original state. This is distinct from encryption that can be decrypted back to its original state.

Websites now exist with the dedicated purpose of breaking MD5 and Shar1 hashes and can do so in seconds with billions of known hashes stored in databases known as rainbow tables. Previously it was the case that these hashing functions would take years to break but that was with the most sophisticated technology of the time, and this has moved on.

There are several arguments that support MD5 and Shar1. Despite some misinformation that is around it is not the case that either of these hashing function can be hashed inside each other to create a stronger password. Nor is it the case that the websites that are dedicated to breaking hashes can have only a small pool of possible passwords to serve up a password that matches the hash provided.

Ultimately users will create themselves insecure passwords but good security should never rely on user input.


The original purpose of this function was to evaluate a string as PHP code.

This purpose has been found to be open to manipulation and injection, not actually escaping anything, can pass through a raw request to be executed on the server, this potential could be from malicious user input. In worst case scenario a hacker might wipe out entire server.

Rasmus Lerdorf, the founder of PHP himself disapproves of the use of eval function. He once even said “If `eval()` is the answer, you’re almost certainly asking the wrong question.””.


Global can change a variable state so can change something from a local to a global state, for instance, a variable inside a function or closure that is a local state, but prefix it with global and it potentially turns it into a global state.

This is bad because you can then access a variable outside of that function that should only be inside that function.
If you need to access the variable, then the function should be returning the value instead.

Another problem with global is the potential to interfere with an existing varible without realizing it or where that variable has come from.

Risky PHP

These PHP Functions have good wholesome real world intentions but do come with certain risks attached. For this reason, they have fallen out of favor among developers.


This function has the potential to expose you to man in the middle attacks.

Over the file_get_contents() function is a useful common practice for call an external URL. The danger is when the remote pages that are fetched, the integrity of the HTTPS protocol connection is not always checked. This would then leave the file_get_contents() page result open to contain anything the attacker places there.


The use of the extract function has lost popularity. The useful little function was once used by developers who just wanted to create living variables out of the key => value pairs in their code.

Developers should watch out because when extracting $_GET and $_POST this exposes vulnerabilities. The danger with extract is you don’t know what your extracting. The risk here is that you may find you are extracting malicious input data from the user.

If this is unavoidable, then the web developer should be sure to sanitize data resulting from the extract before it is used.

WordPress dangers

WordPress builts on PHP and provides a library of its own useful functions to make use of when developing plugins and functionality for the popular CMS. Here are some common user mistakes with some of these functions.


Not so long ago WordPress developers were mistakingly believing that this WordPress function sanitized their URL’s. This was caused by misleading information in the documentation. Some website continue to use this safely as a result meaning website owners are not as safe from XSS attacks as they thought they were.


The problem with this function lies in the name. It looks like it will tell you if the user is an admin. In fact, what it indeed does is indicated that the code is on the administration side of the site as opposed to the front end viewable by the average visitor.

Read more