Fatal error on settings page

On some servers, we’ve seen a critical error on the settings page. The debug log showed this error:

Fatal error: [disabled_function] Aborted execution on call of the function ‘function_exists’, because its argument ‘$function_name’ content (shell_exec) matched a rule in public_html/wp-content/plugins/really-simple-ssl/lets-encrypt/functions.php on line 652

This line is causing the error:

if ( function_exists('shell_exec') || function_exists('system') || function_exists('passthru') || function_exists('exec') ) {
return true;

It appears to be triggered by security software.

The software blocks execution of the line which contains the reference to the shell_exec function.

While this function can be misused by software which has gained access to the site, there are several reasons why this specific security measure seems rather silly:

– the shell_exec function is not actually used here, the plugin only checks if the function exists.
– most providers simply do not load this function. This is what the function_exists function checks. In that case, blocking it would be obsolete: it’s not there anyway.
– if the hosting company has chosen to load the shell_exec function in the first place, it’s a bit strange to block it when it’s actually used.

I don’t see a use case where you would want to provide a server with the shell_exec function, then block its use.

If you have this issue, please let us know which hosting company you use. I’m very interested in getting into contact with them to discuss why they do this.

Lightweight plugin, Heavyweight Security features. Get Pro and leverage your SSL certificate for WordPress security standards.