11 Apr

Actually Wordfence, It Doesn’t Look Like is_admin() Strikes Again

In our previous post we mentioned how Wordfence was lying about us related to a vulnerability in the plugin Related Posts (Yuzo Related Posts), but they also got something else wrong that is worth noting. One section of their post titled “is_admin() Strikes Again”. In that they write this:

Developers often mistakenly use is_admin() to check if a piece of code that requires administrative privileges should be run, but as the WordPress documentation points out, that isn’t how the function should be used. In this scenario self::_ini_() is called on any request to an administrative interface page, including /wp-admin/options-general.php and /wp-admin/admin-post.php, which allows a POST request to those pages to be processed by self::save_options(); later in the code.

If you look at the code they showed before that though, the developer doesn’t seem to have mistakenly used it though (as we noted in our original post):

function __construct(){
	if( ! is_admin() ){ // only front-end
	}elseif( is_admin()  ){ // only admin
		// set default if not exists

What they first do there is to check if not is_admin() and the comment next to that is “only front-end” and then they check if is_admin() and the comment next to that is “only admin”, so it seems they were not using that to check if someone was an Administrator, but how it was intended to tell you if you are on an admin page. At worst they used it both ways, one right after another. As we noted with another vulnerability in the plugin, the developer doesn’t seem to have a great grasp of the code they are writing.

Replacing is_admin()

With that being said, is_admin() should be replaced due to the confusion its name causes and the exploited vulnerabilities that it has actually help lead to. That isn’t a new idea, as the confusion was warned about in February of 2011 before the function even made it in to a production version of WordPress, but the response after two years was:

As for the is_*_admin() methods, this ticket was totally ignored for 2 years, and those have been in use for a long time now, so now I really think this patch is completely pointless now, and not worth doing.

Even six years after that, it is in fact worth doing.