Feb 8 · 2 min read
Taken from here

Right on time and it was a time. We all know about many of the issues WP faces today because its sins from the past and instead to correct them and fix, crew continues towards cosmetic changes for certain cases and in certain time.

Serialization and WordPress

PHP serialization seems to be quite big problem for WordPress from the aspect of security and remains here because of backward compatibility debt. At the moment WordPress instances out there are on thin ice when we speak about serialization, simple and tiny mistake could result with system compromise and attack surface is quite big:

  • changing meta values outside maybe_serialize routines like here and here
  • repetitive usage of maybe_unserialize
  • direct input towards maybe_unserialize in the form of export files or values crunched via search_replace wpcli functionality.
  • + sign bypass


Fix proposal for WordPress

This piece of code should be enough to present the idea on the plastic way towards everyone how this could be solved in appropriate way. There are many reasons for this approach and one of them is backward compatibility, but also there is the performance factor (on big data sets unserialize beats almost every serialization approaches). From security aspect introduces integrity of the data e.g. makes us sure that data is placed there via system and not from the outside. One of the weaknesses of serialization is used here as countermeasure.

How to prepare your systems for its usage

Approach is more than easy because could be done even on live environment because backward compatibility is considered in it. Simply loop trough all of the DB columns and every cells pass trough is_serialized($cell_value, false) and if true update its value with output from sign_serialize . That is it, even if you hold the old maybe_serialize / unserialize functions, everything will work. Btw in the code there is permissive demo too, where you can monitor what is going on with serialized values on your system — Yes we need filters there in the core!


With only one constant many problems are solved: from wordpress-importer, wp-cli, all of those maintenance plugins, all of the plugins/themes/scripts that meddle with serialized content, but also would prevent future wooops moments in the core.

One way or another, serialization gonna find ya, gonna get ya, get ya


If you are wp developer or wp host provider or wp security product provider with valuable list of clients, we offer subscription list and we are exceptional (B2B only).


Attack sources + web application security


Written by




Attack sources + web application security

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch
Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore
Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade