0
Validation results

Bakery

WordPress 4.9.8 theme
0
Critical alerts
  1. Customizer : Sanitization of Customizer settings Found a Customizer setting that did not have a sanitization callback function in file extension_customizer.php. Every call to the add_setting() method needs to have a sanitization callback function passed.
  2. Title : Title No reference to add_theme_support( "title-tag" ) was found in the theme. The theme needs to have <title> tags, ideally in the header.php file. The theme needs to have a call to wp_title(), ideally in the header.php file. The <title> tags can only contain a call to wp_title(). Use the wp_title filter to modify the output.
  3. Security breaches : Use of PHP system calls Found shell_exec in file tmhUtilities.php.
    Line 1: <?php
    /**
     * tmhUtilities
     *
     * Helpful utility and Twitter formatting functions
     *
     * @author themattharris
     * @version 0.5.0
     *
     * 04 September 2012
     */
    class tmhUtilities {
      const VERSION = '0.5.0';
      /**
       * Entifies the tweet using the given entities element.
       * Deprecated.
       * You should instead use entify_with_options.
       *
       * @param array $tweet the json converted to normalised array
       * @param array $replacements if specified, the entities and their replacements will be stored to this variable
       * @return the tweet text with entities replaced with hyperlinks
       */
      public static function entify($tweet, &$replacements=array()) {
        return tmhUtilities::entify_with_options($tweet, array(), $replacements);
      }
    
      /**
       * Entifies the tweet using the given entities element, using the provided
       * options.
       *
       * @param array $tweet the json converted to normalised array
       * @param array $options settings to be used when rendering the entities
       * @param array $replacements if specified, the entities and their replacements will be stored to this variable
       * @return the tweet text with entities replaced with hyperlinks
       */
      public static function entify_with_options($tweet, $options=array(), &$replacements=array()) {
        $default_opts = array(
          'encoding' => 'UTF-8',
          'target'   => '',
        );
    
        $opts = array_merge($default_opts, $options);
    
        $encoding = mb_internal_encoding();
        mb_internal_encoding($opts['encoding']);
    
        $keys = array();
        $is_retweet = false;
    
        if (isset($tweet['retweeted_status'])) {
          $tweet = $tweet['retweeted_status'];
          $is_retweet = true;
        }
    
        if (!isset($tweet['entities'])) {
          return $tweet['text'];
        }
    
        $target = (!empty($opts['target'])) ? ' target="'.$opts['target'].'"' : '';
    
        // prepare the entities
        foreach ($tweet['entities'] as $type => $things) {
          foreach ($things as $entity => $value) {
            $tweet_link = "<a href=\"https://twitter.com/{$tweet['user']['screen_name']}/statuses/{$tweet['id']}\"{$target}>{$tweet['created_at']}</a>";
    
            switch ($type) {
              case 'hashtags':
                $href = "<a href=\"https://twitter.com/search?q=%23{$value['text']}\"{$target}>#{$value['text']}</a>";
                break;
              case 'user_mentions':
                $href = "@<a href=\"https://twitter.com/{$value['screen_name']}\" title=\"{$value['name']}\"{$target}>{$value['screen_name']}</a>";
                break;
              case 'urls':
              case 'media':
                $url = empty($value['expanded_url']) ? $value['url'] : $value['expanded_url'];
                $display = isset($value['display_url']) ? $value['display_url'] : str_replace('http://', '', $url);
                // Not all pages are served in UTF-8 so you may need to do this ...
                $display = urldecode(str_replace('%E2%80%A6', '&hellip;', urlencode($display)));
                $href = "<a href=\"{$value['url']}\"{$target}>{$display}</a>";
                break;
            }
            $keys[$value['indices']['0']] = mb_substr(
              $tweet['text'],
              $value['indices']['0'],
              $value['indices']['1'] - $value['indices']['0']
            );
            $replacements[$value['indices']['0']] = $href;
          }
        }
    
        ksort($replacements);
        $replacements = array_reverse($replacements, true);
        $entified_tweet = $tweet['text'];
        foreach ($replacements as $k => $v) {
          $entified_tweet = mb_substr($entified_tweet, 0, $k).$v.mb_substr($entified_tweet, $k + strlen($keys[$k]));
        }
        $replacements = array(
          'replacements' => $replacements,
          'keys' => $keys
        );
    
        mb_internal_encoding($encoding);
        return $entified_tweet;
      }
    
      /**
       * Returns the current URL. This is instead of PHP_SELF which is unsafe
       *
       * @param bool $dropqs whether to drop the querystring or not. Default true
       * @return string the current URL
       */
      public static function php_self($dropqs=true) {
        $protocol = 'http';
        if (isset($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) == 'on') {
          $protocol = 'https';
        } elseif (isset($_SERVER['SERVER_PORT']) && ($_SERVER['SERVER_PORT'] == '443')) {
          $protocol = 'https';
        }
    
        $url = sprintf('%s://%s%s',
          $protocol,
          $_SERVER['SERVER_NAME'],
          $_SERVER['REQUEST_URI']
        );
    
        $parts = parse_url($url);
    
        $port = $_SERVER['SERVER_PORT'];
        $scheme = $parts['scheme'];
        $host = $parts['host'];
        $path = @$parts['path'];
        $qs   = @$parts['query'];
    
        $port or $port = ($scheme == 'https') ? '443' : '80';
    
        if (($scheme == 'https' && $port != '443')
            || ($scheme == 'http' && $port != '80')) {
          $host = "$host:$port";
        }
        $url = "$scheme://$host$path";
        if ( ! $dropqs)
          return "{$url}?{$qs}";
        else
          return $url;
      }
    
      public static function is_cli() {
        return (PHP_SAPI == 'cli' && empty($_SERVER['REMOTE_ADDR']));
      }
    
      /**
       * Debug function for printing the content of an object
       *
       * @param mixes $obj
       */
      public static function pr($obj) {
    
        if (!self::is_cli())
          echo '<pre style="word-wrap: break-word">';
        if ( is_object($obj) )
          print_r($obj);
        elseif ( is_array($obj) )
          print_r($obj);
        else
          echo $obj;
        if (!self::is_cli())
          echo '</pre>';
      }
    
      /**
       * Make an HTTP request using this library. This method is different to 'request'
       * because on a 401 error it will retry the request.
       *
       * When a 401 error is returned it is possible the timestamp of the client is
       * too different to that of the API server. In this situation it is recommended
       * the request is retried with the OAuth timestamp set to the same as the API
       * server. This method will automatically try that technique.
       *
       * This method doesn't return anything. Instead the response should be
       * inspected directly.
       *
       * @param string $method the HTTP method being used. e.g. POST, GET, HEAD etc
       * @param string $url the request URL without query string parameters
       * @param array $params the request parameters as an array of key=value pairs
       * @param string $useauth whether to use authentication when making the request. Default true.
       * @param string $multipart whether this request contains multipart data. Default false
       */
      public static function auto_fix_time_request($tmhOAuth, $method, $url, $params=array(), $useauth=true, $multipart=false) {
        $tmhOAuth->request($method, $url, $params, $useauth, $multipart);
    
        // if we're not doing auth the timestamp isn't important
        if ( ! $useauth)
          return;
    
        // some error that isn't a 401
        if ($tmhOAuth->response['code'] != 401)
          return;
    
        // some error that is a 401 but isn't because the OAuth token and signature are incorrect
        // TODO: this check is horrid but helps avoid requesting twice when the username and password are wrong
        if (stripos($tmhOAuth->response['response'], 'password') !== false)
         return;
    
        // force the timestamp to be the same as the Twitter servers, and re-request
        $tmhOAuth->auto_fixed_time = true;
        $tmhOAuth->config['force_timestamp'] = true;
        $tmhOAuth->config['timestamp'] = strtotime($tmhOAuth->response['headers']['date']);
        return $tmhOAuth->request($method, $url, $params, $useauth, $multipart);
      }
    
      /**
       * Asks the user for input and returns the line they enter
       *
       * @param string $prompt the text to display to the user
       * @return the text entered by the user
       */
      public static function read_input($prompt) {
        echo $prompt;
        $handle = fopen('php://stdin','r');
        $data = fgets($handle);
        return trim($data);
      }
    
      /**
       * Get a password from the shell.
       *
       * This function works on *nix systems only and requires shell_exec and stty.
       *
       * @param  boolean $stars Wether or not to output stars for given characters
       * @return string
       * @url http://www.dasprids.de/blog/2008/08/22/getting-a-password-hidden-from-stdin-with-php-cli
       */
      public static function read_password($prompt, $stars=false) {
        echo $prompt;
        $style = shell_exec('stty -g');
    
        if ($stars === false) {
          shell_exec('stty 
  4. Security breaches : Use of base64_encode() Found base64_encode in file tmhOAuth.php.
     base64_encode(
  5. Presence of iframes : iframes are sometimes used to load unwanted adverts and malicious code on another site Found <iframe class="embed-responsive-item" src="'. esc_url($atts['src']) .'"> in file others.php.
    Line 19: return '<div class="embed-responsive embed-responsive-'. esc_attr($atts['ratio']) .'"><iframe class="embed-responsive-item" src="'. esc_url($atts['src']) .'"></i
  6. Malware : Operations on file system file_get_contents was found in the file parsers.php
    Line 66: $success = $dom->loadXML( file_get_contents( $file ) );
    Line 269: if ( ! xml_parse( $xml, file_get_contents( $file ), true ) ) {
    fopen was found in the file parsers.php
    Line 415: $fp = $this->fopen( $file, 'r' );
    Line 641: function fopen( $filename, $mode = 'r' ) {
    Line 644: return fopen( $filename, $mode );
    fclose was found in the file parsers.php
    Line 464: $this->fclose($fp);
    Line 659: function fclose( $fp ) {
    Line 662: return fclose( $fp );
    file_get_contents was found in the file radium-importer.php
    Line 263: $data = file_get_contents( $file );
    Line 338: $data = file_get_contents( $file );
    fopen was found in the file class.redux_helpers.php
    Line 645: //$fp = fopen( $file, 'r' );
    fread was found in the file class.redux_helpers.php
    Line 648: //$file_data = fread( $fp, 8192 );
    fclose was found in the file class.redux_helpers.php
    Line 651: //fclose( $fp );
    fopen was found in the file tmhUtilities.php
      /**
       * Asks the user for input and returns the line they enter
       *
       * @param string $prompt the text to display to the user
       * @return the text entered by the user
       */
      public static function read_input($prompt) {
        echo $prompt;
        $handle = fopen('php://stdin','r');
        $data = fgets($handle);
        return trim($data
    fwrite was found in the file tmhUtilities.php
      /**
       * Get a password from the shell.
       *
       * This function works on *nix systems only and requires shell_exec and stty.
       *
       * @param  boolean $stars Wether or not to output stars for given characters
       * @return string
       * @url http://www.dasprids.de/blog/2008/08/22/getting-a-password-hidden-from-stdin-with-php-cli
       */
      public static function read_password($prompt, $stars=false) {
        echo $prompt;
        $style = shell_exec('stty -g');
    
        if ($stars === false) {
          shell_exec('stty -echo');
          $password = rtrim(fgets(STDIN), "\n");
        } else {
          shell_exec('stty -icanon -echo min 1 time 0');
          $password = '';
          while (true) :
            $char = fgetc(STDIN);
            if ($char === "\n") :
              break;
            elseif (ord($char) === 127) :
              if (strlen($password) > 0) {
                fwrite(STDOUT, "\x08 \x08");
                $password = substr($password, 0, -
    fwrite was found in the file tmhUtilities.php
  7. Malware : Network operations curl_init was found in the file tmhOAuth.php
    Line 637: $c = curl_init();
    curl_exec was found in the file tmhOAuth.php
    Line 705: $response = curl_exec($c);
  8. Admin menu : Themes should use add_theme_page() for adding admin pages. File redux-framework.php :
    Line 1330: // wrappers and need to be appened to using add_submenu_page.
    Line 1381: $this->page = call_user_func( 'add_submenu_page', $page_parent, $page_title, $menu_title, $page_permission
    Line 1439: call_user_func( 'add_submenu_page', $this->args['page_slug'], $section['title'], $section['t
    File redux-framework.php :
    Line 1407: $this->page = call_user_func( 'add_menu_page', $this->args['page_title'], $this->args['menu_title'], $this
    File bakery-options.php :
    Line 3014: // For a full list of options, visit: http://codex.wordpress.org/Function_Reference/add_submenu_page#Parameters
    File welcome.php :
    Line 196: $page = 'add_management_page';
    File class-tgm-plugin-activation.php :
    Line 641: $this->page_hook = call_user_func( 'add_submenu_page', $args['parent_slug'], $args['page_title'], $args['menu_t
  9. Deprecated functions : wp_get_http wp_get_http found in file wordpress-importer.php. Deprecated since version 4.4. Use WP_Http instead.
    Line 905: $headers = wp_get_http( $url, $upload['file'] );
  10. Deprecated functions : get_currentuserinfo get_currentuserinfo found in file form-edit-address.php. Deprecated since version 4.5. Use wp_get_current_user instead.
    Line 18: get_currentuserinfo();
  11. Included plugins : Zip file found Plugins are not allowed in themes. The zip file found was bakery-main-slider.zip bakery-cpt.zip envato-wordpress-toolkit.zip revslider.zip js_composer.zip ._bakery-main-slider.zip ._envato-wordpress-toolkit.zip ._revslider.zip ._js_composer.zip ._bakery-cpt.zip.
Warning
  1. core scripts deregistered : Core scripts deregistration Found wp_deregister_script in redux-framework.php. Themes must not deregister core scripts.
    Line 564: wp_deregister_script( 'wpb_ace' );
    Found wp_deregister_script in enqueue.php. Themes must not deregister core scripts.
    Line 213: wp_deregister_script( 'jquerySelect2' );
  2. theme tags : Presence of bad theme tags The tag dark has been deprecated, it must be removed from style.css header. The tag light has been deprecated, it must be removed from style.css header. The tag fluid-layout has been deprecated, it must be removed from style.css header.
  3. Text domain : Incorrect use of translation functions.
    Found a translation function that has an incorrect number of arguments. Function _e, with the arguments 'Please set up the menu location for this theme. <a href="', >Click here to go to the menu location settings &raquo;</a>, 'bakery' in file vu-actions.php.
    Found a translation function that is missing a text-domain. Function _n_noop, with the arguments 'This theme requires the following plugin: %1$s.', 'This theme requires the following plugins: %1$s.' in file vu-actions.php.
    Found a translation function that is missing a text-domain. Function _n_noop, with the arguments 'This theme recommends the following plugin: %1$s.', 'This theme recommends the following plugins: %1$s.' in file vu-actions.php.
    Found a translation function that is missing a text-domain. Function _n_noop, with the arguments 'Sorry, but you do not have the correct permissions to install the %s plugin. Contact the administrator of this site for help on getting the plugin installed.', 'Sorry, but you do not have the correct permissions to install the %s plugins. Contact the administrator of this site for help on getting the plugins installed.' in file vu-actions.php.
    Found a translation function that is missing a text-domain. Function _n_noop, with the arguments 'The following required plugin is currently inactive: %1$s.', 'The following required plugins are currently inactive: %1$s.' in file vu-actions.php.
    Found a translation function that is missing a text-domain. Function _n_noop, with the arguments 'The following recommended plugin is currently inactive: %1$s.', 'The following recommended plugins are currently inactive: %1$s.' in file vu-actions.php.
    Found a translation function that is missing a text-domain. Function _n_noop, with the arguments 'Sorry, but you do not have the correct permissions to activate the %s plugin. Contact the administrator of this site for help on getting the plugin activated.', 'Sorry, but you do not have the correct permissions to activate the %s plugins. Contact the administrator of this site for help on getting the plugins activated.' in file vu-actions.php.
    Found a translation function that is missing a text-domain. Function _n_noop, with the arguments 'The following plugin needs to be updated to its latest version to ensure maximum compatibility with this theme: %1$s.', 'The following plugins need to be updated to their latest version to ensure maximum compatibility with this theme: %1$s.' in file vu-actions.php.
    Found a translation function that is missing a text-domain. Function _n_noop, with the arguments 'Sorry, but you do not have the correct permissions to update the %s plugin. Contact the administrator of this site for help on getting the plugin updated.', 'Sorry, but you do not have the correct permissions to update the %s plugins. Contact the administrator of this site for help on getting the plugins updated.' in file vu-actions.php.
    Found a translation function that is missing a text-domain. Function _n_noop, with the arguments 'Begin installing plugin', 'Begin installing plugins' in file vu-actions.php.
    Found a translation function that is missing a text-domain. Function _n_noop, with the arguments 'Activate installed plugin', 'Activate installed plugins' in file vu-actions.php.
    Found a translation function that is missing a text-domain. Function esc_attr_x, with the arguments 'Type and hit enter', 'bakery' in file searchform.php.
    Found a translation function that is missing a text-domain. Function esc_attr_x, with the arguments 'Search', 'bakery' in file searchform.php.
    Found a translation function that is missing a text-domain. Function __, with the arguments 'Payment Method' in file payment.php.
    Found a translation function that has an incorrect number of arguments. Function _n, with the arguments '%s download remaining', '%s downloads remaining', downloads_remaining, 'woocommerce' in file my-downloads.php.
    Found a translation function that is missing a text-domain. Function __, with the arguments 'woocommerce' in file shipping-calculator.php.
    Found a translation function that is missing a text-domain. Function __, with the arguments 'woocommerce' in file cart-totals.php.
    More than one text-domain is being used in this theme. This means the theme will not be compatible with WordPress.org language packs. The domains found are bakery, redux-framework, bakery_options, framework, wordpress-importer, radium, themecheck, tgmpa, nav-menus.php?action=locations, >Click here to go to the menu location settings &raquo;</a>, woocommerce, downloads_remaining.
  4. Plugin territory : Plugin territory functionalities The theme uses the add_shortcode() function. Custom post-content shortcodes are plugin-territory functionality.
  5. Unwanted files : hidden file(s) or folder(s) .ds_store was found.
  6. PHP short tags : Presence of PHP short tags PHP short tags were found in file parsedown.php. "This practice is discouraged because they are only available if enabled with short_open_tag php.ini configuration file directive, or if PHP was configured with the --enable-short-tags option" (php.net), which is not the case on many servers.
    Line 14: # Modified by Dovy Paukstys to remove <? shortcode-like declaration.
    PHP short tags were found in file ._wrapper-end.php. "This practice is discouraged because they are only available if enabled with short_open_tag php.ini configuration file directive, or if PHP was configured with the --enable-short-tags option" (php.net), which is not the case on many servers.
    Line 1: 
    PHP short tags were found in file ._form-login.php. "This practice is discouraged because they are only available if enabled with short_open_tag php.ini configuration file directive, or if PHP was configured with the --enable-short-tags option" (php.net), which is not the case on many servers.
    Line 1: 
  7. Comment reply : Declaration of comment reply Could not find the comment-reply script enqueued, however a reference to 'comment-reply' was found. Make sure that the comment-reply js script is being enqueued properly on singular pages.
  8. Custom elements : Presence of custom header No reference to custom header was found in the theme.
  9. Custom elements : Presence of custom background No reference to custom background was found in the theme.
  10. Editor style : Presence of editor style No reference to add_editor_style() was found in the theme. It is recommended that the theme implements editor styling, so as to make the editor content match the resulting post output in the theme, for a better user experience.
  11. I18N implementation : Proper use of ___all( Possible variable $cvalue found in translation function in shipping-calculator.php. Translation function calls should not contain PHP variables.
    Line 57: echo '<option value='' . esc_attr( $ckey ) . '' ' . selected( $current_r, $ckey, false ) . '>' . __( esc_html( $cvalue ), 'woocommerce' ) .'</option>';
  12. CSS files : Presence of .screen-reader-text class .screen-reader-text css class is needed in your theme css. See : the Codex for an example implementation.
  13. Screenshot : Screenshot file Screenshot size is 880x660px. Screenshot size should be 1200x900, to account for HiDPI displays. Any 4:3 image size is acceptable, but 1200x900 is preferred.
Tip-off
  1. favicon presence : Favicon management Possible Favicon found in vu-actions.php. Favicons are handled by the Site Icon setting in the customizer since version 4.3.
  2. Static links : Presence of hard-coded links Possible hard-coded links were found in the file bakery-options.php.
    Line 81: <p>Please refer to our <a href='http://milingona.co' target='_blank'>online documentation</a> for more inst
    Line 90: <p>Please visit <a href='http://milingona.co' target='_blank'>milingona.co</a> to keep up to date on
    Line 1255: 'desc'   => __('Please find here all the map options. To convert an address into latitude & longitude please use <a href='http://www.latlong.net/convert-address-to-lat-long.html'>this converter.</a
    Line 2775: 'default'  => date('Y') .' '. __('All rights reserved. Powered by <a href='http://themeforest.net/user/milingona_/portfolio' target='_blank'>Milingona
    Line 2869: 'desc'     => 'Possible modes can be found at <a href='http://ace.c9.io' target='_blank'>http://ace.c9.io/</a>.',
    Line 2881: 'desc'     => 'Possible modes can be found at <a href='http://ace.c9.io' target='_blank'>http://ace.c9.io/</a>.',
  3. Optional files : Presence of rtl stylesheet rtl.css This theme does not contain optional file rtl.php.
  4. Optional files : Presence of front page template file front-page.php This theme does not contain optional file front-page.php.
  5. Optional files : Presence of home template file home.php This theme does not contain optional file home.php.
  6. Optional files : Presence of term template file taxonomy.php This theme does not contain optional file taxonomy.php.
  7. Optional files : Presence of date/time template file date.php This theme does not contain optional file date.php.
  8. Optional files : Presence of attachment template file attachment.php This theme does not contain optional file attachment.php.
  9. Optional files : Presence of image template file image.php This theme does not contain optional file image.php.
  10. Use of includes : Use of include or require The theme appears to use include or require : config.php
    Line 4: require_once('shortcodes/products.php');
    Line 5: require_once('shortcodes/products-with-filter.php');
    Line 6: require_once('shortcodes/featured-products.php');
    If these are being used to include separate sections of a template from independent files, then get_template_part() should be used instead. Otherwise, use include_once or require_once instead.
    The theme appears to use include or require : redux-framework.php
    Line 414: require_once 'core/dashboard.php';
    Line 417: require_once 'core/newsflash.php';
    Line 1684: require_once 'core/enqueue.php';
    Line 2823: require_once 'core/enqueue.php';
    Line 2881: require_once 'core/panel.php';
    Line 3210: require_once 'core/panel.php';
    If these are being used to include separate sections of a template from independent files, then get_template_part() should be used instead. Otherwise, use include_once or require_once instead.
    The theme appears to use include or require : extension_customizer.php
    Line 140: include_once( ReduxFramework::$_dir . 'core/enqueue.php' );
    Line 749: require_once( $class_file );
    If these are being used to include separate sections of a template from independent files, then get_template_part() should be used instead. Otherwise, use include_once or require_once instead.
    The theme appears to use include or require : welcome.php
    Line 373: require_once 'views/about.php';
    Line 388: require_once 'views/changelog.php';
    Line 403: require_once 'views/extensions.php';
    Line 419: require_once 'views/support.php';
    Line 434: require_once 'views/credits.php';
    Line 449: require_once 'views/status_report.php';
    If these are being used to include separate sections of a template from independent files, then get_template_part() should be used instead. Otherwise, use include_once or require_once instead.
    The theme appears to use include or require : field_button_set.php
    Line 46: *              ['format']      string Formatting options for paginate fields. Options include ('currency','nice','niceShort','timeAgoInWords' or a valid Date() f
    If these are being used to include separate sections of a template from independent files, then get_template_part() should be used instead. Otherwise, use include_once or require_once instead.
    The theme appears to use include or require : class-ezTweet.php
    Line 148: require_once($this->lib.'tmhOAuth.php');
    Line 149: require_once($this->lib.'tmhUtilities.php');
    If these are being used to include separate sections of a template from independent files, then get_template_part() should be used instead. Otherwise, use include_once or require_once instead.

This is a ThemeForest theme. Since ThemeForest items are all checked by a human before they appear on their website, ThemeForest verification rules are more permissive than themecheck's and can give a better verification score (ThemeForest requirements).

0
Critical alerts
  1. Customizer : Sanitization of Customizer settings Found a Customizer setting that did not have a sanitization callback function in file extension_customizer.php. Every call to the add_setting() method needs to have a sanitization callback function passed.
  2. Title : Title No reference to add_theme_support( "title-tag" ) was found in the theme. The theme needs to have <title> tags, ideally in the header.php file. The theme needs to have a call to wp_title(), ideally in the header.php file. The <title> tags can only contain a call to wp_title(). Use the wp_title filter to modify the output.
  3. Security breaches : Use of PHP system calls Found shell_exec in file tmhUtilities.php.
    Line 1: <?php
    /**
     * tmhUtilities
     *
     * Helpful utility and Twitter formatting functions
     *
     * @author themattharris
     * @version 0.5.0
     *
     * 04 September 2012
     */
    class tmhUtilities {
      const VERSION = '0.5.0';
      /**
       * Entifies the tweet using the given entities element.
       * Deprecated.
       * You should instead use entify_with_options.
       *
       * @param array $tweet the json converted to normalised array
       * @param array $replacements if specified, the entities and their replacements will be stored to this variable
       * @return the tweet text with entities replaced with hyperlinks
       */
      public static function entify($tweet, &$replacements=array()) {
        return tmhUtilities::entify_with_options($tweet, array(), $replacements);
      }
    
      /**
       * Entifies the tweet using the given entities element, using the provided
       * options.
       *
       * @param array $tweet the json converted to normalised array
       * @param array $options settings to be used when rendering the entities
       * @param array $replacements if specified, the entities and their replacements will be stored to this variable
       * @return the tweet text with entities replaced with hyperlinks
       */
      public static function entify_with_options($tweet, $options=array(), &$replacements=array()) {
        $default_opts = array(
          'encoding' => 'UTF-8',
          'target'   => '',
        );
    
        $opts = array_merge($default_opts, $options);
    
        $encoding = mb_internal_encoding();
        mb_internal_encoding($opts['encoding']);
    
        $keys = array();
        $is_retweet = false;
    
        if (isset($tweet['retweeted_status'])) {
          $tweet = $tweet['retweeted_status'];
          $is_retweet = true;
        }
    
        if (!isset($tweet['entities'])) {
          return $tweet['text'];
        }
    
        $target = (!empty($opts['target'])) ? ' target="'.$opts['target'].'"' : '';
    
        // prepare the entities
        foreach ($tweet['entities'] as $type => $things) {
          foreach ($things as $entity => $value) {
            $tweet_link = "<a href=\"https://twitter.com/{$tweet['user']['screen_name']}/statuses/{$tweet['id']}\"{$target}>{$tweet['created_at']}</a>";
    
            switch ($type) {
              case 'hashtags':
                $href = "<a href=\"https://twitter.com/search?q=%23{$value['text']}\"{$target}>#{$value['text']}</a>";
                break;
              case 'user_mentions':
                $href = "@<a href=\"https://twitter.com/{$value['screen_name']}\" title=\"{$value['name']}\"{$target}>{$value['screen_name']}</a>";
                break;
              case 'urls':
              case 'media':
                $url = empty($value['expanded_url']) ? $value['url'] : $value['expanded_url'];
                $display = isset($value['display_url']) ? $value['display_url'] : str_replace('http://', '', $url);
                // Not all pages are served in UTF-8 so you may need to do this ...
                $display = urldecode(str_replace('%E2%80%A6', '&hellip;', urlencode($display)));
                $href = "<a href=\"{$value['url']}\"{$target}>{$display}</a>";
                break;
            }
            $keys[$value['indices']['0']] = mb_substr(
              $tweet['text'],
              $value['indices']['0'],
              $value['indices']['1'] - $value['indices']['0']
            );
            $replacements[$value['indices']['0']] = $href;
          }
        }
    
        ksort($replacements);
        $replacements = array_reverse($replacements, true);
        $entified_tweet = $tweet['text'];
        foreach ($replacements as $k => $v) {
          $entified_tweet = mb_substr($entified_tweet, 0, $k).$v.mb_substr($entified_tweet, $k + strlen($keys[$k]));
        }
        $replacements = array(
          'replacements' => $replacements,
          'keys' => $keys
        );
    
        mb_internal_encoding($encoding);
        return $entified_tweet;
      }
    
      /**
       * Returns the current URL. This is instead of PHP_SELF which is unsafe
       *
       * @param bool $dropqs whether to drop the querystring or not. Default true
       * @return string the current URL
       */
      public static function php_self($dropqs=true) {
        $protocol = 'http';
        if (isset($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) == 'on') {
          $protocol = 'https';
        } elseif (isset($_SERVER['SERVER_PORT']) && ($_SERVER['SERVER_PORT'] == '443')) {
          $protocol = 'https';
        }
    
        $url = sprintf('%s://%s%s',
          $protocol,
          $_SERVER['SERVER_NAME'],
          $_SERVER['REQUEST_URI']
        );
    
        $parts = parse_url($url);
    
        $port = $_SERVER['SERVER_PORT'];
        $scheme = $parts['scheme'];
        $host = $parts['host'];
        $path = @$parts['path'];
        $qs   = @$parts['query'];
    
        $port or $port = ($scheme == 'https') ? '443' : '80';
    
        if (($scheme == 'https' && $port != '443')
            || ($scheme == 'http' && $port != '80')) {
          $host = "$host:$port";
        }
        $url = "$scheme://$host$path";
        if ( ! $dropqs)
          return "{$url}?{$qs}";
        else
          return $url;
      }
    
      public static function is_cli() {
        return (PHP_SAPI == 'cli' && empty($_SERVER['REMOTE_ADDR']));
      }
    
      /**
       * Debug function for printing the content of an object
       *
       * @param mixes $obj
       */
      public static function pr($obj) {
    
        if (!self::is_cli())
          echo '<pre style="word-wrap: break-word">';
        if ( is_object($obj) )
          print_r($obj);
        elseif ( is_array($obj) )
          print_r($obj);
        else
          echo $obj;
        if (!self::is_cli())
          echo '</pre>';
      }
    
      /**
       * Make an HTTP request using this library. This method is different to 'request'
       * because on a 401 error it will retry the request.
       *
       * When a 401 error is returned it is possible the timestamp of the client is
       * too different to that of the API server. In this situation it is recommended
       * the request is retried with the OAuth timestamp set to the same as the API
       * server. This method will automatically try that technique.
       *
       * This method doesn't return anything. Instead the response should be
       * inspected directly.
       *
       * @param string $method the HTTP method being used. e.g. POST, GET, HEAD etc
       * @param string $url the request URL without query string parameters
       * @param array $params the request parameters as an array of key=value pairs
       * @param string $useauth whether to use authentication when making the request. Default true.
       * @param string $multipart whether this request contains multipart data. Default false
       */
      public static function auto_fix_time_request($tmhOAuth, $method, $url, $params=array(), $useauth=true, $multipart=false) {
        $tmhOAuth->request($method, $url, $params, $useauth, $multipart);
    
        // if we're not doing auth the timestamp isn't important
        if ( ! $useauth)
          return;
    
        // some error that isn't a 401
        if ($tmhOAuth->response['code'] != 401)
          return;
    
        // some error that is a 401 but isn't because the OAuth token and signature are incorrect
        // TODO: this check is horrid but helps avoid requesting twice when the username and password are wrong
        if (stripos($tmhOAuth->response['response'], 'password') !== false)
          return;
    
        // force the timestamp to be the same as the Twitter servers, and re-request
        $tmhOAuth->auto_fixed_time = true;
        $tmhOAuth->config['force_timestamp'] = true;
        $tmhOAuth->config['timestamp'] = strtotime($tmhOAuth->response['headers']['date']);
        return $tmhOAuth->request($method, $url, $params, $useauth, $multipart);
      }
    
      /**
       * Asks the user for input and returns the line they enter
       *
       * @param string $prompt the text to display to the user
       * @return the text entered by the user
       */
      public static function read_input($prompt) {
        echo $prompt;
        $handle = fopen('php://stdin','r');
        $data = fgets($handle);
        return trim($data);
      }
    
      /**
       * Get a password from the shell.
       *
       * This function works on *nix systems only and requires shell_exec and stty.
       *
       * @param  boolean $stars Whether or not to output stars for given characters
       * @return string
       * @url http://www.dasprids.de/blog/2008/08/22/getting-a-password-hidden-from-stdin-with-php-cli
       */
      public static function read_password($prompt, $stars=false) {
        echo $prompt;
        $style = shell_exec('stty -g');
    
        if ($stars === false) {
          shell_exec('stty 
  4. Malware : Network operations curl_init was found in the file tmhOAuth.php
    Line 637: $c = curl_init();
    curl_exec was found in the file tmhOAuth.php
    Line 705: $response = curl_exec($c);
  5. Deprecated functions : wp_get_http wp_get_http found in file wordpress-importer.php. Deprecated since version 4.4. Use WP_Http instead.
    Line 905: $headers = wp_get_http( $url, $upload['file'] );
  6. Deprecated functions : get_currentuserinfo get_currentuserinfo found in file form-edit-address.php. Deprecated since version 4.5. Use wp_get_current_user instead.
    Line 18: get_currentuserinfo();
  7. Included plugins : Zip file found Plugins are not allowed in themes. The zip file found was bakery-main-slider.zip bakery-cpt.zip envato-wordpress-toolkit.zip revslider.zip js_composer.zip ._bakery-main-slider.zip ._envato-wordpress-toolkit.zip ._revslider.zip ._js_composer.zip ._bakery-cpt.zip.
Warning
  1. core scripts deregistered : Core scripts deregistration Found wp_deregister_script in redux-framework.php. Themes must not deregister core scripts.
    Line 564: wp_deregister_script( 'wpb_ace' );
    Found wp_deregister_script in enqueue.php. Themes must not deregister core scripts.
    Line 213: wp_deregister_script( 'jquerySelect2' );
  2. theme tags : Presence of bad theme tags The tag dark has been deprecated, it must be removed from style.css header. The tag light has been deprecated, it must be removed from style.css header. The tag fluid-layout has been deprecated, it must be removed from style.css header.
  3. Text domain : Incorrect use of translation functions. Found a translation function that has an incorrect number of arguments. Function _e, with the arguments 'Please set up the menu location for this theme. <a href="', >Click here to go to the menu location settings &raquo;</a>, 'bakery' in file vu-actions.php.
    Found a translation function that is missing a text-domain. Function _n_noop, with the arguments 'This theme requires the following plugin: %1$s.', 'This theme requires the following plugins: %1$s.' in file vu-actions.php.
    Found a translation function that is missing a text-domain. Function _n_noop, with the arguments 'This theme recommends the following plugin: %1$s.', 'This theme recommends the following plugins: %1$s.' in file vu-actions.php.
    Found a translation function that is missing a text-domain. Function _n_noop, with the arguments 'Sorry, but you do not have the correct permissions to install the %s plugin. Contact the administrator of this site for help on getting the plugin installed.', 'Sorry, but you do not have the correct permissions to install the %s plugins. Contact the administrator of this site for help on getting the plugins installed.' in file vu-actions.php.
    Found a translation function that is missing a text-domain. Function _n_noop, with the arguments 'The following required plugin is currently inactive: %1$s.', 'The following required plugins are currently inactive: %1$s.' in file vu-actions.php.
    Found a translation function that is missing a text-domain. Function _n_noop, with the arguments 'The following recommended plugin is currently inactive: %1$s.', 'The following recommended plugins are currently inactive: %1$s.' in file vu-actions.php.
    Found a translation function that is missing a text-domain. Function _n_noop, with the arguments 'Sorry, but you do not have the correct permissions to activate the %s plugin. Contact the administrator of this site for help on getting the plugin activated.', 'Sorry, but you do not have the correct permissions to activate the %s plugins. Contact the administrator of this site for help on getting the plugins activated.' in file vu-actions.php.
    Found a translation function that is missing a text-domain. Function _n_noop, with the arguments 'The following plugin needs to be updated to its latest version to ensure maximum compatibility with this theme: %1$s.', 'The following plugins need to be updated to their latest version to ensure maximum compatibility with this theme: %1$s.' in file vu-actions.php.
    Found a translation function that is missing a text-domain. Function _n_noop, with the arguments 'Sorry, but you do not have the correct permissions to update the %s plugin. Contact the administrator of this site for help on getting the plugin updated.', 'Sorry, but you do not have the correct permissions to update the %s plugins. Contact the administrator of this site for help on getting the plugins updated.' in file vu-actions.php.
    Found a translation function that is missing a text-domain. Function _n_noop, with the arguments 'Begin installing plugin', 'Begin installing plugins' in file vu-actions.php.
    Found a translation function that is missing a text-domain. Function _n_noop, with the arguments 'Activate installed plugin', 'Activate installed plugins' in file vu-actions.php.
    Found a translation function that is missing a text-domain. Function esc_attr_x, with the arguments 'Type and hit enter', 'bakery' in file searchform.php.
    Found a translation function that is missing a text-domain. Function esc_attr_x, with the arguments 'Search', 'bakery' in file searchform.php.
    Found a translation function that is missing a text-domain. Function __, with the arguments 'Payment Method' in file payment.php.
    Found a translation function that has an incorrect number of arguments. Function _n, with the arguments '%s download remaining', '%s downloads remaining', downloads_remaining, 'woocommerce' in file my-downloads.php.
    Found a translation function that is missing a text-domain. Function __, with the arguments 'woocommerce' in file shipping-calculator.php.
    Found a translation function that is missing a text-domain. Function __, with the arguments 'woocommerce' in file cart-totals.php.
    More than one text-domain is being used in this theme. This means the theme will not be compatible with WordPress.org language packs. The domains found are bakery, redux-framework, bakery_options, framework, wordpress-importer, radium, themecheck, tgmpa, nav-menus.php?action=locations, >Click here to go to the menu location settings &raquo;</a>, woocommerce, downloads_remaining.
  4. Plugin territory : Plugin territory functionalities The theme uses the add_shortcode() function. Custom post-content shortcodes are plugin-territory functionality.
  5. Unwanted files : hidden file(s) or folder(s) .ds_store was found.
  6. PHP short tags : Presence of PHP short tags PHP short tags were found in file parsedown.php. "This practice is discouraged because they are only available if enabled with short_open_tag php.ini configuration file directive, or if PHP was configured with the --enable-short-tags option" (php.net), which is not the case on many servers.
    Line 14: # Modified by Dovy Paukstys to remove <? shortcode-like declaration.
    PHP short tags were found in file ._wrapper-end.php. "This practice is discouraged because they are only available if enabled with short_open_tag php.ini configuration file directive, or if PHP was configured with the --enable-short-tags option" (php.net), which is not the case on many servers.
    Line 1: 
    PHP short tags were found in file ._form-login.php. "This practice is discouraged because they are only available if enabled with short_open_tag php.ini configuration file directive, or if PHP was configured with the --enable-short-tags option" (php.net), which is not the case on many servers.
    Line 1: 
  7. Comment reply : Declaration of comment reply Could not find the comment-reply script enqueued, however a reference to 'comment-reply' was found. Make sure that the comment-reply js script is being enqueued properly on singular pages.
  8. CSS files : Presence of .screen-reader-text class .screen-reader-text css class is needed in your theme css. See : the Codex for an example implementation.
  9. Screenshot : Screenshot file Screenshot size is 880x660px. Screenshot size should be 1200x900, to account for HiDPI displays. Any 4:3 image size is acceptable, but 1200x900 is preferred.
Tip-off
  1. favicon presence : Favicon management Possible Favicon found in vu-actions.php. Favicons are handled by the Site Icon setting in the customizer since version 4.3.
  2. Static links : Presence of hard-coded links Possible hard-coded links were found in the file bakery-options.php.
    Line 81: <p>Please refer to our <a href='http://milingona.co' target='_blank'>online documentation</a> for more inst
    Line 90: <p>Please visit <a href='http://milingona.co' target='_blank'>milingona.co</a> to keep up to date on
    Line 1255: 'desc'   => __('Please find here all the map options. To convert an address into latitude & longitude please use <a href='http://www.latlong.net/convert-address-to-lat-long.html'>this converter.</a
    Line 2775: 'default'  => date('Y') .' '. __('All rights reserved. Powered by <a href='http://themeforest.net/user/milingona_/portfolio' target='_blank'>Milingona
    Line 2869: 'desc'     => 'Possible modes can be found at <a href='http://ace.c9.io' target='_blank'>http://ace.c9.io/</a>.',
    Line 2881: 'desc'     => 'Possible modes can be found at <a href='http://ace.c9.io' target='_blank'>http://ace.c9.io/</a>.',
  3. Optional files : Presence of rtl stylesheet rtl.css This theme does not contain optional file rtl.php.
  4. Optional files : Presence of front page template file front-page.php This theme does not contain optional file front-page.php.
  5. Optional files : Presence of home template file home.php This theme does not contain optional file home.php.
  6. Optional files : Presence of term template file taxonomy.php This theme does not contain optional file taxonomy.php.
  7. Optional files : Presence of date/time template file date.php This theme does not contain optional file date.php.
  8. Optional files : Presence of attachment template file attachment.php This theme does not contain optional file attachment.php.
  9. Optional files : Presence of image template file image.php This theme does not contain optional file image.php.
  10. Use of includes : Use of include or require The theme appears to use include or require : config.php
    Line 4: require_once('shortcodes/products.php');
    Line 5: require_once('shortcodes/products-with-filter.php');
    Line 6: require_once('shortcodes/featured-products.php');
    If these are being used to include separate sections of a template from independent files, then get_template_part() should be used instead. Otherwise, use include_once or require_once instead.
    The theme appears to use include or require : redux-framework.php
    Line 414: require_once 'core/dashboard.php';
    Line 417: require_once 'core/newsflash.php';
    Line 1684: require_once 'core/enqueue.php';
    Line 2823: require_once 'core/enqueue.php';
    Line 2881: require_once 'core/panel.php';
    Line 3210: require_once 'core/panel.php';
    If these are being used to include separate sections of a template from independent files, then get_template_part() should be used instead. Otherwise, use include_once or require_once instead.
    The theme appears to use include or require : extension_customizer.php
    Line 140: include_once( ReduxFramework::$_dir . 'core/enqueue.php' );
    Line 749: require_once( $class_file );
    If these are being used to include separate sections of a template from independent files, then get_template_part() should be used instead. Otherwise, use include_once or require_once instead.
    The theme appears to use include or require : welcome.php
    Line 373: require_once 'views/about.php';
    Line 388: require_once 'views/changelog.php';
    Line 403: require_once 'views/extensions.php';
    Line 419: require_once 'views/support.php';
    Line 434: require_once 'views/credits.php';
    Line 449: require_once 'views/status_report.php';
    If these are being used to include separate sections of a template from independent files, then get_template_part() should be used instead. Otherwise, use include_once or require_once instead.
    The theme appears to use include or require : field_button_set.php
    Line 46: *              ['format']      string Formatting options for paginate fields. Options include ('currency','nice','niceShort','timeAgoInWords' or a valid Date() f
    If these are being used to include separate sections of a template from independent files, then get_template_part() should be used instead. Otherwise, use include_once or require_once instead.
    The theme appears to use include or require : class-ezTweet.php
    Line 148: require_once($this->lib.'tmhOAuth.php');
    Line 149: require_once($this->lib.'tmhUtilities.php');
    If these are being used to include separate sections of a template from independent files, then get_template_part() should be used instead. Otherwise, use include_once or require_once instead.