unserialize(): Error at offset 0 of 15 bytes in bulletproof-security.php on line 237

  • #44020
    AITpro Admin
    Keymaster

    Yes, the message is coming back continuously. I also have a Connection refused message:

    [12-Jul-2024 14:38:34 UTC] PHP Warning:  unserialize(): Error at offset 0 of 15 bytes in /xxxxx/xxxxx/domains/xxxxx/public_html/wp-content/plugins/bulletproof-security/bulletproof-security.php on line 237
    
    [12-Jul-2024 14:38:39 UTC] Connection refused
    #44021
    AITpro Admin
    Keymaster

    Litespeed Cache was causing the problem. Redis was being used instead of Memcache. Changed Litespeed Cache setting and Port (11211) for object cache.

    #45702
    AITpro Admin
    Keymaster

    Response from another person experiencing this PHP error:

    Hi,

    Thank you for your prompt response.  Your comment about server-side caching helped.

    While neither the memcache nor redis extensions were activated in cPanel I noticed for some unknown reason that the Object Cache setting in the LiteSpeed Cache plugin was ON (the extensions status said disabled).

    I turned the Object Cache to OFF and have not had the above PHP error notice since; hopefully that’s it.

    Thank you for your time.

    #45722
    wpconvert
    Participant

    Hi… I wonder if this might help anybody out with regard to the “PHP warning during update check: unserialize() error when response is not serialized”.

    Below are my findings…

    Details

    On PHP 8.4.15 (LiteSpeed hosting, ModSecurity enabled), BulletProof Security Pro logs the following warning whenever WordPress checks for plugin updates (e.g. on admin login):

    PHP Warning: unserialize(): Error at offset 0 of XX bytes .../bulletproof-security.php on line 237

    This appears to happen when the update API response body is not a serialized PHP object (e.g. ModSecurity interference, license/auth response, or other non-serialized payload returned with HTTP 200).

    In PHP 8.x this now logs warnings, whereas older PHP versions were more forgiving.

    WordPress handles missing update data gracefully, so the update check should fail silently rather than logging warnings. Even though they are only warnings, over time they began to annoy me when I was confronted by an error notification every time I logged into a site – managing a number of sites where this was an issue became very testing.

    The “//start checking for an update” section of code within the bulletproof-security.php file that’s referred to in the error needs to be replaced with the below…

    Proposed fix (minimal patch)

    --- a/bulletproof-security.php
    +++ b/bulletproof-security.php
    @@ -234,14 +234,32 @@
    // Start checking for an update
    $raw_response = wp_remote_post($bpsPro_api_url, $request_string);
    - $response = '';
    + $response = false;
    
    - if ( ! is_wp_error($raw_response) && ($raw_response['response']['code'] == 200) )
    - $response = unserialize($raw_response['body']);
    + if ( ! is_wp_error($raw_response) ) {
    + $code = wp_remote_retrieve_response_code($raw_response);
    + $body = wp_remote_retrieve_body($raw_response);
    +
    + if ( $code === 200 && is_string($body) && $body !== '' ) {
    + $data = @unserialize($body, ['allowed_classes' => true]);
    + if ( is_object($data) ) {
    + $response = $data;
    + }
    + }
    + }
    
    - if ( is_object($response) && ! empty($response) )
    - $checked_data->response[$bps_plugin_slug .'/'. $bps_plugin_slug .'.php'] = $response;
    + if ( is_object($response) ) {
    + if ( ! isset($checked_data->response) ) {
    + $checked_data->response = [];
    + }
    + $checked_data->response[$bps_plugin_slug . '/' . $bps_plugin_slug . '.php'] = $response;
    + }
    
    return $checked_data;
    }
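
Review bot: on the added line `$data = @unserialize($body, ['allowed_classes' => true]);`, the option `'allowed_classes' => true` is PHP's default and does not limit which classes the body returned by `wp_remote_post()` can instantiate, so a response altered in transit or by an intermediary is still deserialized with full object instantiation. Restrict the option to the class the update API actually sends (for example `['allowed_classes' => ['stdClass']]` if it is a plain object, which this hunk does not show) and replace `is_object($data)` with an `instanceof` check on that class, because a disallowed class comes back as a `__PHP_Incomplete_Class` instance that still passes `is_object()`. The `@` operator also hides every unserialize failure, so a single debug-level log entry in the failure path would keep a blocked or tampered response visible without bringing the warning back.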

    Result

    • Prevents PHP 8.x unserialize() warnings
    • Does not affect valid update checks
    • Update check simply fails silently if the response is invalid

    This has solved my issues and made life a bit quieter when managing my sites – hope it’s relevant and helps others.

    #45723
    AITpro Admin
    Keymaster

    I’ll test your code with my API server and see if this works. I kind of gave up years ago with trying to get rid of the nuisance PHP error because every approach I tried broke the API server’s functionality. Got my fingers crossed.

    #45744
    wpconvert
    Participant

    It seems to work for me – it was really becoming very annoying.

    Setup (in case it’s relevant): Litespeed server, LScache, PHP 8.4.17, WordPress 6.9

    I tried a couple of versions of the code – but there were a couple of edge cases where it didn’t work consistently. The refined, final version of the code has worked for me – it’s been applied for a few weeks now without issue. I overwrote the original file as there have been no updates to PRO of late. Perhaps I should have put it in an MU plugin just in case….

    Whilst I’m here – I wonder if there are any updates planned going forward? For example, is all the code PHP 8+ compatible? Not that I’ve come across any issues personally – I’m just curious if there are any improvements planned?

    I install Bulletproof Security Pro on every website I commission (and haven’t had a single problem yet with anything nasty) – it’s a go-to plugin for me. So thanks again for developing it – I find that such hard work rarely gets the praise it deserves 🙂

    #45745
    AITpro Admin
    Keymaster

    I will be testing your code soon. Been crazy busy on another project I am working on for the last year or so. In general, BPS Pro is a “completed” plugin in my opinion, but there are some things that I want to improve. When new versions of PHP are released, I install them on my Development server and test them with BPS Pro. The same applies with new versions of WordPress. If/when something critical needs to be changed or fixed in BPS Pro for compatibility with PHP or WordPress I prioritize that and will get that done ASAP.
