Safety issues with WP Hummingbird


Just installed Plugin Inspector and WP Hummingbird came in with ten yellow UNSAFE issues. here is a screenshot of the first two:

What does this mean? What do I do about it?



  • Adam Czajczyk

    Hello Neal,

    I hope you're fine today and thank you for bringing this issue to the forum!

    The "vulnerabilities" that Plugin Inspector reports after scanning Hummingbird's code are mostly related to functions that provide access to remote URLs/resources and that help execute other functions. Such functions could in may cases be used to perform some malicious actions/activites (often "hidden"/in background) but each of these functions itself is legitimate and not harmful. The potential risk therefore is how and what for they are used.

    In case of Hummingbird those reported functions are:


    it's a core WordPress function used to fetch content of a given external URL (e.g. content of other site or some important data); here it's used for a few different purposes:

    - to determine whether there's nginx webserver uses in front of apache webserver on the server (this is commonly used for proxy'ing, load balancing etc)

    - in minification modules to fetch content to be minified in case it was not accessible other ways (e.g. site's over SSL

    - to contact our servers to check for updates (via WPMU DEV Dashboard plugin only)

    wp_remote_post($url, $args)

    This is used to post data to external URL; here it's used both to send data to your site itself if there's no other way and to send data to our servers for analysis;


    This is similar to the "wp_remote_get()" except it's fetching only HTTP headers and not entire content of a given URL;


    These are standard PHP functions used for reading/writing content from/to a file; here it's used e.g. to write content to cache files; Frankly, I don't quite understand why this particular function is reported as it's a common and often used standard PHP function.


    This is another standard PHP function that's used to get "callback". It can be used in a malicious way (actually, pretty much everything could) but usually it's used e.g. to reduce an amount of redundant code/avoid code repetitions and speed up/simplify code; it's used this way here

    I think these are the only functions reported by Plugin Inspector in case of Hummingbird, hopefully I didn't miss any other. They are used in Hummingbird in order to "make Hummingbird make what it makes", so to say :slight_smile: Therefore in this case warnings can be safely ignored.

    I hope that helps!
    Best regards,

  • neal_umphred


    The weird thing abut the Plugin Inspector is that with each review it states, "You can ignore all Unsafe messages if you trust the author and the source of this plugin."

    I trust ALL the authors/sources of my plugins, otherwise I wouldn't have them on my sites.

    Anyway, I will ignore Plugin Inspector and probably sleep a little sounder tonight.

    Thanks again for your prompt and erudite response!


Thank NAME, for their help.

Let NAME know exactly why they deserved these points.

Gift a custom amount of points.