WordPress plugin security

It’s really bad. The amount of code that gets released and is vulnerable is shocking. WordPress, you need to do something. Anything. Disable all plugins now, run an audit on the code or use a user security review process, or even, as a last resort, run some sort of automation on the code. Is it really that hard? Scan for common vulnerabilities like echoing PHP_SELF, global injections and so on.
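One way to implement the "some sort of automation" the post asks for, as an added example that is not the post's or WordPress's own tooling: a small regex-based scanner in Python that flags the pitfalls named above (echoed PHP_SELF, global injection, unescaped request input) in a constructed sample plugin file. The rule set, the sample file and the one-line escaping check are assumptions made here; a real audit would use a PHP parser rather than line regexes.

```python
import re

# Constructed sample of a PHP plugin file exhibiting the pitfalls the post names.
SAMPLE_PLUGIN = r"""<?php
/* Plugin Name: Demo (constructed sample, not a real plugin) */
echo '<form action="' . $_SERVER['PHP_SELF'] . '">';   // reflected XSS sink
extract($_REQUEST);                                      // global injection
$safe = htmlspecialchars($_GET['q'], ENT_QUOTES);
echo $safe;
echo $_GET['name'];                                      // unescaped user input
"""

# Each rule: (identifier, compiled pattern, reason). Assumed rule set, not exhaustive.
RULES = [
    ("php-self-echo",
     re.compile(r"echo\b[^;]*\$_SERVER\s*\[\s*['\"]PHP_SELF['\"]\s*\]"),
     "PHP_SELF is attacker-controlled; escape it before output"),
    ("global-injection",
     re.compile(r"(\bextract\s*\(\s*\$_(?:REQUEST|GET|POST|COOKIE)\b|\bimport_request_variables\s*\()"),
     "request data turned into variables can overwrite plugin state"),
    ("raw-input-echo",
     re.compile(r"echo\b[^;]*\$_(?:GET|POST|REQUEST|COOKIE)\s*\["),
     "user input echoed without escaping"),
]

# Crude check: if an escaper appears on the same line as the sink, skip the line.
ESCAPER = re.compile(r"\b(htmlspecialchars|esc_html|esc_attr)\s*\(")


def scan_php(source: str) -> list[tuple[int, str, str]]:
    """Return (line_number, rule_id, reason) for every line that matches a rule."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        if ESCAPER.search(line):
            continue
        for rule_id, pattern, reason in RULES:
            if pattern.search(line):
                findings.append((lineno, rule_id, reason))
    return findings


if __name__ == "__main__":
    for lineno, rule_id, reason in scan_php(SAMPLE_PLUGIN):
        print(f"line {lineno}: {rule_id}: {reason}")
```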

I’ve just reviewed yet another security report from Blogsec and some more vulnerable plugins. You boast about all those users. Do something to help secure their software.

5 Responses to “WordPress plugin security”

  1. Mike Willbanks writes:

    I agree fully. WordPress is one of those software packages that is almost too easy not to use, but yet the way they allow the plugins to be released is quite pitiful and their architecture is simply disgusting.

    There are easy solutions around this, something even as simple as having an official review process (could cost money even) to stamp it as an approved plugin.

    Secondly have a simple vulnerability scanner to look for common pitfalls as you speak.

    Lastly, there should really be something attached to it. You get these people that think they can write PHP because they just installed WordPress and wrote a plugin; they are not focused on security or even know what it is. All they think is, hmm, how do I get this to work – aka happy path testing.

  2. Jacob Santos writes:

    Do you mean the Plugins Extend on the wordpress.org site or just out in the open on any site? There are some plugin release reviews, but how extensive they are is unknown.

  3. Gareth Heyes writes:

    Well, I’m referring to the official WordPress plugin page, as I see that as their responsibility, but really all plugin sites should provide some sort of security review or at least some automated security testing.

  4. Log0 writes:

    Worse, the user-submitted plugin is stored publicly accessible and is never checked. It’s just about the users’ trust in your plugin… and if they believe you can’t possibly be harmful…

    you get it.

  5. Blogshop writes:

    Whoops, didn’t realize you meant the read me files FAQ. Never mind. Thanks, keep up the great work.