Comments on: Wordpress plugin security

By: Blogshop

Blogshop — Sun, 16 Nov 2008 10:33:49 +0000

Whoops, didnt realize you meant the read me files FAQ& never mind. Thanks, keep up the great work.

By: Log0

Log0 — Sat, 01 Nov 2008 08:22:48 +0000

Worse, the user submitted plugin is stored publicly accessible, and is never checked. It’s just about the user’s trust to your plugin… and if they believe you can’t be possibly harmful…

you get it.

By: Gareth Heyes

Gareth Heyes — Fri, 24 Oct 2008 07:56:27 +0000

Well I’m referring to the official Wordpress plugin page as I see that as their responsibility but really all plugin sites should provide some sort of security review or at least some automatation security testing.

By: Jacob Santos

Jacob Santos — Thu, 23 Oct 2008 22:50:43 +0000

Do you mean the Plugins Extend on the wordpress.org site or just out in the open on any site? There are some plugin release review, but how extensive they are is unknown.

By: Mike Willbanks

Mike Willbanks — Wed, 22 Oct 2008 20:44:55 +0000

I agree fully. Wordpress is one of those software packages that is almost too easy to not use it but yet the way they allow the plugins to be released is quite pitiful and their architecture is simply disgusting.

There are easy solutions around this, something even as simple as having an official review process (could cost money even) to stamp it as an approved plugin.

Secondly have a simple vulnerability scanner to look for common pitfalls as you speak.

Lastly, there should really be something attached to it. You get these people that think they can write PHP that just installed wordpress and write a plugin they are not focused on security or even know what it is. All they think is, hmm, how do I get this to work - aka happy path testing.