WordPress plugin security

Wednesday, 22 October 2008

It’s really bad. The amount of code that gets released and is vulnerable is shocking. WordPress you need to do something. Anything. Disable all plugins now, run a audit on the code or use a user security review process, even as a last resort run some sort of automation on the code. Is it really that hard? Scan for common vulnerablities like echo PHP_SELF, global injections and so on.

I’ve just reviewed yet another security report from Blogsec and some more vulnerable plugins. You boast about all those users. Do something to help secure their software.

The entry 'WordPress plugin security' was posted on October 22nd, 2008 at 3:10 pm and is filed under php, Security, Wordpress. You can follow any responses to this entry through the RSS 2.0 feed. Both comments and pings are currently closed.

5 Responses to “WordPress plugin security”

  1. Mike Willbanks writes:
    No. 1 — October 22nd, 2008 at 8:44 pm

    I agree fully. WordPress is one of those software packages that is almost too easy to not use it but yet the way they allow the plugins to be released is quite pitiful and their architecture is simply disgusting.

    There are easy solutions around this, something even as simple as having an official review process (could cost money even) to stamp it as an approved plugin.

    Secondly have a simple vulnerability scanner to look for common pitfalls as you speak.

    Lastly, there should really be something attached to it. You get these people that think they can write PHP that just installed wordpress and write a plugin they are not focused on security or even know what it is. All they think is, hmm, how do I get this to work – aka happy path testing.

  2. Jacob Santos writes:
    No. 2 — October 23rd, 2008 at 10:50 pm

    Do you mean the Plugins Extend on the wordpress.org site or just out in the open on any site? There are some plugin release review, but how extensive they are is unknown.

  3. Gareth Heyes writes:
    No. 3 — October 24th, 2008 at 7:56 am

    Well I’m referring to the official WordPress plugin page as I see that as their responsibility but really all plugin sites should provide some sort of security review or at least some automatation security testing.

  4. Log0 writes:
    No. 4 — November 1st, 2008 at 8:22 am

    Worse, the user submitted plugin is stored publicly accessible, and is never checked. It’s just about the user’s trust to your plugin… and if they believe you can’t be possibly harmful…

    you get it.

  5. Blogshop writes:
    No. 5 — November 16th, 2008 at 10:33 am

    Whoops, didnt realize you meant the read me files FAQ& never mind. Thanks, keep up the great work.

«
»