Understanding Implications of WordPress Plugin Security

by Aaron Brazell on September 23, 2006 · 19 comments

Early last year (an eternity ago, it seems), I wrote a series on PHP security that continues to be one of the top recipients of search engine traffic. Specifically, we talked about register_globals, remote file execution and the dangers of FTP.

Yesterday, I posted details about a cross-site scripting (XSS) exploit in a popular WordPress plugin, which prompted Podz, support maven for WordPress, to challenge the WordPress development community to contribute back to the community by detailing what makes plugins unsafe.

My goal is to tackle every one of his questions in a post dedicated to each question. As I post a new article, I’ll link to it from here so Podz and the rest of the good folks offering support can have a centralized location to find my answers. There may be other developers out there who will contribute to this exercise themselves, and I encourage them to do so.

This is a good exercise because most people think they will never get hacked. It won’t ever happen to me! WordPress as a blogging platform is a pretty secure piece of software. Every once in a while, a flaw is discovered and patched. However, the plugin hooks allow anyone to write any code to add to WordPress, and that code can make a blog a very dangerous place indeed. Hopefully these posts will demystify plugins a bit and give average folks some clues as to what exactly they are installing when they activate a plugin.

The questions Podz asks are as follows:

  1. What is Dangerous?
  2. Is there a bad combination?
  3. What should we not mix?
  4. How can we tell what is good and bad?
  5. Can we test these plugins to find out?
  6. Who should we trust and how do we know we can trust them?
  7. How much research is enough?
  8. Should we ever not use plugins?
  9. Is it a permissions problem every time?
  10. What is “Best Practice”?
  11. Which plugins do you think are bad? Why? Have you changed yours if you use it?

Some of these questions will be answered fairly simply, while others will be treated in more depth. I may even have a guest or two contribute. We’ll see…

Updates: Entries in the Series.

{ 5 trackbacks }

WordPress Plugin Security: The Golden Rule » Technology, Blogging and New Media
September 25, 2006 at 11:03 am
WordPress Plugin Security: What is Dangerous? » Technology, Blogging and New Media
September 28, 2006 at 12:06 pm
WordPress Plugin Security: Dangerous Combinations » Technology, Blogging and New Media
October 10, 2006 at 11:17 pm
WordPress Plugin Security: Less is More » Technology, Blogging and New Media
October 12, 2006 at 1:54 pm
Gefährliche WP-Plugins | nanoblogs[.de]
October 26, 2006 at 4:18 pm

{ 14 comments }

1 Michael Hampton September 23, 2006 at 2:05 pm

This is why I keep my plugins as simple as possible. Obviously it’s not possible to prevent everything in advance, but XSS and the like are low-hanging fruit: anybody writing code should understand them and be able to defend their code from them.

8 Andrew K. September 24, 2006 at 6:42 pm

Perhaps it should be suggested to plugin authors that they request a security review via the forum or IRC? I’m not sure about the forum as I don’t participate, but I know there are more than enough people who can check plugin security on the wp-hackers list and in #wordpress on freenode.
