
23 September 2006 19 Comments

Understanding Implications of WordPress Plugin Security

Early last year (an eternity ago, it seems), I wrote a series on PHP security that continues to be one of the top recipients of search engine traffic. Specifically, we talked about register_globals, remote file execution and the dangers of FTP.

Yesterday, I posted details about a cross-site scripting (XSS) exploit in a popular WordPress plugin, which prompted Podz, support maven for WordPress, to challenge the WordPress development community to give back by detailing what makes plugins unsafe.

My goal is to tackle every one of his questions in a post dedicated to each question. As I post a new article, I’ll link to it from here so Podz and the rest of the good folks offering support can have a centralized location to find my answers. There may be other developers out there who will contribute to this exercise themselves, and I encourage them to do so.

This is a good exercise because most people think they will never get hacked. It won’t ever happen to me! WordPress as a blogging platform is a pretty secure piece of software. Every once in a while a flaw is discovered and patched. However, the plugin hooks allow anyone to write code that WordPress runs with its own privileges, so a flaw in any plugin is a flaw in the whole blog, and a badly written plugin can make a blog a very dangerous place indeed. Hopefully these posts will demystify plugins a bit and give average folks some clues as to what exactly they are installing when they activate a plugin.
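To make the point concrete, here is a minimal plugin, added as an example and not part of the original post or of any real plugin: a hook gives plugin code a place in every page, and a request parameter the plugin echoes without escaping becomes exactly the kind of cross-site scripting hole mentioned above. The plugin name, the `hgd_` function names and the `visitor` parameter are made up for illustration.

```php
<?php
/*
Plugin Name: Hook Gateway Demo (hypothetical, added example)
Description: Shows how an untrusted request value reaches page output through a plugin hook, and how to escape it.
*/

// The "gateway" here is $_GET['visitor']: anything an attacker can put in a URL
// and get a reader to click ends up inside the blog's HTML.

// VULNERABLE: raw request data is concatenated straight into HTML.
// Request: /?visitor=%3Cscript%3Ealert(1)%3C/script%3E
// Output:  <p>Hello, <script>alert(1)</script>!</p>
function hgd_greeting_vulnerable($visitor) {
    return '<p>Hello, ' . $visitor . '!</p>';
}

// FIXED: the value is HTML-escaped at the point of output, so the browser
// shows the characters literally instead of parsing them as markup.
// (Current WordPress offers esc_html() for this; htmlspecialchars() is the
// PHP-native equivalent, used here so the file also runs outside WordPress.)
function hgd_greeting_safe($visitor) {
    return '<p>Hello, ' . htmlspecialchars($visitor, ENT_QUOTES, 'UTF-8') . '!</p>';
}

function hgd_print_greeting() {
    $visitor = isset($_GET['visitor']) ? (string) $_GET['visitor'] : 'stranger';
    echo hgd_greeting_safe($visitor);
}

if (function_exists('add_action')) {
    // Inside WordPress: the wp_footer hook runs this code on every page,
    // with the same privileges as WordPress itself. Nothing sandboxes it.
    add_action('wp_footer', 'hgd_print_greeting');
} elseif (PHP_SAPI === 'cli') {
    // Outside WordPress (php this-file.php): show both outputs for a constructed payload.
    $payload = '<script>alert(1)</script>';  // constructed attacker input, not real traffic
    echo "vulnerable: ", hgd_greeting_vulnerable($payload), "\n";
    echo "safe:       ", hgd_greeting_safe($payload), "\n";
}
```

Run from the command line, the vulnerable function hands the script tag back unchanged, while the safe one returns `<p>Hello, &lt;script&gt;alert(1)&lt;/script&gt;!</p>`. The lesson for a reader inspecting a plugin is the same one the series develops: find every place request data (`$_GET`, `$_POST`, cookies, headers) enters the plugin, and check that it is escaped before it is echoed.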

The questions Podz asks are as follows:

  1. What is Dangerous?
  2. Is there a bad combination?
  3. What should we not mix?
  4. How can we tell what is good and bad?
  5. Can we test these plugins to find out?
  6. Who Should we trust and how do we know we can trust them?
  7. How much research is enough?
  8. Should we ever not use plugins?
  9. Is it a permissions problem every time?
  10. What is “Best Practice”?
  11. Which plugins do you think are bad? Why? Have you changed yours if you use it?

Some of these questions will be answered overly simplistically, while others will need more depth. I may even have a guest or two contribute. We’ll see…

Updates: Entries in the Series.


19 Responses to “Understanding Implications of WordPress Plugin Security”

  1. Michael Hampton 23 September 2006 at 2:05 pm #

    This is why I keep my plugins as simple as possible. Obviously it’s not possible to prevent everything in advance, but XSS and the like are low-hanging fruit: anybody writing code should understand them and be able to defend their code from them.


  8. Andrew K. 24 September 2006 at 6:42 pm #

    Perhaps it should be suggested to plugin authors that they request a security review via the forum or IRC? I’m not sure about the forum as I don’t participate, but I know there are more than enough people who can check plugin security on the wp-hackers list and in #wordpress on freenode.



Trackbacks/Pingbacks.

  1. WordPress Plugin Security: The Golden Rule » Technology, Blogging and New Media - 25. Sep, 2006

    [...] As promised, today I begin an open-ended series on WordPress plugin security. How do you know what is secure? What tell-tale signs there might be? How to train an untrained eye on code? But before we begin, we must establish a premise. [...]

  2. WordPress Plugin Security: What is Dangerous? » Technology, Blogging and New Media - 28. Sep, 2006

    [...] Earlier this week, I began a series on WordPress plugin security. We established that the golden rule of web security is to check the “gateways”. That is, watch the areas of a website that an attacker can use to send data to your website. I’d like to elaborate more on this today. [...]

  3. WordPress Plugin Security: Dangerous Combinations » Technology, Blogging and New Media - 10. Oct, 2006

    [...] I have wrestled with this question since the last entry in this series about WordPress plugin security. As I know this series will be used as a resource for the larger WordPress community, I think it’s necessary to abstract these issues enough that average non-technical users can understand and that doesn’t single out a single issue or two while leaving others unaddressed. [...]

  4. WordPress Plugin Security: Less is More » Technology, Blogging and New Media - 12. Oct, 2006

    [...] As I continue in my ongoing series on plugin security for WordPress, I’m going to diverge off the mapped out route and organically grow this series a little more. Hopefully it suits WordPress users everywhere. To reiterate, this series is designed for the non-developer, the “average guy” so to speak. Security is a mystifying area but it requires a good bit of demystifying. [...]

  5. Dangerous WP Plugins (Gefährliche WP-Plugins) | nanoblogs[.de] - 26. Oct, 2006

    [...] Dangerous WP Plugins, 26 October 2006, 20:50. Technosailor is putting together a series that is not only interesting but also genuinely important, dealing with security in connection with WP plugins. [...]