As promised, today I begin an open-ended series on WordPress plugin security. How do you know what is secure? What tell tale signs might there be? How to train an untrained eye on code? But before we begin, we must establish a premise.
There are many kinds of security vulnerabilities. The most common vulnerabilities today lie in cross-site scripting, also known as XSS. Cross site scripting is generically defined as allowing malicious content into a site. Wikipedia defines XSS as, “Cross site scripting (XSS) is a type of computer security exploit where information from one context, where it is not trusted, can be inserted into another context, where it is. From the trusted context, an attack can be launched.” This is still somewhat mysterious. Injection would be a better term because an XSS vulnerability is exploited by “injecting” malicious code, usually javascript, into a website.
The golden rule of web security, and by proxy, WordPress plugin security pertains to areas of a website that I refer to as “gateways”. Any place that allows information to come into a website is, by definition, vunlnerable. If a plugin developer has taken appropriate security measures, vulnerable areas are not dangerous. However, without precautions, these gateways are very dangerous. We’ll talk more about these precautions in the future. For now, any place (for instance, URLs, polls, form fields, etc) that allows the user to interact with a website is by nature dangerous. These are gateways to a website and they must be protected.
{ 1 trackback }
Comments on this entry are closed.