WordPress Plugin Security: The Golden Rule

As promised, today I begin an open-ended series on WordPress plugin security. How do you know what is secure? What tell tale signs might there be? How to train an untrained eye on code? But before we begin, we must establish a premise.

There are many kinds of security vulnerabilities. The most common vulnerabilities today lie in cross-site scripting, also known as XSS. Cross site scripting is generically defined as allowing malicious content into a site. Wikipedia defines XSS as, “Cross site scripting (XSS) is a type of computer security exploit where information from one context, where it is not trusted, can be inserted into another context, where it is. From the trusted context, an attack can be launched.” This is still somewhat mysterious. Injection would be a better term because an XSS vulnerability is exploited by “injecting” malicious code, usually javascript, into a website.

The golden rule of web security, and by proxy, WordPress plugin security pertains to areas of a website that I refer to as “gateways”. Any place that allows information to come into a website is, by definition, vunlnerable. If a plugin developer has taken appropriate security measures, vulnerable areas are not dangerous. However, without precautions, these gateways are very dangerous. We’ll talk more about these precautions in the future. For now, any place (for instance, URLs, polls, form fields, etc) that allows the user to interact with a website is by nature dangerous. These are gateways to a website and they must be protected.

• 
• Stumble it!

About the Author: Aaron Brazell is the lead editor of Technosailor.com and a social media expert. His passion is to see companies and individuals use the internet and web technologies wisely and effectively to promote their brands and companies. He is Business Development Manager for Lijit and he worked as Director of Technology at b5media from 2005-2008 and is currently an independent consultant.