October 10, 2006

WordPress Plugin Security: Dangerous Combinations

Posted by: Aaron Brazell

I have wrestled with this question since the last entry in this series about WordPress plugin security. Because I know this series will be used as a resource for the larger WordPress community, I think it is necessary to abstract these issues enough that average non-technical users can understand them, without singling out one or two issues while leaving others unaddressed.

What is a dangerous combination?

Plugins that depend on user permissions
Plugins that grant registered users the ability to do something should be scrutinized. With the advent of the WordPress 2.x series, many plugins that worked in the 1.5.x stream no longer worked as expected. This was because WordPress 1.5 used User Levels, a range of numbers from 0 to 10 that gave people various levels of access. In WordPress 2, user levels were deprecated in favor of Roles and Capabilities, which give people roles such as Administrator, Editor, Author, Contributor or Subscriber.

Plugins that rely on user permissions can incorrectly grant access to functionality that is best left to an administrator. For instance, a plugin could place a submenu in the admin panel under the Manage or Options page that grants access to other features in those areas. By default, WordPress restricts access to these pages to privileged users. A poorly written plugin could throw all of that away.
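The following is an added example (not code from the post or from any real plugin) showing the mistake described above beside its corrected form. The `widget_settings_*` function names and the `widget-settings` slug are assumptions made for the example; `add_options_page()`, `current_user_can()`, `check_admin_referer()` and `wp_nonce_field()` are real WordPress functions, and the escaping and sanitizing helpers used at the end come from WordPress releases later than the 2.x versions this post discusses.

```php
<?php
/*
Plugin Name: Widget Settings (added example, not a real plugin)
*/

// WEAK: registers the Options submenu for anyone holding the 'read' capability.
// Every registered user, Subscriber and up, has 'read', so every registered
// user sees and can use this page.
function widget_settings_menu_weak() {
    add_options_page( 'Widget Settings', 'Widgets', 'read',
                      'widget-settings', 'widget_settings_page' );
}

// HARDENED: only users who can manage options (Administrators by default)
// get the submenu at all.
function widget_settings_menu() {
    add_options_page( 'Widget Settings', 'Widgets', 'manage_options',
                      'widget-settings', 'widget_settings_page' );
}
add_action( 'admin_menu', 'widget_settings_menu' );

function widget_settings_page() {
    // Re-check inside the callback: the menu capability only controls visibility,
    // and a role-editing plugin may have handed the capability to an unexpected role.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'You do not have sufficient permissions to access this page.' );
    }

    if ( isset( $_POST['widget_color'] ) ) {
        // Reject forged or replayed form submissions (nonce issued below).
        check_admin_referer( 'widget-settings-save' );
        update_option( 'widget_color', sanitize_text_field( $_POST['widget_color'] ) );
        echo '<div class="updated"><p>Saved.</p></div>';
    }

    $color = esc_attr( get_option( 'widget_color', 'blue' ) );
    echo '<div class="wrap"><h2>Widget Settings</h2>';
    echo '<form method="post">';
    wp_nonce_field( 'widget-settings-save' );
    echo '<label>Color <input type="text" name="widget_color" value="' . $color . '" /></label> ';
    echo '<input type="submit" class="button-primary" value="Save" />';
    echo '</form></div>';
}
```

The two checks are deliberately separate: the capability passed to `add_options_page()` decides who sees the menu entry, while the `current_user_can()` call inside the page callback decides who can actually act, so a change to role definitions elsewhere cannot silently widen access to the form handler.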

Careless Use of Role Manager
Owen Winkler wrote a popular plugin called Role Manager which, as powerful and useful as it is (I use it on some blogs), increases the chance of opening up a backdoor for a malicious user. I love this plugin as it allows me the opportunity to tweak user access to WordPress functionality. It even allows me to create whole new roles, such as “Designer” that might give my designer access to the Presentation menu without granting full administrative privileges.

However, if I’m not careful, I could tweak permissions in such a way as to allow inappropriate access to areas of my blog. You may think that only a careless blogger allows anyone access to a blog. Some blogs legitimately restrict, say, commenting to registered users, and a registered user has access to a limited admin panel (mostly to change passwords and other user profile options). Use of the Role Manager plugin, in conjunction with item #1 above, plugins depending on user permissions, could open your blog up to a world of hurt.
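As an added example (not from the post and not the Role Manager plugin’s own code), here is a least-privilege “Designer” role of the kind described above, followed by an audit that reports which roles hold capabilities amounting to full control of the site. `add_role()`, `get_role()`, `$wp_roles` and `WP_Role::has_cap()` are real WordPress APIs; the `designer` role name and the `example_*` function names are assumptions made for the example.

```php
<?php
// Added example: a narrow custom role plus a role-capability audit.

// A least-privilege Designer role: enough to work in the Presentation (themes)
// menu, nothing that touches options, users, plugins or files. 'edit_themes' is
// left out on purpose: the theme editor writes PHP files, so granting it is
// effectively granting code execution.
function example_register_designer_role() {
    if ( get_role( 'designer' ) ) {
        return; // roles persist in the database; create the role only once
    }
    add_role( 'designer', 'Designer', array(
        'read'          => true,
        'switch_themes' => true,
    ) );
}
add_action( 'init', 'example_register_designer_role' );

// Capabilities that amount to site takeover if handed to the wrong role.
function example_sensitive_caps() {
    return array(
        'manage_options', 'edit_users', 'edit_plugins', 'activate_plugins',
        'edit_themes', 'edit_files', 'unfiltered_html', 'import',
    );
}

// Walk every defined role and return array( role_name => array( caps held ) ).
// An empty array for a role means it holds none of the sensitive capabilities.
function example_audit_roles() {
    global $wp_roles;
    $report = array();
    foreach ( $wp_roles->role_objects as $name => $role ) {
        $held = array();
        foreach ( example_sensitive_caps() as $cap ) {
            if ( $role->has_cap( $cap ) ) {
                $held[] = $cap;
            }
        }
        $report[ $name ] = $held;
    }
    return $report;
}

// Show the audit to administrators as a dashboard notice so that a permission
// tweak that widened, say, the Subscriber role is noticed rather than discovered later.
function example_print_role_audit() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    foreach ( example_audit_roles() as $name => $caps ) {
        if ( 'administrator' !== $name && ! empty( $caps ) ) {
            echo '<div class="error"><p>Role <strong>' . esc_html( $name )
               . '</strong> holds: ' . esc_html( implode( ', ', $caps ) ) . '</p></div>';
        }
    }
}
add_action( 'admin_notices', 'example_print_role_audit' );
```

Run the audit after every change made through a role editor: any non-administrator role that shows up in the notice has been given a capability that a permission-dependent plugin will happily honor.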

These are a few dangerous combinations. There are more and I could be even more specific. Maybe another post later on.

Table of contents for WordPress Plugin Security

  1. Understanding Implications of WordPress Plugin Security
  2. WordPress Plugin Security: The Golden Rule
  3. WordPress Plugin Security: What is Dangerous?
  4. WordPress Plugin Security: Dangerous Combinations
  5. WordPress Plugin Security: Less is More
About the Author: Aaron Brazell is the lead editor of Technosailor.com and a social media expert. His passion is to see companies and individuals use the internet and web technologies wisely and effectively to promote their brands and companies. He is Business Development Manager for Lijit and he worked as Director of Technology at b5media from 2005-2008 and is currently an independent consultant.
Posted at 11:17 pm
Mike Vincent, 15 hours ago:

Superb articles, Aaron. One point of interest. Perhaps it’s just me, but if you’re going to do a security article on the dangers of plugins, then why not inform people as such rather than ending with this: These are a few dangerous combinations. There are more and I could be even more specific. Maybe another post later on.

I, like many people, have been using WordPress for nearly four years now. I have a lot of plugins running, namely for spam and security. But I have to admit I’m none too comfortable with that situation. On several occasions I have come to the conclusion that there is something amiss on the blog, but I can’t quite put my finger on it. Things are not quite as they seem. Maybe it’s paranoid; then again, maybe something is amiss? Articles like yours are a necessary tool for people to sit up and take notice of the dangers that are around.

      Thanks for the articles and I will be keeping a close eye on your blog from now on as it is good to be informed :)

      Many thanks
License: Creative Commons Attribution-Noncommercial-Share Alike 3.0 | Copyright © 2004 - 2008 Aaron Brazell