WordPress Plugin Security: Less is More
As I continue my ongoing series on plugin security for WordPress, I’m going to diverge from the mapped-out route and let this series grow a little more organically. Hopefully it suits Podz and WordPress users everywhere. To reiterate, this series is designed for the non-developer, the “average guy” so to speak. Security is a mystifying area, but it is one that needs a good bit of demystifying.
Tangent here: I was talking to my wife about this concept the other night. I was lost in thought trying to grab my thoughts on plugin security and attempting to post a useful entry. It was hard and we ended up talking about it. See, she is technically illiterate when it comes to this stuff. She understands bugs and the fact that there are flaws in programs. She’s been with me since I started down the development road six years ago. She knows when I say that something has a flaw that it is a bad thing. But she has no idea what is a flaw, nor could she identify one if it was staring her in the face. In other words, she is the perfect target audience.
But somehow I don’t think I’m doing a good job because her eyes still glaze over when I talk about XSS or spam attacks. It doesn’t compute. So I tangent a little more in the series and take a different tack.
There are quite a few people I know who set up WordPress for the first time so they can get into blogging. Many have never blogged before and are amateurs with code. Others I know come to WordPress from another system because they’ve heard about the world-class support, the easy-to-use interface and, yes, the plethora of plugins available. Sounds like an excellent pot of gold at the end of the rainbow, right? Especially for people emerging from “plugin hell” on the Movable Type platform.
Generally the first thing I’m asked, as the resident WP “expert”, is “Where do I get good plugins?”, to which I respond, “Uhhh, to do what?” :-) (I’m just being honest!) There are a couple of things to know about plugins. First, plugins should be used to meet a need, and second, plugins should be used in moderation.
Plugins Should Meet Need
The easiest thing for a new WordPress user to do is go crazy looking for plugins to install. It reminds me of junior high school, when the girls “personalized” their notebooks and bookbags. I’m dating myself here, but does anyone remember “NKOTB Rule” or “JK + {insert girl’s initials} = <3 4-EVER”? :-) Yes, I’m scarred from junior high. People do the same thing with their blogs: the first thing they do is start customizing and adding features.
Stop.
Plugins should meet a need. Do you need that gizmo or doohickey? Maybe. Maybe not. See, every time a plugin is activated, it creates another vector of attack: the plugin’s code runs as part of your site, so any flaw in the plugin is a flaw in your site. That doesn’t mean an attack will succeed. It just means an attacker has one more door to try. If you don’t need a plugin, don’t activate it. Likewise, if you stop using a plugin, deactivate it.
Plugins Should be Used in Moderation
Following up on that point, plugins should be used sparingly. Depending on my needs, it’s not uncommon for a blog I set up to have only 3-4 plugins. The more plugins in use, the more avenues of attack, right? (Additionally, if a plugin lets you put stuff in your template, you may just be cluttering your blog, but that’s a different issue: an aesthetic one.)
So what recommendations do you have for the use of plugins?



(Oooo, you fixed your comments template. Nice!)
I’ve got maybe 15 active plugins, but I need all those features. :)
My recommendation is what it always was: Concentrate on writing content; that is, after all, the whole point of the blog! All the bells and whistles can come later.
Yep, I fixed it just because you wouldn’t leave me alone. ;)
I agree with you. Sometimes bloggers do stuff just because they can and that’s not always the best (or safest) approach.
The only plugins I’m really interested in are the ones that stop site spam. Anything else is just fluff that I could do without (in most cases).
/me points (again) to Akismet
:-)
You’ll also need Bad Behavior. :)
How did I know that was coming? :-)
And Michael, where can she download Bad Behavior? ;-)
Why, where else? You hit Google’s I’m Feeling Lucky button.
You’ll also need Bad Behavior.
You rang?
I’d sure like to customize my blog. I’d change the colors, create a new survey (thanks to your new improved plugin), and include a sidebar feed of other technology related b5media blogs: a grabbag so people could hop over to the microsoft weblog, etc.
The other thing I do (apart from minimising installed plugins) is maintain a bookmarks folder of all the plugins I’ve got installed on one blog or another.
I also have a monthly calendar item to remind me to go through and check them all, to see if the version matches the one I have installed, and see if they’ve made any mention of security issues.
I probably won’t catch something right away, but I will catch it eventually. Hopefully before something gets terminally compromised :)
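The monthly inventory-and-version check described in the comment above, combined with the post’s advice to deactivate what you don’t use, can be turned into a small audit script. The following is an added example, not code from the post or from any of the commenters. It assumes a plugin inventory in the JSON shape produced by the WP-CLI command `wp plugin list --format=json` (fields name, status, update and version; that field layout is an assumption), and it goes one step beyond the post by flagging inactive plugins for deletion rather than mere deactivation, since an inactive plugin’s files remain on disk until they are removed. The inventory embedded below is constructed sample data with made-up plugin names and versions.

```python
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    plugin: str
    action: str   # "update", "delete" or "review"
    reason: str


# Constructed sample inventory (made-up plugin names and versions), shaped
# like the JSON emitted by `wp plugin list --format=json`; the field names
# name/status/update/version are an assumption about that output.
SAMPLE_INVENTORY = json.dumps([
    {"name": "akismet",         "status": "active",   "update": "none",      "version": "1.0.0"},
    {"name": "bad-behavior",    "status": "active",   "update": "available", "version": "1.0.0"},
    {"name": "survey-widget",   "status": "active",   "update": "none",      "version": "0.9.1"},
    {"name": "old-photo-album", "status": "inactive", "update": "available", "version": "0.3.0"},
    {"name": "hello",           "status": "inactive", "update": "none",      "version": "1.5.0"},
])

# Lower number = deal with it first: an outdated active plugin is the most
# urgent, dead code is next, the overall plugin count is a judgement call.
PRIORITY = {"update": 0, "delete": 1, "review": 2}


def audit_plugins(inventory_json: str, max_active: int = 4) -> list[Finding]:
    """Turn a plugin inventory into a prioritised to-do list.

    * status "inactive"  -> "delete": the plugin does nothing for the site,
                             but its files are still on disk (deactivating
                             is not the same as removing)
    * update "available" -> "update": an old version lacks whatever fixes
                             the author has published since
    * more than max_active active plugins -> "review": every active plugin
                             is one more entry point, so the list itself
                             deserves a second look (max_active is the
                             budget you set for yourself)
    """
    plugins = json.loads(inventory_json)
    findings: list[Finding] = []

    for p in plugins:
        if p["status"] == "inactive":
            findings.append(Finding(p["name"], "delete",
                                    "installed but inactive; unused code is pure attack surface"))
        elif p.get("update") == "available":
            findings.append(Finding(p["name"], "update",
                                    f"version {p['version']} is behind the current release"))

    # "active" and "active-network" (multisite) both count as running code
    active = [p for p in plugins if p["status"].startswith("active")]
    if len(active) > max_active:
        findings.append(Finding("(all)", "review",
                                f"{len(active)} active plugins exceeds your budget of {max_active}"))

    # sort is stable, so plugins keep inventory order within each action
    findings.sort(key=lambda f: PRIORITY[f.action])
    return findings


def format_report(findings: list[Finding]) -> str:
    """One line per finding, e.g. 'UPDATE bad-behavior: version 1.0.0 is ...'."""
    if not findings:
        return "nothing to do: every installed plugin is active and current"
    return "\n".join(f"{f.action.upper():6} {f.plugin}: {f.reason}" for f in findings)


if __name__ == "__main__":
    print(format_report(audit_plugins(SAMPLE_INVENTORY)))
```

To run it against a real site, save the output of `wp plugin list --format=json` to a file and pass the file’s contents to `audit_plugins` in place of the sample; if your WP-CLI version names the fields differently, adjust the four keys in one place. The `max_active` budget is deliberately a parameter: the post’s 3-4 plugins is a habit, not a rule, and the point of the "review" finding is only to make you look at the list.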
Great articles ;)
Any complaint about a translation to Spanish (Spain) on my blog?