Early last year (an eternity ago, it seems), I wrote a series on PHP security that continues to be one of the top recipients of search engine traffic. Specifically, we talked about register_globals, remote file execution and the dangers of FTP.
Yesterday, I posted details about a cross-site scripting (XSS) exploit in a popular WordPress plugin, which prompted Podz, support maven for WordPress, to challenge the WordPress development community to give something back by spelling out what makes plugins unsafe.
My goal is to tackle every one of his questions, each in its own dedicated post. As I publish a new article, I’ll link to it from here so that Podz and the rest of the good folks offering support have a single place to find my answers. Other developers may want to contribute to this exercise themselves, and I encourage them to do so.
This is a good exercise because most people think they will never get hacked: it won’t ever happen to me! WordPress as a blogging platform is a pretty secure piece of software; every once in a while a flaw is discovered and patched. However, the plugin hooks let anyone add arbitrary code to WordPress, and that code runs with the same access to the server, the database and the visitor’s browser as WordPress itself, so a single careless plugin can make a blog a very dangerous place indeed. Hopefully these posts will demystify plugins a bit and give average folks some clue as to what exactly they are installing when they activate a plugin.
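To make the point concrete, here is an added example (not code from the original post, and not any real plugin) of what a plugin hook looks like and how quickly it becomes an XSS hole. The plugin name, the function names and the `name` query parameter are all assumptions made for the illustration; the payload string is constructed for the demo. The escaping helper wraps PHP’s own `htmlspecialchars()`, which is what a safe version of the same hook needs to do before writing request data into the page.

```php
<?php
/*
Plugin Name: Hypothetical Greeting Footer
Description: Added example, not from the original post. Shows what a plugin
             hook is and how unescaped request data inside it becomes an XSS.
*/

// Encode a value for insertion into HTML text or a quoted attribute.
// ENT_QUOTES also converts single quotes, so the result is safe in both contexts.
function hyp_esc_html($value) {
    return htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
}

// Build the footer markup. $escape = false reproduces the vulnerable pattern:
// request data is concatenated straight into the page.
function hyp_render_greeting($name, $escape = true) {
    $shown = $escape ? hyp_esc_html($name) : $name;
    return '<p class="hyp-greeting">Hello, ' . $shown . '</p>';
}

// The hook. Once the plugin is active, WordPress calls this on every page that
// fires 'wp_footer'. $_GET['name'] is the "gateway": any visitor (or any link
// an attacker sends to the blog owner) controls it through the URL, e.g.
//   /?name=%3Cscript%3Ealert(document.cookie)%3C/script%3E
function hyp_greeting_footer() {
    $name = isset($_GET['name']) ? $_GET['name'] : 'visitor';
    echo hyp_render_greeting($name, true);
}

if (function_exists('add_action')) {
    // Running inside WordPress: register the hook like any other plugin.
    add_action('wp_footer', 'hyp_greeting_footer');
} else {
    // Running from the command line (php thisfile.php): show the difference
    // on a constructed payload instead of waiting for a browser to hit it.
    $payload = '<script>alert(document.cookie)</script>';
    echo "unescaped: " . hyp_render_greeting($payload, false) . "\n";
    echo "escaped:   " . hyp_render_greeting($payload, true) . "\n";
}
```

Run from the command line the unescaped line prints the script tag intact, which is exactly what a browser would execute; the escaped line prints `&lt;script&gt;...` as harmless text. Everything the plugin does after `add_action()` happens with the full privileges of the WordPress install, which is why a one-line mistake like the commented-out variant above is enough to expose every reader of the blog.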
The questions Podz asks are as follows:
- What is Dangerous?
- Is there a bad combination?
- What should we not mix?
- How can we tell what is good and bad?
- Can we test these plugins to find out?
- Who Should we trust and how do we know we can trust them?
- How much research is enough?
- Should we ever not use plugins?
- Is it a permissions problem every time?
- What is “Best Practice”?
- Which plugins do you think are bad? Why? Have you changed yours if you use it?
Some of these questions will get a fairly simple answer, while others will need more depth. I may even have a guest or two contribute. We’ll see…
Updates: Entries in the Series.
- WordPress Plugin Security: The Golden Rule
- WordPress Plugin Security: What is Dangerous?
- WordPress Plugin Security: Bad Combinations
- WordPress Plugin Security: Less is More
Table of contents for WordPress Plugin Security
- Understanding Implications of WordPress Plugin Security
- WordPress Plugin Security: The Golden Rule
- WordPress Plugin Security: What is Dangerous?
- WordPress Plugin Security: Dangerous Combinations
- WordPress Plugin Security: Less is More

About the Author: Aaron Brazell is the lead editor of Technosailor.com and a social media expert. His passion is to see companies and individuals use the internet and web technologies wisely and effectively to promote their brands and companies. He is the Director of Technology at b5media and is available for consulting.
This is why I keep my plugins as simple as possible. Obviously it’s not possible to prevent everything in advance, but XSS and the like are low-hanging fruit: anybody writing code should understand them and be able to defend their code from them.
Perhaps it should be suggested to plugin authors that they request a security review via the forum or IRC? I’m not sure about the forum as I don’t participate, but I know there are more than enough people who can check plugin security on the wp-hackers list and in #wordpress on freenode.
[...] As promised, today I begin an open-ended series on WordPress plugin security. How do you know what is secure? What telltale signs there might be? How to train an untrained eye on code? But before we begin, we must establish a premise. [...]
[...] Earlier this week, I began a series on WordPress plugin security. We established that the golden rule of web security is to check the “gateways”. That is, watch the areas of a website that an attacker can use to send data to your website. I’d like to elaborate more on this today. [...]
[...] I have wrestled with this question since the last entry in this series about WordPress plugin security. As I know this series will be used as a resource for the larger WordPress community, I think it’s necessary to abstract these issues enough that average non-technical users can understand, and in a way that doesn’t single out one issue or two while leaving others unaddressed. [...]
[...] As I continue in my ongoing series on plugin security for WordPress, I’m going to diverge off the mapped out route and organically grow this series a little more. Hopefully it suits WordPress users everywhere. To reiterate, this series is designed for the non-developer, the “average guy” so to speak. Security is a mystifying area but it requires a good bit of demystifying. [...]
[...] Dangerous WP Plugins (Gefährliche WP-Plugins), 26 October 2006, 20:50: Technosailor is putting together a series that is not only interesting but also genuinely important, dealing with security in connection with WP plugins. [...]