Early last year (an eternity ago, it seems), I wrote a series on PHP security that continues to be one of the top recipients of search engine traffic. Specifically, we talked about register_globals, remote file execution and the dangers of FTP.
Yesterday, I posted details about a cross-site scripting (XSS) exploit in a popular WordPress plugin, which prompted Podz, support maven for WordPress, to challenge the WordPress development community to contribute back by detailing what makes plugins unsafe.
My goal is to tackle every one of his questions in a post dedicated to each question. As I post a new article, I’ll link to it from here so Podz and the rest of the good folks offering support can have a centralized location to find my answers. There may be other developers out there who will contribute to this exercise themselves, and I encourage them to do so.
This is a good exercise because most people think they will never get hacked. It won’t ever happen to me! WordPress as a blogging platform is a pretty secure piece of software. Every once in a while, a flaw is discovered and patched. However, the plugin hooks allow anyone to write any code and add it to WordPress, which can make a blog a very dangerous place indeed. Hopefully these posts will demystify plugins a bit and give average folks some clues as to what exactly they are installing when they activate a plugin.
The questions Podz asks are as follows:
- What is Dangerous?
- Is there a bad combination?
- What should we not mix?
- How can we tell what is good and bad?
- Can we test these plugins to find out?
- Who Should we trust and how do we know we can trust them?
- How much research is enough?
- Should we ever not use plugins?
- Is it a permissions problem every time?
- What is “Best Practice”?
- Which plugins do you think are bad? Why? Have you changed yours if you use it?
Some of these questions will be answered overly simplistically, while others will get a more in-depth treatment. I may even have a guest or two contribute. We’ll see…
Updates: Entries in the Series.
- WordPress Plugin Security: The Golden Rule
- WordPress Plugin Security: What is Dangerous?
- WordPress Plugin Security: Bad Combinations
- WordPress Plugin Security: Less is More
Table of contents for WordPress Plugin Security
- Understanding Implications of WordPress Plugin Security
- WordPress Plugin Security: The Golden Rule
- WordPress Plugin Security: What is Dangerous?
- WordPress Plugin Security: Dangerous Combinations
- WordPress Plugin Security: Less is More