As I continue my ongoing series on plugin security for WordPress, I’m going to diverge from the mapped-out route and let this series grow a little more organically. Hopefully it suits Podz and WordPress users everywhere. To reiterate, this series is designed for the non-developer, the “average guy” so to speak. Security is a mystifying area, and it needs a good bit of demystifying.
Tangent here: I was talking to my wife about this concept the other night. I was lost in thought trying to grab my thoughts on plugin security and attempting to post a useful entry. It was hard and we ended up talking about it. See, she is technically illiterate when it comes to this stuff. She understands bugs and the fact that there are flaws in programs. She’s been with me since I started down the development road six years ago. She knows when I say that something has a flaw that it is a bad thing. But she has no idea what is a flaw, nor could she identify one if it was staring her in the face. In other words, she is the perfect target audience.
But somehow I don’t think I’m doing a good job, because her eyes still glaze over when I talk about XSS or spam attacks. It doesn’t compute. So I’ll tangent a little more in this series and take a different tack.
There are quite a few people I know who set up WordPress for the first time so they can get into blogging. Many have never blogged before and are amateurs with code. Others I know come to WordPress from another system because they’ve heard about the world-class support, the easy-to-use interface and, yes, the plethora of plugins available. Sounds like an excellent pot of gold at the end of the rainbow, right? Especially for people emerging from “plugin hell” on the Movable Type platform.
Generally the first thing I’m asked as the resident WP “expert” is, “Where do I get good plugins?” to which I respond, “Uhhh, to do what?” :-) (I’m just being honest!) There are a couple of things to know about plugins. First, plugins should be used to meet needs, and second, plugins should be used in moderation.
Plugins Should Meet Need
The easiest thing for a new WordPress user to do is go crazy looking for plugins to install. It reminds me of junior high school, when the girls “personalized” their notebooks and bookbags. I’m dating myself here, but does anyone remember “NKOTB Rule” or “JK + {insert girl’s initials} = <3 4-EVER”… :-) Yes, I’m scarred from junior high. People do the same thing with their blogs. The first thing they do is start customizing and adding features.
Stop.
Plugins should meet a need. Do you need to have that gizmo or doohickey? Maybe. Maybe not. See, every time a plugin is activated, it creates another vector of attack. That doesn’t mean an attack will be successful. It just means an attacker has one more door to try to get in through. If you don’t need that plugin, don’t activate it. Likewise, if you stop using a plugin, deactivate it.
Plugins Should be Used in Moderation
Following up on that point, plugins should be used sparingly. Depending on my needs, it’s not uncommon for a blog I set up to have only 3-4 plugins. The more plugins used, the more avenues of attack, right? (Additionally, if a plugin lets you put stuff in your template, you may just be cluttering your blog more, but that’s a different issue… an aesthetic issue.)
So what recommendations do you have for the use of plugins?

About the Author: Aaron Brazell is the lead editor of Technosailor.com and a social media expert. His passion is to see companies and individuals use the internet and web technologies wisely and effectively to promote their brands and companies. He served as Director of Technology at b5media from 2005-2008 and is currently an independent consultant.
(Oooo, you fixed your comments template. Nice!)
I’ve got maybe 15 active plugins, but I need all those features. :)
My recommendation is what it always was: Concentrate on writing content; that is, after all, the whole point of the blog! All the bells and whistles can come later.
Yep, I fixed it just because you wouldn’t leave me alone. ;)
I agree with you. Sometimes bloggers do stuff just because they can and that’s not always the best (or safest) approach.
The only plugins I’m really interested in are the ones that stop site spam. Anything else is just fluff that I could do without (in most cases).
/me points (again) to Akismet
:-)
You’ll also need Bad Behavior. :)
How did I know that was coming? :-)
And Michael, where can she download Bad Behavior? ;-)
Why, where else? You hit Google’s I’m Feeling Lucky button.
You’ll also need Bad Behavior.
You rang?
I’d sure like to customize my blog. I’d change the colors, create a new survey (thanks to your new improved plugin), and include a sidebar feed of other technology-related b5media blogs: a grab bag so people could hop over to the Microsoft weblog, etc.
The other thing I do (apart from minimising installed plugins) is maintain a bookmarks folder of all the plugins I’ve got installed on one blog or another.
I also have a monthly calendar item to remind me to go through and check them all, to see if the version matches the one I have installed, and to see if they’ve made any mention of security issues.
I probably won’t catch something right away, but I will catch it eventually. Hopefully before something gets terminally compromised :)
Great articles ;)
Any complaint about a translation to Spanish (Spain) on my blog?