Plugins…..
02:11 Saturday 23 Sep 06
Aaron Brazell has posted that a certain WP plugin has a vulnerability. The plugin has been fixed and a new release is here. I commented over there twice and asked what I consider to be two fair questions. I was subscribed to the comments so returned when some were made. This comment sticks out:
These plugins can be very dangerous. I think the WordPress culture is to install as many plugins as possible without doing a ton of research.
The guy that said that runs a WP blog. He also runs K2 and from what I know of K2 it has a fair share of javascript in it. That js will be perfectly safe because it’s been written by guys who know their stuff – but I’ll bet that 99% of users of that theme do not know js that well. But they do not need to because they trust the authors. A lot of people trust plugin authors because they don’t know PHP. I pointed out that statement above in #wordpress and someone said they broadly agreed. Fair enough – it was a coder who broadly agreed. So what we have is two people who know code saying plugins can be dangerous. I think that’s a bad thing to say without quantifying it.
- What is dangerous?
- Is there a bad combination?
- What should we not mix?
- How can we tell what is good and what is bad?
- Can we test these plugins to find out?
- Who should we trust, and how do we know we can trust them?
- How much research is enough?
- Should we never use plugins at all?
- Is it a permissions problem every time?
- What is “Best Practice”?
- Which plugins do you think are bad? Why? Have you changed yours if you use it?
The questions above matter because blanket statements are not helpful. They also matter because the people doing support for the product will be on the receiving end of the “Are they dangerous?” questions. It is they who spend the time helping, and it is they who should be armed with the knowledge to advise and even try to make the situation better.
So for those coders who think that “These plugins can be very dangerous” here’s a challenge: Answer at least all of my questions above. Write it so forum helpers and others can use the knowledge positively. Write it to show you know. Write it to benefit WordPress. Improve the culture. Blog it.
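To give the “What is dangerous?” question one concrete answer, here is an added example written for this page. It is not code from the original post, from the plugin Aaron Brazell wrote about, or from any real plugin. It shows the commonest plugin defect of the kind the thread mentions (a reflected cross-site scripting bug: request input echoed straight into the page) next to the hardened form, plus a crude line-by-line check a forum helper could run over a plugin’s source. The request value and the plugin excerpt are constructed inline; the list of escaping functions the check accepts is an assumption and would need extending for any real plugin.

```php
<?php
// Added example for this page; not from the original post or any real plugin.

// Constructed stand-in for $_GET['s']. In a real attack this value would be
// carried in a link that the victim is persuaded to click.
$constructed_get = array('s' => '"><script>alert(document.cookie)</script>');

// Vulnerable pattern: the request value is trusted and written into an
// HTML attribute as-is, so the closing quote in the input ends the attribute
// and the rest is interpreted as markup.
function search_box_vulnerable(array $get)
{
    $term = isset($get['s']) ? $get['s'] : '';
    return '<input type="text" name="s" value="' . $term . '" />';
}

// Hardened pattern: the value is escaped for the context it lands in.
// ENT_QUOTES covers attributes delimited by either quote style.
function search_box_safe(array $get)
{
    $term = isset($get['s']) ? $get['s'] : '';
    $term = htmlspecialchars($term, ENT_QUOTES, 'UTF-8');
    return '<input type="text" name="s" value="' . $term . '" />';
}

// Crude review aid: flag lines that print a request variable without an
// escaping or casting call on the same line. The accepted function names
// (including WordPress's own helpers) are an assumed, incomplete list; treat
// every hit as something to read, not as proof of a bug.
function flag_unescaped_output($source)
{
    $hits = array();
    foreach (explode("\n", $source) as $n => $line) {
        $prints_request = preg_match(
            '/\b(echo|print)\b.*\$_(GET|POST|REQUEST|COOKIE)\b/', $line);
        $escaped = preg_match(
            '/htmlspecialchars|wp_specialchars|attribute_escape|intval|\(int\)/', $line);
        if ($prints_request && !$escaped) {
            $hits[] = ($n + 1) . ': ' . trim($line);
        }
    }
    return $hits;
}

echo "Vulnerable output:\n" . search_box_vulnerable($constructed_get) . "\n\n";
echo "Hardened output:\n" . search_box_safe($constructed_get) . "\n\n";

// Constructed plugin excerpt to run the check against: line 2 is unsafe,
// lines 3 and 4 escape or cast the value and are not reported.
$constructed_plugin = <<<'PHP'
<?php
echo '<p>Results for ' . $_GET['s'] . '</p>';
echo '<p>Results for ' . htmlspecialchars($_GET['s'], ENT_QUOTES) . '</p>';
echo intval($_GET['paged']);
PHP;

foreach (flag_unescaped_output($constructed_plugin) as $hit) {
    echo "possible unescaped output at line $hit\n";
}
```

Run it with `php` on the command line. The vulnerable function returns markup in which the injected script tag is live; the safe one returns the same input as harmless `&quot;&gt;&lt;script&gt;…` text; the check reports only line 2 of the constructed excerpt. The point for the question list above is that “dangerous” here is not the plugin system or a permissions problem, it is a single missing escaping call, which is exactly the kind of thing a non-PHP user cannot see and a coder can.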
1
’s been written by guys who know their stuff – but I’ll bet that 99% of users of that theme do not know js that well. But they do not need to because they trust the authors. […] Original post by Mark
23:11 Friday 22 Sep 06
2
[...] Yesterday, I posted details about a cross-site scripting (XSS) exploit in a popular WordPress plugin which prompted Mark, support maven for WordPress, to challenge the WordPress development community to contribute back to the community by detailing what makes plugins unsafe. [...]
18:18 Saturday 23 Sep 06
3
This is a perfect example of what your post asks people not to do. Your post is excellent and the questions are very relevant for people not involved in the development effort.
And the above comment, coming from Matt, is even worse since he is the administrator/creator of WP and he should be more responsible, especially after making WP a community effort. Such attitude sucks and will turn off potential plugin writers :(
09:31 Monday 25 Sep 06
4
Follow-up to the above trac ticket. I think Skippy makes a very fair point.
PS. I am in no way associated with Skippy except as a very pleased and thankful user of his excellent plugin.
09:33 Monday 25 Sep 06
5
aJ – I have no problem with the core code. Never have. I have no particular problem with plugins either. I made the above post in response to a quote on Technosailor’s blog and it was directed very carefully at “those that code”. Notice how so far only Technosailor has taken up the challenge….
Skippy has one point, Matt has another, and I think all hosts should allow cron jobs. Any plugin that requires regular user action will fail that user at some point – people just do not take enough backups. That’s not a plugin fault, it’s inertia, and yes it applies to the new XML feature too.
Like I said though, I do not have a problem with core code – there are too many people picking holes. You want to have a pop about this? Go poke the guy who called it a ‘security nightmare’ – I have dozens of people who call on me for services and Skippy’s plugin has never been an issue.
As for the change? Like Matt says, it will happen again with something and the forums will still recommend it.
09:54 Monday 25 Sep 06
6
[...] WordPress support maven, Mark, asks on his blog, “What is Dangerous?” [...]
17:06 Thursday 28 Sep 06
7
[...] What is a dangerous combination? [...]
04:17 Wednesday 11 Oct 06
8
[...] As I continue in my ongoing series on plugin security for WordPress, I’m going to diverge off the mapped out route and organically grow this series a little more. Hopefully it suits Mark and WordPress users everywhere. To reiterate, this series is designed for the non-developer, the “average guy” so to speak. Security is a mystifying area but it requires a good bit of demystifying. [...]
18:57 Thursday 12 Oct 06
9
[...] diverge off the mapped out route and organically grow this series a little more. Hopefully it suits Mark and WordPress users everywhere. To reiterate, this series is designed for the non-developer, the [...]
05:04 Monday 23 Apr 07
10
[...] WordPress support maven, Podz, asks on his blog, “What is Dangerous?” [...]
20:02 Saturday 29 Nov 08
11
[...] What is a dangerous combination? [...]
20:14 Saturday 29 Nov 08