WordPress Plugin Security Issues

Over on Weblog Tools Collection, Jeffro recently posted about Dean’s Permalink Migration Plugin, which has a bug that can allow an attacker to force a user into performing an unsolicited action, letting the attacker gain valid credentials, or basically, access to your blog.

While someone stepped up to the plate and released a new, fixed version after the original author couldn’t be contacted, it still brings up the issue of continued WordPress plugin security.

As WordPress moves closer to the new 2.5 release, due out this spring, will the plugin authors who develop the plugins we have come to depend on continue to support and develop their work so that the community can continue to benefit, or will new plugin authors have to step in to fill that role?

Who is responsible for the security of the plugins created? When will the WordPress community demand a group of standards to help improve the security of both WordPress plugins and themes?

I hope this issue is dealt with long before the next major version of WordPress. And while I hate to give Automattic more power and control over the WordPress open source project, I do think that they are the best suited to step up and hire someone to organize and check over WordPress plugins submitted to the plugin directory on WordPress.org.

I want to make this clear, though: I don’t think the person from Automattic should become responsible for security issues related to plugins, but another set of eyes, focused on finding security issues, could help save many blogs from problems down the road.

3 thoughts on “WordPress Plugin Security Issues”

  1. JamieO

    Perhaps Automattic *should* bring key plugin support into the code base to ensure that they receive the proper level of support required? If WP came with a set of plugins available for activation ‘out of the box’, which they agreed to support, that might be beneficial to a lot of users.

    That – in a way – happened to the Tag Warrior plugin, which offered tag cloud functionality before WP did. Although it sucks to think that if you’re too successful – in this hypothetical – your future user base will be consumed by the mothership.

  2. David

    JamieO – I would love to see Automattic taking responsibility for some key plugins. Maybe even just the top 10 downloaded ones from the current WordPress.org/extend/plugins. That would be life-changing for many businesses and regular bloggers.

    As for being consumed by the mothership: in one way, I do agree with you, but that’s part of the fun (or problem) when contributing to an open source project.

    I think that WordPress added tagging just as much to remain competitive as because of its popularity among WordPress users.

  3. Steven Snell

    I don’t think WP or Automattic is necessarily obligated to manage this, but if it is listed in their own directory it would be nice if you could have some assurance that it is safe. This is just one reason why I think it’s good to not use plugins excessively.
