Duncan's Security Blog An enthusiasts musings

29Feb/160

WordPress plugin security

The WordPress framework makes it very convenient for website owners(both novice and experienced) to extend the core functionality by adding plugins. The trouble is, installing plugins could potentially increase the websites attack surface. In this post, I will discuss the reasons, and how to limit exposure.

WordPress does a good job of securing its framework(the core code), most often releasing security fixes within 24 hours of discovery. Securing the web server, and following good development practice though, is ultimately left to the website owner/maintainer. While WordPress does produce(and maintain) some plugins of their own, they are not responsible for the code of 3rd party plugins.

3rd party plugins
3rd party plugins can be made by anyone: individual, or company. While a company will typically continue to support their plugin(whether it is paid, or free), an individual may not. It is worth noting when last a plugin was updated, before installing it. If possible, it would be even more beneficial to see if the developer intends on maintaining the code(with bug fixes, or additional functionality). Security fixes are especially of concern here: if the code will not be maintained, then using the plugin will leave you indefinitely vulnerable.

Furthermore, be aware that you are essentially installing code from strangers(including companies). It would be beneficial to attempt to establish some kind of assurance that the developers are credible. Any assurance would of course be discretionary, but a little digging could be unsettling enough to look at an alternate option.

Guidelines for using plugins on WordPress
With that in mind, here are some guidelines to follow when considering installing a new plugin.

Install the minimum amount of 3rd party plugins needed. Ask yourself, "Do I really need what this plugin will give me?". The more plugins installed, the greater the chance that one of them could be used to compromise your website. I personally don't believe that most 3rd party code is intentionally vulnerable, but I certainly believe that some of it could be. There are plenty of developers with good intentions, contributing their useful plugins to the community. However good intentions do not mean the developer has taken security into consideration(or perhaps they do not know how).

Check the plugin for known vulnerabilitiesThankfully, there are online databases which keep record of known WordPress vulnerabilities. My personal favourite, is wpvulndb. Wpvulndb has a nice interface for checking not only plugins, but also themes and WordPress itself. Any plugin you are thinking of installing, should be checked against this database. In addition, all your existing plugins should be checked, and rechecked on at least a monthly basis. There some plugins that offer to check automatically against wpvulndb for you(via an API), but I have not used them(e.g. Vulnerabilities check, and Plugin security scanner. In theory, their use would be helpful.

If it's not activated, delete it. This goes for themes, too. If the plugin is not in use, then remove it from your webserver. Plugins exist as files on your webserver. If not deleted, they will remain there and could be forgotten. If a vulnerability is discovered in this unused plugin, an attacker could potentially access it directly from its location on your webserver.

Trust, but verify. As already mentioned, you should attempt to verify the credibility of the plugin developer. By this, I dont mean harassing the developer, hoping for a confession. I mean look at their previous work(does it look dodgy?), look at their activity(Recent updates? users complaining of no support?). A personal or company blog is often a good place to start, if one exists. One thing to note, however, is that just because a plugin has not been updated in a while, doesn't mean it is a problem. It may not have had any updates, because none were needed(the plugin ratings should help with this). You will never be able to fully verify a developer. As long as you are content with your analysis, thats as close as you will get.

Keep your plugins updated. As with all security guidelines, I will suggest keeping your plugins updated. This will ensure that any available fixes have always been installed. Since 80% of WordPress updates are security related, it is in your best interest to update when possible. Remember, that a security vulnerability may not just be something that allows an attacker access to your data. It could also be something that affects the performance and/or availability of your website.

 

The above guidelines will not guarantee the safety of your website, but they will go a long way toward understanding and limiting the risks associated with using WordPress plugins. Feel free to provide your comments below.

 

Please note: This article is written in the context of a WordPress implementation(specifically for private users or small companies), and not meant as general guidelines for using 3rd party code. In the case of a larger company(and for other use cases outside of WordPress), vetting the code and provider would include a more comprehensive analysis, most commonly site visits, code reviews, penetration tests etc.

 

 

Facebooktwitterredditpinterestlinkedinmail