Overall Status Of WordPress Security Among Popular Plugins

I have been a programmer for many years now and I recently came across a site that offers what I consider to be a major improvement to WordPress security concerns from the viewpoint of the plugin developer.

CheckMarx.com is a company that offers the ability to check source code for potential hacking vulnerabilities BEFORE the code is put into a production environment.

Being able to test for security issues before the public gets hold of your source code is a considerable advantage for overall site security: you can often avoid zero-day attacks that stem from a piece of code that looked quite innocent when you wrote it.

But why CheckMarx?

CheckMarx has been quite busy keeping track of WordPress plugins over the last year or so. In fact, they published an extensive report, “The Security State of WordPress’ Top 50 Plugins”, on July 18th, 2013, detailing a number of issues that are quite concerning for the WordPress community. (Check out the graphic at the end of the post.)

In addition to the report by CheckMarx, Jeffro over at WordPress Tavern did quite a nice write up on the topic, located here: http://www.wptavern.com/disturbing-report-on-wordpress-plugin-security.

Here are a few key points of that post:

  • The research in this survey has nothing to do with the core security of WordPress but rather, the plugins available for it.
  • Checkmarx concluded that more than 20% of the 50 most popular WordPress plugins were vulnerable to common web attacks such as SQL injection.
  • The report revealed that 7 out of the 10 most popular e-commerce plugins for WordPress contained vulnerabilities.
  • They researched these top 5 types of vulnerabilities:
    • SQL Injection (SQLi) – unsafe SQL query construction
    • Cross Site Scripting (XSS) – injected scripts used to bypass admin controls
    • Cross Site Request Forgery (CSRF) – forged admin requests
    • Remote/Local File Inclusion (RFI/LFI) – inclusion of uploaded malicious files
    • Path Traversal – access to and mapping of all hosted files
  • Only six of the 50 plugins scanned in January were completely fixed during the six-month period between scans.

The report from Checkmarx goes into much greater detail and should definitely be read if you develop WordPress plugins. As with any security issue, Checkmarx, WordPress Tavern and I all agree that, as users, you should follow these best practices to help ensure your security:

WordPress Plugin Security Best Practices

  1. Get your WordPress plugins from reputable sources: WordPress.org or a trusted merchant.
  2. Do your own security testing of plugins, for example with the Exploit Scanner plugin or the security plugins we use.
  3. Use text search tools to check for unwanted Base64 encoding (grep on Unix, WinGrep on Windows).
  4. Keep plugins up to date, which is why we make sure to post updates for the common plugins we use.
  5. Remove unused plugins. Get rid of stuff you're not using.
  6. Replace outdated plugins. This applies to every plugin: if an author hasn’t supported one for a couple of years, find a replacement, because that old code could contain many security holes.
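As an added example (not code from this post, from WordPress Tavern or from Checkmarx, whose scanner does far more than this), here is the kind of grep-based review pass that best practices 2 and 3 call for, extended to cover the five vulnerability classes listed earlier. It builds two constructed sample plugins under a temporary directory, one written carelessly and one using the WordPress APIs that close the same holes, and prints one finding per suspicious line. The sample files, the pattern set and the function names are all assumptions made for this example; every hit is a prompt for manual review, not proof of a vulnerability, and clean output is not proof of safety.

```shell
#!/bin/sh
# Added example, not code from the post or from Checkmarx: a grep-based
# review pass over a plugin directory. Heuristic and line-based only.

# Create the constructed sample plugins under $1.
make_sample_plugins() {
    mkdir -p "$1/risky-plugin" "$1/careful-plugin"
    cat > "$1/risky-plugin/risky-plugin.php" <<'EOF'
<?php
// Constructed sample showing the patterns a reviewer should flag.
global $wpdb;
$id = $_GET['id'];
$rows = $wpdb->get_results("SELECT * FROM {$wpdb->prefix}items WHERE id = $id"); // SQLi
echo "<h1>" . $_GET['title'] . "</h1>";                          // XSS
include $_GET['page'] . '.php';                                  // LFI
readfile(WP_CONTENT_DIR . '/uploads/' . $_GET['file']);          // path traversal
if (isset($_POST['delete'])) { delete_option('my_setting'); }    // state change, no nonce check (CSRF)
eval(base64_decode('ZWNobyAiaGkiOw=='));                         // obfuscated code (decodes to: echo "hi";)
EOF
    cat > "$1/careful-plugin/careful-plugin.php" <<'EOF'
<?php
// Constructed sample using the WordPress APIs that close the same holes.
global $wpdb;
$id = absint($_GET['id']);
$rows = $wpdb->get_results($wpdb->prepare("SELECT * FROM {$wpdb->prefix}items WHERE id = %d", $id));
echo '<h1>' . esc_html($_GET['title']) . '</h1>';
$page = sanitize_key($_GET['page']);
if (in_array($page, array('list', 'edit'), true)) { include plugin_dir_path(__FILE__) . "views/$page.php"; }
$file = sanitize_file_name($_GET['file']);   // strips directory separators
readfile(wp_upload_dir()['basedir'] . '/' . $file);
if (isset($_POST['delete']) && check_admin_referer('my_plugin_delete')) { delete_option('my_setting'); }
EOF
}

# Prefix every "path:line" record read from stdin with a class label.
tag() { while IFS= read -r rec; do printf '%s %s\n' "$1" "$rec"; done; }

# Print one "CLASS path:line" record per suspicious line under $1.
# (Paths are assumed to contain no spaces or colons.)
scan_plugins() {
    dir=$1
    # SQLi: $wpdb query helpers on a line that never goes through $wpdb->prepare().
    grep -rnE '\$wpdb->(query|get_results|get_var|get_row|get_col)[[:space:]]*\(' "$dir" \
        | grep -v 'prepare(' | cut -d: -f1,2 | tag SQLi
    # XSS: request data echoed without one of the esc_*() helpers on the same line.
    grep -rnE 'echo[^;]*\$_(GET|POST|REQUEST|COOKIE)' "$dir" \
        | grep -vE 'esc_(html|attr|url|js|textarea)[[:space:]]*\(' | cut -d: -f1,2 | tag XSS
    # RFI/LFI: include/require fed by request data.
    grep -rnE '(include|require)(_once)?[^;]*\$_(GET|POST|REQUEST|COOKIE)' "$dir" \
        | cut -d: -f1,2 | tag LFI
    # Path traversal: file operations whose path is built from request data.
    grep -rnE '(readfile|file_get_contents|file_put_contents|fopen|unlink|copy|rename)[[:space:]]*\([^;]*\$_(GET|POST|REQUEST|COOKIE)' "$dir" \
        | cut -d: -f1,2 | tag TRAVERSAL
    # Best practice 3: eval() or base64_decode() anywhere in the tree.
    grep -rnE '(eval|base64_decode)[[:space:]]*\(' "$dir" | cut -d: -f1,2 | tag OBFUSCATION
    # CSRF: files that handle $_POST but never verify a WordPress nonce.
    for f in $(grep -rlF '$_POST' "$dir"); do
        grep -qE 'wp_verify_nonce|check_admin_referer|check_ajax_referer' "$f" \
            || printf 'CSRF %s\n' "$f"
    done
}

# Demo: scan the constructed tree and print the findings with the temp prefix removed.
demo=$(mktemp -d)
make_sample_plugins "$demo"
scan_plugins "$demo" | sed "s|$demo/||"
rm -rf "$demo"
```

Against the constructed tree this reports six findings, all in risky-plugin, and none in careful-plugin. To use it on a real install, call `scan_plugins /path/to/wp-content/plugins`; expect false positives (a prepared query split across two lines, for instance) and false negatives, which is exactly the gap a real static analyzer such as the one the post describes is meant to close.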

In any case, WordPress Security may become an even greater concern in the future. Having a ton of WordPress plugins floating around the net with security vulnerabilities is just a ticking time bomb when it comes to potential security breaches.

Take a look at the image below from Checkmarx, check out Jeffro’s post for more details, and then take a good hard look at any code you produce or any plugins you are using on your own sites. The sooner you find security issues, the better off you will be. The more people in our community who are conscious of security issues, the quicker those issues will be resolved and the less of a threat they will be.