Question

How does one check the security of a Wordpress add-on?

  • 18 December 2020
  • 8 replies
  • 137 views

I know less than zero about Wordpress. How does one check the security of a Wordpress add-on? Is security of add-ons an issue with Wordpress?


Sharing answers as I see them from that dev community:
https://sucuri.net/webinars/how-to-know-for-sure-you-can-trust-a-plugin/
tl;dw: without a full code audit you can't know for certain. Most people just base it on reputation (lots of downloads, frequent updates, etc.). Subscribing to blogs/alerts from companies like Sucuri can at least alert you when there's a new/popular vulnerability in a plugin.

I asked my wife, who does project management for a WP dev company, how to check security of plugins, and I got ¯\_(ツ)_/¯

Pantheon and WP Engine both maintain lists of plugins they won't run on their system due to various issues.
A tool that could be used to review the code directly: https://github.com/Automattic/VIP-Coding-Standards
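The reputation signals mentioned in this thread (lots of downloads, frequent updates, whether the author keeps up with core releases) can be checked against the metadata the WordPress.org plugin directory publishes for every listed plugin. The script below is an added example, not code from this thread, from Sucuri or from the VIP Coding Standards project: it scores a constructed plugin record against a few thresholds. The field names follow the public plugin-info API (`https://api.wordpress.org/plugins/info/1.0/<slug>.json`); the sample values, the thresholds and the helper names (`reputation_findings`, `assess_plugin`) are assumptions chosen for illustration.

```python
"""Heuristic reputation check for a WordPress.org plugin record.

The field names (tested, active_installs, last_updated, ...) follow the public
plugin-info API at https://api.wordpress.org/plugins/info/1.0/<slug>.json.
The thresholds and the sample record are constructed for this example.
"""
from datetime import datetime, timezone
import json
import urllib.request

# Constructed sample record; values are made up, field names match the API.
SAMPLE_PLUGIN = {
    "name": "Example Gallery",
    "slug": "example-gallery",
    "version": "1.4.2",
    "tested": "5.5",                 # highest core version the author tested against
    "active_installs": 3000,
    "downloaded": 120000,
    "last_updated": "2019-03-02 9:14am GMT",
    "rating": 64,                    # percent
    "num_ratings": 12,
}

# Fixed reference date (the thread's date) so the demo is reproducible.
THREAD_DATE = datetime(2020, 12, 18, tzinfo=timezone.utc)


def fetch_plugin_record(slug):
    """Fetch a live record from the plugin directory (network; not used by the demo)."""
    url = f"https://api.wordpress.org/plugins/info/1.0/{slug}.json"
    with urllib.request.urlopen(url, timeout=10) as resp:
        return json.load(resp)


def version_tuple(version, parts=2):
    """'5.5' -> (5, 5); missing components are padded with zeros."""
    nums = tuple(int(p) for p in version.split(".") if p.isdigit())
    return (nums + (0,) * parts)[:parts]


def last_update_age_days(record, now):
    """Days since last_updated; only the date part of the API string is parsed."""
    date_part = record["last_updated"].split(" ")[0]
    updated = datetime.strptime(date_part, "%Y-%m-%d").replace(tzinfo=timezone.utc)
    return (now - updated).days


def reputation_findings(record, current_wp, now, *, max_age_days=365,
                        min_installs=1000, min_ratings=10):
    """Return the reputation red flags for one plugin record.

    Thresholds are assumptions for illustration, not WordPress.org policy.
    """
    findings = []

    age = last_update_age_days(record, now)
    if age > max_age_days:
        findings.append(f"stale: last updated {age} days ago")

    if version_tuple(record.get("tested", "0")) < version_tuple(current_wp):
        findings.append(f"not tested against current core {current_wp} "
                        f"(author tested up to {record.get('tested', '?')})")

    installs = record.get("active_installs", 0)
    if installs < min_installs:
        findings.append(f"small install base: {installs} active installs")

    if record.get("num_ratings", 0) < min_ratings:
        findings.append("too few ratings to judge user feedback")

    return findings


def assess_plugin(record, current_wp, now):
    """Bundle the findings into a small report; any red flag means read the code first."""
    findings = reputation_findings(record, current_wp, now)
    return {
        "slug": record["slug"],
        "findings": findings,
        "manual_review_recommended": bool(findings),
    }


if __name__ == "__main__":
    # WordPress 5.6 was the current core release on the thread's date.
    report = assess_plugin(SAMPLE_PLUGIN, current_wp="5.6", now=THREAD_DATE)
    print(json.dumps(report, indent=2))
```

These signals are only a triage filter, as the first reply says: a plugin that passes them can still ship a vulnerability, so a flagged or borderline result is a prompt to read the code (for instance with the VIP Coding Standards rules under PHPCS) rather than a verdict.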

That's helpful, thank you.

Yeah, the research is pretty time-consuming. I'd say if you can, subscribe to something that will let you know when an add-on is compromised (I think WordPress themselves have a blog dedicated to this), and figure out what you need to do to get them all to automatically update (by default, it's manual. I think we have a plugin that updates our plugins, honestly).

We're moving towards getting off of WordPress altogether in 2021-22, I think. It's just such a cluster of bad security.

Same. Trying to get off of WordPress unless it's actively maintained by a PHP/WordPress developer.

I recommend anyone put strong compensating controls in place if WP is required, and strong limits on permitted use cases (minimal to no add-ons, etc.).