WordPress can be hacked, is not secure; guilt by association.
It is true that the WordPress developers work hard to find and plug security holes in WordPress core. Unfortunately, the problem usually isn't the latest release of WordPress itself; it is the third-party add-ons and components used alongside it. Themes and plugins are the biggest weakness in WordPress's security.
The themes and plugins that you, as a WordPress user, install to give your site specific content or abilities are not policed or checked for security holes.
To get a plugin onto wordpress.org, all you have to do is request a slot and then commit the code to the wordpress.org Subversion repository. There is nothing else. Joe Programmer can write a perfectly functional plugin that does something users *might* want, but if he overlooks a crucial part of his code (a request parameter echoed into the page unescaped, a missing permission or nonce check on a form that changes settings, a database query built from raw input), Joe Hacker can come in and make a mess of the end user's site.
There are no code-level checks or balances to catch such problems. Until recently, the same was true of the theme repository on wordpress.org.
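As an added example (not code from this post or from any real plugin), here is a hypothetical plugin admin page written the way the post describes: first with the crucial parts overlooked, then with the checks a reviewer would expect before letting it into a repository. The plugin, page and option names are made up; the functions used (esc_html, esc_attr, sanitize_text_field, wp_unslash, current_user_can, check_admin_referer, wp_nonce_field, absint, $wpdb->prepare) are standard WordPress core APIs.

```php
<?php
/*
Plugin Name: Example Greeting (hypothetical, for illustration only)
*/

// --- "Before": the crucial parts Joe Programmer overlooked ------------------
function example_greeting_page_vulnerable() {
    global $wpdb;

    // 1. Reflected XSS: a request parameter echoed straight into the page.
    echo '<h1>Hello, ' . $_GET['name'] . '</h1>';

    // 2. No capability check and no nonce: any user who can reach this page,
    //    or an admin tricked into submitting a forged form, can overwrite
    //    the option.
    if ( isset( $_POST['greeting'] ) ) {
        update_option( 'example_greeting', $_POST['greeting'] );
    }

    // 3. SQL injection: untrusted input concatenated into the query.
    $rows = $wpdb->get_results(
        "SELECT ID, post_title FROM {$wpdb->posts} WHERE post_author = " . $_GET['author']
    );
    foreach ( $rows as $row ) {
        echo '<p>' . $row->post_title . '</p>'; // stored data echoed unescaped
    }
}

// --- "After": the same page with the checks in place ------------------------
function example_greeting_page_hardened() {
    global $wpdb;

    // Authorisation first: only users allowed to manage options get this far.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'You do not have permission to view this page.' );
    }

    // 1. Sanitise on input, escape on output.
    $name = isset( $_GET['name'] ) ? sanitize_text_field( wp_unslash( $_GET['name'] ) ) : '';
    echo '<h1>Hello, ' . esc_html( $name ) . '</h1>';

    // 2. State changes require a valid nonce tied to this specific action.
    if ( isset( $_POST['greeting'] ) ) {
        check_admin_referer( 'example_greeting_save', 'example_greeting_nonce' );
        update_option( 'example_greeting', sanitize_text_field( wp_unslash( $_POST['greeting'] ) ) );
    }
    echo '<form method="post">';
    wp_nonce_field( 'example_greeting_save', 'example_greeting_nonce' );
    echo '<input type="text" name="greeting" value="'
        . esc_attr( get_option( 'example_greeting', '' ) ) . '">';
    submit_button( 'Save' );
    echo '</form>';

    // 3. Parameterised query, with the input coerced to the expected type.
    $author = isset( $_GET['author'] ) ? absint( $_GET['author'] ) : 0;
    $rows   = $wpdb->get_results(
        $wpdb->prepare( "SELECT ID, post_title FROM {$wpdb->posts} WHERE post_author = %d", $author )
    );
    foreach ( $rows as $row ) {
        echo '<p>' . esc_html( $row->post_title ) . '</p>';
    }
}

add_action( 'admin_menu', function () {
    // Swap the callback to compare the two versions. The capability argument
    // here only controls menu visibility; it does not replace the check inside.
    add_menu_page( 'Example Greeting', 'Example Greeting', 'manage_options',
        'example-greeting', 'example_greeting_page_hardened' );
} );
```

The three defects in the "before" version are the ones a review would look for first: output that is not escaped, a settings change with no permission or nonce check, and a query assembled from raw request data. None of them stops the plugin from working, which is exactly why a functional test does not catch them.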
So let me give a shout-out to the brand-new Theme Review Team volunteers who have recently been assembled.
New and updated themes added to the wordpress.org repository now undergo a rigorous check by the Theme Review Team. They are checked for everything from bad coding and missing theme functionality to security issues. Unfortunately, the large majority of older themes still on the repository could be problematic in one way or another.
Some themes on the repository are so old they should no longer be there. Their code is outdated and does not make use of the functionality WordPress currently provides.
Which brings us back to plugins. Some plugins on the wordpress.org plugin repository were written for WordPress 2.0, and with no way to sort or separate them from plugins made for the current release, the end user is gambling with the security and health of their blog.
That is exactly what the end user is doing: gambling on a plugin or theme simply because it was made for WordPress. At any time, Joe Malware can come along and inject malware into your site through a hole in one of them. The blog's visitors then get hit by that malware, the user accounts on the blog will more than likely be compromised, and worse can be done to the site.
Is this WordPress's fault? WordPress core itself seems pretty solid security-wise. That does not stop it from being hacked once Joe User adds a different theme or a few plugins.
WordPress takes the position that themes and plugins, whoever writes them, are covered by the same GPL licence as WordPress core itself. If WordPress claims them under its own licence, then without a doubt WordPress is responsible for the result not being secure.
What is WordPress doing to rectify the problem? Almost nothing. I say almost nothing because, apart from the creation of the Theme Review Team, everything tertiary to WordPress core is still open to malicious intent.
To end the thought: read up on a plugin or theme before adding it to your site. One click of the Activate button and you could be in for a load of trouble.
For themes, the problem is the older themes that were never removed. There was no coding standard before the Theme Review Team was created.
For the plugin repository, old plugins need to be cleaned out, and developers need to update theirs to keep them on the repository. To handle code quality, I'm thinking there should be a 'certified' stamp on plugins that have been checked over for code quality and security. I am actually thinking about doing that for ComicPress/Easel users: a list of plugins that I have checked out personally.
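As an added example for the stale-plugin problem (not part of the original post), here is a small PHP audit that reads each installed plugin's readme.txt and flags the ones whose "Tested up to:" header is older than a version you choose, which is the sort by version that the repository itself does not offer. It assumes the wordpress.org readme.txt format (the "Requires at least", "Tested up to" and "Stable tag" headers) and a plugins directory laid out as wp-content/plugins/<slug>/readme.txt; the sample readme texts embedded below are constructed for illustration, and the 3.0 threshold is just an example value.

```php
<?php
// Added example: flag installed plugins that were never tested against a
// recent WordPress release. Hypothetical helper, not part of WordPress.

// Pull the version headers out of a wordpress.org-style readme.txt.
function example_parse_readme_headers( $text ) {
    $headers = array();
    foreach ( array( 'Requires at least', 'Tested up to', 'Stable tag' ) as $key ) {
        if ( preg_match( '/^' . preg_quote( $key, '/' ) . ':\s*(.+)$/mi', $text, $m ) ) {
            $headers[ $key ] = trim( $m[1] );
        }
    }
    return $headers;
}

// A plugin is stale if it claims no tested version at all, or if the version
// it claims is older than the threshold the reviewer chose.
function example_is_stale( $headers, $min_tested ) {
    if ( empty( $headers['Tested up to'] ) ) {
        return true;
    }
    return version_compare( $headers['Tested up to'], $min_tested, '<' );
}

// Walk a real plugins directory and build a slug => status report.
function example_audit_plugins_dir( $plugins_dir, $min_tested ) {
    $report = array();
    $files  = glob( rtrim( $plugins_dir, '/' ) . '/*/readme.txt' );
    if ( $files === false ) {
        $files = array();
    }
    foreach ( $files as $readme ) {
        $slug    = basename( dirname( $readme ) );
        $headers = example_parse_readme_headers( file_get_contents( $readme ) );
        $report[ $slug ] = array(
            'tested_up_to' => isset( $headers['Tested up to'] ) ? $headers['Tested up to'] : '(none)',
            'stale'        => example_is_stale( $headers, $min_tested ),
        );
    }
    return $report;
}

// Constructed sample readme contents so the checks can be seen offline.
$samples = array(
    'old-comic-plugin' => "=== Old Comic Plugin ===\nRequires at least: 2.0\nTested up to: 2.0.4\nStable tag: 1.0\n",
    'fresh-plugin'     => "=== Fresh Plugin ===\nRequires at least: 3.0\nTested up to: 3.1\nStable tag: 2.3\n",
    'no-headers'       => "=== Mystery Plugin ===\nA readme with no version headers at all.\n",
);
foreach ( $samples as $slug => $text ) {
    $h = example_parse_readme_headers( $text );
    printf( "%-18s tested up to %-7s %s\n",
        $slug,
        isset( $h['Tested up to'] ) ? $h['Tested up to'] : '(none)',
        example_is_stale( $h, '3.0' ) ? 'STALE' : 'ok'
    );
}

// Against a real install:
// print_r( example_audit_plugins_dir( '/path/to/wp-content/plugins', '3.0' ) );
```

A "Tested up to" header is only the developer's own claim, so a pass here is not a security review; the point of the check is the opposite direction, turning up the plugins nobody has looked at in years so they can be removed or reviewed first.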
– Phil
I like that “stamp of approval” idea; it would make me feel more comfortable about downloading certain plugins, though unfortunately, since there are a lot of plugins, it's near impossible to certify all of them. We can at least hope there can be some sort of check on the most used plugins (by comickers) :]
Very interesting point to consider. I believe you may have a very serious point about WordPress being culpable, to a certain extent, for the security and code validity of themes and plugins.
I know that, as part of the Theme Review Team, we do what we can for new and re-submitted themes, but there simply is not enough time at the moment to go back to the repository and review all existing themes as well.
As to plugins, I would agree as well … any chance you might want to “ComicImpressed” certify mine? 😉
Well written, Phil. I think a “certified” stamp would be great. I keep seeing people hollering for help on Twitter because they've been hacked. And it's always you who jumps in there and helps them out.
I hope you are feeling better really soon, too.
I would love to see a reviewed/certified note of some kind; I definitely agree that it is lacking now. I also find it annoying (as you mentioned) that plugins for old versions show up (sometimes higher on the list) when searching, with absolutely no ability to sort by version number (the lack of sorting by version number I find more annoying than anything).
I think a nice thing to do for plugin/theme developers would be to have a checklist of common security issues set up, something they could look at and go “Oh yeah, I forgot to check for that” and then fix it before putting up the plugin/theme.