A Security Expert Asks: Does WordPress Make Sense Anymore?

Steve Gibson is a renowned security expert who appears on a weekly podcast called Security Now on the Twit.tv Podcast Network operated by Leo Laporte. Gibson is known for coining the term spyware and creating the first anti-spyware program. He is also the developer of popular Internet security tools and a best-selling hard disk data recovery utility called SpinRite. So when Mr. Gibson happens to opine about WordPress, I stop what I’m doing and listen.

In podcast No. 855, Gibson called out WordPress for its add-on ecosystem, which prioritizes cool features over security…

I think it’s becoming clear that WordPress, with its add-on ecosystem, made a lot more sense when it was initially released 19 years ago, back in 2003, than it does today. There is zero control over the design of WordPress add-ons. Anyone can make one. And WordPress site admins love to add tasty bits to their sites. This means that it’s really not possible to care about online security while running a WordPress site with a bunch of add-ons.

Gibson correctly noted that WordPress is very popular. Considered a content management system, or CMS, it commands 62% of the market. “But it’s very clear that this 19-year-old model of anyone producing add-on plug-ins for WordPress is both super-functional and super-insecure,” he concludes.

In podcast No. 858, Gibson observed…

It’s clear that the base WordPress system itself is mature, was professionally written and is being professionally maintained. It’s secure and highly bulletproof. But that security doesn’t necessarily pertain, in any way, to anything that’s added to it.

Gibson is right, but his observation calls for a bit more explanation.

One way of getting plugins is to go to a third-party site that curates their list, or go right to the developer’s website for the plugin you want. Either way, the security risks are unknowable, so it pays to heed Gibson’s warning, perhaps by limiting the use of plugins to only what is absolutely essential, and vetting the ones you do select.

But when implementing plugins downloaded from the WordPress.org repository, users have a reasonable expectation that the listed plugins are secure:

When a plugin vulnerability is discovered by the WordPress Security Team, they contact the plugin author and work together to fix and release a secure version of the plugin. If there is a lack of response from the plugin author or if the vulnerability is severe, the plugin/theme is pulled from the public directory, and in some cases, fixed and updated directly by the Security Team.

Is it possible for a vulnerable plugin to escape notice by the WordPress Security Team? Not only is it possible, but it has happened plenty of times, leaving website admins scrambling for solutions, the simplest of which may be to deactivate the offending plugin until it can be fixed by the developer or replaced with a different one that offers similar features. No matter where they are sourced, using outdated plugins, or plugins that are no longer supported by their developers, is a risky proposition.

Security is something we all have to worry about, especially since virtually all the hardware, software and databases we use today touch the Internet. Throwing out the WordPress plugin ecosystem, if this was Gibson’s position, is not a realistic solution to the problem of security, but limiting plugin use and vetting them before installation should be best practices for any website developer.
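As a concrete way to apply the advice above (limit plugins to what is essential, vet the ones you keep, and treat outdated or unsupported ones as risks), here is an added example script that is not part of the original post. It audits a plugin inventory against those criteria. The inventory is constructed sample data; on a real site the `name`, `status`, `version` and `update` fields would come from WP-CLI’s `wp plugin list --format=json`, while `last_updated` and `listed` are assumed fields you would fill from the plugin’s directory listing. The two-year staleness threshold is an assumption, not a figure from the post.

```python
from datetime import date, timedelta

# Constructed sample inventory (not data from any real site). The first four
# fields mirror what `wp plugin list --format=json` reports; `last_updated`
# (ISO date of the last release) and `listed` (True if the plugin comes from
# the WordPress.org directory) are assumed fields filled in from the listing.
PLUGINS = [
    {"name": "core-seo", "status": "active", "version": "4.1", "update": "none",
     "last_updated": "2022-02-01", "listed": True},
    {"name": "fancy-gallery", "status": "active", "version": "1.0", "update": "available",
     "last_updated": "2021-11-10", "listed": True},
    {"name": "old-slider", "status": "inactive", "version": "0.9", "update": "none",
     "last_updated": "2018-06-30", "listed": True},
    {"name": "vendor-widget", "status": "active", "version": "2.3", "update": "none",
     "last_updated": "2022-01-15", "listed": False},
]

# Assumed threshold: no release in two years is treated as "no longer supported".
STALE_AFTER = timedelta(days=2 * 365)


def assess(plugin, today):
    """Return the list of risk flags for one plugin, following the post's criteria."""
    flags = []
    if plugin["update"] == "available":
        flags.append("outdated: a newer version is available, update it")
    last_release = date.fromisoformat(plugin["last_updated"])
    if today - last_release > STALE_AFTER:
        flags.append("unsupported: no release in over two years, replace it")
    if not plugin["listed"]:
        flags.append("unvetted: not from the WordPress.org directory, review it")
    if plugin["status"] == "inactive":
        flags.append("non-essential: installed but inactive, remove it")
    return flags


def audit(plugins, today):
    """Map each plugin name to its flags; plugins with no flags are omitted."""
    report = {}
    for plugin in plugins:
        flags = assess(plugin, today)
        if flags:
            report[plugin["name"]] = flags
    return report


def audit_sample():
    """Run the audit over the constructed inventory with a fixed reference date."""
    return audit(PLUGINS, date(2022, 3, 1))


if __name__ == "__main__":
    for name, flags in audit_sample().items():
        print(name)
        for flag in flags:
            print("  -", flag)
```

Run it as-is to see the flags for the sample inventory; to use it on a real site, replace `PLUGINS` with the parsed WP-CLI output plus the two assumed fields. Anything flagged as outdated or unsupported is a candidate for the "deactivate until fixed or replaced" step described above.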

---------------

Nathan Muller is the author of 29 technical books and over 3,000 articles that have appeared in 75 publications worldwide. He also writes articles, blogs and social media content for tech companies and their executives.
