Do you want to know a Secret about WordPress plugins (actually about any plugins)? Well, remember the last two questions in my post 8 Questions to Ask about WordPress Plugins? Yes, I’m talking about security vulnerabilities in plugins and whether we can trust plugin authors to have addressed those issues in their code. Most people never question the code in plugins because they’re not programmers and don’t know PHP, and even if they have some reservations about the security of a plugin, they don’t know how to test it.

There are different kinds of security vulnerabilities, but the most common are XSS (cross-site scripting) and SQL injection. In both cases a weakness in how the application handles input lets an attacker inject their own code into the site: with XSS it is script that ends up in the pages served to other visitors and runs in their browsers; with SQL injection it is SQL that ends up in a query sent to the site’s database.

In most cases any form on a website that asks for user input and does not properly validate that input in the back-end is a perfect gateway for an attacker. Make sure to check Some simple XSS Attacks by Example to see how some of these attacks are performed. You will see that you don’t need to be a skilled programmer to hijack someone’s site or steal a cookie. A Firefox extension such as the Web Developer Add-on lets you edit any form field in the page before submitting it (remove maximum lengths, reveal and change hidden fields, turn a select list into a free text box), which is why validation done in the browser, whether with JavaScript or with HTML attributes, can never be relied on: only validation in the back-end counts. One of the examples there shows how you can put a short piece of JavaScript into a text field that asks for an image source. If the form does not validate or escape the value, the JavaScript is stored as-is and is executed when the page is displayed.

That’s what happened to the very well-known Democracy plugin for WordPress, which lets you create polls. There’s an option for visitors to add their own answer to the poll question, and that text field wasn’t properly validated in the plugin’s code, so anyone could submit a SCRIPT tag containing window.location='http://anewsite.com'.
As a result the vulnerable site is hijacked: every visitor who loads the page with the poll is redirected to the other site. Aaron Brazell from Technosailor posted all the details about the flaws in the plugin. Fortunately the plugin’s author has already fixed the code and released a secure version of the plugin. The Subscribe to Comments plugin had similar vulnerabilities; thankfully its author has patched the code as well and released a new, secure version.

While I was writing this article, I saw a notice on my Dashboard about the new version of WordPress 2.1.1 being dangerous and that everyone should upgrade to 2.1.2:

Long story short: If you downloaded WordPress 2.1.1 within the past 3-4 days, your files may include a security exploit that was added by a cracker, and you should upgrade all of your files to 2.1.2 immediately.

I’m glad I didn’t rush with upgrading my blog from WP 2.1.0. In my opinion it’s always a good idea to wait a bit before upgrading to a newer version.

Getting back to my post now. One way to protect your form from XSS attacks is to convert the HTML meta characters to their entity equivalents whenever a stored value is printed back into a page: not only the angle brackets < and >, but also &, " and ' (in PHP, htmlspecialchars() with the ENT_QUOTES flag does exactly this). Stripping the <script> tag on its own is not enough: an attacker can run script from an event handler such as <img src=x onerror="..."> without ever writing the word script, and a value printed inside an attribute can break out of it with a single quote character. Escape on output, in every place the value is printed, and treat any blacklist or whitelist validation on input as a second layer rather than the only one.
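As an added example (not code from the original post or from any of the plugins mentioned), here is the difference between the two defences written in Python, used here purely for a self-contained demonstration; in a PHP plugin the escape_for_html() function below corresponds to htmlspecialchars($value, ENT_QUOTES, 'UTF-8'). The sample inputs are constructed: one is a redirect payload of the kind described above, and the last two are payloads that survive a blacklist which only strips <script> tags.

```python
import html
import re

# Constructed sample inputs for a poll's "add your own answer" field (not
# captured from any real site). The second is a redirect payload of the kind
# described in the post; the last two survive a <script>-only blacklist.
SAMPLE_INPUTS = [
    "Blue",
    "<script>window.location='http://anewsite.com'</script>",
    "<img src=x onerror=\"window.location='http://anewsite.com'\">",
    "<scr<script>ipt>alert(1)</scr</script>ipt>",
]

SCRIPT_TAG = re.compile(r"</?script[^>]*>", re.IGNORECASE)


def strip_script_tags(value: str) -> str:
    """Blacklist approach: delete <script> and </script> tags, nothing else."""
    return SCRIPT_TAG.sub("", value)


def escape_for_html(value: str) -> str:
    """Output encoding: turn &, <, >, " and ' into HTML entities so the browser
    shows the text instead of parsing it as markup. Same effect as PHP's
    htmlspecialchars($value, ENT_QUOTES, 'UTF-8')."""
    return html.escape(value, quote=True)


def contains_raw_tag(rendered: str) -> bool:
    """Demo-only check: is there still a '<' followed by a letter, i.e.
    something a browser would treat as the start of an element?"""
    return re.search(r"<[a-z]", rendered, re.IGNORECASE) is not None


def render_option(answer: str, sanitizer) -> str:
    """Render one stored poll answer into a list item the way a template
    might, passing the value through the chosen sanitizer on output."""
    return f"<li>{sanitizer(answer)}</li>"


def evaluate() -> dict:
    """For each sample input: (markup survives the blacklist,
    markup survives entity escaping)."""
    results = {}
    for value in SAMPLE_INPUTS:
        results[value] = (
            contains_raw_tag(strip_script_tags(value)),
            contains_raw_tag(escape_for_html(value)),
        )
    return results


if __name__ == "__main__":
    for value, (blacklist_fails, escaping_fails) in evaluate().items():
        print(f"{value!r}")
        print(f"  blacklist leaves markup: {blacklist_fails}")
        print(f"  escaping leaves markup:  {escaping_fails}")
        print("  rendered safely as:", render_option(value, escape_for_html))
```

Running it shows the blacklist doing its job only on the one payload that literally contains a <script> tag; the onerror handler passes straight through, and the nested "<scr<script>ipt>" trick is rebuilt into a working <script> tag by the very act of stripping. Entity escaping leaves no raw markup in any of the four cases, and because html.escape() also encodes quotes the same function is safe to use when the value lands inside an attribute.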

As I mentioned before, the other common vulnerability is SQL injection. It lets an attacker smuggle their own SQL into a query the plugin sends to the database, so the query reads or changes rows it was never meant to touch; in the worst case an entire table can be emptied or dropped. Make sure to check the eye-opening SQL Injection Attacks by Example. The defence in the back-end code is to never paste user input into a query string: bind it as a parameter of a prepared statement or, failing that, pass it through the database library’s own escaping function and quote it. This topic is too broad to cover in this one post, so I’ll write another post, where I’ll provide you with some very helpful and useful articles on this security topic for your Recommended Reading.
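Here is an added example, again in Python with the standard sqlite3 module rather than PHP and MySQL, of the kind of poll-stuffing injection a vote-counting plugin could be open to; the table and its rows are constructed for the demo and are not taken from any real plugin, and the code is not the original post’s or any plugin author’s. The vulnerable function pastes the submitted answer into the UPDATE statement; the safe one binds it as a parameter (the PHP equivalent is a prepared statement with mysqli or PDO).

```python
import sqlite3

# Payload a visitor could submit instead of an answer name. The SQL comment
# marker (--) throws away the closing quote the query would otherwise append.
PAYLOAD = "x' OR 1=1 --"


def make_poll_db() -> sqlite3.Connection:
    """In-memory poll table with constructed sample rows (not real plugin data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE poll_answers ("
        "id INTEGER PRIMARY KEY, answer TEXT NOT NULL, votes INTEGER NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO poll_answers (answer, votes) VALUES (?, ?)",
        [("Red", 3), ("Green", 5), ("Blue", 2)],
    )
    conn.commit()
    return conn


def vote_vulnerable(conn: sqlite3.Connection, answer: str) -> int:
    """Builds the statement by string concatenation, as a careless plugin might.
    Whatever the visitor typed becomes part of the SQL. Returns rows changed."""
    sql = "UPDATE poll_answers SET votes = votes + 1 WHERE answer = '" + answer + "'"
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount


def vote_safe(conn: sqlite3.Connection, answer: str) -> int:
    """Same statement with a bound parameter: the driver sends the value
    separately from the SQL, so it can only be compared, never parsed."""
    cur = conn.execute(
        "UPDATE poll_answers SET votes = votes + 1 WHERE answer = ?", (answer,)
    )
    conn.commit()
    return cur.rowcount


def tallies(conn: sqlite3.Connection) -> dict:
    """Current vote counts keyed by answer."""
    return dict(conn.execute("SELECT answer, votes FROM poll_answers ORDER BY id"))


def demo() -> dict:
    """Run the same payload against both implementations on fresh tables."""
    vulnerable, safe = make_poll_db(), make_poll_db()
    return {
        "vulnerable_rows_changed": vote_vulnerable(vulnerable, PAYLOAD),
        "vulnerable_tallies": tallies(vulnerable),
        "safe_rows_changed": vote_safe(safe, PAYLOAD),
        "safe_tallies": tallies(safe),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With the concatenated version the statement the database actually receives is UPDATE poll_answers SET votes = votes + 1 WHERE answer = 'x' OR 1=1 --', so every row gets a vote; with the bound parameter the same text is merely compared against the answer column, matches nothing, and changes nothing. Escaping the quotes with the driver’s escaping function and wrapping the value in quotes would also block this particular payload, but a bound parameter works for every value without you having to remember the quoting rules for each context.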

I really hope that this post has raised some suspicious flags in your head and made you more cautious with plugins before using them on your blog.

Comment Bits

One Perspicacious Bit in response to “The Secret Truth About The Plugins Security”

Pingbacks and Trackbacks

  1. Readers Behaving Badly - The WordPress Joe Job » Reader Appreciation Project

    [...] Fortunately the WordPress community is very vigilant and something like this wouldn’t last long. But it is always a good idea to make sure the plugins or themes you install are legit. [...]

Hi, I'm Vivien. Thanks for visiting my Inspiration Bit. I often find myself scouring the internet looking for either answers to many questions I have or websites that inspire me, sites that I can learn from. On what topics you might ask — any topics that interest me, anything from web design to typography and art, from blogging to entrepreneurship, from programming to open source.