Comments on: do you trust all wordpress plugins?

By: Robert

Robert — Sat, 11 Aug 2007 04:49:27 +0000

Excellent exercise in exposing the true flaws in *trusting* open source plugins.

As to the worries about the community keeping their cool, I’m more worried about the potential harm that could always be done by a malicious coder.

Still, it is interesting that few instances have appeared like this. There are a few plugin providers, however, that *have* put self-serving code in their offerings. Not so much malicious, as they were invisible and not revealed on the developer’s download/FAQ pages.

By: Jens

Jens — Tue, 31 Jul 2007 15:20:21 +0000

The security problem is clear… it would be fine, to have a central website, which certifies every plugin after checking. But this would cost hours, so they have to earn a lot of money by advertisment to kepp the project alive.

By: Andres J,

Andres J, — Thu, 26 Jul 2007 23:42:59 +0000

no english?

By: hipslu

hipslu — Wed, 25 Apr 2007 13:04:23 +0000

i absolutely agree – but what i wanted to say is that i am sure, that most of the wordpress users do not think about that…

By: Rirath

Rirath — Wed, 25 Apr 2007 12:53:59 +0000

“This could panic the entire community”

Surely you all realize this is nothing new what so ever and every “plugin” across every application / web app has had this exact same possibility?

Come on folks. Nobody can protect you from yourself. “Don’t download suspicious plug-ins from suspicious places.” is the obvious solution.

By: Sabo

Sabo — Sun, 22 Apr 2007 21:35:21 +0000

I understand, I will check for now and on every plugin source code, one short advice could be “don�t download and install plugins from supicious sources”, you know something like that.

And about your question, I don�t really understand it, or I don�t want to understand it maybe, it scares me a little. I can�t tell if this is theorical or somebody is doing it right now and nobody knows about it. How can we know?

Do you remember Sub7? the trojan horse, the owner wrote some code inside the application so it can search for a specific ICQ number and if the application was installed in a computer that has that ICQ profile installed, the Sub7 was made to destroy that computer using the “Hard Disk Killer” progam.

I don�t know, the sky is the limit for a person with PHP skills, if you let it enter to your server, giving him read, write, erase and execution permission.

This could panic the entire community, I hope everybody can keep it cool.

Regards!

By: hipslu

hipslu — Sun, 22 Apr 2007 13:13:23 +0000

i think due to the power of php and the power of the wordpress plugin mechanism it would be very difficult to automatically find out which plugin contains “evil code”. in fact everybody has to check the plugin code himself; but: not anybody has php skills… the question is: do you think that this risk is just theoretically?

By: Sabo

Sabo — Sun, 22 Apr 2007 08:02:39 +0000

WTF! no, I don�t always check all the plugins I download and install, but this one give us a clear example of what can a “script kiddie” can do to fuck an entire community.

Thank you very much for this clear example of weakness. Is there a way you can advice Wordpress developers about how can we protect agains malicious plugins?

Somebody should do a Anti-malicious Plugin, that protects our information from going out to an external source or e-mail.

Regards!

By: michl

michl — Sat, 21 Apr 2007 09:06:30 +0000

… das war mir nicht bewusst, auch wenn es eigentlich logisch ist; ich werde also in zukunft vorher mal einen blick in das plugin werden