[wp-hackers] WordPress plugin inspections

Kirk Wight kwight at kwight.ca
Wed Feb 19 20:35:04 UTC 2014 

I find the example "light-touch" (what does that mean?) inspection to be of
very little value at all. Phrases like "very likely to have", "contains or
is likely to contain", and "probably contains" mean nothing when it comes
to security: is it, or isn't it? More complete reviews with definitive
statements and examples would be of much more interest to myself.


On 19 February 2014 12:27, Jamie Currie <jamie at wunderdojo.com> wrote:

> I had the exact opposite reaction to Chris Williams. Literally a week ago
> I was talking to someone about the need for more rigorous evaluation of
> plugins. I find that I now use only a small handful of plugins that I have
> extensive experience with because of the lack of any quality standard.
>
> If that sounds a bit harsh, I'd suggest enabling DEBUG and mysql slow
> query (at something like 1 second) and then test out various plugins. And
> that's just the blatantly obvious stuff. I won't point fingers, but I
> recently had issues with one pretty popular plugin and when I went into the
> code to poke around I found that it is fundamentally flawed in the design
> -- so much so that I rewrote it and will be sending the author the new code
> and explanation.
>
> I understand that a cursory review is subjective and prone to
> misstatements, but it's at least a step in the right direction. Perhaps the
> next step would be for Harry to formalize some kind of process for
> responding to / contesting reviews and to encourage community involvement
> (maybe via this list) to "review the reviews" if you will. I'd be happy to
> get involved in a process like that if the end result were a base of
> plugins that had been scrutinized by some of the WP brains on this list.
>
> And if, at the end of the day, he harnesses that power to help build a
> business, I don't see anything wrong with that either. I think 99% of us
> are using WP to make money and it seems to me like he's identified a clear
> need and at least attempted to address it -- which is pretty much the story
> of every successful business.
>
> Jamie Currie
> Founder / CEO
> wunderdojo
> wunderdojo.com
> tel: 949-734-0758
> 1840 Park Newport, #409
> Newport Beach, CA 92660
> Master web & app developers
>
>
>
>
>
> ------ Original Message ------
> From: "Chris Williams" <chris at clwill.com>
> To: "wp-hackers at lists.automattic.com" <wp-hackers at lists.automattic.com>
> Sent: 2/19/2014 12:17:17 PM
> Subject: Re: [wp-hackers] WordPress plugin inspections
>
>> I certainly can't speak for others, but I would venture to say that your
>> business model is evil at best. You do fly-by character assassination
>> (oops, I mean "light-touch inspections"), based on personal bias ("this
>> plugin is large"), and then broadly publish the results as if they are
>> somehow authoritative. Worse yet, you then hold plugin developers at
>> ransom for changing the review: "If you would like to commission us to
>> inspect or review the latest version, please contact us."
>>
>> How this is of value to anyone, and how you sleep at night with this
>> specious business model, is completely beyond me.
>>
>> On 2/19/14 10:43 AM, "Harry Metcalfe" <harry at dxw.com> wrote:
>>
>>  Hello list,
>>>
>>> We write and publish light-touch inspections of WordPress plugins that
>>> we do for our clients. They are just a guide - we conduct some basic
>>> checks, not a thorough review.
>>>
>>> Would plugins which fail this inspection be of general interest to the
>>> list and therefore worth posting? Is the list also interested in
>>> vulnerability advisories, or do people tend to get those elsewhere?
>>>
>>> Here's an example report:
>>>
>>> https://security.dxw.com/plugins/pods-custom-content-types-and-fields/
>>>
>>> Grateful for a steer...
>>>
>>> Harry
>>>
>>>
>>> --
>>> Harry Metcalfe
>>> 07790 559 876
>>> @harrym
>>>
>>> _______________________________________________
>>> wp-hackers mailing list
>>> wp-hackers at lists.automattic.com
>>> http://lists.automattic.com/mailman/listinfo/wp-hackers
>>>
>>
>> _______________________________________________
>> wp-hackers mailing list
>> wp-hackers at lists.automattic.com
>> http://lists.automattic.com/mailman/listinfo/wp-hackers
>>
>
> _______________________________________________
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-hackers
>

More information about the wp-hackers mailing list