[wp-hackers] How to check a new plugin?

Philip M. Hofer (Frumph) philip at frumph.net
Mon Nov 22 18:11:12 UTC 2010


I started a plugin certification program where I go through the plugin on 
request for security / code issues
http://frumph.net/plugin-certification/

If the plugin passes I'll post its version and that it's good to use 
without consequences; if I find issues in the code I email the author with 
the problems, checking for deprecated functions, security issues with 
posting ($_GET/$_POST/$_SERVER/$_REQUEST) and whether or not it uses nonces 
properly on option screens, including deprecated function use.

The reason for this is that there are too many plugins to go through every 
one of them on the repository, but if I do it by request it's a lot easier 
for me to handle.

...of course I've only done a couple so far and the authors haven't gotten 
back to me yet ;/ but that's how that goes.

- Phil

----- Original Message ----- 
From: "Patrick Laverty" <patrick_laverty at brown.edu>
To: <wp-hackers at lists.automattic.com>
Sent: Monday, November 22, 2010 9:56 AM
Subject: [wp-hackers] How to check a new plugin?


> When you want to add a new plugin to your system, what do you do to check 
> it out for its safety and security on your blog?  I'm in charge of a ms 
> instance at a University and I get requests for plugins all the time, 
> especially for ones that are on version <1 or admit they're "alpha" or 
> "beta" versions.  I don't want to simply reject something because of its 
> label, but I'm not totally sure how to evaluate a new plugin.  Do any of 
> you put them on a test server and then point a vulnerability scanner at the 
> new plugin to see what happens?  Advice?
>
> Thanks.
> _______________________________________________
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-hackers
> 
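As an illustration of what Phil's review looks for on an options screen (raw $_POST use, missing nonce, missing capability check, unsanitized values), here is an added example that is not code from this thread or from any reviewed plugin. The plugin name, the `ncd_` prefix and the option name `ncd_greeting` are hypothetical; the WordPress functions used (`check_admin_referer`, `wp_nonce_field`, `current_user_can`, `sanitize_text_field`, `wp_unslash`, `add_options_page`) are the real core APIs. The first function is the pattern a reviewer would email the author about; the second is the hardened form.

```php
<?php
/*
Plugin Name: Nonce Check Demo (hypothetical example, not a real plugin)
*/

// Hypothetical option name chosen for this example.
define( 'NCD_OPTION', 'ncd_greeting' );

// --- Pattern a reviewer flags ---------------------------------------------
// Reads $_POST directly with no nonce, no capability check and no
// sanitization. A crafted form submitted by a logged-in admin (CSRF) would
// overwrite the option with arbitrary content, which is then echoed unescaped.
function ncd_save_unchecked() {
    if ( isset( $_POST['ncd_greeting'] ) ) {
        update_option( NCD_OPTION, $_POST['ncd_greeting'] );
    }
}

// --- Hardened form ---------------------------------------------------------
// 1. Only act on an actual submission of this form.
// 2. Require the capability the settings page is registered with.
// 3. Verify the nonce; check_admin_referer() calls wp_die() on failure.
// 4. Unslash and sanitize before storing; escape on output (see render below).
function ncd_save_checked() {
    if ( ! isset( $_POST['ncd_submit'] ) ) {
        return; // Nothing submitted on this request.
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    check_admin_referer( 'ncd_save_settings', 'ncd_nonce' );

    $raw   = isset( $_POST['ncd_greeting'] ) ? wp_unslash( $_POST['ncd_greeting'] ) : '';
    $clean = sanitize_text_field( $raw );
    update_option( NCD_OPTION, $clean );
    add_settings_error( 'ncd', 'ncd_saved', 'Settings saved.', 'updated' );
}

// Renders the options screen; the nonce field ties the form to the
// 'ncd_save_settings' action verified above, and the stored value is
// escaped with esc_attr() before being placed in the attribute.
function ncd_render_page() {
    ncd_save_checked();
    settings_errors( 'ncd' );
    ?>
    <div class="wrap">
        <h1>Nonce Check Demo</h1>
        <form method="post">
            <?php wp_nonce_field( 'ncd_save_settings', 'ncd_nonce' ); ?>
            <label for="ncd_greeting">Greeting</label>
            <input type="text" id="ncd_greeting" name="ncd_greeting"
                   value="<?php echo esc_attr( get_option( NCD_OPTION, '' ) ); ?>" />
            <?php submit_button( 'Save', 'primary', 'ncd_submit' ); ?>
        </form>
    </div>
    <?php
}

// Register the page under Settings, restricted to users with manage_options.
add_action( 'admin_menu', function () {
    add_options_page(
        'Nonce Check Demo',
        'Nonce Check Demo',
        'manage_options',
        'ncd',
        'ncd_render_page'
    );
} );
```

When reading a third-party plugin, the quick check is to find every `$_GET`, `$_POST`, `$_REQUEST` and `$_SERVER` read and confirm that each one sits behind a capability check and a nonce verification like the hardened function above, and that the value is sanitized on the way in and escaped on the way out.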

