[wp-hackers] WordPress plugin inspections

Josh Pollock jpollock412 at gmail.com
Wed Feb 19 20:38:21 UTC 2014


The ability to easily do an independent security review of open source
software, is one of the strengths of the open source model. But publishing
vague results, and not contacting the developer, and/ or
security at wordpress.org, with any concrete details of a threat doesn't help
the developer, the community or the users. If anyone can identify a
specific security threat in Pods, please email Scott at pods.io and we will
address it, like any other responsible developer would.

Take care,

On Wed, Feb 19, 2014 at 3:27 PM, Jamie Currie <jamie at wunderdojo.com> wrote:

> I had the exact opposite reaction to Chris Williams. Literally a week ago
> I was talking to someone about the need for more rigorous evaluation of
> plugins. I find that I now use only a small handful of plugins that I have
> extensive experience with because of the lack of any quality standard.
> If that sounds a bit harsh, I'd suggest enabling DEBUG and mysql slow
> query (at something like 1 second) and then test out various plugins. And
> that's just the blatantly obvious stuff. I won't point fingers, but I
> recently had issues with one pretty popular plugin and when I went into the
> code to poke around I found that it is fundamentally flawed in the design
> -- so much so that I rewrote it and will be sending the author the new code
> and explanation.
> I understand that a cursory review is subjective and prone to
> misstatements, but it's at least a step in the right direction. Perhaps the
> next step would be for Harry to formalize some kind of process for
> responding to / contesting reviews and to encourage community involvement
> (maybe via this list) to "review the reviews" if you will. I'd be happy to
> get involved in a process like that if the end result were a base of
> plugins that had been scrutinized by some of the WP brains on this list.
> And if, at the end of the day, he harnesses that power to help build a
> business, I don't see anything wrong with that either. I think 99% of us
> are using WP to make money and it seems to me like he's identified a clear
> need and at least attempted to address it -- which is pretty much the story
> of every successful business.
> Jamie Currie
> Founder / CEO
> wunderdojo
> wunderdojo.com
> tel: 949-734-0758
> 1840 Park Newport, #409
> Newport Beach, CA 92660
> Master web & app developers
> ------ Original Message ------
> From: "Chris Williams" <chris at clwill.com>
> To: "wp-hackers at lists.automattic.com" <wp-hackers at lists.automattic.com>
> Sent: 2/19/2014 12:17:17 PM
> Subject: Re: [wp-hackers] WordPress plugin inspections
>> I certainly can't speak for others, but I would venture to say that your
>> business model is evil at best. You do fly-by character assassination
>> (oops, I mean "light-touch inspections"), based on personal bias ("this
>> plugin is large"), and then broadly publish the results as if they are
>> somehow authoritative. Worse yet, you then hold plugin developers at
>> ransom for changing the review: "If you would like to commission us to
>> inspect or review the latest version, please contact us."
>> How this is of value to anyone, and how you sleep at night with this
>> specious business model, is completely beyond me.
>> On 2/19/14 10:43 AM, "Harry Metcalfe" <harry at dxw.com> wrote:
>>  Hello list,
>>> We write and publish light-touch inspections of WordPress plugins that
>>> we do for our clients. They are just a guide - we conduct some basic
>>> checks, not a thorough review.
>>> Would plugins which fail this inspection be of general interest to the
>>> list and therefore worth posting? Is the list also interested in
>>> vulnerability advisories, or do people tend to get those elsewhere?
>>> Here's an example report:
>>> https://security.dxw.com/plugins/pods-custom-content-types-and-fields/
>>> Grateful for a steer...
>>> Harry
>>> --
>>> Harry Metcalfe
>>> 07790 559 876
>>> @harrym
>>> _______________________________________________
>>> wp-hackers mailing list
>>> wp-hackers at lists.automattic.com
>>> http://lists.automattic.com/mailman/listinfo/wp-hackers
>> _______________________________________________
>> wp-hackers mailing list
>> wp-hackers at lists.automattic.com
>> http://lists.automattic.com/mailman/listinfo/wp-hackers
> _______________________________________________
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-hackers

More information about the wp-hackers mailing list