While we think there are a lot of problems in how WordPress handles the security of plugins, we also think is important that any criticism be fair. An InfoWorld article put out today wasn’t.
The article starts by speculating that the release of the Panama Papers was due in part to the poor security on the website of law firm involved. While it is possible that is the case, the article doesn’t actually cite any evidence to substantiate that the poor security of the website lead to someone accessing that information (lack of evidence doesn’t seem to be something that holds back security journalists these days).
What is really important to note is that the WordPress plugin being cited in the article as the potential source of the hack, Revolution Slider, is not something that WordPress makes available through the Plugin Directory. Instead this is paid plugin, that is also often bundled with other paid software (contrary to some people’s claims, paid software isn’t actually more secure). That is important because of the following paragraphs in the article:
Attacks targeting sites running outdated versions of a CMS or using vulnerable plugins are getting more and more common. Security experts point at the plugin ecosystem, with poorly coded and maintained plugins, as the culprit, but the core developers need to shoulder some of the responsibility. It’s not just WordPress — other popular CMS software such as Drupal and Joomla also need to consider how third-party software is affecting their platform and provide better mechanism to secure their customers’ sites.
There is currently no process to vet plugins or automatically update outdated plugins. Although WordPress and Drupal have made it easier to search and update some third-party plugins directly from the administrator dashboard, the core team can — and should — explore ways to keep the entire platform secure, instead of just focusing on the core codebase.
There is so much wrong with that.
Let’s start with the fact that plugins can actually be automatically updated. Back in WordPress 3.7, which was released in October of 2013, automatic background updates were introduced. This feature is best known for causing minor WordPress updates to be applied automatically. You can also enable plugin updates happen automatically, one easy way to do this with our Automatic Plugin Updates plugin. The people running the Plugin Directory also have the ability to cause a plugin to automatically update, which is sometimes used if a major security issue is found in a plugin. Since the Revolution Slider plugin isn’t in the Plugin Directory they can’t do that for that plugin.
It also isn’t true that there is not any vetting of plugins as the author claimed or that they don’t shoulder any of the responsibility. Beyond some limited reviewing they do, if the people running the Plugin Directory are made aware of a security issue in a plugin they will remove it pending a fix. We should know since we are the ones that report many of those vulnerable plugins to them. It isn’t clear why or how WordPress is supposed to insure the security of plugins that they don’t have any involvement with.
If the article wasn’t bad enough with that cluelessness, here is next paragraph:
Of course, part of the problem may lie with the culture of PHP development, which prides itself on being a hacky and quick-and-dirty way to get things done. PHP’s historic focus on getting something half-assed that works out the door means — no surprise — that security is going to fall by the wayside. And now all these websites are paying the price.
Considering that there a lots of security issues in software written across a lot of different programming languages, this seems misinformed at best.