11 Mar

Get Alerted When WordPress Plugin Developers Are Not Taking Security Seriously

With our service you get alerted if any of the WordPress plugins you have installed have a vulnerability in the installed version. You can also see what vulnerabilities they have had in other versions, which is something you might use to determine if you should continue using it. The problem with trying to do that is that it isn't always easy. If you are not dealing with this type of thing on a regular basis there is a good chance you wouldn't have the knowledge as to which security issues are of little concern and which ones are a major concern going forward. You also would have to dig in to see if the developer has a pattern of not responding in a timely fashion when a vulnerability is discovered, which can have a significant impact on whether the vulnerability will get exploited. Since we already come in contact with that type of information, we thought it would be useful to start using the knowledge we are collecting to make it easier to find out if the security practices of plugin developers are lacking, by putting out advisories for developers that have serious issues.

The idea for this also came up because unfortunately we are seeing developers who are doing a really bad job at making sure their plugins are secure. The first advisory we released involves a company that has not been taking basic security measures, had a really serious vulnerability in one of their plugins, doesn't respond in a timely manner when contacted about security issues, and takes weeks to fix them. The subject of the second one has repeatedly fixed only part of the security issues reported to them.

You can view all of our advisories here and follow the RSS feed of them here. Having to check our website to see if a plugin developer is the subject of a security advisory obviously isn’t very convenient, so that is why we have rolled out a couple of updates to our software to allow those notices to be seamlessly shown when you are looking at new plugins:

Advisories in WordPress

Today we released a new version of the Plugin Vulnerabilities plugin that adds a warning message with a link to these advisories to the details page of plugins in the Add New plugins section of WordPress:

[Screenshot: developer advisories in WordPress]

For already installed plugins you can click the "View details" link on the Installed Plugins page to see if there is an advisory as well.

This feature is built into the plugin, so it works even if you haven't signed up for our service (though you really should do that).

Advisories on WordPress.org

But what if you are looking at plugins on the Plugin Directory on WordPress.org? If you are doing that in the Chrome web browser you are in luck. We have also released an update to our Plugin Vulnerabilities extension that adds the advisories to the website:

[Screenshot: developer advisories on the WordPress.org website]

The extension also adds notices to the URL of plugins that have been removed from the Plugin Directory due to security issues:

[Screenshot: plugin removed with vulnerability warning]

If we see increased interest in the extension we plan to release versions for other web browsers, so if you want it for one of those, please let us know which one in the comments so that we can properly prioritize the order in which to bring it to other browsers in the future.

23 Feb

Our New Companion Chrome Extension

With our service you get an email alert if an installed plugin has a vulnerability in the version you are using (the alert is also shown on the Installed Plugins page). In cases where the vulnerability hasn't been fixed in a newer version of the plugin by the time we become aware of it, we take steps to rectify that, because alerting you of a vulnerability without a solution has limited usefulness. We first try to get in touch with the developer to make sure they have been made aware of the issue (often they haven't) and offer to help them fix it. In cases where that isn't possible or doesn't work, our next step is to notify the people running the WordPress Plugin Directory. At that point the plugin is usually removed from the directory pending a fix. While that will often get the developer to deal with the issue (and quickly), it doesn't always.

As we first discussed almost four years ago, WordPress admins are not being made aware that their websites are using plugins that have been removed from the Plugin Directory due to security issues (it has also been almost that long since the people running it said that they were working on a solution, but it still hasn't happened). With our service you get notified for plugins you have installed, but what if you head over to the plugin's page on the WordPress Plugin Directory? You will just get a page indicating that it can't be found:

[Screenshot: Plugin Directory page shown when a plugin has been removed]

That obviously isn't very useful, so we have now put together a simple Chrome extension that, when installed, augments that page with a message indicating that the plugin had existed and that it has a security vulnerability in the most recent version (based on the data from our service):

[Screenshot: plugin removed with vulnerability notice]