Since we introduced our Plugin Security Checker, which does limited automated security checks of WordPress plugins, in late October we have had a lot of interest in it, and it has brought in additional business for both our main service and our separate security reviews. That is good for us, but also for everyone using WordPress, as it allows us to do more to improve the security of WordPress plugins (which it looks like we are already doing much more of than anyone else).
We are currently waiting on several plugins to have security issues fixed, issues that were identified in part based on the results of our recently introduced tool for doing limited automated security checks of WordPress plugins, before we can discuss real world examples of how the tool can play a useful role in checking on the security of plugins.
Last week, in discussing a couple of examples of things that are not actually ways you can determine if you should use a WordPress plugin from a security perspective, we mentioned that the only good way to determine if a plugin is secure is to have a security review done. While that isn’t something that seems like it could really be automated at this time (nor does it seem like it will be any time soon), based on some of the work we do as part of our service we know it is possible to identify the possibility of some security issues in plugins in an automated fashion, which can help to identify if a plugin is in greater need of a proper security review.
As part of the work we have been doing for the service we have been steadily increasing our ability to spot security vulnerabilities and lesser security issues in plugins. That is due to a variety of different activities that we do, from reviewing reports of vulnerabilities discovered by others when adding them to our data, to finding vulnerabilities that hackers would target in plugins that we see hackers probing for. In the past we have used some of the knowledge we have gained through that to check for specific vulnerabilities in wider sets of plugins and found a number of vulnerabilities. That knowledge could also be used to more thoroughly review a single plugin and check it for a number of security issues, which is something we have decided to start doing.
Recently we have been looking at ways that we can improve the data we provide on WordPress plugin vulnerabilities through our service. Three weeks ago we started including data on false reports of vulnerabilities in the plugins you have installed. Today we have added a rating of the likelihood that a vulnerability will be exploited to the service’s data, which we present in the plugin and in the email alerts you receive if the currently installed version of one of your plugins has a vulnerability. Once you have updated the service’s companion plugin to the newly released 2.0.22 you will start getting that.
When adding a new WordPress plugin vulnerability to the data set for our service we test out the vulnerability. That allows us to do several important things for our customers, which you won’t get with other data providers, who don’t do that.
With our service you get alerted if any of the WordPress plugins you have installed have a vulnerability in the installed version. You can also see what vulnerabilities they have had in other versions, which is something you might use to determine if you should continue using a plugin. The problem with trying to do that is that it isn’t always easy. If you are not dealing with this type of thing on a regular basis, there is a good chance you wouldn’t have the knowledge as to which security issues are of little concern and which are a major concern going forward. You would also have to dig in to see if the developer has a pattern of not responding in a timely fashion when a vulnerability is discovered, which can have a significant impact on whether the vulnerability will get exploited. Since we already come in contact with that type of information, we thought it would be useful to start using the knowledge we are collecting to make it easier to find out if the security practices of plugin developers are lacking, by putting out advisories for developers that have serious issues.