17 Jan 2018

It Looks Like Our Plugin Security Checker Caught a Vulnerability That Was Missed by a WordPress Plugin Directory Review

In continuing to work on improving our Plugin Security Checker, which does limited automated security checks of WordPress plugins (and is now accessible through a WordPress plugin of its own), we have been interested to see where it can already provide value over what is already being done to improve the security of plugins. We recently got what looks to be an example of it catching something that was missed by the team managing the Plugin Directory.

Last Tuesday we were contacted by one of our customers, J.D. Grimes, to let us know that he had noticed that an attempt to fix a vulnerability in the plugin Media from FTP looked like it had failed to fully fix the vulnerability, but he didn’t have time to verify that or to contact the developer about it. We took a look, confirmed that the fix was incomplete, and then worked with the developer to implement a better fix. A new version with that second fix was released later the same day. [Read more]

9 Jan 2018

Our Plugin Security Checker is Now Accessible Through a WordPress Plugin

When we introduced our Plugin Security Checker, which does limited automated security checks of WordPress plugins, in late October, one of the future enhancements we mentioned we were looking into was making the results available through our service’s companion plugin. After thinking it over, we decided it would be better to create a separate plugin for that, so that websites using the existing plugin that have no interest in that functionality are not increasing the amount of code on their website and, alongside that, the increased security risk that extra code creates (that is something the makers of a lot of security plugins look to have not considered when throwing lots of different functionality into a single plugin; perhaps not surprisingly, plenty of security vulnerabilities have been found in security plugins).

As of this morning our new Plugin Security Checker plugin has been included in the Plugin Directory, and can be directly installed in WordPress or downloaded from the Plugin Directory. [Read more]

5 Jan 2018

You Can Now See the Details of Possible Issues Identified by Our Plugin Security Checker

Since we introduced our Plugin Security Checker, which does limited automated security checks of WordPress plugins, in late October, there has been a lot of interest in it, and it has brought in additional business for both our main service and our separate security reviews. That is good for us, but also for everyone using WordPress, as it allows us to do more to improve the security of WordPress plugins (where it looks like we are already doing much more than anyone else).

One of the things users of the tool have shown a lot of interest in involves an area of plugin security that we hadn’t really considered in the past: custom plugins. Unlike plugins in the Plugin Directory, which can be checked for a particular issue en masse by anyone (with the ability to handle the results being limited by the amount of time it would take to contact the developers and possibly work with them to fix the issues), or even commercial plugins, which can be checked to some extent by outside parties, custom plugins can’t take advantage of that. With our tool, custom plugins can get closer to that kind of checking, while also helping to improve the security of publicly available plugins, as the capability to check plugins in the Plugin Directory is freely available, while checking plugins not in it requires using our service. [Read more]