The world needs a more secure WordPress ecosystem

It is staggering to consider that 43.2% of all websites worldwide run on WordPress. With that much reach comes a correspondingly large responsibility.

And yet, just this year, nine WordPress plugins exposed over 1.3 million sites to exploitation, and a single security audit of WordPress plugins uncovered dozens of vulnerabilities affecting 60,000 websites, to name only two of the public disclosures.

This post is not meant to question the security of the WordPress platform itself; the core project has its own security team and is presumably doing its best, as any vendor would. Rather, this post is focused on the vast WordPress ecosystem, specifically the repository of nearly 60,000 plugins that are available to WordPress users.

Why should we care about WordPress plugins security?

It is rare to see a WordPress-powered website or blog without any plugins installed. Plugins are an integral part of WordPress sites, so their security matters just as much as the security of the core platform: a vulnerable plugin can compromise the entire website.

It does not matter whether the vulnerability is in WordPress core or in a plugin, because there is no segregation between the two: plugin code runs as PHP in the same process as core, with the same database credentials, the same filesystem permissions and the same ability to hook into every request. Plugins have repeatedly been found with vulnerabilities such as cross-site scripting (XSS) or SQL injection, which can give an attacker complete control over a website or its database.
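To make the point concrete, here is an added example (not code from the post or from any real plugin) of a hypothetical AJAX endpoint in a plugin, first as such handlers are commonly written and then hardened. The table name, the hook and nonce names, and the `edit_shop_orders` capability are assumptions for illustration.

```php
<?php
/**
 * Added example (not from the post): a hypothetical plugin AJAX endpoint,
 * vulnerable form followed by hardened form. Table name, hook names, the
 * 'lookup_order' nonce action and the capability name are assumptions.
 */

// --- Vulnerable version -------------------------------------------------
// 'wp_ajax_nopriv_' registers the handler for *unauthenticated* visitors, and
// it runs with the site's full database credentials, exactly like core code.
add_action( 'wp_ajax_nopriv_lookup_order', 'example_lookup_order_vulnerable' );

function example_lookup_order_vulnerable() {
    global $wpdb;

    // Untrusted input is interpolated straight into SQL:
    //   ?order_id=1 OR 1=1            dumps the whole table
    //   ?order_id=0 UNION SELECT ...  reads any other table, e.g. wp_users
    $order_id = $_GET['order_id'];
    $row      = $wpdb->get_row( "SELECT * FROM {$wpdb->prefix}orders WHERE id = $order_id" );

    // Output is echoed unescaped: the reflected $order_id gives reflected XSS,
    // and a stored status value containing <script> gives stored XSS.
    echo '<p>Order ' . $order_id . ': ' . $row->status . '</p>';
    wp_die();
}

// --- Hardened version ---------------------------------------------------
// Registered only for logged-in users; there is no 'nopriv' variant.
add_action( 'wp_ajax_lookup_order', 'example_lookup_order_hardened' );

function example_lookup_order_hardened() {
    global $wpdb;

    // CSRF protection: the request must carry a nonce created with
    // wp_create_nonce( 'lookup_order' ) on the page that issues the request.
    check_ajax_referer( 'lookup_order', 'nonce' );

    // Authorisation: being logged in does not by itself grant this action.
    if ( ! current_user_can( 'edit_shop_orders' ) ) { // capability name assumed
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    // Input validation: coerce to a non-negative integer before it goes anywhere.
    $order_id = absint( $_GET['order_id'] ?? 0 );
    if ( 0 === $order_id ) {
        wp_send_json_error( array( 'message' => 'invalid order id' ), 400 );
    }

    // Parameterised query: %d is bound by $wpdb->prepare(), never interpolated.
    $row = $wpdb->get_row(
        $wpdb->prepare( "SELECT id, status FROM {$wpdb->prefix}orders WHERE id = %d", $order_id )
    );

    if ( null === $row ) {
        wp_send_json_error( array( 'message' => 'not found' ), 404 );
    }

    // Output escaping: esc_html() neutralises whatever is stored in the column,
    // and a JSON response avoids building HTML by string concatenation at all.
    wp_send_json_success(
        array(
            'id'     => (int) $row->id,
            'status' => esc_html( $row->status ),
        )
    );
}
```

The four controls in the hardened version (nonce check, capability check, input coercion plus `$wpdb->prepare()`, and output escaping) are independent; a plugin that skips any one of them reintroduces a class of bug, and because the handler executes with the same privileges as core, none of them can be enforced from outside the plugin.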

When reading the WordPress Plugin Developer FAQ and Guidelines, the following statement made me worried: “Security is the ultimate responsibility of the plugin developer, and the Plugin Directory enforces this to the best of our ability”.
So, as a WordPress website owner, whom should I trust? The platform does not take any real responsibility, and the plugin developer is (in the worst case) a potential attacker, so …

What do I suggest?

There are several actions that could be taken to increase website owners' trust in WordPress plugins and reduce the risk they pose:

  • Plugins should auto-update with security fixes – By default, plugin updates are not applied automatically. Since WordPress 5.5 a site owner can opt individual plugins into automatic updates from the Plugins screen (or through the auto_update_plugin filter), but the option is off unless someone turns it on, and WordPress does not distinguish a security release from a feature release. The practical result is that even when a vulnerability is disclosed and a patch is available, many sites are unaware of it or never apply the update.
    To address this, WordPress could implement a differentiated upgrade mechanism in which security fixes are applied automatically while regular (feature) upgrades remain under the website owner's control, so that functionality is not broken by unexpected changes. This would keep the large majority of sites patched without the owner having to act.
  • Identify and verify plugin owners – Attackers usually try to remain anonymous. One way to deter them, and to make abuse harder to carry out, is to require identity verification before a plugin can be uploaded to the WordPress repository. This can block or deter malicious submitters, and it can also increase users' trust in verified plugins (blue check? 😀), as they will know exactly who the actual plugin owner is.
  • Transparent security analysis – When a plugin is submitted to the WordPress repository, it goes through a review process intended to ensure that it meets certain standards, including security. However, this process is not transparent to the community or to website owners, so it is not clear exactly what happens during the review or how thoroughly the plugin is tested. Additionally, the review team is made up of volunteers, so it is unclear what their incentive is to find security issues or how well trained they are to perform security analysis. I trust that those volunteers are doing their best, but increasing transparency around the process would help build trust in it.
  • Automatic and ongoing security checks – Once a plugin is reviewed and added to the WordPress repository, it is not uncommon for it to go years without any updates. Over time the security landscape changes, and new vulnerability classes and attack vectors are discovered that can affect old code sitting in the repository. To address this, it would help to implement automatic static and dynamic security checks, as well as periodic manual reviews, so that the security of plugins in the repository is continuously monitored and acted on. If this already happens behind the scenes, then transparency is key: the results should be in the public domain. This would increase both the overall security of, and trust in, the WordPress plugin ecosystem.
  • Less is more – Managing a repository of nearly 60,000 plugins is a hugely challenging task, and it is especially hard for a small group of people to ensure the security of that many plugins. One way to address this is to reduce the number of plugins in the repository, by whatever means, while still maintaining the functionality provided by the most widely used ones. This would help increase the overall security of WordPress across the internet.
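Until a security-only update channel exists, the closest a site owner can get to the first suggestion above is to opt selected plugins into WordPress's existing auto-update mechanism. The following is an added example, not code from the post or from WordPress itself, of an allow-list built on the `auto_update_plugin` filter; the plugin basenames listed are assumptions for illustration.

```php
<?php
/**
 * Added example (not from the post): an allow-list for WordPress's built-in
 * plugin auto-update filter. Save as
 * wp-content/mu-plugins/auto-update-allowlist.php so it loads on every
 * request and cannot be deactivated from the admin panel.
 * The plugin basenames below are assumptions for illustration.
 */

// Plugin basenames (plugin-dir/main-file.php) that may be updated unattended.
const EXAMPLE_AUTO_UPDATE_ALLOWLIST = array(
    'akismet/akismet.php',
    'example-seo/example-seo.php', // assumed plugin name
);

/**
 * Decide whether a given plugin update offer is applied automatically.
 *
 * @param bool|null $update Whether WordPress already intends to auto-update
 *                          (reflects the per-plugin toggle in the admin UI).
 * @param object    $item   The update offer; $item->plugin is the basename.
 * @return bool|null
 */
function example_auto_update_plugin( $update, $item ) {
    if ( empty( $item->plugin ) ) {
        return $update; // unexpected offer shape: leave WordPress's decision alone
    }
    if ( in_array( $item->plugin, EXAMPLE_AUTO_UPDATE_ALLOWLIST, true ) ) {
        return true;    // always take updates for allow-listed plugins
    }
    return $update;     // otherwise respect the owner's per-plugin toggle
}
add_filter( 'auto_update_plugin', 'example_auto_update_plugin', 10, 2 );
```

Two caveats a practitioner should check: the updater runs from WP-Cron, so a low-traffic site or one with `DISABLE_WP_CRON` set needs a system cron job that requests wp-cron.php, and defining `AUTOMATIC_UPDATER_DISABLED` anywhere switches the whole mechanism off regardless of this filter. The filter also cannot tell a security release from a feature release, because the update offer carries no such flag, which is exactly the gap the suggestion above is about.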

Summary

We can make the internet safer, and making the WordPress ecosystem safer is a large step towards that, since such a large portion of the internet runs on WordPress.

This post is just a thought exercise, and I’m happy to hear any comments and discuss this more.