Independent Digital

Be careful when installing plugins. It is a dangerous world out there with many strange people doing strange things. Now not all plugins are dangerous and neither are their authors. Some plugins, however, have simply not been tested enough with the result that malicious hackers manage to find flaws, which they can exploit to do their dirty deeds. They then search the net for WordPress sites running that plugin. When they find it, they?re in and before you know it, your WordPress blog is performing erratically or your database has been deleted.

One example of this plugin security issue is the wp-forum 1.74 plugin. According to the securityfocus website, ?it is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. (This would allow an)? attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.?

Another example is the wp-db-backup plugin, which had a serious vulnerability issue. Now I am not saying that it is the intention of the plugin author to create plugins containing devious code which allows a security breach. It is more likely that the authors themselves are unaware of the security flaw. As far as I know, there is no standardized validation of plugins to ensure that they are not a security problem. So we need to be very careful before we install any plugin. Do research, check on the web and within forums to see whether others have experienced security issues when using that plugin. If there are no known issues, make sure that you have backed up your website and database before installing the plugin. The WordPress team are continually upgrading WordPress to ensure that it is as secure as possible so remember that the most important step that you can take to secure your site, is to ensure that you are running the latest version of WordPress.

Have a look at this excellent article on plugins and security issues.

Some plugins with known issues

• WordPress BackUpWordPress plugin Php File inclusion vulnerabilities 2007-11-06

• WordPress WP Photo Album Plugin “photo” SQL Injection 2008-02-20

• WordPress Search Unleashed Plugin “s” Script Insertion Vulnerability 2008-02-5

• WordPress DMSGuestbook Plugin Multiple Vulnerabilities 2008-02-05

• Wordspew Plugin for Wordpress “id” SQL Injection Vulnerability 2008-02-04

• WordPress WP-Footnotes Plugin “admin_panel.php” Cross-Site Scripting 2008-2-04

• WordPress WassUp Plugin “to_date” SQL Injection Vulnerability 2008-01-31

• WordPress AdServe Plugin “id” SQL Injection 2008-01-30

• WordPress WP-Cal Plugin “id” SQL Injection 2008-01-29

• WordPress Permalinks Migration Plugin Cross-Site Request Forgery 008-01-24

• WordPress WP-Forum Plugin “user” SQL Injection 2008-01-21

• WordPress PictPress Plugin “path” Disclosure of Sensitive Information 2007-12-07

• WP-FeedStats Plugin for WordPress Script Insertion Vulnerabilities 2007-07-27

• WordPress AdSense-Deluxe Plugin Cross-Site Request Forgery 2007-05-22

• WordPress wp-Table Plugin “wpPATH” File Inclusion 2007-05-02

• WordPress wordTube Plugin “wpPATH” File Inclusion 2007-05-02

• WordPress myGallery Plugin “myPath” File Inclusion 2007-04-30

• WordPress WP-DB Backup Plugin Directory Traversal Vulnerability 2006-08-15

• FeedBurner FeedSmith Cross-Site Request Forgery Vulnerability 2007-10-04

Here?s a list of plugins that you can install to make your WordPress blog more secure.

Want to be notified when there is a new post?

Checkout these related posts

• WordPress themes are a security risk!
• MySQL general security guidelines. Part 3.
• MySQL general security guidelines. Part 2.
• Scan your WordPress site with Goolag to detect and fix security holes.
• WordPress Plugins – another great WordPress Plugin every blogger should have