How to Check if a WordPress Plugin is Secure

When you install an arbitrary WordPress plugin, you are opening up your blog to security issues.

Every plugin intercepts the delivery of your blog to the web browser. At various points while the web page is being built, plugins are affecting the page that your visitors end up seeing.

Plugins can do almost anything to your blog including deleting it completely, so it pays to be aware of the implications of simply installing any plugin.

There are 4 aspects to a plugin:

1. Activation
2. Running code as a web page is rendered
3. Admin
4. De-activation

Activation is where the plugin may create extra database tables and maybe schedule timed events.

But on de-activation, does the plugin remove these again? This is the first check: see whether the plugin contains code to remove itself entirely when you de-activate it.

To look at the code, you can go to the Plugins->Edit area and search for anything regarding deactivation.

Running the code is where anything can happen in response to events during the delivery of the web page. WordPress works by diverting to the plugin code each time it comes across what is known as an activation hook for which a plugin has registered a function. A common one is the "content" hook, fired when the post is about to be printed to the web page, so at that point the plugin can modify the page content as it pleases.

A worst-case scenario would be a plugin that displays some unwanted ad only when you are not the one viewing the page (your IP address doesn't match).

But the highest security risk is probably in the admin area.

This is where the plugin's options are set.

The most basic form of security is to confirm that the visitor is allowed access to the admin area.

A very simple piece of PHP code for this is: if ( is_admin() ) { do this }

So a plugin should use this kind of code to restrict access to the admin features of a plugin.

Then, to actually change options via the admin area, there should be a check that the request came from the expected page, and a unique access key that propagates from the submit form to the processing page. This key is generated temporarily and tracked while the admin user is logged in.

In WordPress terminology this is called a NONCE, which stands for Number used Once.

So in evaluating plugins in terms of security:

Look for signs of good coding intent: the author implemented the NONCE scheme, has deactivation code in place, and restricts access to the admin area.
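As an added example (not code from the original post or from any real plugin), here is a minimal plugin file that puts all three checks in one place: activation with matching deactivation code, an is_admin() guard around the admin features, and a NONCE on the settings form. All option, cron and function names are constructed for this example. It also adds a current_user_can() capability check, because is_admin() by itself only tells you the request is for an admin screen, not that the visitor is allowed to change settings.

```php
<?php
// Plugin Name: ESS Example (hypothetical plugin; all names constructed for this example)
const ESS_OPTION = 'ess_settings';
const ESS_CRON   = 'ess_hourly_cleanup';
const ESS_NONCE  = 'ess_save_settings';

// Activation: create the state the plugin needs (an option and a scheduled event).
register_activation_hook( __FILE__, function () {
    add_option( ESS_OPTION, array( 'greeting' => '' ) );
    if ( ! wp_next_scheduled( ESS_CRON ) ) {
        wp_schedule_event( time(), 'hourly', ESS_CRON );
    }
} );

// Deactivation: undo everything activation did, so nothing lingers after removal.
register_deactivation_hook( __FILE__, function () {
    wp_clear_scheduled_hook( ESS_CRON );
    delete_option( ESS_OPTION );
} );

// Admin features are only wired up for admin requests.
if ( is_admin() ) {
    add_action( 'admin_menu', function () {
        add_options_page( 'ESS', 'ESS', 'manage_options', 'ess', 'ess_render_page' );
    } );
    add_action( 'admin_post_ess_save', 'ess_handle_save' );
}

function ess_render_page() {
    $opts = get_option( ESS_OPTION );
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="ess_save">';
    wp_nonce_field( ESS_NONCE ); // emits the _wpnonce field plus _wp_http_referer
    echo '<input name="greeting" value="' . esc_attr( $opts['greeting'] ) . '">';
    submit_button();
    echo '</form>';
}

function ess_handle_save() {
    // is_admin() only says "admin request"; the capability check says this user
    // may change settings, and the nonce ties the request to the form they were shown.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', 403 );
    }
    check_admin_referer( ESS_NONCE ); // dies on a missing, forged or expired nonce
    $greeting = sanitize_text_field( wp_unslash( $_POST['greeting'] ?? '' ) );
    update_option( ESS_OPTION, array( 'greeting' => $greeting ) );
    wp_safe_redirect( admin_url( 'options-general.php?page=ess&updated=1' ) );
    exit;
}
```

When reviewing a plugin in the Plugins->Edit area, these are the pieces to search for: register_deactivation_hook, is_admin, current_user_can, and wp_nonce_field paired with check_admin_referer (or wp_verify_nonce).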
