Good for you doing the research.
Yes, of course it’s a security risk. I say “of course” because all serious software that interacts in any way with the Internet is a security risk, including WordPress itself. With that statement, I’m a bit of an alarmist. But when even governments can’t keep their data safe, one just needs to determine the level of security they’re comfortable with and live life.
When an alarmist says something is a security risk, they can do so with smugness, knowing they’re right, always right. But they also know that, perhaps subconsciously, if they fail to say exactly why something is a security risk, then they really are nothing more than alarmists.
This is why Insert PHP is a security risk: Anyone who has access to your WP dashboard (including guest authors if they have any level of access) can insert PHP code into posts and pages. PHP code can wreck things and it can fix things. It can help and it can harm. So the first thing is to secure your dashboard as well as you can. Use a long password with a mix of character types.
If an unauthorized person has access to your WP dashboard, then there’s more to worry about than just one plugin. They can do anything you can do, but for their own reasons.
It comes down to this: If you’re uncomfortable with Insert PHP, then don’t use it. It may be good to trust your instincts after doing as much research as it’s reasonable for you to do.
Will
We’re currently running ‘Summer of Pwnage’. One of the participants noticed that with this plugin enabled any user with role Contributor or higher can run arbitrary PHP, which is normally only possible for Administrators. It may be good if the plugin allows you to control who is allowed to run PHP.
E.g., have a setting in the plugin and, when parsing the shortcode, check who the author is and what roles they have.
Yes, anyone with access to the WP dashboard that can create or update posts or pages can use the Insert PHP plugin if it’s installed and activated.
Will
So there are no plans to change this design? Or maybe add a security warning?
It is not a security issue of Insert PHP’s. It is a security issue of the operator of the WP installation. Saying or implying otherwise doesn’t make it otherwise. It is clear in the Insert PHP description, or at least clearly implied, that WP dashboard access is how to use Insert PHP. If certain people or categories of people are not to have access to Insert PHP, then either remove those people from the dashboard or uninstall Insert PHP. You are welcome to hire a programmer to restrict the use of Insert PHP to certain people or categories of people or do it yourself; Insert PHP is open source; it is also short, succinct, and easily readable by proficient PHP programmers. But I am unwilling to suffer the opportunity cost of upgrading free software for a special use case.
Will
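The check suggested in the Summer of Pwnage post above (gate the shortcode on the post author's role rather than on whoever happens to be viewing the page) is small enough to sketch. What follows is an added illustration, not the Insert PHP plugin's code and not something Will posted. It assumes a shortcode tag of `insert_php`, a default capability of `manage_options`, and a filter name `gated_php_shortcode_cap`; all three names are hypothetical. Because shortcodes run at render time for every visitor, the decision is made on the post's author (and, since Editors can modify other people's posts, on the last editor recorded in the `_edit_last` meta key), never on the current viewer.

```php
<?php
/*
 * Capability-gated PHP shortcode. Illustrative code, not the Insert PHP
 * plugin's own. Hypothetical names: shortcode tag 'insert_php',
 * default capability 'manage_options', filter 'gated_php_shortcode_cap'.
 */

/**
 * May the PHP embedded in this post run? Decided from who wrote it,
 * not from who is viewing it: the shortcode executes for every visitor.
 */
function gated_php_shortcode_allowed( WP_Post $post ) {
    // Site owners can swap the capability (e.g. 'unfiltered_html');
    // the filter name is an assumption of this example.
    $cap = apply_filters( 'gated_php_shortcode_cap', 'manage_options' );

    // The post author must hold the capability. Contributors/Authors never do.
    if ( ! user_can( (int) $post->post_author, $cap ) ) {
        return false;
    }

    // An Editor can edit an Administrator's post and slip PHP into it,
    // so the last user who saved the post must qualify too.
    $last_editor = (int) get_post_meta( $post->ID, '_edit_last', true );
    if ( $last_editor && ! user_can( $last_editor, $cap ) ) {
        return false;
    }

    return true;
}

/**
 * Shortcode handler: evaluate the enclosed PHP only when allowed.
 */
function gated_php_shortcode_handler( $atts, $content = '' ) {
    $post = get_post();
    if ( ! $post instanceof WP_Post || ! gated_php_shortcode_allowed( $post ) ) {
        // Do not echo the blocked source to visitors: snippets often contain
        // credentials. Tell people who can edit the post why nothing rendered.
        if ( current_user_can( 'edit_post', $post ? $post->ID : 0 ) ) {
            return '<!-- insert_php blocked: author lacks the required capability -->';
        }
        return '';
    }

    // Same mechanics as a typical eval-based shortcode: capture anything
    // the snippet prints and return it as the shortcode output.
    ob_start();
    try {
        eval( $content );
    } catch ( Throwable $e ) {
        ob_end_clean();
        return '';
    }
    return ob_get_clean();
}

add_shortcode( 'insert_php', 'gated_php_shortcode_handler' );
```

Two points worth keeping in mind if you adapt this: on multisite the `unfiltered_html` capability is reserved for super admins, which is why the default here is `manage_options`; and the gate only decides whether the snippet runs at all, so a Contributor can still save a post containing the shortcode, it simply renders as nothing until an Administrator has authored or last saved it.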