• The idea is just irresponsible.

    Many WordPress users are not experts in PHP. But by offering such a plugin you create the impression that it is no problem at all to include PHP code in a WordPress post or page. But this is of course not the case.

    Well – one may say that embedding PHP is only for the pros who know exactly what they do. But even pros can make mistakes, as we all learned with WordPress 4.7.1 and the broken REST API. And a “pro” should be able to create his own plugin to embed scripts in a safe way – e.g. as shortcode and within a separate namespace and not the global one etc.

Viewing 4 replies - 1 through 4 (of 4 total)
  • Are you:
    a) Reviewing the plugin?
    or
    b) Reviewing the fact that the WordPress.org team actually accepted and approved the plugin and made it available into the repository?

    Please understand that what you made was actually the irresponsible action.

    Thread Starter Arno Welzel

    (@awelzel)

    I reviewed the plugin – what else?

    And why is it “irresponsible” to rate a plugin low if it increases the risk of getting hacked because people may add poorly written PHP code to their posts or pages, or even attackers may hack a site because they manage to add a post with their own code as part of it?

    That the WordPress.org team allows such plugins in their repository – well – that’s another story and nothing to be discussed here.

    This is so wrong…

    Let’s all go to the biggest shop doors and forbid them to sell knives.

    You know? Knives kill people… Oh wait, people kill people… With knives…

    So whose fault is it? Is it the knife maker, the seller or the one who actually kills someone?

    To make it a bit short: The plugin directory is supposed to let people get here and have a right to choose, right?

    One should suppose that people who run self-hosted WordPress websites should know what they are doing.

    Oh no… You see, I need this plugin, but you don’t want it to be available, so I must not have the right to have it available, because you don’t want to.

    People here need to become a bit more neutral.

    If you don’t want to use the plugin, don’t.

    I would agree with you if a “WARNING” sign (and description) were added on the plugin’s main page, but a bad rating ‘just because’, I feel it’s just not right.

    Thread Starter Arno Welzel

    (@awelzel)

    If anyone needs to be able to run PHP code as part of WordPress posts or pages he should add one or more custom shortcodes, this is really not that hard:

    https://codex.wordpress.org/Shortcode_API

    Allowing PHP code without any restriction as part of posts and pages means there is no security at all! Any user of the respective WordPress site can add any code – even those who are only allowed to write posts and nothing else. InsertPHP just does a plain eval() of the shortcode content without any security check at all!

    And that’s my reason for giving a bad rating – because offering something which makes literally any security check in WordPress obsolete is nothing I can rate as “very good”.
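The reply above recommends a purpose-built shortcode through the Shortcode API instead of a shortcode that hands its body to eval(). The following is an added example, not code from this thread or from the InsertPHP plugin: it places the eval() pattern the thread describes (shown only for contrast and never registered) next to a shortcode where the author-controlled parts are treated strictly as data. The names `unsafe_eval_shortcode`, `site_greeting_shortcode` and the `site_greeting` tag are made up for this illustration.

```php
<?php
/**
 * Added example, not code from the thread or from the InsertPHP plugin.
 * Contrasts a shortcode that evaluates its body as PHP (the pattern the
 * thread objects to) with a purpose-built shortcode registered through the
 * WordPress Shortcode API, where attributes and body are data, not code.
 *
 * Usable from a small plugin file or a theme's functions.php.
 * The function names and the "site_greeting" tag are assumptions made here.
 */

// Pattern described in the thread (illustration only, deliberately NOT
// registered): anyone who can save a post runs arbitrary PHP in the server
// process, regardless of role, because the post body becomes code.
function unsafe_eval_shortcode( $atts, $content = '' ) {
    ob_start();
    eval( (string) $content );     // post content executed as PHP
    return ob_get_clean();
}
// add_shortcode( 'insert_php', 'unsafe_eval_shortcode' ); // intentionally absent

// Purpose-built shortcode: the logic lives in reviewed plugin code, and the
// only thing a post author controls is data, which is whitelisted and escaped.
function site_greeting_shortcode( $atts, $content = '' ) {
    // Only the attributes listed here are accepted; anything else is dropped.
    $atts = shortcode_atts(
        array(
            'name'  => 'visitor',
            'style' => 'plain',
        ),
        $atts,
        'site_greeting'
    );

    // Enumerated value: restrict to a fixed set instead of trusting input.
    $allowed_styles = array( 'plain', 'bold' );
    $style = in_array( $atts['style'], $allowed_styles, true ) ? $atts['style'] : 'plain';

    // Free-text attribute: strip tags and bound the length before use.
    $name = mb_substr( sanitize_text_field( $atts['name'] ), 0, 40 );

    // The enclosed body is text to display; it is never evaluated.
    $message = sanitize_text_field( (string) $content );

    $greeting = sprintf( 'Hello, %s!', esc_html( $name ) );
    if ( 'bold' === $style ) {
        $greeting = '<strong>' . $greeting . '</strong>';
    }

    $out = '<p class="site-greeting">' . $greeting;
    if ( '' !== $message ) {
        $out .= ' ' . esc_html( $message );
    }
    $out .= '</p>';

    return $out;
}
add_shortcode( 'site_greeting', 'site_greeting_shortcode' );

// In a post:  [site_greeting name="Arno" style="bold"]Welcome back.[/site_greeting]
// Renders:    <p class="site-greeting"><strong>Hello, Arno!</strong> Welcome back.</p>
```

The difference the thread is pointing at is visible in the two functions: with the first, a post body is a program and every capability check WordPress applies to roles is bypassed by whoever can publish; with the second, a contributor can only supply a name and a message, both of which are whitelisted, sanitized and escaped before they reach the page.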

  • The topic ‘Security Risk’ is closed to new replies.