Re: [LUG] Wordpress plugins was Re: DCGLUG Website glitch

 

On Sat, 6 Feb 2021 at 19:57, Simon Waters <simon@xxxxxxxxxxxxxx> wrote:
> And good luck with your request. I like Wordpress a lot, but its very
> design means that any plugin that is broken can stop Wordpress in its
> tracks.  Devs are very aware of this but have never been able to protect
> Wordpress core from its plugins. They're both Wordpress's biggest strength,
> and its biggest weakness.

> In this instance the PHP files in the plugin didn't pass the PHP parser due to
> use of short tags for PHP. I suggested PHP's "syntax-checking" option could be
> an SVN checking hook for ".php" files, since they use Subversion for release
> management of plugins and that would at least ensure that PHP files can be
> parsed without error, but the Plugin lead didn't seem keen.

There's no release checking for plugins other than what their own devs do; they're entirely separate from WordPress core. WP devs have long taken the view (correctly in my opinion) that WordPress plugins are nothing to do with WordPress core. If people want to add them, great, but you get to hold all the pieces when it breaks.
 
> I was pleasantly surprised that the WordPress instance emailed me to tell me
> it was broken, but I didn't find that email till after I'd picked up the
> down monitoring alert and fixed it, and it feels like release checks are far
> too weak.

What release checks? On core? But that didn't break. On the plugins? What resources would WordPress have to check and test every plugin that's released? (And please don't suggest relying just on automated checks - they're easy to work around.)

> I fear WordPress plugins should be treated a bit like browser extensions, they
> are useful, but you have to trust the authors, so use them sparingly and with
> focused purpose.

Totally, and that is by far the biggest mistake users of WordPress make. A typical new site owner has all the restraint of a particularly spoiled child in a very well stocked and unguarded sweet shop. "Ooh, shiny, click! More shiny, click! Click!" and they install all kinds of badly written, insecure - and nearly always pointless - plugins that they then forget about.

But you can't blame /WordPress/ for that, other than perhaps making it easy to install a plugin.
 
> There are some basic issues with WordPress which can't readily be fixed.

The big one is that plugins can change every aspect of WordPress. They can hook into pretty much every stage of rendering a page, and if any of that returns invalid PHP, it's generally game over. If WordPress prevented plugins from touching its core aspects, most of the plugins around today would stop working.

> The lack of content security policy is a nagging one for me, as I do a very basic
> security plugin and people want it to do CSP, but CSP really requires every
> plugin author to declare what resources they use. I can hack a CSP in place
> but it will be either too broad to be useful or fragile and break stuff.

> I'm not sure an architecture that protects you from rogue plugins is
> desirable, as I suspect it could be too unwieldy for plugin authors or make
> plugins less useful.

There are probably a hundred other CMSes around that do offer greater security, robustness and control than WordPress. They're not as popular, nor do they have as much support (or plugins), because they're harder to use. (Plus WordPress has a solid and easy to understand funding model.)

That's pretty much why I said "Good luck", because those very design decisions that caused your site to crash are what's made WordPress so immensely popular.
 
> However a plugin that declares some sort of contract including CSP resources
> would at least make it practical to enforce further controls. Such a contract
> would include: endpoints, resources, possibly more on the URLs. The idea that you
> can exploit any upload vulnerability to dump a file randomly in a plugin
> directory and it just works seems very noughties (as in 2000-2009). WordPress

Well, you can also go through their plugin marketplace and do it in a few clicks.

But adding files to the filesystem under ../plugins is extremely common, even in many enterprise products. I don't think I agree with you that it's dated; it's a common and widely used way to add bespoke content to a framework. It's no less secure than any other method, unless somebody's messed up the file permissions. Or the box has been compromised and someone with evil intent has root. If that's the case, having them install a plugin into WordPress is probably only one of your problems.

S
-- 
The Mailing List for the Devon & Cornwall LUG
https://mailman.dcglug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq
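Simon's suggestion of running PHP's syntax check from a Subversion hook, written out as an added example (this is not code from the thread, from WordPress.org's plugin repository, or from any real hook). One caveat worth knowing: `php -l` honours the interpreter's short_open_tag setting, so a plugin that uses `<?` can pass the lint on a box where short tags are off (the `<?` block is simply treated as literal text) and then fail to work on a real site. The script below therefore scans for short open tags itself, skipping strings and comments inside PHP blocks the way the lexer would, and additionally runs `php -l` with short_open_tag forced off when a php binary is on PATH. The sample plugin text, the script name and the hook invocation are constructed for illustration.

```python
#!/usr/bin/env python3
"""Pre-commit style check for PHP plugin files (added example, hypothetical).

Flags PHP short open tags ('<?' not followed by 'php' or '=') and, when a php
binary is available, also runs the interpreter's own syntax check (php -l).
Intended to be called from an SVN pre-commit hook with the changed .php paths.
"""
import re
import shutil
import subprocess
import sys

# The two open tags that are always recognised regardless of short_open_tag.
OPEN_TAG = re.compile(r"<\?(php\b|=)", re.IGNORECASE)

# Constructed sample plugin, not a real plugin: line 3 and line 4 contain '<?'
# in a string and a comment (harmless), line 7 is a genuine short tag, line 8
# is the always-valid '<?=' echo tag.
SAMPLE_PLUGIN = """<?php
/* Plugin Name: Example (constructed sample, not a real plugin) */
echo "<? this is a string, not a tag ?>";
// a comment that mentions <? but is still inside the PHP block
function hello() { return 1; }
?>
<div><? echo hello(); ?></div>
<?= hello() ?>
"""


def find_short_open_tags(src):
    """Return 1-based (line, column) pairs of '<?' used as a short open tag.

    Outside a PHP block every '<?' that is not '<?php' or '<?=' is a short tag.
    Inside a PHP block, quoted strings and comments are skipped so a literal
    "<?" in an echo is not counted, and '?>' only closes the block when it is
    real code (or sits in a line comment, which PHP also treats as a close).
    Heredoc/nowdoc bodies are not handled; they are rare in plugin code.
    """
    hits = []
    i, n = 0, len(src)
    in_php = False
    while i < n:
        if not in_php:
            j = src.find("<?", i)
            if j < 0:
                break
            m = OPEN_TAG.match(src, j)
            if m:
                i = m.end()
            else:
                line = src.count("\n", 0, j) + 1
                col = j - (src.rfind("\n", 0, j) + 1) + 1
                hits.append((line, col))
                i = j + 2  # with short_open_tag=On the lexer enters PHP mode here
            in_php = True
            continue
        c = src[i]
        if c in "'\"":  # skip a quoted string, honouring backslash escapes
            q, i = c, i + 1
            while i < n and src[i] != q:
                i += 2 if src[i] == "\\" else 1
            i += 1
        elif src.startswith("/*", i):  # block comment
            end = src.find("*/", i + 2)
            i = n if end < 0 else end + 2
        elif c == "#" or src.startswith("//", i):  # line comment; '?>' ends it
            nl = src.find("\n", i)
            close = src.find("?>", i)
            if close >= 0 and (nl < 0 or close < nl):
                in_php, i = False, close + 2
            else:
                i = n if nl < 0 else nl + 1
        elif src.startswith("?>", i):  # real close tag, back to inline HTML
            in_php, i = False, i + 2
        else:
            i += 1
    return hits


def php_lint(path):
    """Run 'php -l' with short tags disabled; None when no php binary is on PATH."""
    php = shutil.which("php")
    if php is None:
        return None
    proc = subprocess.run([php, "-d", "short_open_tag=0", "-l", path],
                          capture_output=True, text=True)
    return proc.returncode == 0, (proc.stdout + proc.stderr).strip()


def check_file(path):
    """Return a list of human-readable problems for one file (empty means clean)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        src = fh.read()
    problems = ["%s:%d:%d: short open tag '<?'" % (path, ln, col)
                for ln, col in find_short_open_tags(src)]
    lint = php_lint(path)
    if lint is not None and not lint[0]:
        problems.append(lint[1])
    return problems


if __name__ == "__main__":
    # Hook usage (hypothetical): check_plugin.py a.php b.php ...; a non-zero
    # exit status is what makes an SVN pre-commit hook reject the commit.
    bad = [p for path in sys.argv[1:] if path.endswith(".php")
           for p in check_file(path)]
    print("\n".join(bad))
    sys.exit(1 if bad else 0)
```

Run against the constructed sample, the scanner reports exactly one problem, the `<?` on line 7, and leaves the string literal, the comment and the `<?=` tag alone. In a real hook you would feed it the paths from `svnlook changed`; an `<?xml` prologue in a template will also be reported, which is the right call, since that is precisely what breaks when short_open_tag happens to be on.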