• Resolved darkpixel

    (@darkpixel)


    What can be done to prevent a plugin developed by a 3rd party from maliciously leaking sensitive data?

    For example, say I install an ill-intentioned plugin that sends my wp-config.php to a malicious site.

    I guess this kind of protection needs to be provided by either the webserver or the OS. Ideally a way to block all incoming/outgoing connections to the Internet from within the plugin folder. Is there a way to accomplish that?

Viewing 4 replies - 1 through 4 (of 4 total)
  • Kartik Shukla

    (@kartiks16)

    Hello,

    Maybe you can try https://www.ads-software.com/plugins/health-check/ it helps to identify if there is anything critical or if any plugin or theme is creating an issue.

    Give it a try and see if that helps.

    Thank you!

    Thread Starter darkpixel

    (@darkpixel)

    Hey there, thanks for the quick reply.
    The plugin you suggested looks good for general protection, but it won’t protect plugins from leaking data out.
    I guess what I’m looking for is to have all plugins behind a “firewall” for both incoming and outgoing connections. This way I can whitelist certain plugins, allow connections to certain servers, ports, etc.

    catacaustic

    (@catacaustic)

    There’s nothing like that available at this point.

    The best thing that you can do is only install plugins from trusted sources that have been reviewed and tested (like this site of course).

    The simple way to do it is… if you can’t/don’t trust the plugin or the developers behind it, don’t install it. There will always be something else that will work for you.

    Thread Starter darkpixel

    (@darkpixel)

    @catacaustic thanks, I was afraid of that.

    Definitely I only install plugins that have many good reviews and come from the WP plugin site, but it’s too much trust to give full access to a site to 3rd party devs.

    I guess for now I’ll try to set up docker to restrict internet access.

  • The topic ‘How to protect a WordPress site from malicious plugins?’ is closed to new replies.
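
Added example, not posted by anyone in this thread and not WordPress core code: a must-use plugin that allowlists outbound hosts for requests made through the WordPress HTTP API and logs which plugin file attempted a blocked one. The file name, function name and host list are assumptions. It is not the per-plugin firewall asked about above: plugin code runs in the same PHP process, so it can remove this filter or open cURL/socket connections directly, and containment still has to come from the OS, web server or container.

```php
<?php
/**
 * Plugin Name: Egress allowlist (added example)
 * Assumed location: wp-content/mu-plugins/egress-allowlist.php
 */

// Hosts the site may contact. Constructed sample values; adjust per site.
const EXAMPLE_EGRESS_ALLOWED_HOSTS = array(
    'api.wordpress.org',
    'downloads.wordpress.org',
);

/**
 * Short-circuit any WordPress HTTP API request whose host is not allowlisted.
 * Returning a WP_Error from 'pre_http_request' stops the request before it is sent.
 */
function example_egress_filter( $preempt, $parsed_args, $url ) {
    $host = strtolower( (string) wp_parse_url( $url, PHP_URL_HOST ) );

    if ( '' !== $host && in_array( $host, EXAMPLE_EGRESS_ALLOWED_HOSTS, true ) ) {
        return $preempt; // Allowed: let WordPress continue normally.
    }

    // Find the first stack frame inside the plugins directory so the
    // log entry names the plugin file that attempted the request.
    $caller = 'unknown';
    foreach ( debug_backtrace( DEBUG_BACKTRACE_IGNORE_ARGS ) as $frame ) {
        if ( isset( $frame['file'] ) && 0 === strpos( $frame['file'], WP_PLUGIN_DIR ) ) {
            $caller = $frame['file'];
            break;
        }
    }
    error_log( sprintf( 'egress blocked: host=%s caller=%s', $host, $caller ) );

    return new WP_Error( 'egress_blocked', 'Outbound request blocked by allowlist.' );
}
add_filter( 'pre_http_request', 'example_egress_filter', 10, 3 );
```

WordPress core also reads the `WP_HTTP_BLOCK_EXTERNAL` and `WP_ACCESSIBLE_HOSTS` constants from wp-config.php, which apply a similar restriction with the same limitation: only requests made through the HTTP API are covered.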