Viewing 12 replies - 1 through 12 (of 12 total)
  • I don’t think it’s really fair to view WordPress, itself, as having security issues if the security problems tend to be with the plugins. Security issues with the base WordPress system are issues with WordPress, itself, and should be the only issues considered when judging how good or bad WordPress is, as a software application.

    Thanks for posting the link to the article. Adobe Flash is a different beast since Flash exploits are exploits in the “base” software, developed by Adobe.

    I tend not to run many plugins in the WordPress sites I maintain and I tend not to have many security issues or successful breaks or exploits.

    Thread Starter mountainguy2

    (@mountainguy2)

    Thanks Tom, good point. Fairness in my opinion is not the issue here, being realistic is the issue. It’s somewhat of a “philosophical” issue. If WordPress is designed to function in a way that most if not virtually all users are forced to use plugins for basic needs, and the plugins repository is run as a branch of WordPress by the same people who create and provide the software that’s creating 20% (or, more?) of the websites in the world, then in my view any flaw with the plugin system is a WordPress flaw. I guess to be more specific it could be said that the company, Automatic, is the culprit behind the mess that the plugin repository has become, as well as the barrage of WordPress flaws and updates we’ve had to endure for years. MTN

    Andrew Nevins

    (@anevins)

    WCLDN 2018 Contributor | Volunteer support

    and the plugins repository is run as a branch of WordPress by the same people who create and provide the software that’s creating 20% (or, more?) of the websites in the world,

    It’s not though.

    Andrew Nevins

    (@anevins)

    WCLDN 2018 Contributor | Volunteer support

    I guess to be more specific it could be said that the company, Automatic, is the culprit behind the mess that the plugin repository has become, as well as the barrage of WordPress flaws and updates we’ve had to endure for years. MTN

    I think you’re confusing WordPress.com with the software distributed at www.ads-software.com. www.ads-software.com is an open-source project, completely separate from Automattic.

    Thread Starter mountainguy2

    (@mountainguy2)

    My bad, apologies. Not the first time them using the same name has confused me!

    To be fair, I continue to be confused because just a few days ago I was sitting here installing plugin software that had Automatic listed as one of the developers. As well as several months ago attempting to use the Automatic Vaultpress blog backup system…

    I guess proper terminology would be for me to say “perhaps a better term for the culprit would be www.ads-software.com, because they provide both the self hosted version of WordPress, as well as running the plugin repository” ??

    MTN

    Andrew Nevins

    (@anevins)

    WCLDN 2018 Contributor | Volunteer support

    perhaps a better term for the culprit would be www.ads-software.com, because they provide both the self hosted version of WordPress, as well as running the plugin repository

    No, this is an open source project run by volunteers, known as “the community”. The community develops, maintains and supports WordPress core and the plugins and themes that are distributed on www.ads-software.com.

    How bad are WordPress plugins? This is not a useful question and it can’t actually be answered. There are so many ways I could address your concerns, but I simply don’t have time to explain it.

    I encourage you to read up on better resources for understanding security and WordPress:
    https://www.ads-software.com/about/security/
    https://codex.www.ads-software.com/Hardening_WordPress
    https://blog.sucuri.net/category/wordpress-security/

    Thread Starter mountainguy2

    (@mountainguy2)

    Ok, thanks for taking the time to clarify. I totally understand that WordPress is an open source project done by volunteers. MTN

    Sorry I haven’t had any time to respond as I’ve been busy. ??

    From the standpoint of being realistic, I think it’s even more important to differentiate between _Wordpress_ issues, meaning issues with the WordPress core, and WordPress plugin issues. We occasionally hear about security fixes being made in the WordPress core and those are obviously “WordPress” issues. However, a poorly developed plugin isn’t the responsibility of the WordPress core developers/maintainers.

    It’s up to those choosing plugins to do proper research to determine if the plugin they’re interested in meets their standards to be deemed worthy of installing. The reality is, a lot of people either don’t know how to do the research or simply choose not to do any research before installing something that they think will enhance their site.

    I tend not to install many plugins in the WordPress sites I maintain, but that’s not to say I never look at the plugins that are available.

    Also, look at the sheer number of plugins that offer the same functionality. Different approaches to providing a feature or function that has value. Not all of them will be developed the same or with the same level of quality (or lack thereof, in some cases :)). So, it’s really up to the WordPress site maintainer to make better decisions about which particular plugins to install or not.

    Of course, we’re not talking absolutes here. I’m _not_ saying there will never be another security issue found in the WordPress core nor am I saying one shouldn’t install any plugins. I’m saying it’s important to be aware of the differences between an issue with the WordPress core and with any given plugin one chooses to install.

    Lastly, NONE of my comments directly apply to WordPress.com.

    Thread Starter mountainguy2

    (@mountainguy2)

    Tom, I understand what you’re saying. But to the average user, when the open source software contributors who operate www.ads-software.com control the plugin repository as well as providing WordPress, in my opinion most people are going to look at both things as being so intertwined as to be one and the same. I’m clear they are not, and that most plugins are third party (though some seem to be kinda vague about their association between Automatic and the open source side, such as the VaultPress backup plugin, or for that matter that strange Hello Dolly plugin that comes bundled with an install, or used to, anyway).

    In any case, I hope the plugin system is improved soon. As for WordPress, I’m sure we’ll see improvements soon, we’ve already had 8 versions in 2016 alone and I wouldn’t expect them to slack on the pace.

    MTN

    Andrew Nevins

    (@anevins)

    WCLDN 2018 Contributor | Volunteer support

    But to the average user, when the open source software contributors who operate www.ads-software.com control the plugin repository as well as providing WordPress, in my opinion most people are going to look at both things as being so intertwined as to be one and the same.

    Let’s get this clear:
    www.ads-software.com is just a domain that distributes the “WordPress” software. The domain is completely separate from the “WordPress” software and the volunteers that contribute to it. Who maintains the www.ads-software.com website and plugin repository is irrelevant.

    Andrew Nevins

    (@anevins)

    WCLDN 2018 Contributor | Volunteer support

    This is how security works with WordPress plugins:

    When the plugin is submitted to the repository, one or more volunteers review the plugin against a set of plugin criteria. If there are any issues, the plugin will not be accepted into the repository.

    The bit that can slip is that when a plugin is updated, there is no review process. It is wrong to assume that security vulnerabilities are all bugs in code; some vulnerabilities would not be picked up in a code review.

    Vulnerabilities are inevitable; you ought instead to focus on the response to vulnerabilities.

    When someone spots a security vulnerability in a plugin, they have a responsibility to report it to the Plugins team at www.ads-software.com (which reviews plugins). The Plugins team can escalate the problem and take action, such as revoking the plugin from the repository and even stepping in to fix the issue.

    I don’t understand where this topic is leading to.

    Thread Starter mountainguy2

    (@mountainguy2)

    Andrew, whatever the actual reality is, even the “About” on www.ads-software.com states that “Everything you see here, from the documentation to the code itself, was created by and for the community.”

    Perhaps there needs to be a better effort by the community to communicate just exactly who does what.

    That’s interesting about how the Repository works.

    As to where this topic is leading, I regard it as a discussion that’s useful, so thanks. Happy to let it fade out, but good it’ll be here in the archive to help folks such as myself get clear on what they’re getting into with plugins, etc.

    MTN

  • The topic ‘Just how bad is WordPress? Plugins?’ is closed to new replies.