Marcin Probola conducted a PHP static code analysis of the top ~1000 WordPress plugins, and the results showed that 103 plugins contained at least one vulnerability type (XSS, SQL injection). This is roughly 10 percent! Marcin Probola writes that the scan results were manually verified in his spare time and delivered to the official email@example.com address from 04.07.2015 to 31.08.2015. Most of the reported plugins have already been patched; some have not. Plugins that are vulnerable and not patched have been removed from the official WordPress plugin repository.
You can find Marcin Probola's list here; it is an interesting read. Kudos for this one!
WordPress, in its Codex, provides many functions and a lot of information about input and output sanitization and about hardening WordPress, and plenty of information about secure PHP programming, SQL injection, Cross-Site Scripting (XSS) and so on is freely available on the Internet.
Therefore I don’t understand why so many plugins are written so poorly. Is it time? Money? Knowledge? Functionality? Who knows… Enlighten me! :-)
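To show what the audit's two vulnerability types look like in plugin code, and how the Codex functions mentioned above remove them, here is an added example (not code from this post or from any of the audited plugins): a search shortcode written first with the defects, then hardened. The function names and the `q` request parameter are hypothetical; the code assumes it runs inside WordPress (global `$wpdb`, the `esc_*` and `sanitize_*` helpers).

```php
<?php
// Added example, not from the post or any audited plugin. Assumes it is
// loaded by WordPress, so $wpdb, sanitize_*, esc_* and add_shortcode() exist.

// VULNERABLE: raw request data is concatenated into SQL and echoed into HTML.
function example_search_vulnerable() {
    global $wpdb;
    $term = $_GET['q'];                                   // untrusted, never sanitized
    $sql  = "SELECT post_title FROM {$wpdb->posts} WHERE post_title LIKE '%" . $term . "%'";
    $rows = $wpdb->get_col( $sql );                       // SQL injection: $term is part of the query text
    $out  = '<p>Results for: ' . $term . '</p><ul>';     // reflected XSS: $term lands in HTML unescaped
    foreach ( $rows as $title ) {
        $out .= '<li>' . $title . '</li>';                // stored XSS if a title contains markup
    }
    return $out . '</ul>';
}

// HARDENED: sanitize on input, bind SQL parameters, escape on output.
function example_search_hardened() {
    global $wpdb;
    // A missing parameter is a normal case; wp_unslash() undoes WordPress' magic-quoting.
    $term = isset( $_GET['q'] ) ? sanitize_text_field( wp_unslash( $_GET['q'] ) ) : '';
    if ( '' === $term ) {
        return '<p>No search term given.</p>';
    }
    // esc_like() keeps % and _ literal inside LIKE; prepare() binds the value as a string.
    $like = '%' . $wpdb->esc_like( $term ) . '%';
    $rows = $wpdb->get_col(
        $wpdb->prepare( "SELECT post_title FROM {$wpdb->posts} WHERE post_title LIKE %s", $like )
    );
    // Escape at the point of output, for the context (HTML text) the value lands in.
    $out = '<p>Results for: ' . esc_html( $term ) . '</p><ul>';
    foreach ( $rows as $title ) {
        $out .= '<li>' . esc_html( $title ) . '</li>';
    }
    return $out . '</ul>';
}

add_shortcode( 'example_search', 'example_search_hardened' );
```

The sanitize step alone is not enough: `sanitize_text_field()` does not make a value safe for SQL or HTML, so the prepared statement and `esc_html()` on output are each still required.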
My name is Jan. I am not a hacker, coder, developer, programmer or guru. I am merely a system administrator, doing my daily thing at Vevida in the Netherlands. With over 15 years of experience, my specialties include Windows Server, IIS, Linux (CentOS, Debian), security, PHP, websites & optimization.