Table of contents
Introduction
Plugin Check Plugin is the new tool, available to everyone, that lets you run automatic reviews of your plugin, flags the parts of your code that are not safe, and points out best practices. What is Plugin Check Plugin? It is a solution that performs automatic reviews of your plugin, analysing your code for possible vulnerabilities and security bugs, and also gives you suggestions on good practices and coding standards.
With it, you will be able to:
- Detect security issues: get alerts about sections of your code that could be insecure or vulnerable.
- Ensure code quality: get recommendations to improve and optimise your code, so that it follows the best practices of the WordPress community.
- Save time: automate reviews, so you can focus on what really matters: developing and improving your plugins.
- Integrate into your workflow: easily incorporate the tool into your development processes, so that each version of your plugin meets quality and security standards.
Improve your development by making Plugin Check Plugin an essential part of your workflow and discover how to keep your plugins at the forefront of security and efficiency.
Summary
Hi, I’m David Perez, passionate WordPress developer since 2010 and co-founder of Close Marketing and Development Agency, where I lead the technical area and develop plugins, mostly focused on Gutenberg. I’m also part of the WordPress.org plugin review team, thanks to Hostinger’s sponsorship, where I work to improve the security and quality of the ecosystem.
In this talk I wanted to present a tool that we are promoting from the community: Plugin Check Plugin (PCP). It is a free tool that allows you to automatically check the code of our plugins to detect vulnerabilities and bad practices. The interesting thing is that you can easily integrate it into your workflow and use it before submitting a plugin to the official repository or launching it commercially.
This project started in the WordPress Performance team, but now we are also very involved from the Plugin Review Team and the Meta team. In fact, since last September, all plugins that are uploaded to the repository are automatically reviewed using this tool, and in the future, so will plugin updates.
The number of plugins we receive has increased a lot: from about 120 to more than 250 per week. And although it was not a talk about AI, we also used artificial intelligence to check, for example, if the name of a new plugin conflicts with the 60,000 already existing ones.
During the session I did a small demo of how Plugin Check Plugin works: simply by installing it in our local WordPress environment, we select the plugin we want to check and the system shows us errors, warnings and suggestions, organized in categories such as security, performance or good coding practices.
We focus on two basic security measures that every developer should apply: sanitize the information we receive and escape any data before displaying it. Using just these two practices alone can prevent a large percentage of the most common vulnerabilities.
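The two measures just named, sanitize on input and escape on output, shown side by side as an added example (this is not code from the talk, from Plugin Check or from any plugin it reviewed): a form handler written without them, and the same handler hardened. It assumes it runs inside WordPress, where sanitize_text_field(), sanitize_email(), wp_unslash(), esc_html(), esc_attr(), esc_html__(), check_admin_referer(), wp_nonce_field() and $wpdb->prepare() are loaded; the table name pcp_demo, the text domain pcp-demo and the nonce action name are made-up placeholders.

```php
<?php
/**
 * Added example, not code from the talk or from Plugin Check.
 * Assumes the WordPress core functions named in the lead-in are loaded.
 * Table name, text domain and nonce action are placeholders.
 */

// --- Vulnerable version: raw request data is stored and echoed back. ---
function pcp_demo_vulnerable_handler() {
    global $wpdb;

    // Unsanitized input: whatever the browser sends is trusted as-is.
    $name  = $_POST['name'];
    $email = $_POST['email'];

    // Direct, unprepared query: user input is concatenated into the SQL string.
    $wpdb->query( "INSERT INTO {$wpdb->prefix}pcp_demo (name, email) VALUES ('$name', '$email')" );

    // Unescaped output: a <script> tag inside $name would run in the viewer's browser.
    echo '<p>Saved ' . $name . '</p>';
}

// --- Hardened version: the same handler with the checks PCP reports as missing. ---
function pcp_demo_hardened_handler() {
    global $wpdb;

    // Reject requests that do not carry a valid nonce (cross-site request forgery protection).
    check_admin_referer( 'pcp_demo_save', 'pcp_demo_nonce' );

    // Sanitize on input: undo the slashes WordPress adds, then apply the sanitizer for the type.
    $name  = isset( $_POST['name'] ) ? sanitize_text_field( wp_unslash( $_POST['name'] ) ) : '';
    $email = isset( $_POST['email'] ) ? sanitize_email( wp_unslash( $_POST['email'] ) ) : '';

    // Arrays are sanitized element by element; array_map covers a flat list of strings.
    $tags = ( isset( $_POST['tags'] ) && is_array( $_POST['tags'] ) )
        ? array_map( 'sanitize_text_field', wp_unslash( $_POST['tags'] ) )
        : array();

    // Prepared statement: values are bound through placeholders, never concatenated.
    $wpdb->query(
        $wpdb->prepare(
            "INSERT INTO {$wpdb->prefix}pcp_demo (name, email, tags) VALUES (%s, %s, %s)",
            $name,
            $email,
            implode( ',', $tags )
        )
    );

    // Escape on output, choosing the escaper for the context: HTML body text vs. an attribute.
    // esc_html__() is the escaped variant of the translation function, with its text domain.
    echo '<p>' . esc_html__( 'Saved', 'pcp-demo' ) . ' ' . esc_html( $name ) . '</p>';
    echo '<input type="text" name="name" value="' . esc_attr( $name ) . '">';
}

// The form that posts to the hardened handler carries the nonce field the handler verifies.
function pcp_demo_render_form() {
    echo '<form method="post">';
    wp_nonce_field( 'pcp_demo_save', 'pcp_demo_nonce' );
    echo '<input type="text" name="name">';
    echo '<input type="email" name="email">';
    echo '<input type="text" name="tags[]">';
    echo '<button type="submit">' . esc_html__( 'Save', 'pcp-demo' ) . '</button>';
    echo '</form>';
}
```

Run against the first handler, Plugin Check reports the unescaped echo and the unprepared query; the second handler is what clearing those errors looks like. The escaper must match the output context (esc_html() for body text, esc_attr() inside an attribute, esc_url() for an href), and an array can only be trusted after every element has been passed through a sanitizer.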
Finally, I shared real examples of known plugins that suffered serious vulnerabilities that could have been avoided by simply running the code through this tool. I also answered questions about how to use Plugin Check Plugin, how it improves security and some recommendations for further secure development.
Many thanks to all of you who attended. I hope you find this tool as useful as it is being for us in the review team.
Photos
Thanks to Paco Marchante
Transcript
All the talk
Presenter
Now let’s go with a series of mini-talks. The first turn is for David Perez, who has been a passionate WordPress developer since 2010 and is co-founder of Close agency, where he leads the technical area and develops plugins, with a special focus on Gutenberg. He has had a very active role in the WordPress community, participating in WordCamps, collaborating with WordPress TV Spain, and since 2023 he has been part of the plugin review team, contributing to improving its security and quality. And also, on a personal level, he organizes a solidarity race in Granada in honor of his father. In his talk, entitled “Develop in WordPress, more secure plugins”, David is going to introduce us to the Plugin Check Plugin. Is it called that? Yes, it is,
David
Plugin Check Plugin. A
Presenter
free tool that performs automatic code reviews of your plugins to detect vulnerabilities and suggest best practices. This solution allows you to improve code security and quality while easily integrating into your workflow, saving time and making it easier to comply with WordPress development standards. So, here we go.
David
Thank you very much. Well, good afternoon everyone. I’m going to tell you a little bit about a tool that we’ve developed from the community. It was a project initiated by the Performance team, which as you know is also doing a lot of things in the core of WordPress recently; in 6.8 a lot of little performance things went in. They started it, and along with us, the Plugin Review Team, we’ve put in a series of checks, as we call them, to detect issues in your code. When you make a plugin, either commercially or to put it in the official repository, if you send it to the official repository we do a manual review, also with an automated T, and above all that kind of checks that we do on the code you can do before. So, the good thing about this tool is that you can use it at any time, and we are going to see. I’m also going to show you how serious vulnerabilities in certain plugins could have been fixed very easily using this plugin. Also, giving you some tips that I want you to take away, at least, if you are developers. This team has also participated in this plugin. If you look in the official directory, it’s called Plugin Check Plugin or PCP. And the Meta team has also participated; if you don’t know, that is the team behind wordpress.org, and we are also there. So currently, since September last year, if you upload a plugin to the WordPress repository it is automatically verified by this plugin, so it is becoming very important. And there is a project, which is going to take a little bit, so that all WordPress plugin updates are checked too, because right now we are a reactive team, that is, when they ask us or send us a plugin, we check it. So the idea is that we are much more proactive, so that when there is any update of the plugin, it is reviewed by this plugin. So, we have a very consistent and reliable tool that will be used by the whole community sooner or later. If not voluntarily, as it is now, it will be forced, because otherwise the plugin update will not come out.
Well, as you can see it is not an AI talk, but it is true that we are using more and more AI, and there are just a couple of AI touches left because it was not fully thought out. But well, just to let you know a little bit: the plugins that we review when they are sent to us, we are finding that from last year to this year the average weekly plugin submission has doubled. Last year it was about 100, 120 and now it’s about 250. In fact, yesterday was one of the records this year, about 45 plugins sent. It’s usually on Thursdays or Fridays, yesterday or the day before yesterday. And what we are using the AI for a lot is also, when you send a plugin with a very generic name, to check against all the 60,000 plugins that we have published in our repository that it does not conflict in name. So we’re using it quite a bit. How does this plugin work? We’re going to do a little demo and we’re going to show how it works, if it gives us time, because we have to go very quickly. First we install it on our WordPress. Obviously this is to use it in our local environment. When we have our local environment, we install the plugin plugin-check-plugin, and along with our development we can analyze the code. It has different categories. We have a lot of checks. And those checks are grouped by categories that are not exclusive. I mean, there can be… You can check the security, and maybe in the plugin repo category, which is the one that we use and the one that is enabled by default, they also have all the security checks. They are not exclusive, but they are focused. So, then they say, well, I want to get security in. So, if you have a commercial plugin or you have a client plugin and you’re also interested in, for example, auditing the performance side… Accessibility I don’t recommend because it’s very green; there are not a lot of accessibility checks. So you can hit it and it will list a series of issues on your plugin, okay?
Okay, those checks that warn us are performed dynamically or statically, or based on the standard coding styles. Static means that according to the code as it is, it reads the PHP and automatically tells you the problems that are found in that check, and dynamic is that it executes code. It executes code and expects a variable, and on that it will tell you if they should be correct or not. So, there are a lot of them. We currently, and over here I have Fran Torres, who is the main person involved in our checker that we have, Internet Scanner, as we call it, when we receive a plugin and we check it, we have a tool, approximately there will be about 200, right? Roughly. Yes, we had… how many? 200 or so already, we lose control, it is not counted. Well, out of those 200 or so, and apart from the manual process that we carry out, we have been able to get about 83 so far. That is, not all of them are carried out by the team, but a large part, 83 are quite a lot. And of that, there are times when we are not quite sure what the machine is doing. That is to say, it tells us no, especially the security check when they are POST requests, etc. Well, as we are not very sure, we put it at a little less demanding level so that it does not, as I was saying, block the upload of a plugin. So, there are about 31 errors, 24 warnings and standard coding rules. I wanted to quickly go over, and I want to go into a little bit of how it’s used, so that you get a little bit of this tool that works great, the main tools. These are the checks that we currently have. We do translation checks. Currently, if we want plugins to be translatable, there are a number of functions where we then have to put the domain of that translation. All those checks. Then there can also be code injections through those functions, so we also check that the safe or escaped version is used.
This also, as you may know: no code obfuscation is allowed in the WordPress repository. This also helps a lot with security because you don’t have code running that you don’t know about. That’s critical for us, and we actually flag it and give it as an error if you use any type of base encoding or any type of file, for example executables, .bat. You’ll say, well, who puts in a .bat, an .exe or a .sh? There are a lot of people who do. That is totally blocked, besides the libraries that are used for development. For example, we can put in our Composer libraries that are used to audit our code, to run PHPUnit, and so on. Well, all these libraries should not go in a final plugin. That’s why we give strategy and we give help. The headers, the typical thing, if you’ve published… Who here has a plugin in the WordPress repository? Do you want to raise your hand? One, two. Well, I encourage you to publish because you learn a lot. And I have a few myself. And above all, the model that is working very well is freemium. Well, on the one hand, free in its entirety, or freemium. And when we upload a new version, in the readme header you have to put a version and it has to be the same as the PHP header. It’s a simple thing, but this is already warning you. And here I am going to go into a little bit more detail on security measures, which are, in the end, 80% of the security measures: when it receives information, it sanitizes it, and when you execute code, when it echoes, it escapes. That is one of the main principles of security and in that sense we are going to see a little bit. This is here thanks to the Coding Standards tool, which, if you don’t know it, is a repository that analyzes our code. We can even implement it in our code editor and it does like, for example, in Word, which gives you a little red line if the code is wrong.
I also use it a lot for the code style, when we have a work team, so that not everyone writes in one way or another, the code looks uniform; we can even have customized rules for the team, because maybe the arrays, I like the closed arrays with the little brackets, and the standard code gives you an error, so you can customize it. They are little things like that that they have, in code style and in many more checks. For example, the subject of SQL. I’m going to show you how to report serious vulnerabilities in known plugins. I’m going to put the questions together with… Oh, okay, okay, perfect. More checks, and we go a little bit into direct database requests. They always have to go with prepare. And well, here are a few more performance ones. I’ll leave them on the slide, on the WordCamp website. Above all I want to go into detail about two checks that you always have to do when you work with your plugins. Especially sanitize. Sanitize means that, for example, if we have a form, we have an input, when that form is executed, the information that comes to you should be sanitized. It has to be sanitized. There are different functions when it comes to sanitizing and what they do is that they decompose it, so that there is no code that is executable or that stores malicious code. They decompose it. So in summary there are many types of sanitizing functions; for example, if we get an email, sanitize_email. They have certain rules, but in the end the main one is sanitize_text_field, and if there is an array, you have to go through the whole array and do sanitize_text_field on each value of the array. Then this and the next one, well, these
three. Sorry, the next one is the escaping, which is when we echo a script, a title; we’ll have to pass it through a WordPress function called esc_html, that’s the basic one, and then we can use it. What it does is that it does not execute malicious code. With those two functions, if you know them well and you use them massively, the code is going to be much more secure. You can use it with WP-CLI, you can use it as a GitHub Action. I highly recommend this because we can do automated T on our plugin when we make a release or a pull request and it is analyzed by plugin-check-plugin. And to finish, here it says thank you very much, but not yet. To finish, I wanted to show you, because many times we talk about security and we think it’s something complicated and it must be something very sophisticated. And I wanted to show you first how Plugin Check Plugin works. As you see, more or less, when we install it, it gives us an option in Tools, Plugin Check, and gives us a select of the plugins that we have installed in our installation. As you can see, well, it is more or less simple: I choose the plugin and I give it to check it. The plugin repo category is the one that is indicated by default; that for me is more than enough. And look at this: this is a fairly well-known plugin, and it has this number of results to be fixed. Here, as you see, they have an error; these have to be fixed, it tells you. But there is a burger below that tells you the file and the line, and well, with the line it’s enough, and it gives you the typical error check. You can even see it in the editor if you want to see it, and this was done at the time. It gives you a guide on how to fix it and more information on how to fix it. So as you can see, here you have a lot. And I wanted to go into detail, and this is just to finish. Here we have, there are several security companies, one of them is Patchstack, and they do some reports on plugins.
The plugin team, where we have a small sub-team that is security, receives those reports and notifies the authors. This is what Patchstack does: it notifies us and, with a reasonable amount of time, it says to the author, hey, fix this patch. Unfortunately they don’t always fix it, but hey, and they don’t make it public until it’s fixed. Here, for example, we see that version 2.26, the minor version of 2.26, has a fairly serious vulnerability, which is cross-site scripting, code execution. Even notice that it gives us a little bit more detail of the vulnerability. This plugin is called vpSocialWidget. How would we have fixed it? If the author had used this tool, it would have automatically told him that he should have been escaping certain functions. And notice that it doesn’t happen once, it happens many times. Using this tool and leaving it clean, especially the errors; the warnings are for you to say, is this right or wrong? Because as there is no manual process that we can recommend, it is true that there is a little bit of criteria on how we can solve it. So, well, the report is quite large, this is a bit worrying. It can also help us to audit the security of certain installations. Hey, maybe we are interested in, I am going to pass you the plugin, and if it is a known plugin I will send it to the author. Hey, the authors are usually involved in making this work, so they are interested in making it as secure as possible. So yes, from there, to know, here for example the one that I was saying about cross-site scripting, that is only associated with not using the escaping. This one, for example, is vulnerable with SQL; that is a plugin that is called order splitter that apparently, what it does is, I think, that it splits the orders.
And here in order splitter we give it, and indeed you will see that if they had used this tool, apart from having escaped, which here for example has translation, it would also have found that. Now it is not going to come out because there are a lot of incidences, but if we look for it here, you are seeing that it has used a query and it has not used prepare, which is what sanitizes in some way the variables that we bring to it, so that they enter directly in an SQL query. Because if they had used our tool they would not have had this problem. And finally, of aposar widget I have taken three, more or less, that I saw, some put as priority, another as high priority, because here if we see the one of dashboard, well, the time that is an example, it is not to use it and to leave it running. Well, here as you see, because this one was cross-site request forgery, this one I don’t know, this one I don’t know, this one as well, as here escaped. As you see, almost all the security, in one
Presenter
very high percentage
David
high it is sanitized and escaped and the nonsense that did not have the detail to count it but also help a lot because if you have any question
Question 1
Does the plugin that you have shown us only serve to check the security of a plugin, or does it also serve to check the security of any code that you
David
insert? Only for plugins.
Question 1
First you convert your code to a plugin
David
private. You remember
Question 1
from the conversation before and then you check it out I noticed that all the ones you put have a lot of security holes is that the case with all of them?
David
I hope not. I mean, this is searched well, but we don’t have it right, we don’t know exactly. What we have is, as I say, our team works reactively: when we have notifications from users, we analyze the code and close the plugin, to say, cut the bleeding.
We tell the author to fix it, and as soon as he makes an update it is done, as for a community, usually, it is usually
Question 1
ok and finally if
David
detected
Presenter
errors
Question 1
He reported them to the author and he doesn’t get them.
David
damn it, use another plugin
Question 1
use another one yes yes yes just
David
a
David
ti
Question 2
Good, mine is more a recommendation than a question. I have used the plugin since you announced it; it has already thrown a plugin back at me.
David
we are going to run away
Question 2
no, actually it’s three silly things but I haven’t had time to correct them
David
post
Question 2
a new one but I will give you a recommendation.
David
Paco was around here too, taking pictures when
Question 2
you get an error alert
David
is
Question 2
I think that sometimes the recommendations that you give to solve it are true, from my point of view,
David
are not at all no
Question 2
they are not all clear and do not go straight to the point, that is to say
David
it
Question 2
we are
David
talking about the
Question 2
the problem is with the escaping, so take me to the escaping, tell me, of course.
David
because it sends you
Question 2
the best thing is a gigantic documentation
David
than
Question 2
I don’t really like it either
David
solve it
Question 2
go to
David
That in the internal channel we do have it done; in fact it is done with an example, we show you where, what line. In Plugin Check we do not have it, but well, I take the suggestion and we will work on it. In fact I encourage you, on GitHub, if you look for it, to open your own issue, and well, there are people from Google, from those very big companies, that are very interested in the topic.
Question 3
hello I really like the tool but also
David
I think
Question 3
in a hacker you are also giving the information of how to hack no
David
Well, don’t think so, because really, I mean, we are always ahead in the sense of looking for possible holes. Let me make a quick simile: in my office building there was a robbery, and where did the ones who went to steal go? Well, to the office that had no alarm. I mean, the plugins that care about making new security patches are normally going to have fewer attacks; they go where they have it easier. Then
Question 3
you can’t really
David
do, if you could see, hey, and in these plugins some
Question 3
beach and not so I see I look it up and
David
Clear, indeed, well, I don’t know, clear. The auditor says, look, this plugin has a hole, yes, yes, yes, they also have their own tools. Then you tell me. There you go, thank you very much. Thank you very much.