Skip to main content
February 14, 2013

Plug ‘n Play's Promiscuous Culture

Are You Playing with Promiscuous Plugins?Platforms like WordPress and Drupal have made publishing and building a web site a breeze, but plug’n play has led to lots of buggy code. Is it time for secure alternatives?

I’m a big fan of WordPress, the amazing and flexible content management platform that makes setting up a sophisticated, classy Web site available to anyone who can use a keyboard and mouse. The most amazing thing about the platform and others like it - including Drupal, Moveable Type - is the incredible diversity of add-ons and plug ins that allow you to integrate cool new features without any coding. This is a huge improvement from the days when building a sophisticated web site required intimate knowledge of HTML as well as scripting languages like Javascript, PHP and - ideally - SQL and other database programming tools.

The appeal of this is undeniable. WordPress is the choice of millions of small time bloggers and online opinionaters. But it also powers some of the Web’s most prominent sites, including, and

So what’s the downside? Well, like anything else, the very popularity of these platforms makes them easy targets for malicious actors. Why while away your precious time trying to poke holes in some bespoke, custom content management system when finding an exploitable hole in a WordPress plugin might give you the keys to hundreds of thousands -even millions of sites that use that platform?

Back in 2011, for example, three popular WordPress plugins - AddThis, WPtouch and WP Total Cache) were found to have had malicious backdoors added to them, giving unknown attackers the ability to run malicious code on the same server running WordPress. WordPress's team caught the changes and pulled the plug-ins, then encouraged all users to change their password and update their plugins.

As recently as December, W3 Total Cache, was in the news again, after it was discovered to be leaving cached web site content available for browsing using specially crafted search queries.

What gives? Well, in one sense: this is the price of convenience. Most WordPress plugins are offered free of charge and, often, you’re getting what you paid for. Even extremely popular plug-ins like W3 Total Cache might be written as a side project by a single developer working out of his or her home, not a fully staffed development shop with quality assurance, customer support and the like.

And, as with other online application marketplaces (Google Play, Apple’s AppStore), the sheer volume of plug-ins can make it difficult to do meaningful security audits on any one. There’s no security rating system that WordPress uses to differentiate plug-ins and no easy way to assess the underlying quality of any given plug-in - nor even whether it does what it is billed to.
In short, Caveat emptor is the word of the day in WordPress, as in so many other areas.

The question now is: in a market that’s characterized by free stuff that works, can you make a case for free stuff that works and that’s secure, also?

In a blog post yesterday, Veracode’s Fergal Glynn started that conversation by releasing SmartShare, a Veracode tool that’s a secure alternative to the ubiquitous social plug-ins that are used to allow blog readers to link posts they enjoy out to a wide range of social networks.

These kinds of tools are incredibly useful but, Glynn told me, often link blindly to a dizzying array of web properties and, as a result, can be vulnerable to manipulation or attack. The SmartShare plugin, in contrast, offers secure links to a limited range of reputable (but popular) social networking sites. It doesn’t do user tracking, its hosted locally and its code was audited thoroughly for security holes. Veracode is now offering the tool for free to the world along with other security tools: DNS checker and AdiOS - a tool for checking whether mobile apps are tapping into your personal information and contacts.

Of course, the problem of vulnerable applications and code re-use is bigger than buggy social sharing applications. But sounding the alarm about software vulnerabilities is only of so much value if vendors don’t respond. And vendors won’t respond if there’s not a safer, more secure place for concerned web publishers or web surfers to go to. This is a small step - but a step in the right direction.

Related Content

Paul Roberts is an experienced technology writer and editor that has spent the last decade covering hacking, cyber threats, and information technology security, including senior positions as a writer, editor and industry analyst. His work has appeared on NPR’s Marketplace Tech Report, The Boston Globe,, Fortune Small Business, as well as ZDNet, Computerworld, InfoWorld, eWeek, CIO , CSO and He was, yes, a guest on The Oprah Show — but that’s a long story. You can follow Paul on Twitter here or visit his website The Security Ledger.

Love to learn about Application Security?

Get all the latest news, tips and articles delivered right to your inbox.