Signing WordPress Plugins

Tags: ideas
Created: Sep 2, 2022 7:57 PM
Status: Done

This was a comment on Facebook in a discussion about security and vulnerability disclosures being ignored by third-party WordPress plugin developers.

Patrick Gallagher, WordPress plugins have one of the worst vulnerability notification-to-resolution times out there. There isn't a way to punish plugin vendors who are slow to respond aside from pulling their free plugin from the WordPress repository, and that's if they have a free version available.

Many platforms require some sort of security signing to install a third-party application with multiple levels of trust. I know Calvin Akn mentions this all the time; there needs to be a system for signing all plugins, even ones not on the WordPress directory. If a plugin isn't signed, it's considered unsigned, and you get a bunch of warnings about installing unsigned plugins.

When a vulnerability is discovered, it can be disclosed to the WordPress security team, and the clock starts ticking. If there's no movement or the issue isn't solved, then additional measures can be implemented. Disabling a plugin would be the last and final step before they could warn users with admin notices, emails, etc.

As for your own response time, it's a little easier when you control the code on your own servers. It's easier to manage security issues when you have a SaaS product. The attack surface on your customers' instances is tiny. You're only really going to be patching those due to other vendors' security issues (Ubuntu/Nginx/PHP/MySQL, etc.).
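As an added sketch of the scheme the comment describes (this is example code written for this note, not code from the comment, from WordPress, or from any plugin signing project), the Go program below signs a plugin package with Ed25519 over a sorted manifest of file hashes, verifies it against a site-local trust store with several levels (directory-signed, vendor-signed, unsigned, plus invalid for a signature that fails), and then applies a disclosure clock that escalates from allow to warn to disable. The "directory release key", the trust-store layout, the warn/disable thresholds, and the sample plugin files are all assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"time"
)

// TrustLevel is the outcome of checking a plugin package against the site's trust store.
type TrustLevel int

const (
	Unsigned        TrustLevel = iota // no signature shipped with the package
	Invalid                           // signature present but unknown signer or failed verification
	VendorSigned                      // verifies against a vendor key this site explicitly trusts
	DirectorySigned                   // verifies against the (hypothetical) directory release key
)

// Manifest renders the package as sorted "sha256  path" lines, so the signed bytes do not
// depend on the order the archive hands files back in.
func Manifest(files map[string][]byte) []byte {
	paths := make([]string, 0, len(files))
	for p := range files {
		paths = append(paths, p)
	}
	sort.Strings(paths)
	var out []byte
	for _, p := range paths {
		out = append(out, fmt.Sprintf("%x  %s\n", sha256.Sum256(files[p]), p)...)
	}
	return out
}

// Signature is the detached signature that travels with the plugin archive.
type Signature struct {
	Signer ed25519.PublicKey
	Sig    []byte
}

// Sign produces the detached signature over the package manifest.
func Sign(priv ed25519.PrivateKey, files map[string][]byte) Signature {
	return Signature{Signer: priv.Public().(ed25519.PublicKey), Sig: ed25519.Sign(priv, Manifest(files))}
}

// TrustStore maps hex-encoded public keys to the level a valid signature from that key earns.
type TrustStore map[string]TrustLevel

// Check verifies the signature over the files actually present, so one modified file in
// the archive drops the package to Invalid instead of passing on a stale manifest.
func (ts TrustStore) Check(files map[string][]byte, sig *Signature) TrustLevel {
	if sig == nil {
		return Unsigned
	}
	level, known := ts[hex.EncodeToString(sig.Signer)]
	if !known || !ed25519.Verify(sig.Signer, Manifest(files), sig.Sig) {
		return Invalid
	}
	return level
}

// Disclosure is the directory's record of a reported, still-open vulnerability in this version.
type Disclosure struct{ Reported time.Time }

// Action is what the installer does with the plugin on this site right now.
type Action string

const (
	Allow   Action = "allow"
	Warn    Action = "warn"    // admin notice, email
	Disable Action = "disable" // the last step, once the deadline is well past
)

// Policy is the escalation clock: an open disclosure is tolerated until WarnAfter, warned
// about until DisableAfter, and the plugin is disabled after that (thresholds are assumed).
type Policy struct{ WarnAfter, DisableAfter time.Duration }

// Decide combines the signature check with the disclosure clock (d == nil: nothing open).
func (p Policy) Decide(level TrustLevel, d *Disclosure, now time.Time) Action {
	if level == Invalid {
		return Disable // failed verification means a tampered or wrongly keyed package
	}
	if d != nil && now.Sub(d.Reported) >= p.DisableAfter {
		return Disable
	}
	if level == Unsigned || (d != nil && now.Sub(d.Reported) >= p.WarnAfter) {
		return Warn // unsigned stays installable, but never silently
	}
	return Allow
}

func main() {
	// Constructed sample: a two-file plugin signed with a fresh "directory" key, then tampered.
	_, dirKey, _ := ed25519.GenerateKey(nil)
	files := map[string][]byte{"plugin.php": []byte("<?php // v1.0"), "readme.txt": []byte("demo")}
	ts := TrustStore{hex.EncodeToString(dirKey.Public().(ed25519.PublicKey)): DirectorySigned}
	sig := Sign(dirKey, files)
	fmt.Println("verifies as shipped:", ts.Check(files, &sig) == DirectorySigned)
	files["plugin.php"] = []byte("<?php // v1.0 plus an unexpected change")
	fmt.Println("verifies after tampering:", ts.Check(files, &sig) != Invalid)
}
```

Invalid is deliberately treated as worse than Unsigned: an unsigned package makes no claim, while a signature that fails to verify means the archive was altered after signing or was signed by a key the site does not trust, which is exactly the case signing exists to catch. The disclosure clock is kept separate from the signature check so the directory can escalate on a plugin that is correctly signed but whose vendor has gone quiet.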