Quality of WordPress Plug-Ins: An Overview of Security and User Ratings


Upload: petri-ihantola

Post on 01-Nov-2014


DESCRIPTION

Slides from my SocialCom-PASSAT 2012 presentation: Teemu Koskinen, Petri Ihantola, Ville Karavirta (2012). Quality of WordPress Plug-Ins: An Overview of Security and User Ratings. In: SOCIALCOM-PASSAT ’12: Proceedings of the 2012 ASE/IEEE International Conference on Social Computing and 2012 ASE/IEEE International Conference on Privacy, Security, Risk and Trust. Washington, DC, USA: IEEE Computer Society, pp. 834–837. ISBN: 978-0-7695-4848-7. doi: 10.1109/SocialCom-PASSAT.2012.31

TRANSCRIPT

Page 1: Quality of WordPress Plug-Ins: An Overview of Security and User Ratings

Teemu Koskinen, Petri Ihantola, and Ville Karavirta, Aalto University, Finland

Quality of WordPress Plug-Ins: An Overview of Security and User Ratings

Page 2

The Problem: Do plugin ratings predict the amount of implementation-related vulnerabilities in WordPress plugins?

Page 3

Data collection and analysis

1. Download a set of random plug-ins.
2. Collect their download statistics and ratings from wordpress.org.
3. Use the RIPS vulnerability scanner to detect potential vulnerabilities.
4. Compare the number of potential vulnerabilities and vulnerability densities to the star ratings.

We also reviewed some potential vulnerabilities to find out if those are real.
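A worked example of steps 3 and 4, added here as an illustration and not the authors' code or data: each plugin record carries the scanner's finding count and its lines of PHP, the density is findings per KLOC, and the finding count and density are rank-correlated (Spearman's rho, implemented by hand so the script needs only the standard library) against the average star rating. The eight plugin records, their slugs and all numbers are constructed sample data; the summary keys are names chosen for this example.

```python
"""Vulnerability density vs. star rating (constructed worked example).

Mirrors the slide's method: a static scanner (RIPS in the paper) reports a
number of potential vulnerabilities per plugin; that count is normalised by
lines of PHP code to a density, and both are compared against the plugin's
average star rating from wordpress.org using a rank correlation.
"""
from dataclasses import dataclass
from typing import Dict, List, Sequence


@dataclass(frozen=True)
class PluginStats:
    slug: str
    loc: int            # lines of PHP code in the plugin
    findings: int       # potential vulnerabilities reported by the scanner
    downloads: int
    rating_count: int   # number of user ratings on wordpress.org
    avg_rating: float   # average star rating (1..5)

    @property
    def density(self) -> float:
        """Potential vulnerabilities per 1,000 lines of PHP (KLOC)."""
        return self.findings / self.loc * 1000.0


# Constructed sample data: slugs and numbers are made up for this example.
SAMPLE: List[PluginStats] = [
    PluginStats("alpha-forms",  4200,  9, 120000, 90, 4.6),
    PluginStats("beta-gallery", 1500,  0,  35000, 40, 4.8),
    PluginStats("gamma-seo",    9800, 31,  80000, 55, 3.9),
    PluginStats("delta-cache",  2300,  2,  50000, 30, 3.6),
    PluginStats("eps-contact",   900,  6,  15000, 12, 4.5),
    PluginStats("zeta-widgets", 3100,  0,   8000,  5, 4.1),
    PluginStats("eta-slider",   6700, 14,  60000, 48, 4.7),
    PluginStats("theta-stats",  1200,  1,   4000,  3, 4.3),
]


def ranks(values: Sequence[float]) -> List[float]:
    """1-based average ranks; tied values share the mean of their positions."""
    order = sorted(range(len(values)), key=lambda i: values[i])
    out = [0.0] * len(values)
    i = 0
    while i < len(order):
        j = i
        while j + 1 < len(order) and values[order[j + 1]] == values[order[i]]:
            j += 1
        avg = (i + j) / 2 + 1          # mean of the 1-based positions i+1..j+1
        for k in range(i, j + 1):
            out[order[k]] = avg
        i = j + 1
    return out


def pearson(x: Sequence[float], y: Sequence[float]) -> float:
    """Pearson correlation; 0.0 when either series is constant."""
    n = len(x)
    mx, my = sum(x) / n, sum(y) / n
    sxy = sum((a - mx) * (b - my) for a, b in zip(x, y))
    sxx = sum((a - mx) ** 2 for a in x)
    syy = sum((b - my) ** 2 for b in y)
    if sxx == 0 or syy == 0:
        return 0.0
    return sxy / (sxx * syy) ** 0.5


def spearman(x: Sequence[float], y: Sequence[float]) -> float:
    """Spearman's rho = Pearson correlation of the two rank vectors."""
    return pearson(ranks(x), ranks(y))


def summarise(plugins: Sequence[PluginStats]) -> Dict[str, float]:
    """Aggregate the sample the way the results slides do, plus the correlations."""
    clean = [p for p in plugins if p.findings == 0]
    downloads = sum(p.downloads for p in plugins)
    ratings = sum(p.rating_count for p in plugins)
    stars = [p.avg_rating for p in plugins]
    return {
        "plugins": len(plugins),
        "downloads": downloads,
        "ratings": ratings,
        "loc": sum(p.loc for p in plugins),
        "findings": sum(p.findings for p in plugins),
        "plugins_with_findings": len(plugins) - len(clean),
        "clean_share": len(clean) / len(plugins),
        "ratings_per_100_downloads": 100.0 * ratings / downloads,
        "rho_rating_vs_count": spearman(stars, [p.findings for p in plugins]),
        "rho_rating_vs_density": spearman(stars, [p.density for p in plugins]),
    }


if __name__ == "__main__":
    for p in sorted(SAMPLE, key=lambda q: q.density, reverse=True):
        print(f"{p.slug:14s} {p.findings:3d} findings  {p.density:6.2f}/KLOC  {p.avg_rating:.1f} stars")
    for key, value in summarise(SAMPLE).items():
        print(f"{key:26s} {value}")
```

On this constructed sample both correlations come out slightly negative (around -0.08 for the count and -0.11 for the density), which is the shape of result the slides describe: a rating carries a little information about scanner findings, but not enough to rank plugins by. Density is the fairer of the two measures because a large, well-rated plugin accumulates findings simply by having more code.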

Page 4

Preliminary Results

Sample of 322 plugins
• total of 3,792,711 downloads
• total of 2,783 user ratings
• 179,393 lines of PHP code

860 potential security bugs were discovered from 127 plugins.

Page 5

Preliminary Results

60.6% of the plug-ins were “clean” and most of the others had only a few vulnerabilities.

Page 6

Preliminary Results

3,792,711 downloads and 2,783 ratings: only 7 ratings/reviews for every 100 downloads.

Page 7

Preliminary Results

Ratings are not good at explaining the amount or density of the vulnerabilities, although there is a weak negative correlation.

Page 8

Preliminary Results

Light manual review revealed real problems in a popular (>4k downloads) plugin.

Page 9

Conclusions

"Based on our findings, we are confident that there are real risks involved when using third-party plug-ins on a WordPress site. Many plug-ins appeared not to be vulnerable, but as the user ratings and download counts do not assist in finding secure plug-ins, proper inspection should be done by static analysis or manual review before using any plug-in on a WordPress site. The cost of software development and fast schedules in the industry make installing plug-ins an attractive solution, but we hope our findings encourage developers to take the time to inspect the code before using it."

Page 10

Page 11

Photo credits:
http://www.flickr.com/photos/simonehudson/6101238497
http://www.flickr.com/photos/striatic/229531275/
http://www.flickr.com/photos/23950335@N07/6032357954
http://www.flickr.com/photos/kareneliot/2710464400
http://www.flickr.com/photos/21572939@N03/2090542246/

Ladybug photo © Kimmo Roimela, used with permission.

Thank you!