As a member of the WordPress community for the past 10+ years I’ve seen the growth of WordPress and seen a steady backlash of concern for the security of the platform. As a technologist I’ve seen the world of security go from an afterthought to being the first question that is asked. However given the recent uncovering, by the Wordfence security plugin team, of the dubious activities by a WordPress plugin maintainer over the course of 4.5 years it’s very obvious that more focus on security is required by both the WordPress Core team and the community.
Given that I’m currently working on a new plugin, and I just listened to a recent WP-Tonic podcast discuss the subject, I couldn’t help but start to think about the future of WordPress security.
My thoughts quickly went to the world of DevOps and Continuous Integration & Deployment. One of the major pieces of DevOps is automated testing. I could easily see a future where all plugins and themes wouldn’t be accepted to the repo without a testing suite to accompany it. Running the automated tests, and looking at the code coverage for those tests, could begin to shine a light security issues. I’d like to think that reading through the test suite would help a review team understand the intent of the developer(s). Also, it would seem that malicious attempts might be more easily be caught as well. Using something like code coverage could even help to classify plugins and themes by their “quality”. Sure this may seem to be a larger technical hurdle, writing a test suite, but in today’s development environments I see automated testing as no longer something that is optional.
I also saw WP Tavern‘s article that WP-CLI is looking to expand their checksum security measures to plugins and themes.
While this is something that is wildly used in the Open Source Software world there are many, like Security Now‘s Steve Gibson, that see this practice as a false sense of security and one that can easily be falsified.