Last week, the WordPress team fixed a pretty nasty bug and released version 2.8.4 of their blogging engine. Prior to that, version 2.8.3 fixed a security bug in version 2.8.2 which was a security update for version 2.8.1 which itself fixed a number of security issues in version 2.8. The WordPress team has certainly been busy!
With such a strong record of fixing flaws, WordPress’s security does not worry me. What worries me are all the WordPress plugins…
Part of WordPress’s popularity has to do with its robust library of plugins. Rather than design the platform to be all things to all people (which would probably make it nothing to anyone), the WordPress team chose to make it very simple while allowing others to write plugins to solve problems as needed. That’s why WordPress can be the basis for some of the world’s biggest blogs, photo journals, and even e-commerce sites!
Plugins are certainly a blessing, but they’re also a curse. Anyone can write a plugin to solve just about any need, which is great for flexibility. On the other hand, a plugin may have only one or two authors who lack the security and bug-fixing prowess of the WordPress team. While the WordPress core code has “many eyes” watching it carefully for problems, there are so many plugins that it’s impossible to imagine more than a few eyes having considered the code behind each one.
WordPress is a core product of Automattic, a company which has a vested interest in creating a solid product. Plugins could be written by anyone for a variety of reasons including solving a problem, learning something new, or simple boredom. A plugin with a serious bug might be fixed “whenever,” and that’s only if the original developer hasn’t lost interest and moved on to other projects.
There are a lot of ways to overcome these issues, but I want to get some community feedback first. We’ve all worked with software that uses plugins (web browsers are a great example), and some of you may have even designed or tested plugin platforms. What are your thoughts about ways to keep plugins from turning into bug and security nightmares while still letting the core software be flexible?
I’ll follow up with another post in a few days with my own thoughts as well as your suggestions. Comment below, or drop us an email at marketing AT utest DOT com.