This is Room One, and you are in the session Evaluating Plugins: Strategies to Effectively Extend WordPress, presented by Kathy Zant. For 20 years, Kathy has built web applications for large Fortune 100 corporations, independent entrepreneurs, and everyone in between. Kathy has worked with a number of technologies but feels most at home working with web-based, standards-driven applications such as WordPress. She is passionate about making complex technology easily accessible for everyone, and Kathy loves WordPress for reasons too numerous to list here. She currently works for Wordfence, where she's done everything from operations to site cleanings, and focuses on helping enterprise customers manage security. She currently lives in Phoenix, Arizona, but her heart resides in Mount Shasta, California. Please give a good welcome to Kathy Zant.

Hi guys, thanks for coming to my talk about evaluating plugins. How many of you have installed a plugin from the repository? How many of you have purchased a plugin from a source other than the repository and installed it on a site? Cool. And how many of you have written a plugin? Awesome. Wow, so we've got a good group here. We're going to talk today a little bit about the power that's behind WordPress, and that's plugins. I've been dealing with data-driven websites for a pretty long time. I started blogging and developing data-driven sites about the same time. The original blogging tools that came out didn't use a database, but WordPress came along and was using a database. I said, this is the way to do it, because what the other blogging tools were doing was generating all of these HTML files, so managing these sites became very, very difficult. So having a database actually managing the site content behind the site made a lot of sense. At the time, there were no plugins. I had one plugin called Hello Dolly, which I think you guys have all seen on your fresh installs of WordPress.
And the idea behind plugins had been planted, but not fully explored the way it is today. I have been working for Wordfence for the past few years. I started cleaning sites. I thought that sounded fun. It was a lot of fun. And then I moved into doing a number of different things. I've seen some things, and from my work there I've learned a lot about why plugin management is important. And I wanted to share that with you all today.

So our goals today are to learn some strategies to really extend WordPress. I mean, what did WordPress start out doing? It was a blogging platform. It was not designed initially to be a data-driven website that was having commerce happen, and all kinds of other things. But with the power of plugins, WordPress really turned into the ability for small site owners to develop data-driven sites that really extended the power of what they can do. So we're going to look at which plugins are right for the job. If a plugin is high quality, if it's actively being developed, will it last? Because once you plug a plugin into your site, you start entering data into the system. And so extracting that data and bringing it into a new system can be kind of difficult. So it's important to evaluate a plugin before you make a commitment, kind of like getting married. So we'd like to also look and see if plugins are safe. And we'll have some fun with some plugin horror stories.

So what is a plugin? Now you've probably seen themes and plugins as ways to customize WordPress. Themes typically deal with the layout of the site and what it looks like to the end user that's visiting your site. Whereas plugins, generally speaking, deal with extending functionality. They can also add to your site's layout, however. So what can a plugin do? There's an adage in the WordPress world: there's a plugin for that.
Of the most popular plugins, some of the functionality that's added are contact forms, search engine optimization, making your site more friendly for Google, e-commerce, anti-spam, backup plugins, and also security. Those are the top plugins in the repository right now. So plugins, like we said, are something that turned a basic blogging platform into a fully functional data-driven website that supports your business. A plugin brings your site to life, much like Frankenstein's Monster. And of course, with that power comes great responsibility. I mean, playing with fire basically can start a fire and keep your home warm in a wood stove, or it can burn your house down. So what happens on your site is your responsibility. And so you have to make good decisions based on good data, so that what you are installing on your site basically becomes your responsibility. Just because somebody else wrote this code doesn't mean that you're not responsible for your site. You're basically taking this code that somebody else has created, putting it on your site, basically putting another room on your house, and you're going to have to clean that room. You're going to have to make sure that room is secure. You're going to have to make sure that that room is well taken care of. It's all about performance. What will a plugin do for you? Will it do what it says it's going to do? And will it do no harm?

So speaking of monsters, at Wordfence, we look at a lot of security issues. And an issue came up, it was about last year, with a man named Mason Soiza. What we started to see in our site cleaning business was that a plugin that was in the repository had not only backdoors in it, but it had a number of links to spammy sites. Doing a little bit of research behind what was happening there, it was all pointing to certain domains. And obviously, doing some domain research, we figured out that it was all pointing to one person, Mason Soiza.
This individual was in the UK, and he had a number of very spammy businesses and was making a lot of money. And these plugins were in the repository. So if you went to the repository and you found one of these plugins and you had it on your site, and you updated it after he had purchased it and installed all of his backdoors and spammy content, your site was driving Mason Soiza's business. The community is a wonderful thing. And the repository is a wonderful thing, because some of the people who had this plugin were noticing oddities happening on their site, and so it was reported to the community as a whole. And at Wordfence, we started researching this individual and really started connecting all the dots. Mason has his own problems, because he is now part of an investigation. And we have some breaking news today. Aren't you glad you're here? Sorry. And my CEO from Wordfence, Mark Maunder, is here in the room. And he knows more about what's happening today with the news story that broke with the Times of London. So I'd like to call him up to tell you a little bit about what's happened with Mason and the research that we've done and what Mason has been trying to do. This illustrates to you some of the importance of looking at the plugins that are on your site and being a part of this community within WordPress in order to understand what can impact your business. Mark.

Thanks. Working with Kathy, she was amazing. So just to give you some background with Mason, we haven't disclosed this in the past, but when we published our research on him, we were contacted by a person in the UK who had worked with police regarding Mason and some of the things that he was doing, marketing pharmaceuticals online. He's actually a pharmacist. And we ended up reaching out to the FBI in Seattle, and they referred us to National Cyber Crime in the UK.
And they got us to collaborate with West Midlands Police to give them as much data as we could regarding this particular threat actor. And we did that and then kind of left the law enforcement folks to do their job. And nothing came of it, unfortunately. And he's done some pretty bad things. The plugins that he purchased and took ownership of, he was using them to inject ads for payday loans and for escort services in the UK. And one of those ads for the escort agency ended up on a school website in the UK, which is obviously not good. So he's not a good chap, but so that's what happened. And then we kind of left that, and we published some pretty extensive research on him.

But a professor from UCLA who I've been in contact with in the past, from the law school over there, contacted me today and pointed me to an article in the Times of London that came out, I think it was today, talking about how this guy has been forging Supreme Court orders from the UK, sending them to Google to try to get our research de-indexed, among other content, which is very flattering. And I think in the article it says that he claims that it's actually a company that he hired that was doing that. So my guess is law enforcement in the UK is probably already aware of that, and if they're not we'll certainly make them aware of it, and one of them is probably going to get into a lot of trouble. But that's the update, that's what we learned today, and it was kind of interesting. And on my Twitter feed, and I think Wordfence kind of retweeted it, we've got links to the articles there, including the fake Supreme Court order. So that's one of the worst threat actors that I would say we've encountered, and I must say it's tremendously gratifying to see the difference that's being made. BBC's Panorama did an investigation into Soiza and his pharmaceutical business about a year after we published our research on him. So we're pretty happy about that. So bringing things like this to light, I think, does good.
And as Kathy was pointing out, if you're a plugin author, it's worth considering very carefully who you transfer ownership to if you plan to sell your plugin or give it away. You're giving that new author access to all of the websites that run your plugin. You're essentially giving them remote code access on all of those sites. So with that, I'll hand it back to Kathy.

Thank you, Mark. That really illustrates, you know, WordPress powers what? A third of the internet, almost? It's a huge target. Your site is a part of that target if you have a WordPress site or multiple WordPress sites. Guys like this are chomping at the bit, drooling at the exposure that they can gain by just basically exploiting plugins. So that's why it's so important for us to take a look at our plugins, pay attention to what's happening with them, pay attention to our site, and evaluate our plugins. Some of the plugins that Mason had had over 300,000 installs. So he was driving a lot of traffic towards his sites and is still active, so it's something to watch out for. And the plugin team, you know, they're a bunch of volunteers. They are much like the contributors here at WordCamp Seattle. They are working out of the goodness of their hearts to watch the plugin repository and make sure that it's safe, to make sure your sites are safe. And that's one of the reasons that community powers WordPress. I mean, our company does some things. We keep an eye on things as well. Other security companies keep an eye on things too. But it's really the power of the community that helps keep things safe. So you're part of it, and that's why we have this presentation.

So, the types of plugins. The repository is open source. So there's about 56,000 free and open source WordPress plugins. Some examples that you can find and install on your site: Contact Form, Duplicate Post, WP Super Cache are just some of the examples. Some freemium plugins are also available on the repository.
These are free plugins, but they also have a premium portion so that plugin authors can, you know, basically keep the lights on. Yoast, Smush, UpdraftPlus, which is a backup plugin, and Wordfence are all freemium plugins. The majority of the plugin is free to use, but there is a premium unlock code that will unlock additional functionality. There are also premium commercial plugins, and they are not in the repository. They're only available after you purchase them. Commercial sources like ThemeForest and CodeCanyon are some examples of where you can get those plugins. And then there's a plugin type, nulled plugins. Has anybody ever seen a nulled plugin? A nulled plugin is a freemium or premium plugin, something that you can get off CodeCanyon or a freemium plugin that's available on the repository, but it's unlocked. And these are a trap, because usually when we find these plugins, they have backdoors, spam links. They're compromised, but they've been taken by a threat actor. They've been put on a website in Google for, you know, plugin name, free, unlocked, something like that. You can find these nulled plugins, but you need to be extraordinarily careful, and I would advise against using those.

So do you get what you pay for? Not necessarily. I mean, you've got these plugins from the repository that are open source and completely free that you can install on your site. Paid plugins don't have visibility in the marketplace. They don't have visibility with security researchers. Our security researchers download these plugins all the time and are looking for vulnerabilities within them, and we'll talk later about how you can do that too. Not all paid plugins are bad, but you are reliant upon yourself to do the due diligence and investigate whether or not that plugin is safe. So it's really up to you. You know, we talked about how plugins are basically your responsibility. You're basically taking someone else's code and taking ownership of it in your house, on your site.
So with the repository plugins, you have an entire community behind you in terms of investigating whether or not that plugin is safe and good. But the paid plugins are a little bit different, which leads us to another horror story.

So I was doing site cleaning and this site comes in and it's hacked to the teeth. It's just really a mess. And one of the things that we do in our site cleaning business is we look for the intrusion vector. So how did they get in, basically? So I'm looking through the log files of all these accesses, and I see all this malware access happening, and then I come to an access called remote tunnel.php. And before that, there's no malware accesses whatsoever in the log file. So I'm like, better look at this file and see what's going on with this. And it was a paid plugin. And well, developers don't like to talk to end users, because then they have to ask difficult questions like, what version of PHP are you using? What version of MySQL are you using? You know, parameters about your hosting environment. And users often don't know the answers to those questions. So this guy, or these guys, wanted to find the answers out themselves. So every one of their plugins had remote tunnel, and they had a password in there. But it was the same password on every site. So on one site, God knows where, they got that password, they found our client's site, and they used that same password to basically install a backdoor and get into the rest of the site and basically take it over. So now, if this plugin was in the repository, what do you think would have happened? Somebody would have found it a lot faster, because you can download any plugin, the zip file from the repository, unpack it and look at the files and see what's in there. But with these paid plugins, you have to purchase it before you can actually see what you're getting.
So with the paid plugins, and that's not to say that all paid plugins are bad, but it does miss the element of community that WordPress brings to plugins. So when you're researching plugins, there's some search phrases you can use, like plugin name hacked or vulnerability, or plugin name broke or broken, or slow site performance. If you've ever tried to do this, it's a lot of work. Thankfully, we've got the repository.

So this sidebar that you see in the white here is on every single plugin repository page. So on it, you can see things like when it was last updated, the active installations, and what version it was tested up to. So this is an older screenshot, but it shows you that this version of this plugin was tested up to version 4.9.8, and you can also see what the ratings are. There's also a link here for advanced views, so you can look and see additional metrics about that particular plugin. So you can tell a lot of things. You can tell if this plugin is being updated, if it's been tested, if it's being supported, and if it's loved by the community. I wouldn't say any one of those factors is the most important thing. I'd say all of those factors taken into consideration together give you an accurate picture of what a plugin is going to do for you.

So here's a plugin from the repository, Limit Login Attempts. At the top, you can see that the plugin has not been updated for quite some time. So you look further. It's got an alert, like a yellow bar. I'm not sure if you can see it on the screen there, but there's a yellow bar that basically tells you it hasn't been updated for the last few versions of WordPress. It says it was last updated six years ago, but it still has 2 million installs. So is this plugin safe? It's not being actively maintained. It's not being tested. We don't know of any security problems with it. I may have this on a site somewhere. Still, I don't know of any problems with it. WordPress 5 is coming out in a few weeks.
Is this going to work with WordPress 5? You just cannot trust that it's going to be forward thinking in terms of how it's going to work for your sites. So if you start seeing things like this, you have to be cautious about what you're installing on your site and see if it's going to work for you long term.

Here's another plugin that had a 5-star review, but if you start looking at the support comments here, you see that the support requests on the forums are not being answered. And people are asking if it's dead, if it's being supported at all, and over a year nobody's answered any of these questions. So you see that it's not being supported and it's not being updated. But it's got 5 stars. It's almost like an Amazon review.

Another thing to look at is the change log. If you go under Development on a plugin page and look for something called the change log, a change log is something that most software has so that software is updated with subsequent versions. This was from a plugin called Ultimate Member, which a few months ago had some security problems. And in the change log they're telling you exactly what they're doing. They told you that they fixed a number of security vulnerabilities that were being actively exploited, and we've seen a lot of problems with this plugin in the past. But one thing that I really like about this plugin is that they're telling you what's going on. We've got some plugins out there, paid plugins and plugins in the repository, that are not necessarily being forthright about what's going on with their development process. They may have security problems, but they're not telling you about it in the change log. A plugin author that's willing to stand behind their plugin is going to tell you what's happening with the development. So if you see things like this in the change log, it means that you can trust that plugin going forward.

Reviews. Reviews are such a mixed bag, aren't they?
You can have five-star reviews and it might not necessarily mean anything. It's really important to read reviews and look for patterns. If you see a number of different reviews saying the same thing, that they're consistently having a similar problem across a number of sites, it's definitely a red flag. But you've got to take everything with a grain of salt.

Here's a resource that you can use when you're researching security issues. This is the WordPress Vulnerability Database, WPVulnDB, and all my slides will be up on Twitter later, so you don't have to write all this down. But just because a plugin's here doesn't mean it is currently vulnerable. Again, you're looking for patterns. So if you see a plugin that is consistently having security issues, it's definitely a red flag. Is that something that you want to have on your site, if you constantly are seeing a plugin with security problems? Also, just because a plugin is in that database doesn't mean it's currently vulnerable. Obviously you see Yoast version 1.7 had some security issues, but Yoast has been updated subsequently and no longer has that. But if you're running that version, and you know, look out. Everybody's updating their plugins, right?

ManageWP has a great resource where you can take two plugins that are basically doing the same thing and compare them against each other. So here I took The SEO Framework, a small up-and-coming underdog, and compared it against Yoast. The comparison will give you the same metrics that are in the repository, but it will provide it to you in a view that might help you when you're evaluating two plugins that do similar things. So it's just another way to take the same information in the repository but see it in one interface.

RIPS has a site called CodeRisk, and they have an algorithm that analyzes the code of the plugin and basically assesses a score based on what they think the security risk is with those plugins.
So they have a nice little green-to-red metric that they'll show you here, and if you dive deeper into each individual plugin it'll give you some metrics that you'd probably find on the repository as well, but that nice beautiful green with a zero code risk is very heartening when you know that Contact Form 7 is on 5 million sites. It'll also tell you the trends, so if you go back to early versions of Contact Form 7, they felt that those early versions did have some code risk problems, but in subsequent versions you're seeing very low risk. And here's a plugin that is kind of a mess. It says they have a code risk of 100, but they're only on 4,000 sites, but according to their metrics this is something that you should watch out for. So you can go to that site, enter in a plugin that you're evaluating, and see what the security risk is according to their code risk score.

You can also download the code of a plugin and actually unpack that zip file and look at those files yourself. There's a GitHub link that has some WordPress security testing metrics that you can use in order to evaluate that plugin. You can open up each of the files and look for anomalies.

Wordfence scans are my favorite. I mean, I was a customer before I actually started working there. I had Wordfence on all of my sites because it helps you manage plugins, and obviously the most important thing to do for your security is to keep everything updated, but you have lives, and maybe children, and maybe you want to go out to dinner. You have lives that you want to live, and you don't want to sit and constantly check your dashboard to make sure that all of your plugins are updated. Wordfence does it for you. It basically tells you if your plugins need to be updated, and it will alert you if a plugin has a security problem. So I highly advise using Wordfence scans to keep on top of your plugins.

Well, everybody's talking about Gutenberg these days. So there's a resource.
It was a database for a while, but it's not actively supported anymore. It's a CSV file, which is comma-separated values. You can download that CSV file below, and you can search for the plugins that you're using or evaluating and look and see whether or not that plugin is Gutenberg ready. Just because it's not determined to be Gutenberg ready doesn't mean it's not. The plugins are only running on the back end, and Gutenberg is only dealing with a small portion of what's showing up on the front of your site: anything that's going through the editor. So not every plugin is going to need to be Gutenberg ready, but if a plugin is dealing with content on the front end of your site, this is a handy resource to go look and see if your plugins are ready. There's also a tab that has recently appeared on the repository for Gutenberg ready, but there's only a couple of plugins that are actually using that.

So, resource utilization. There is a plugin called the Debug Bar that's available on the repository as well. And you have to turn debugging on in your wp-config file, but once you do that, you can see a number of different resource utilization metrics on your site. So this is just a screenshot that gives you some idea of what it's looking at, but it's a handy tool if you're trying to figure out performance problems that are occurring on your site.

So another thing that's really important when you're dealing with plugins is, how user-centric is this? Can you break up with the plugin? Is the data that's being stored in your database related to the functions of that plugin? Say, for example, a calendar plugin that basically is showing a calendar of events on the front end of your site. Say that plugin has a serious vulnerability, or that plugin is no longer being actively supported by its developer. What are you going to do with that data? Can you pull it out of your WordPress site easily?
Or is it going to take feats of superhuman strength in order to extract that data and get it into a plugin that is being supported? That's something that you need to look at before you make that commitment, before you are actually going to start storing tons of data.

When you're managing your site and you have a new plugin, say you've got a site that's got 10 plugins and everything's going along fine, but you have a new feature that your boss has said you must have on your site, and you're concerned with how this might affect the functionality that already exists. It's really important to have a staging environment on which you can run tests. So basically take your production website, make a copy of it somewhere else, install the new plugin there, and see how things work. One thing that's really important with staging sites from a security perspective: if you are using something like cPanel and you want to do staging.yourdomain.com, and oh, cPanel lets me do that, this is great, this is going to save me time. It's really important that you treat that staging site that you're putting in the same environment as your production site with as much love, care and support as you do your production site. We see a number of hacked sites where somebody has a staging site that they just needed to test something on, and then they're off doing something else, and somebody will get into that staging site and it will cross-contaminate the production site. So if you're doing something like that, it's really important to take care. And it's really important to not test things on production. Your production site is something that is a reflection of your business and an integration of your business with your customers. It is the first thing your customers and your prospects are going to see. So it needs to be taken care of and needs to not have things breaking it.
So you're looking for a staging environment on which you can test the effectiveness, usability issues, and basically see that everything is going to be copacetic before you put it into production.

So you've got all of these plugins, and say you moved to a new calendar plugin and so you're just going to deactivate the old one. It's really important to uninstall anything that you are not actively using. Say you are just testing a few plugins and then decide you're not going to use them anymore, and so you deactivate them, and they're not active on the site anymore, so they shouldn't be a problem. But if you're not actively maintaining them and there's a security vulnerability that can still be accessed, the code is still existent on your site, and it can still be exploited if there is a vulnerability. It's kind of like digital clutter, Hoarders: WordPress Edition, to have a number of plugins installed that are not being taken care of. So it's a good practice to take any plugins that you're not actively using and just delete them. Same thing with themes. The less code you have to deal with, the better.

And it's really good to audit and review your plugins periodically. You can use all of these tools to manage your plugins, but it's also good every once in a while, just a quarterly type of thing, to look and see what's on your sites, see if it's still serving your needs, see if it's something that is actively serving you. And look at other plugins that may have recently come out, like The SEO Framework. A very light SEO plugin. I've been using Yoast forever; The SEO Framework was very simple and did everything I needed. So I kind of did a plugin audit and looked at both of them to see the different functionality, to see if maybe I wanted to switch, and I did switch a few sites. The end result of good plugin management is a site with happy customers and good performance. Do we have any questions?
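The sidebar checks the talk walks through (last updated, tested up to, active installs, rating, support threads) can be pulled from the WordPress.org plugin API and scored in bulk rather than read page by page. The script below is an added example, not code from the talk or from Wordfence. The API URL and the JSON field names follow the public `plugin_information` endpoint as I know it; the thresholds (about two years without a release, half of support threads resolved, a rating under 70 out of 100) are my own assumptions, and the two plugin records are constructed for the demo, not real plugins.

```python
"""Added example: score the WordPress.org plugin sidebar metrics the talk describes.

Not code from the talk. Field names (last_updated, tested, active_installs,
rating, num_ratings, support_threads, support_threads_resolved) follow the
public WordPress.org Plugin API 'plugin_information' response as I know it;
the thresholds below are my own assumptions.
"""
import json
import urllib.request
from datetime import date

API_URL = ("https://api.wordpress.org/plugins/info/1.2/"
           "?action=plugin_information&request[slug]={slug}")

# Assumed thresholds: tune them to your own appetite for risk.
STALE_DAYS = 730          # roughly two years without a release
MIN_RESOLVED_RATIO = 0.5  # fraction of recent support threads resolved
MIN_RATING = 70           # the API reports rating on a 0..100 scale


def fetch_plugin_info(slug):
    """Fetch the live record for one plugin slug (network call, not used by the demo)."""
    with urllib.request.urlopen(API_URL.format(slug=slug), timeout=10) as resp:
        return json.load(resp)


def _as_date(value):
    """Accept a date or a 'YYYY-MM-DD ...' string; only the date part matters."""
    if isinstance(value, date):
        return value
    return date.fromisoformat(str(value)[:10])


def version_tuple(version):
    """'4.9.8' -> (4, 9): only major.minor matter for 'tested up to'."""
    parts = []
    for piece in str(version).split(".")[:2]:
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    while len(parts) < 2:
        parts.append(0)
    return tuple(parts)


def days_since_update(last_updated, today):
    """The API returns e.g. '2018-11-09 3:47pm GMT'; the date prefix is enough."""
    return (_as_date(today) - _as_date(last_updated)).days


def evaluate(info, current_wp, today):
    """Return the red flags for one plugin record, plus the metrics behind them."""
    flags = []
    age = days_since_update(info["last_updated"], today)
    if age > STALE_DAYS:
        flags.append(f"not updated in {age} days")
    tested = info.get("tested") or "0"
    if version_tuple(tested) < version_tuple(current_wp):
        flags.append(f"tested up to {tested} but WordPress is at {current_wp}")
    threads = int(info.get("support_threads") or 0)
    resolved = int(info.get("support_threads_resolved") or 0)
    if threads and resolved / threads < MIN_RESOLVED_RATIO:
        flags.append(f"only {resolved}/{threads} recent support threads resolved")
    rating = int(info.get("rating") or 0)
    num_ratings = int(info.get("num_ratings") or 0)
    if num_ratings and rating < MIN_RATING:
        flags.append(f"rating {rating}/100 from {num_ratings} reviews")
    return {
        "slug": info.get("slug"),
        "active_installs": info.get("active_installs"),
        "days_since_update": age,
        "flags": flags,
    }


# Constructed sample records (not real plugins) shaped like API responses.
SAMPLE_STALE = {
    "slug": "example-stale-plugin",
    "last_updated": "2012-06-01 7:10pm GMT",
    "tested": "3.3.2",
    "active_installs": 2000000,   # a big install base does not mean maintained
    "rating": 92, "num_ratings": 300,
    "support_threads": 20, "support_threads_resolved": 1,
}
SAMPLE_HEALTHY = {
    "slug": "example-healthy-plugin",
    "last_updated": "2018-10-20 9:00am GMT",
    "tested": "5.0",
    "active_installs": 5000000,
    "rating": 96, "num_ratings": 1500,
    "support_threads": 40, "support_threads_resolved": 35,
}

if __name__ == "__main__":
    for record in (SAMPLE_STALE, SAMPLE_HEALTHY):
        result = evaluate(record, "5.0", "2018-11-10")
        print(result["slug"], result["active_installs"], "installs")
        for flag in result["flags"] or ["no red flags"]:
            print("  -", flag)
```

To score a live plugin, pass `fetch_plugin_info("some-slug")` to `evaluate` instead of a sample record. A clean result is a starting point, not a verdict: the change log, the review patterns and the vulnerability history the talk also asks for still need a human read.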
One of the things that I've been doing with plugins is, after I removed them, I was cleaning up the database of one of my clients and I noticed, for instance, WooCommerce left all of its tables behind. And an ad plugin that apparently had been installed on the site several years ago, the tables were still sitting there, and all of the ads populated from three years ago. So is there any other way, other than going through MySQL, to know what they're doing? Is that part of getting your data out? Did they publish that information anywhere?

You often see that kind of data, or that type of experience, on the reviews. Going through the trauma of having to clean up an old plugin, somebody else has probably gone through it too. That's one of the user-centered coding types of parameters that I would look at, to see if that plugin is actually easy to break up with. Do we have a prenuptial agreement here where I can actually get out of this arrangement easily? A number of plugins that have extra database tables will have some kind of setting that on deactivation will clean up after itself, so that it's not leaving remnants behind. There's also a plugin called WP-Optimize, which is really handy for cleaning up database messes. It's really good for getting rid of things like duplicate or autosave posts that can clutter up your posts table, and other things like that.

What about the plugin name?

The plugin name? WP-Optimize. WP-Optimize, and it's just a database cleanup tool. It'll get rid of spam comments and autosaves and things like that.

Which is where I discovered the tables.

Yeah, definitely. It also optimizes your database tables too, which gives you better performance overall as well.

Basically, when I start a WordPress website I have my five plugins that I always install, obviously Wordfence, I've seen enough. WP-Optimize is one of them. Contact Form, very simple one.
A lot of people don't like Contact Form because it's a little difficult to deal with, and they like Gravity Forms and things like that, but once you get used to Contact Form it's so simple and easy to use and stores things well.

Yes. Depends on the site, obviously. My personal blog, I'll just update them all. It's really tempting when you go on that WordPress update page, where it tells you core needs an update, your plugins need an update, your themes need an update, to just click all and update everything. It's really tempting to do that. It's really good practice to not do that, and to go one by one, and to do it on a staging server too. Because some plugins, and another thing too, is if you're updating a plugin from like 4.9 to 5.0, it's incredibly important. Those big number jumps mean that there are big changes, and you're going to want to run those big changes in an environment that's controlled, where you can actually see what's happening. You could have issues happen where a plugin updates and it's not taking into consideration which version of PHP you're using, and if you're not aware of that, you might run that update and get the white screen of death on your site. And if you're updating all those plugins at once, well, which one of them caused that problem? So it's really good practice to update one by one, and if your site is critically important, and most business sites are critically important, you want to do it on a staging server that has an environment that is replicated from what you have on production. That means the same version of PHP, the same version of MySQL that is running your production site. You want an exact replica of that on your staging server, so that when you do make that change, if it's fine on staging and breaks on production, there's something amiss.

Yes? Yeah, I'm going to repeat you for streaming, I guess.

The plugin thing, like you were talking earlier, that you can read all those plugins, but they don't pay, when it's unlocked, are you just getting a
different plugin, or are there parts you can't see, like the freemium plugins?

Freemium plugins. So the freemium plugins, typically the ones that are in the repository, the way they work is that you install the free version, and there's probably a bunch of marketing asking you to upgrade, because they want to keep the lights on, but it's the same code base, and all that the premium upgrade is doing is unlocking those features, those additional features that aren't in...

I guess that's what I'm worried about, though. By unlocking it, does that mean that I can't see what's going on in those parts of it?

So for most freemium plugins the majority of the functionality is there, and then there's other, just like additional bells and whistles that you unlock with freemium. You know, you can download any plugin from the repository, freemium or whatever; you can download the code and the files and you can see what's in there. So there's different ways of them doing the unlocking. If you're a developer you probably will go in there and see exactly how they're doing it, but all that's really available. The cool thing also about the repository is different versions are also available for download, so you might download the most current version, but you can go into that Advanced tab, you can go back in time and look at what it looked like a year ago and see what's changed.

Yeah, um, are you in favor of plugins that you have to use for, like, building a form or building something, and so on?

There are a number of plugins that do that. I can tell you that there are some paid plugins that do that that I wouldn't use, but there are some in the repository, some free plugins that will help you, like Ultimate Member. Yeah, they had a security issue; they patched it, but I've seen that used fairly often. That's the other thing, is when you've got a plugin that's got a huge install base. There's a big issue this week that some of you may have heard of; it was a plugin, WP GDPR
Compliance, on 100,000 sites, with some very significant vulnerabilities. It basically disappeared out of the repository and then the next day came back, and whenever something like that happens bells and whistles go off for us, and we found some significant vulnerabilities in what was there before that Wordfence Premium protects against. But yeah, so if it's got a large install base, you can bet your bottom dollar that someone with a bot somewhere is going to find that vulnerability and start sending their bot out looking for vulnerable sites almost immediately. When you've got anything over 100,000, they're just going to exploit it as best they can, fast.

Well, Wordfence, well, not to sell from the stage, but you want to have something that's alerting you to plugins that need updates, and once a vulnerability is disclosed, WPVulnDB has an RSS feed and it's got a mailing list. The RSS feed updates much faster than the mailing list does, and that will tell you right away if there's a vulnerability that's been discovered and disclosed, and it'll tell you the severity of it. So you might see something like "unauthenticated file upload." What does that say? Unauthenticated file upload. Unauthenticated: that means nobody has to put in credentials; unauthenticated means it's anyone. File upload: it's just one PHP file that has a shell that allows them to do anything on your site, basically, and they'll find a way. And you see something that says "authenticated cross-site scripting," that one has to be unauthenticated... it's a vulnerability, but it's a vulnerability that can only be exploited if someone is authenticated, so somebody's logged in. So those are things that you can look for, but if you're keeping everything updated, if you're going into your dashboard or using a tool that tells you to update, you're going to be okay. You just have to actively manage your site.

Over here first, I'll be right there. That's just our old man. That's just our old man.

You were probably the... Mason Soiza, a
300,000 installs when they were still there. What mechanism is there to communicate to those people that they have a product installed? What exists out there to notify those people?

And then that's kind of like a double-edged sword, because this plugin changed hands, right? So somebody had it who was very responsible and was taking care of that code base, to the point where it grew in reputation so that 300,000 people installed it. That plugin developer said, enough, I'm done managing this code, and sold it to someone and went on with their lives. And so everybody who then updated after Mason took over control, everyone who updated that plugin got Mason's code. Mason built a room on their house and Mason was living in the wing. So it's kind of a weird thing, where there was no security problem with that plugin before, so it was just like a normal update, and so everybody updated. But that's how the community protects you, because people noticed, hey, why is escort services at the top of my site, why is this happening? And so they start asking questions in the forums, and they start saying, hey, look, this is happening here, hey, I just downloaded the code and it's in the code, they're in the house. And so the community actually supports the people who are a part of it; the community actually supports you, because those things are alerted. At Wordfence we have some systems, proprietary systems, in place where we are watching when plugins change hands, and our researchers, who are constantly chomping at the bit for more data and more types of vulnerabilities to research, they're looking at that code on a regular basis. So you know, we support the community. We don't make money off of that; we do it because we support the community, and obviously it's good for our reputation. But you have tons of people around the world who are looking at the code base of the repository, which is why I think it's important that when you're looking for a plugin for a certain functionality in your site, you go to the
repository first, instead of looking at paid plugins, where you never know what you're going to get until you bite into that chocolate and it's like, oh no, there's a cherry in there.

Yeah, I'm just kind of following up on the previous question. If, say, Wordfence finds a vulnerability, will it, is there an update on that?

Yeah, so when we discover a vulnerability, there's something in the security community called responsible disclosure. So we discuss, if our researchers find something's a mess, there's a couple of channels that we go through. First of all, we'll contact the author of that plugin and we'll disclose what we found. We do something called a proof of concept, which basically says, this is what we found, we thought it was funky, so we decided to create this method, and we show how the vulnerability works. So it's done behind closed doors; it's not sent out to the world, because there are ears listening. And once that plugin author has been notified, it will also notify the plugin team; there's a team of volunteers through wordpress.org who are also monitoring these types of things. We've seen a lot of times they'll remove the plugin from the repository at that time while things are being updated, to kind of mitigate the risk, so that some newbie isn't like, oh, I'm installing everything, and accidentally installs the vulnerability. And then once that vulnerability has been patched, that's when the community as a whole hears about it. That's when WPVulnDB publishes the proof of concept, or publishes the details about that vulnerability. So it's not like, oh, I found this thing. Anybody who does that is not doing what they call responsible disclosure, anybody who just sprays it on Twitter that, hey, this plugin's got a vulnerability. A lot of times you'll see chatter of people finding things in the forums, and another plugin team monitors that and will remove those types of comments, so that a vulnerability disclosure doesn't happen, spreading like wildfire into the wrong hands. So it's another way the
community protects you.

Yeah, ding ding ding. Somebody will look at it pretty quickly if it's removed from the last Twitter.

So if you're looking to select a plugin that doesn't have a huge user base, but it looks like it doesn't have high risk, and it seems like it's well supported currently, but it's also assuming that it's going to be kind of integral to your site in terms of functionality, how can you judge, or get an idea of, whether or not it'll be supported many years into the future?

Yeah, so I've taken those risks. I've gotten the login in times on the site somewhere. Yeah, so I mean it's a big risk, right, because a lot of these plugin developers are not being... you know, they're freely putting their efforts into the community, they put this code out there, and then, oh my gosh, I have to feed my family, I can't support this. There's a lot of plugins like that. There are 55,000 plugins in the repository, a lot of them that are doing basically the same thing, but you know, there may be like a niche type of activity that's really integral to your business, integral to what you're trying to communicate to your customers. And I would go through those steps. I would plug it into the CodeRisk site and see what kind of score it gets; everything that's in the repository is in there, so that CodeRisk score is kind of interesting. I know WordPress has, there's a project called Tide that's kind of in flux right now, but they're doing code analysis on the repository as a thing, so I'd watch for that project and see what's happening there. But I would look for support, I'd look for the version number. WordPress has been around 15 years, so a plugin that's more tried and true has been around for a while and has a low score in terms of the code risk. And you know, with everything that you have in your site, you're basically taking a risk, but you're taking a calculated risk. And also, you know, backups, because you never know what a vulnerability is. 100,000
people who had the GDPR compliance plugin on their site, that was found to have a vulnerability this week, they have that on their site because they believe fully, and they are trying to take care of their customers, they're here to... GDPR compliance issues, they're trying to do the right thing. They don't realize that there's a vulnerability until somebody discovers it, and once that vulnerability is found, update your plugins. Update your plugins.

Yeah, one more quick question. If you're going to get a plugin and it doesn't have a lot of information, you don't know it's going to be around, it gets blocked, it's not going to stop you from updating your plugin, do you want the functionality?

Oh sure, sure, you can take any plugin and basically fork it and create your own version of that plugin and modify it. I used to do that to core, but don't tell anyone. Don't do that, because then, you know, you're going to update things... then you fork something and now it's yours, right? Anything changes, WordPress 5 comes along and it's not compatible anymore, guess whose responsibility that is? Yours. So the repository is really the best of both worlds, because you've got people who are actively watching it, people who are actively maintaining it, and the community that's watching. This was fun, you guys. I really appreciate you coming to the talk.
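The "prenuptial agreement" point earlier in the Q&A, that a plugin should clean up its own tables and options so that nothing is left behind, is what the WordPress activation, deactivation and uninstall hooks are for. The following is an added example written for this page, not code from the talk or from any real plugin; the plugin name, table name and option names are hypothetical, and it uses only standard WordPress APIs (register_activation_hook, register_deactivation_hook, dbDelta, the WP_UNINSTALL_PLUGIN constant and $wpdb).

```php
<?php
/**
 * Plugin Name: Example Tidy Plugin (hypothetical, for illustration only)
 *
 * Two files are shown here: the main plugin file, which creates a custom
 * table and an option on activation, and uninstall.php, which WordPress
 * runs only when the user clicks "Delete" on the Plugins screen. Keeping
 * cleanup in uninstall.php means deactivating (pausing) the plugin keeps
 * the user's data, while deleting it leaves no remnant tables or options.
 */

// ----- main plugin file: example-tidy-plugin.php -----
function example_tidy_activate() {
    global $wpdb;
    require_once ABSPATH . 'wp-admin/includes/upgrade.php'; // provides dbDelta()
    $table           = $wpdb->prefix . 'example_tidy_events';   // hypothetical table
    $charset_collate = $wpdb->get_charset_collate();
    // dbDelta() creates the table if missing or alters it to match this schema.
    // Note the two spaces after PRIMARY KEY: dbDelta's parser requires them.
    dbDelta( "CREATE TABLE {$table} (
        id bigint(20) unsigned NOT NULL AUTO_INCREMENT,
        created datetime NOT NULL,
        payload text NOT NULL,
        PRIMARY KEY  (id)
    ) {$charset_collate};" );
    add_option( 'example_tidy_db_version', '1.0' ); // hypothetical option
}
register_activation_hook( __FILE__, 'example_tidy_activate' );

// Deactivation only throws away data that can be rebuilt (caches), so that
// reactivating the plugin restores the site exactly as it was.
function example_tidy_deactivate() {
    delete_transient( 'example_tidy_cache' ); // hypothetical transient
}
register_deactivation_hook( __FILE__, 'example_tidy_deactivate' );

// ----- uninstall.php, placed in the same plugin directory -----
// WordPress defines WP_UNINSTALL_PLUGIN before including this file; refusing
// to run without it prevents the file from being triggered by a direct request.
if ( ! defined( 'WP_UNINSTALL_PLUGIN' ) ) {
    exit;
}
global $wpdb;
$table = $wpdb->prefix . 'example_tidy_events';
// The identifier is built from $wpdb->prefix and a constant, never from request input.
$wpdb->query( "DROP TABLE IF EXISTS {$table}" );
delete_option( 'example_tidy_db_version' );
delete_transient( 'example_tidy_cache' );
```

When evaluating a plugin, opening its uninstall.php (or checking for an uninstall hook) is a quick way to see whether it offers this kind of clean exit before you commit data to it.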