A couple of weeks ago, I had the opportunity to attend the CMS Security Summit in Chicago. For this event, Google brought together content management systems, security researchers, and hosting providers to talk about security. WordPress, powering a third of the web, was represented by security team lead Barry.
As a WordPress core committer and Noogler, this was a very insightful event for me. All the discussions with the attendees were super valuable—just the temperatures were a bit cold for my taste (-50 degrees, yikes!). If you wanna learn more about the event, some people published recap blog posts:
I think the key takeaway is that most projects are dealing with the same issues and that they all benefit from working more closely together. Some examples include:
- Automatic updates and package signing
- Code reviews and static analysis
- Collaborating with security researchers
For this blog post, I want to dig a bit deeper on code analysis and what it means for WordPress.
Static Code Analysis for WordPress Plugins
WordPress is only as strong and secure as its ecosystem. Part of that ecosystem are the 60,000 plugins and themes that are available for download on WordPress.org. It’s impossible to manually scan all these projects for potential security vulnerabilities.
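To make concrete what an automated scan actually looks for, here is an added example that is not code from the post or from any of the tools mentioned in it: a deliberately small, line-oriented taint check written in Python. It treats values read from PHP request superglobals as untrusted, follows them through simple assignments, and reports when they reach an output or database sink without passing through a WordPress escaping/sanitizing function or `$wpdb->prepare()`. The plugin snippet it scans is constructed for the example; real analyzers parse the PHP AST and model control flow, which this regex approach does not.

```python
"""Minimal taint-style static check for WordPress plugin PHP source (example).

Sources: $_GET / $_POST / $_REQUEST / $_COOKIE.
Sinks:   echo/print (XSS) and $wpdb->query()-style calls (SQL injection).
Sanitizers: WordPress escaping/sanitizing helpers and $wpdb->prepare().
Regex based and line oriented: enough to show the idea, not a real analyzer.
"""
import re
from dataclasses import dataclass
from typing import List, Set

SOURCES = ("$_GET", "$_POST", "$_REQUEST", "$_COOKIE")
SANITIZERS = ("esc_html(", "esc_attr(", "esc_url(", "absint(", "intval(",
              "sanitize_text_field(", "wp_kses_post(", "$wpdb->prepare(")

# `$var = <expr>;`  (the (?!=) keeps `==` comparisons from matching)
ASSIGN_RE = re.compile(r"^\s*(\$[A-Za-z_]\w*)\s*=(?!=)\s*(.+);\s*$")
# `echo <expr>;` / `print <expr>;`
ECHO_RE = re.compile(r"^\s*(?:echo|print)\s+(.+);\s*$")
# `$wpdb->query( <expr> );` and the common read helpers
QUERY_RE = re.compile(r"\$wpdb->(?:query|get_results|get_var|get_row)\s*\((.+)\)\s*;\s*$")


@dataclass
class Finding:
    line: int   # 1-based line in the scanned source
    sink: str   # which dangerous operation the tainted value reached
    expr: str   # the expression that reached it


def is_sanitized(expr: str) -> bool:
    """True if the whole expression is wrapped in a known sanitizer/escaper."""
    return expr.strip().startswith(SANITIZERS)


def is_tainted(expr: str, tainted_vars: Set[str]) -> bool:
    """True if expr reads a request source or a variable that carries one."""
    if any(src in expr for src in SOURCES):
        return True
    return any(re.search(re.escape(v) + r"\b", expr) for v in tainted_vars)


def scan(php_source: str) -> List[Finding]:
    """Walk the source line by line, propagating taint and checking sinks."""
    tainted: Set[str] = set()
    findings: List[Finding] = []
    for lineno, line in enumerate(php_source.splitlines(), start=1):
        m = ECHO_RE.match(line)
        if m and is_tainted(m.group(1), tainted) and not is_sanitized(m.group(1)):
            findings.append(Finding(lineno, "echo (XSS)", m.group(1).strip()))
        m = QUERY_RE.search(line)
        if m and is_tainted(m.group(1), tainted) and not is_sanitized(m.group(1)):
            findings.append(Finding(lineno, "$wpdb->query (SQL injection)", m.group(1).strip()))
        m = ASSIGN_RE.match(line)
        if m:
            var, rhs = m.group(1), m.group(2)
            if is_tainted(rhs, tainted) and not is_sanitized(rhs):
                tainted.add(var)        # taint flows into the variable
            else:
                tainted.discard(var)    # reassigned to a clean value
    return findings


# Constructed sample plugin code; lines 3, 6 and 9 are the unsafe ones.
SAMPLE_PLUGIN = """<?php
$name = $_GET['name'];
echo $name;
echo esc_html( $_GET['name'] );
$id = absint( $_POST['id'] );
$wpdb->query( "DELETE FROM wp_items WHERE id = " . $_POST['id'] );
$wpdb->query( $wpdb->prepare( "DELETE FROM wp_items WHERE id = %d", $id ) );
$copy = $name;
echo $copy;
echo $id;
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_PLUGIN):
        print(f"line {f.line}: untrusted input reaches {f.sink}: {f.expr}")
```

Running the script reports three findings: the direct `echo $name`, the string-concatenated `DELETE` query, and the echo of `$copy`, which inherited taint from `$name`. The escaped echo, the `absint()`-cleaned `$id`, and the prepared statement are not reported, which is exactly the sanitizer/sink distinction a plugin reviewer applies by hand.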
At the summit, the RIPS code analysis platform was mentioned a few times. It’s a paid solution, but they also work together with open source projects. For example, Joomla uses RIPS to continuously scan their code base. At the moment WordPress doesn’t use that tool, but the WordPress platform is of interest to RIPS either way. They just recently demonstrated this via their WordPress Security Advent Calendar.
Another example is their security risk analysis platform, CodeRisk. According to the website, CodeRisk “rates the security risk of WordPress plugins by analyzing them with the RIPS static code analyzer and combining the results into an easy to understand value”.
I’m not sure how useful a plain number is, but I guess it works well for marketing. Anyway, I wanted to give the site a try to find out if there’s more behind that. It turns out that as a plugin developer you get free access to their static code analysis tool to scan all your plugins for security vulnerabilities.
This is a really nice gesture! I wondered if other people use that feature too, so I posted a quick poll on Twitter:
In that poll nobody said they use the CodeRisk platform, which was a bit of a surprise to me. Perhaps it’s not clear enough what the site does, or it’s just too complicated to set things up.
Tools like this demonstrate that there are lots of possibilities to improve security in the wider WordPress ecosystem and in the overall CMS landscape. I’m curious to see how this area evolves in the next few years.