I'm wondering what steps you use to keep downloaded plugins from being malicious?

For instance, what exactly does WordPress do to make sure that the plugins you download don't simply execute unlink('/')?

I am presuming it partially depends on the person installing plugins to use their own discretion, but do WordPress plugin systems take measures to reduce the security risk of running third-party plugins?

Thanks! Matt Mueller

Simple answer: you cannot do that programmatically. It simply cannot be done. Certainly WordPress has a validator of some kind to determine whether the WordPress plugin is outright nasty, but there is no way to say for certain that it's safe.

I am an intern at Mozilla this summer and I am working on the validator that scans add-ons as they are submitted to addons.mozilla.org. I can only suppose WordPress has a very similar tool on their end. The idea is that the application outright rejects blatantly malicious code (eval("evil nasty code")), while the rest of it is analyzed with a few simple heuristics. The algorithms in place mark down some potential red flags based on what they see in the add-on package and submit those notes to the editors, who then review the code. It effectively ends up being a human-powered process, but the software helps to take care of a lot of the heavy lifting.

Some techniques the Mozilla validator uses:

  • Syntax checking
  • Code and markup parsing (HTML/CSS) to find remote code vulnerabilities
  • JavaScript parsing and analysis (parse the JS into an AST and evaluate each statement, evaluating static expressions as deeply as possible)
  • Compatibility/deprecation testing

You should check out the code here:


Hope this can help!
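The reject-or-flag split and the static-expression evaluation described in the answer above, as an added sketch that is not part of the original answer and not the Mozilla validator's code. The rule names, regexes and sample add-on source are constructed for illustration, and it works on lines with regexes rather than on a real AST.

```python
import re

# Constructed rule set for illustration; not the Mozilla validator's rules.
REJECT = [("eval-literal", re.compile(r"""\beval\s*\(\s*["']"""))]
FLAG = [
    ("dynamic-eval", re.compile(r"""\beval\s*\(|\[\s*["']eval["']\s*\]""")),
    ("function-ctor", re.compile(r"\bnew\s+Function\s*\(")),
    ("string-timer", re.compile(r"""\bset(?:Timeout|Interval)\s*\(\s*["']""")),
    ("remote-script", re.compile(r"""["']https?://[^"']+\.js["']""")),
]
# literal + literal, where neither literal contains quotes or escapes
_CONCAT = re.compile(r"""(["'])([^"'\\]*)\1\s*\+\s*(["'])([^"'\\]*)\3""")

def fold_static_strings(line):
    """Merge adjacent string literals until nothing changes, so that
    names split across a concatenation become visible to the rules."""
    prev = None
    while prev != line:
        prev = line
        line = _CONCAT.sub(lambda m: '"' + m.group(2) + m.group(4) + '"', line)
    return line

def scan(src):
    """Return (verdict, notes). 'reject' stops at the first blatant hit;
    'review' carries (line, rule) notes for a human editor; else 'pass'."""
    notes = []
    for lineno, raw in enumerate(src.splitlines(), 1):
        line = fold_static_strings(raw)
        for name, rx in REJECT:
            if rx.search(line):
                return "reject", [(lineno, name)]
        notes += [(lineno, name) for name, rx in FLAG if rx.search(line)]
    return ("review" if notes else "pass"), notes

# Constructed add-on source, not taken from any real package.
SAMPLE_ADDON = '''var cfg = {debug: false};
window["ev" + "a" + "l"](cfg.payload);
setTimeout("tick()", 1000);
s.src = "http://cdn.example/" + "lib.js";
'''
# A name assembled from a variable is not a static expression, so this
# scanner passes it: the reason review stays a human-powered process.
MISSED = 'var f = "ev"; window[f + "al"](cfg.payload);'

if __name__ == "__main__":
    print(scan(SAMPLE_ADDON))
    print(scan('eval("evil nasty code");'))
    print(scan(MISSED))
```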

unlink('/') won't do any harm because it only removes files; you would need to use rmdir or, more precisely, a recursive rmdir implementation. I don't think there is any way to prevent malicious code from being executed, because there are many different ways to be malicious. You can restrict certain functions from being called in php.ini, but that will only help you up to a point. For example, str_repeat and unserialize are common functions, but when called with the right arguments they can exhaust all of the memory allotted to your PHP scripts very quickly. But this is only one example; a more devious one could act as a backdoor or email all of the logins to the developer. I suppose ultimately you will need to trust the developer and the community if you don't want to audit the code yourself.

There are tools for PHP that perform static source code analysis in order to find vulnerabilities. Free analysis tools for PHP include RATS and PHP-Sat.

If you've ever used a static source code analysis tool, you already know these tools produce a TON of false positives and false negatives. No source code analysis tool can tell you with 100% certainty whether or not a program contains a backdoor or could be malicious. If one could, then we wouldn't have so many problems with websites getting compromised. WordPress itself is very insecure, and so might be all the plugins, which is due to mistakes, not malice.

Malicious code can be obfuscated, hidden and take several forms. Looking for an accidental vulnerability is a much simpler problem than looking for an intentional one. A backdoor in PHP is often as simple as adding or removing 2 bytes.

Removing 2 bytes:


"select * from test where id=$id"


"select * from test where id='$id'"

or adding 2 bytes: