While learning how to write a plugin, I realized how easy it is for a plugin to access information inside WordPress. A plugin has unrestricted access. Here is a quick demo of what can be done.

I was writing a plugin to intercept comments containing hyperlinks. The actual content or function of that plugin doesn’t really matter. From my plugin, I can run a SQL query through $wpdb that returns the WordPress admin’s password hash.

It is an MD5 hash. With a rainbow table or other techniques, the hash can be cracked in a relatively short time. If the password is simple or a dictionary word, it will be cracked in no time.

Here is another one, which reads wp-config.php and extracts the database credentials.

The problem is that there isn’t a layer of access control in WordPress to grant or deny a plugin’s access. Once installed, it has full access. We have to rely on wordpress.org to review the code.

These may be the more extreme cases; others are not as obvious. I’ve seen plugins wrongly use the wp_options table to store session information. There were about 25 million records in the wp_options table. As wp_options fills up, the site becomes unbearably slow. Pull up the schema of that table: the option_value field is a longtext, which can store up to 4GB on MySQL. It doesn’t take much to saturate the InnoDB buffer pool. And because of how wp_options is structured, it’s impossible to trace which plugin inserted the junk.
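As an added example (not from the original post), here is how I would audit a bloated wp_options table from the MySQL side: total size, how much of it is autoloaded on every request, and a grouping by option_name prefix that often points at the plugin responsible, since most plugins namespace their keys. It assumes the default wp_ table prefix.

```sql
-- Added audit queries (not part of the original post). Assumes the default
-- table prefix "wp_"; change it if your install uses a different prefix.

-- 1. Overall size, and how much is marked autoload='yes' (loaded on every request).
SELECT COUNT(*)                                   AS total_rows,
       SUM(LENGTH(option_value))                  AS total_bytes,
       SUM(CASE WHEN autoload = 'yes'
                THEN LENGTH(option_value) ELSE 0 END) AS autoload_bytes
FROM wp_options;

-- 2. Which option_name prefixes account for the volume. Core transients show up
--    as "transient" (from "_transient_..."), most plugins under their own name.
--    Leading underscores are stripped first so "_transient_x" and "transient_x"
--    land in the same bucket.
SELECT SUBSTRING_INDEX(TRIM(LEADING '_' FROM option_name), '_', 1) AS name_prefix,
       COUNT(*)                  AS row_count,
       SUM(LENGTH(option_value)) AS total_bytes
FROM wp_options
GROUP BY name_prefix
ORDER BY total_bytes DESC
LIMIT 20;

-- 3. The largest individual rows, to see what kind of data is being stored.
SELECT option_id, option_name, autoload, LENGTH(option_value) AS value_bytes
FROM wp_options
ORDER BY value_bytes DESC
LIMIT 20;
```

The prefix grouping is a first pass only: a plugin that writes unprefixed or randomly named keys will not be attributable this way, which is the author’s point.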

Take-away message

Install plugins with extreme care and only if absolutely necessary.

2 Thoughts to “WordPress plugin – do you know what they do?”

  1. Oh my goodness! Incredible article dude! Thank you so much,
    However I am having difficulties with your RSS. I don’t understand why I cannot
    subscribe to it. Is there anyone else getting the same RSS problems?
    Anyone who knows the answer can you kindly respond?

    Thanks!!
    List of state university names in Indonesia

  2. It’s amazing to pay a visit to this website and read the views of all colleagues on the topic of this post, while
    I am also eager to gain experience.
