A quick note on this Sunday evening regarding third-party components.

Your site is only as secure as the software you install.

I’ll be posting more about some work I’ve done in this area recently, but I wanted to make a quick post about the security of third-party components.

When you download that plugin or code written by somebody else, do you do even a basic sanity check on its security? Here are three quick questions that identify its attack surface.

  • Does it read from or write to disk?
  • Does it communicate with the database?
  • Does it take input from the user (form fields, query strings, cookies)?

Why ask these questions? Because each one maps to an attack the component has to defend against:

  • Disk: can an attacker control or modify the file it reads or writes (its path, its name or its contents)?
  • Database: does it protect against SQL Injection by using prepared, parameterised queries rather than building SQL out of user-supplied strings?
  • User input: does it validate or sanitize the input before using it, and escape it on output? If not, you are looking at Cross-Site Scripting.

Security should definitely be a concern when installing any third-party components or plugins on your site. It is difficult to fully verify external code, but you can at least profile it quickly along the lines above and understand where your primary risks lie. A recent example is the WP Comment Remix Security Bulletin – installing that plugin exposed the site to both SQL Injection and Cross-Site Scripting.
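As an added example (not code from the original post, and not the source of any plugin it names), here is a small triage script that mechanises the three questions above over a plugin's PHP source: it lists the lines that touch disk, database and user input, looks for the matching defenses, and flags lines where raw request data reaches a sink unprotected. The sink and defense regexes are this example's own assumptions about which PHP and WordPress (`$wpdb`) calls matter, and the two plugin snippets are constructed for the example, not real plugin code.

```python
"""Quick attack-surface profile of a third-party plugin's PHP source.

Added example for this post, not code from the original page or from any
plugin it names. It mechanises the three questions (disk? database? user
input?), looks for the matching defenses, and flags lines where raw request
data reaches a sink on the same line. The regexes are line-local heuristics
(this example's own assumption about what counts as a sink or a defense):
a hit means "read this by hand", a miss does not mean "safe".
"""
import re

# Question markers. All names are real PHP or WordPress ($wpdb) APIs.
SURFACE = {
    "disk": r"\b(fopen|fwrite|file_put_contents|file_get_contents|unlink|move_uploaded_file)\s*\("
            r"|\b(include|require)(_once)?\b",
    "database": r"\$wpdb->(query|get_results|get_row|get_var|get_col)\s*\(|\bmysql_query\s*\(",
    "user_input": r"\$_(GET|POST|REQUEST|COOKIE|FILES)\b",
}
# Defense markers, one per attack in the second list above.
DEFENSES = {
    "disk": r"\b(basename|realpath|sanitize_file_name)\s*\(",           # path tampering
    "database": r"\$wpdb->prepare\s*\(|\besc_sql\s*\(",                  # SQL injection
    "user_input": r"\b(sanitize_text_field|sanitize_email|esc_html|esc_attr|esc_url"
                  r"|wp_kses|wp_kses_post|absint|intval)\s*\(",           # sanitise / validate
}
# Where raw request data must not land without one of the defenses above.
FLOW_SINKS = {
    "disk": (SURFACE["disk"], DEFENSES["disk"]),
    "database": (SURFACE["database"], DEFENSES["database"]),
    "output": (r"\b(echo|print)\b", DEFENSES["user_input"]),             # XSS
}


def profile(source: str) -> dict:
    """Per question: lines that raise it, lines that answer it, and the
    high-confidence lines where $_GET/$_POST/... hits a sink unprotected."""
    lines = list(enumerate(source.splitlines(), 1))
    report = {
        "surface": {k: [n for n, line in lines if re.search(p, line)] for k, p in SURFACE.items()},
        "defenses": {k: [n for n, line in lines if re.search(p, line)] for k, p in DEFENSES.items()},
        "direct_flows": [],
    }
    for n, line in lines:
        if not re.search(SURFACE["user_input"], line):
            continue
        for sink, (sink_re, guard_re) in FLOW_SINKS.items():
            if re.search(sink_re, line) and not re.search(guard_re, line):
                report["direct_flows"].append((n, sink))
    return report


def primary_risks(report: dict) -> list:
    """The 'quick profile' the post asks for: every surface that is present
    with no matching defense anywhere in the file."""
    return sorted(k for k, hits in report["surface"].items()
                  if hits and not report["defenses"][k])


# Constructed sample plugin source for this example; not any real plugin.
VULNERABLE_SAMPLE = """<?php
// Constructed sample for this example; not the source of any real plugin.
$id = $_GET['comment_id'];
$rows = $wpdb->get_results("SELECT * FROM wp_comments WHERE comment_ID = $id");
echo '<div class="note">' . $_POST['note'] . '</div>';
file_put_contents(WP_CONTENT_DIR . '/' . $_GET['log'], $_REQUEST['msg'], FILE_APPEND);
"""

# The same three operations with the defenses the post asks about (constructed).
HARDENED_SAMPLE = """<?php
// Constructed hardened counterpart of the sample above; same three operations.
$id = absint($_GET['comment_id']);
$rows = $wpdb->get_results($wpdb->prepare("SELECT * FROM wp_comments WHERE comment_ID = %d", $id));
echo '<div class="note">' . esc_html($_POST['note']) . '</div>';
$name = basename(sanitize_file_name($_GET['log']));
$msg = sanitize_text_field($_REQUEST['msg']);
file_put_contents(WP_CONTENT_DIR . '/' . $name, $msg, FILE_APPEND);
"""

if __name__ == "__main__":
    for label, src in (("vulnerable", VULNERABLE_SAMPLE), ("hardened", HARDENED_SAMPLE)):
        rep = profile(src)
        print(label, "primary risks:", primary_risks(rep), "direct flows:", rep["direct_flows"])
```

On the vulnerable sample the profile reports all three surfaces with no defenses, and flags line 5 (raw `$_POST` echoed) and line 6 (raw `$_GET` in a file path) as direct flows. Note what it misses: the SQL Injection on line 4 goes through the `$id` variable, so the line-local flow check does not see it; only the "database surface with no `$wpdb->prepare` anywhere" result points you at it. That is the nature of a quick profile: it tells you which lines to read, it does not tell you the component is safe. The hardened sample produces no primary risks and no direct flows.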