Security in WordPress plugin development

What my ultimate goal is, other plugins be it infected(backdoor etc) or not cannot access the username/password/mail of my email, that is the main part of the question.

The only way to be sure of this is to not store them in a manner than can be automatically decrypted in the database/filesystem – which is to say, not store them in plain-text or an automatically decryptable fashion at all.

I’d recommend concatenating/hashing your own security salts and keys with those configured for WordPress itself – you should never distribute a plugin that uses hard-coded salts as anyone with the plugin is basically handed the keys to whatever’s been hashed for every installation. By adding in the WordPress installation’s own salts, should you discover that your plugin is vulnerable you can update the salts and invalidate credential stores of all installations when the plugin update is pushed. If an individual installation becomes compromised, a user can change their WordPress salts and likewise invalidate their credentials without altering the plugin.

Can other plugins access my plugin code? e.g. require("../plugins/mail/class.client.php') and call new Client()?

Yes.

If so, […] why is this allowed?

It’s not “allowed” so much as it is a consequence of interpreted scripting environments. “Extending WordPress” with themes and plugins is just that – it’s modifying WordPress’s execution using raw source to achieve the desired outcome. I know of no interpreted language that actually provides reliable mechanisms to “lock” portions of source-script from other portions within the same code-base. Operating systems, sure.

Rather this responsibility falls onto the execution environment and whoever controls it.

How do I prevent it?

It may be possible to achieve using some seriously complex sand-boxing and running different portions of WordPress in different threads – but this is not at all how WordPress is designed, and would take heavy environment re-configuration to boot. Even then, it would still be susceptible to some variety of attack – despite Google Chrome’s sandboxed JavaScript, malicious code still emerges capable of defeating the measures.

As with all information security, it should be assumed that if the environment is compromised, so too is everything in and on it, regardless of security measures in place. Even binary viruses in sandboxed environments and those executed in virtual operating systems can break out of their confines to harm the host system, if designed with such scenarios in mind.

If the consumers of your plugin fail to properly secure their WordPress installations or install compromised code, there is no portion of the filesystem or database that can be considered “safe” for critical information to reside. The same as if a virus finds it’s way onto your computer, no program or document can be trusted to remain unadulterated or unexposed – if you store passwords in a plain-text file, you must assume that all relevant accounts are compromised or vulnerable. Here as everywhere else in the IT security world, users should not install executables that they do not trust or understand – those who do not have a good basis to differentiate between trustworthy or well-implemented programs should have a limited ability to acquire and/or install such items.

In short, if you yourself do not directly control the WordPress installations on which your plugin is installed, you cannot prevent your plugin from becoming compromised beyond following good security practices in your implementation.

Can other plugin read the contents of the file as I’m storing the encryption key in Client class?

Yes. In fact, any plugin could parse the WordPress installation’s wp-config.php file and obtain the database information and salts should it’s author desire. The thing is, a plugin needn’t even do that to compromise an installation as the PHP and WordPress environment already give plugins what amounts to free-reign over the database and filesystem to achieve their ends, insofar as the database and filesystem themselves permit. Without these abilities, plugins would be extremely limited in scope.

If so can you recommend a place to store that so that only Client() class of this plugin can access this?

No. Credentials stored and/or transmitted as plain-text are never completely “safe”, period.

If your application requires such storage/transmission, then the credentials can only be as safe as the environment in which they’re stored. You can add additional hoops to obfuscate the credentials, but the fact remains that if your code has everything it needs to decrypt the credentials, then so too does any other code within the environment. It is essentially the same as storing an encrypted file containing passwords on your computer alongside a shell script that decrypts the file as soon as executed. The best way to keep them safe is to secure the environment.

I’m using current_user_can() and nonces but is this enough for add sufficient security to AJAX?

It depends on the specifics of your application and what’s being transmitted via AJAX. Generally, these mechanisms when implemented properly are sufficient to validate that AJAX requests are being made from a consistent source. However, they in and of themselves are only a component of AJAX security. As general rules of thumb:

  • Do not take any action until the request is “sufficiently” verified, including the use of current-user_can(), check_ajax_referer()
  • Escape, validate, and sanitize all the things that comprise dynamic data. These practices are imperative to prevent SQL injections, arbitrary PHP execution, and delivering malicious JavaScript to visitors. This includes $_GET, $_POST, and $_COOKIE data as well as anything retrieved from the database that will be evaluated as PHP or sent to the browser. Learn which WordPress functions handle the tasks for you – but when in doubt, perform them yourself until you can be sure.
  • If you control the server environment, Secure your site with an SSL certificate and operate over the HTTPS protocol in order mitigate the chances of man-in-the-middle attacks (the Let’s Encrypt project is well on it’s way to offering trustworthy certificates for free).
  • Ensure that your error-handling is implemented in such a manner that if your server-script chokes or is accessed directly by a client, no sensitive data is spat back to the browser.

Can nonces be expired ?

Yes – WordPress provides the nonce_lifetime filter for this purpose. By default a WordPress nonce is valid for 12-24 hours.

Can multisite create any additions problems from my scenario?

It depends on how your plugin is installed and you intend for it to be used in a multisite environment – the potential “problems” that could arise might actually be desire-able outcomes depending on what you’re gunning for.

You may want to store mail credentials as user or site-specific data depending on who should have access to which mail – you may even want to implement custom roles and capabilities to provide finer-grained access to mailboxes.

Related Posts:

  1. Create mobile site with same content just different theme
  2. How to hide or remove unwanted widgets on Multisite installation?
  3. How can I diagnose a slow WordPress admin?
  4. How to enable a site administrator to edit users in a WordPress network/ multisite setup?
  5. WP-Admin not working properly at WordPress multisite with subdirectories
  6. COOKIE_DOMAIN setting confusion
  7. Hide a theme on list of themes in wp-admin without editing core files
  8. Difference Between Admin and Super Admin in Database
  9. wp-admin slow in multisite
  10. Don’t allow access to wp-admin but allow admin-ajax requests to be fulfilled on frontend?
  11. Timeout While Upgrading Network in Multi-site
  12. Uploading Images to Multi-Site Causes Failure to HTTP Error
  13. Multisite wp-admin redirect loop
  14. WordPress network (multisite) /wp-admin/ redirect loop (ERR_TOO_MANY_REDIRECTS)
  15. Copy posts from one blog to another in multisite environment
  16. My subsites accidentally went from one multisite network to another. How do I change it back?
  17. Redirect loop (only for multisite network admin)
  18. Trying to migrate a WordPress Multisite with Domain Mapping
  19. Getting an ERROR: Cookies are blocked error when logging in to a site on a different domain?
  20. Manipulate list of themes in wp-admin
  21. Creating a Post form outside of the Admin
  22. Subsites in Multisite installation throwing 404 error on wp-admin in IIS 7
  23. How to remove Broken Link Checker widget from admin menu
  24. How to set Active plugins as the default screen?
  25. Why can’t I delete original user in multisite? Options for manual removal
  26. Multisite network admin – URL / redirect error
  27. Subdomain login problems
  28. Cookie nonce is invalid – Multisite
  29. WordPress mutisite migration
  30. Why does the My Site dropdown show only a single domain?
  31. Super admin access to a forgotten WP instance?
  32. Iframe being removed only for some users when publishing a page
  33. WP Multisite with Domain Mapping : Preventing User Access to Dashboard
  34. How to fix blocked cookies error that doesn’t let me log into wp-admin?
  35. Cookie signed verification failed – wp-saving-post
  36. 2 website 1 database… Local to online
  37. Login problems on multisite installation with different domains
  38. Moving wp-admin folder to a different host in a multisite environment
  39. Site’s admin created with wpmu_create_blog accessible only on 2nd attempt
  40. Error : Cookies are blocked or not supported by your browser
  41. Is There A Plugin to Create WP Multisite Installs programatically
  42. How do I stop exactly one blog from network ever setting cookies?
  43. Can’t log in to wp-admin after setting up Multisite
  44. Sharing /wp-content/ folder between different WordPress Multisite installs?
  45. Infamous admin login redirect
  46. Is there something I need to know in order to use WordPress on foreign (Swedish) TLDs?
  47. Multisite cookies are being shared across domains unwanted
  48. How can I create network with different domains?
  49. WordPress multisite second site admin resulting in too many redirects error
  50. Remember language choice on multisite website
  51. Multisite wp-admin redirecting to main wp-admin using NGINX
  52. WordPress Multisite: Login to all subsites at once
  53. How to Add Super Admin for WordPress multi-site
  54. Single sign on to sub-sites in Multisite Network
  55. network admin pages not linked to correctly
  56. Multisite – cannot remove specific sub-menu its parent menu. All sub-menus disappear
  57. How to have same admin login for more than one site?
  58. WP Admin Panel for Multi-site install not loading JavaScript for one Subdomain
  59. Backend freezing on certain pages of a subsite
  60. Admin user getting redirected to /wp-admin/user
  61. How to login a user with wp_set_auth_cookie on a specific blog within a multisite environment
  62. Pages redirect me to the homepage
  63. ERROR: Cookies are blocked or not supported by your browser. You must enable cookies to use WordPress
  64. Cookies in Multisite network where sites have their own domain name?
  65. Many big issues in the website, WP_Debug not showing
  66. WordPress Network / Multisite login to one site allow access to all
  67. WordPress MU: Cookie error when trying to login on network WP instance
  68. What could be changing my WP password and blocking plugins from installing?
  69. How to delete post revisions?
  70. How to get blog name, when using WordPress Multisite
  71. How to make a newly registered site on multisite network “live” only when the user is ready
  72. Multiple Domains and Subdomains Using Multisite Installation
  73. Global Parent theme for all sites
  74. Can you manage multiple domain names from a single WordPress multisite network?
  75. Installed domain-based Multisite but can’t access wp-admin (redirect loop)
  76. WordPress Multisite Strange Redirect on Primary Site
  77. My Media Library is broken across all my subsites
  78. WordPress stuck in deleting user
  79. How Can I Change The Name Of My Subdomain in WordPress Multisite
  80. Display site description instead of site name
  81. WordPress multi-site: How do I create the home page, the root URL?
  82. Multiple Websites that share some content types and not others
  83. Solving a get_user_meta() problem in Multisite
  84. In Multisite the users profile picture keeps disappearing for “the other site”
  85. Website not listed under Sites (in a Network environment)
  86. get_site_option / update_site_option – the main site and sub sites do not share the same storage
  87. Can I use the main Multisite as a backend only?
  88. Number of total comment does not tally with the number of comment?
  89. Downloading customized theme from wordpress
  90. Subsites in Multisite throw 404 in wp-admin
  91. WordPress theme to support single website but with 3 sections for 3 languages
  92. Multisite – site user limited only for this site
  93. Update siteurl and home in multisite subsites to https
  94. WordPress multi-domain with multiple sites with multiple languages
  95. Get variable from previous blog while using switch_to_blog
  96. Domain level problem for multisite?
  97. WordPress multisite not working
  98. How does adding custom meta to signup form work?
  99. Create a Network of Different websites with wordpress
  100. Why can’t I enter the wordpress admin interface?

Leave a Comment