You Can’t Trust WordPress Plugin Developers’ Claims That Their Plugins Are Free of Security Vulnerabilities
In December, we wrote about how to check if WordPress plugins are secure. One of the things we mentioned that you can’t rely on is claims made by plugin developers about their handling of security. As a recent issue with one developer, 10Web, shows, developers will continue making extraordinary claims about security even when their poor security has led to websites being hacked.
Recently, we saw what appeared to be a hacker probing for usage of one of 10Web’s plugins. Here is part of what we wrote about what we found when we took a quick look over the plugin:
Looking into what might explain that, we found that the plugin is quite insecure, which shouldn’t be surprising, as we issued an advisory warning about using 10Web’s plugins in November based on repeated security problems on their part. The most serious issue we found in the plugin is that anyone can change the plugin’s settings (they don’t even need to be logged in to WordPress) and one of those settings stores JavaScript code to be run on frontend pages of the website.
After someone was complaining about being hacked on the plugin’s support forum, the developer finally addressed the vulnerability. After doing this, they made this claim:
We want to assure you that we have thoroughly investigated the matter and have taken necessary steps to ensure that the latest version of our plugin is free from any security vulnerabilities.
If that were true, it would indicate they did a lot of work, which seems unlikely to have happened in a day. The changes made in the referenced version of the plugin don’t match that at all. The only changes were to remove the code that starts the process of importing the plugin’s settings and to stop displaying a single existing setting on frontend pages of the website. You can tell that the developer didn’t actually thoroughly investigate and ensure that the latest version is free of security vulnerabilities, as you can find more vulnerable code right above the code they changed.
Right above the code they removed to disable importing the plugin’s settings, there is similar code that starts the process of exporting the plugin’s settings, and it still has no security checks:
```php
if(isset($_GET["two_export"])){
  $fileName = "Optimizer_settings_".TENWEB_SO_VERSION."_".date("Y-m-d_H:i:s");
  $data = $TwoSettings->export_settings();
  header('Content-disposition: attachment; filename='.$fileName.'.json');
  header('Content-type: application/json');
  echo esc_html( $data );
  die;
}
```
And just a few lines above that is code that disconnects the website from the service the plugin needs in order to function:
```php
}else if(isset($_GET["disconnect"])){
  add_action('in_admin_header', array('\TenWebOptimizer\OptimizerAdmin', 'disconnect_from_tenweb'));
}
```
Again, there are no security checks.
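For comparison, here is how such an export handler looks once it carries the checks WordPress provides for exactly this purpose. This is an added example written for this post, not 10Web’s code; the option name, query parameters, page slug and function names are assumptions.

```php
<?php
// Added example, not the plugin's own code. Assumed: the settings live in the
// WordPress option 'example_optimizer_settings' and the admin page slug is
// 'example-optimizer' (both hypothetical names).
add_action( 'admin_init', 'example_handle_settings_export' );

function example_handle_settings_export() {
    if ( ! isset( $_GET['example_export'] ) ) {
        return;
    }
    // admin_init also fires for admin-ajax.php and admin-post.php, which a
    // visitor who is not logged in can reach, so the hook alone proves nothing.
    // Only users allowed to manage options may read (or later import) settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // Reject requests that did not come from a link the plugin generated with
    // wp_nonce_url(); this stops a third-party page from triggering the action
    // in an administrator's browser (CSRF). check_admin_referer() dies on failure.
    check_admin_referer( 'example_export_settings' );

    $settings = get_option( 'example_optimizer_settings', array() );
    $filename = sanitize_file_name(
        'Optimizer_settings_' . gmdate( 'Y-m-d_H-i-s' ) . '.json'
    );

    nocache_headers();
    header( 'Content-Type: application/json; charset=utf-8' );
    header( 'Content-Disposition: attachment; filename="' . $filename . '"' );
    // JSON must not be HTML-escaped; esc_html() would corrupt the exported file.
    echo wp_json_encode( $settings );
    exit;
}

// Used where the plugin renders its settings page: builds the export link so
// that it carries the nonce check_admin_referer() expects.
function example_export_url() {
    $url = add_query_arg(
        array( 'page' => 'example-optimizer', 'example_export' => 1 ),
        admin_url( 'admin.php' )
    );
    return wp_nonce_url( $url, 'example_export_settings' );
}
```

The same two checks, a capability test and a nonce, belong in front of the disconnect and import branches as well; a settings import additionally needs each imported value validated before it is stored.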
Independent Security Assurance
10Web has a long history of not only having security problems in their plugins, but not properly addressing problems they have been warned about (and subsequently not properly addressing the security problems they have been warned that they didn’t properly address). In a situation like that, the best option is to avoid the developer’s plugins unless they have subsequently shown that they are now able to handle securing their plugins. That is a situation where our security advisories on WordPress plugin developers can come in handy, as we issue advisories based on a pattern of problematic behavior like we have seen with 10Web.
For those looking for an assurance that a WordPress plugin is secure, developer claims are not going to deliver. What you should look for is the results of an independent assessment of the plugin’s security. That does have limitations, including that it probably won’t check for every theoretical security issue in the plugin and can’t ensure that a security issue won’t be introduced into a later version, but it can give you a fairly good idea of where the security stands. With another plugin that had recently been targeted by a hacker through an unfixed vulnerability, the developer hired us to do such a review to make sure the plugin was now actually free of vulnerabilities.