The BSD Cafe Journal

The BSD Cafe Journal: Your Daily Brew of BSD & Open Source News


It’s Not WordPress. It’s the Plugins.


One of the reasons I'm always so happy to attend conferences and technical events (the real ones – not the flashy, sponsor-driven ones designed just to sell products or services) is that I get to meet amazing people and always come away having learned something new.

I've been using WordPress since 2006 and have managed hundreds of installations from a sysadmin perspective. Over time, I've noticed a clear pattern: most hacks and compromises happen through plugins or outdated installations. And often, these installations (and their plugins) become outdated because they've been patched together so messily that updating them is nearly impossible – especially when the PHP version changes and old, unmaintained plugin code stops working.

In March 2025, I attended a fantastic conference: OSDay 2025. I gave a talk on why I believe it makes perfect sense to consider the BSDs in 2025, but many of the other talks were truly eye-opening.

To mark the launch of the BSD Cafe Journal, I’d like to share the link to a particularly interesting talk by Maciek Palmowski: “How we closed almost 1k plugins in a month — the biggest WordPress bug bounty hunt.”

What struck me right away was how much his analysis of WordPress security aligned with what I’ve seen over the years: WordPress, out of the box, is reasonably secure. It’s the plugins – often old, unmaintained, or poorly written – that make it vulnerable.

I highly recommend watching his talk. It’s definitely worth your time.

3 comments
James Seward

@stefano@journal.bsd.cafe @stefano@bsd.cafe When I took over operating a corporate WordPress install one of the first things I did was IP-limit access to wp-admin/ resources (there are a few you have to allow-all for, or there were back then) as a blanket mitigation for that kind of vulnerability. Not a complete defence, but it felt like a good start.

I’ve done similar for my snac instance – not that I think the code is insecure, but if you can’t reach the admin URL you can’t even try to credential-stuff it 🙂
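One way to implement the wp-admin/ IP restriction James describes, as an added example for this page rather than the commenter's own configuration: an nginx server block that keeps wp-login.php and the whole wp-admin/ tree behind an allow-list while leaving admin-ajax.php reachable (the "allow-all" exception front-end JavaScript depends on). The 203.0.113.0/24 range, the hostname, the document root and the PHP-FPM socket path are assumptions standing in for your own values.

```nginx
# Added example (not from the original page): IP-restrict WordPress
# admin entry points in nginx. Assumptions: 203.0.113.0/24 stands in
# for your office/VPN range, PHP-FPM listens on /run/php/php-fpm.sock,
# and WordPress is installed at /var/www/wordpress.

server {
    listen 443 ssl;
    server_name blog.example.org;      # assumed hostname
    root /var/www/wordpress;           # assumed WordPress root
    index index.php;

    # Front-end JavaScript from themes and plugins (and the Heartbeat API)
    # calls admin-ajax.php for anonymous visitors too, so it must stay
    # open. An exact-match location wins over the ^~ prefix block below.
    location = /wp-admin/admin-ajax.php {
        allow all;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }

    # Login form: only trusted networks can even reach it, so there is
    # nothing to credential-stuff from the outside.
    location = /wp-login.php {
        allow 203.0.113.0/24;
        deny  all;                     # everyone else gets 403
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }

    # Whole admin tree, PHP handlers and static assets alike. The nested
    # PHP location inherits the allow/deny rules of its parent.
    location ^~ /wp-admin/ {
        allow 203.0.113.0/24;
        deny  all;
        location ~ \.php$ {
            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_pass unix:/run/php/php-fpm.sock;
        }
    }

    # XML-RPC also accepts username/password logins, so locking down
    # wp-login.php alone still leaves a password-guessing surface.
    # Close it unless something you run (e.g. the WordPress mobile app
    # or Jetpack) needs it.
    location = /xmlrpc.php {
        deny all;
    }

    # Everything else: the normal WordPress front controller.
    location / {
        try_files $uri $uri/ /index.php?$args;
    }
    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }
}
```

Two caveats a practitioner will want. First, if the site sits behind a CDN or reverse proxy, `$remote_addr` is the proxy's address, so the allow-list either blocks everyone or admits everyone; configure nginx's real_ip module (`set_real_ip_from` for the proxy ranges plus `real_ip_header`) before trusting client addresses. Second, this is exactly the "not a complete defence" the comment mentions: it shields the authenticated admin surface, but many plugin bugs are reachable unauthenticated through front-end routes (admin-ajax.php `nopriv` actions, REST endpoints under /wp-json/, shortcodes), which this configuration deliberately leaves open. Verify the rule from an outside address with `curl -sI https://blog.example.org/wp-login.php`, which should return 403.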

Da Elf

@stefano OMG This.

WordPress is groovy. FULL STOP
As a CMS it works flawlessly. You wanna do something interesting? Now you're in PluginHell.

I host a lot of WordPress too. I try not to butch because something something, food on my table something …
I hate plugin authors.

And WP plugin code is an orgy of stupid.

The worst code I read in a day is a WordPress plugin. Guaranteed.

Arcticulate

@stefano While I do maintain Linux servers at work, I don’t maintain their WordPress instance. I am however *using* it: I am part of a team which sometimes posts internal messages to a corporate-internal WordPress blog which employees rely on to keep track of certain important events.

I totally agree about the plugins. In fact, we installed a plugin which itself is a plugin maintenance tool, a way to notify ourselves whether plugin X or Y has vulnerabilities, basically.
