Dev Branch

EP16 – WordPress Plugin Dependency Confusion

December 3, 2021

This month on the Dev Branch we’re going to be talking with Robert Rowley of Patchstack about Dependency Confusion, what WordPress developers need to know to secure their sites, and what to think about when building plugins.


Show Sponsors

WP All Import works with any XML or CSV file, you can import images, and can easily import data to plugin and theme fields or anywhere else you need it. With WP All Import – import and export with ease, even schedule it too!



Episode Transcription

[00:00:00] Steve Zehngut: 5 4, 3, 2, and Jason.

[00:00:06] Jason Tucker: This is episode number 16 of Dev Branch, WordPress Plugin Dependency Confusion.

[00:00:15] Jason Tucker: WP All Import works with all XML and CSV files. You can import images and you can easily import data into plugins and theme fields or anywhere else you need it. With WP All Import, import and export with ease, even schedule it too. Check them out at

[00:00:34] Jason Tucker: Steve

[00:00:34] Jason Tucker: saying when Steve Zehngut on the internet.

[00:00:38] Steve Zehngut: whatever you guys do. I am.

[00:00:41] Jason Cosper: Hey, y’all know who it is. It’s your boy, Jason

[00:00:42] Jason Cosper: Cosper, AKA Fat Mullenweg.

[00:00:44] Jason Cosper: Back at it again on the number one WordPress podcast.

[00:00:48] Jason Tucker: Speaking of podcasts, leave us a review, maybe not on this episode, but leave us a review on Apple Podcasts, Google Podcasts, and Spotify. And lastly, go over to Discord. Go to and make fun of us over there. We’d really appreciate that. So we have a friend on the show. Hey Rob. Hey, how’s it going, Robert, how you doing?

[00:01:14] Robert: I’m good. Good.

[00:01:16] Jason Tucker: Awesome. Robert, could you give us a quick little intro who you are, what you do? All the fun.

[00:01:20] Robert: Yeah. Yeah. I’m, my name is Robert Rowley. I’m the security advocate for Patchstack. I had been working in the information security field for close to around two decades now, and I’ve known Jason over there for much longer than that. And I’ve enjoyed, I’ve been a huge supporter for open source working at DreamHost, Pagely, and I’ve also broken open source while I’ve worked at Trustwave and other companies.

[00:01:47] Jason Tucker: Very cool. Very cool. Cosper, how did we, how do we get to this topic that we are going to be discussing today? What was the origin of this? You gave me like this rundown and I was like, oh man, yeah, I’m gonna have, I’m gonna have Cosper explain this rundown.

[00:02:04] Jason Cosper: Yeah.

[00:02:07] Jason Tucker: Like who was the originating post? Like how did this.

[00:02:11] Jason Cosper: So I’m back in. Gosh, I want to say early, earlier 2021 there, there was this whole idea of dependency confusion that came out from Alex Birsan. Is that right? Robert?

[00:02:28] Robert: Think so. The Trac tickets go a bit longer though. They

[00:02:33] Robert: More history.

[00:02:36] Jason Cosper: The initial, the idea of it, yeah, it goes back a lot further, but the kind of name for it is this novel supply chain attack happened against Apple, Microsoft, and a bunch of other companies back in early February of this year.

[00:02:54] Jason Cosper: And the writeup from Alex was like, here is how I did it, everything else, but basically I, and I can let Robert take the ball on this one. They were spoofing packages that like a lot of people used to basically insert scripts into, into very large parts of infrastructure.

[00:03:28] Jason Cosper: And it can be done basically with WordPress too, which is where Robert comes in.

[00:03:36] Robert: Yeah. Did you want me to give like the quick rundown?

[00:03:39] Jason Cosper: Absolutely.

[00:03:42] Robert: That

[00:03:42] Jason Cosper: you’re you’re the professional here. I just talk bullshit. You’re the Professional.

[00:03:48] Jason Cosper: So please Professional.

[00:03:49] Robert: You’re way too endearing.

[00:03:51] Jason Tucker: You can tell from our intro is great.

[00:03:55] Robert: Yeah, the whole idea of this dependency confusion is basically a naming conflict for libraries or software that you’re updating or managing on your site or that your site or software relies upon. And the conflict can happen when you have a local development version, and then you have a package management service, which is like a cloud service for the WordPress world.

[00:04:18] Robert: This would be like the plugin repository. And when your local dev version, which doesn’t have, basically has your awesome plugin name installed on it, that should be fine until an auto-update runs. If the auto-update runs and it looks for the official plugin repo to say, Hey, is there an update for my awesome plugin?

[00:04:38] Robert: And it finds an update? It might just apply that update. And if your update, if your code was never intended to be ran or updated from the WordPress plugin repo, this can be where like the confusion starts. Which one is the right plugin? Where’s the source of truth, right? Where, what should we do here?

[00:04:55] Robert: And the. Until I think around WordPress 5.8 would just default to updating to whatever was on the plugin repo. And this is where that 5.8 update, which was released in July this year, basically added a new functionality, which kind of helps out a lot of plugin developers, especially plugin developers who are doing custom plugins, bespoke plugins for their clients.

[00:05:19] Robert: Things like that can help. Do some mitigation strategy, right? Change one field in there. And in their plugin, one line of code will help prevent the risk of somebody later uploading a conflicting name or confusing dependency to the WordPress plugin repo and cause sites to basically we can assume they’re going to break because I highly doubt that they’re there.

[00:05:42] Robert: They’re pushing valid updates to your bespoke code. But that’s basically how, generally how it works. I can do a good little example too. I did a writeup for the Patchstack Weekly, includes a nice little writeup. If you guys want me to go through that or any other questions?

[00:06:00] Jason Cosper: Okay. So the header you were

[00:06:02] Jason Cosper: the head, or

[00:06:02] Robert: Yeah,

[00:06:03] Jason Cosper: about is what was the Update URI, right?

[00:06:08] Robert: Yeah. The Update URI header, which is part of the plugin headers.

[00:06:11] Jason Cosper: And, if you set that to false, it won’t even check the repository. Is that what it is? And then but you can also set it to say a GitHub repo, an EDD endpoint, something like

[00:06:25] Robert: It’s the post.

[00:06:27] Jason Cosper: Yeah.

[00:06:29] Jason Cosper: so

[00:06:29] Robert: extract the host’s name from that,

[00:06:31] Jason Cosper: right. Okay. Which is this is all great. I’m actually curious, we’ve talked previously on the show and we can get into things a little more in depth about nulled plugins and these like nulled plugin clubs where you don’t know what’s coming along with this plugin.

[00:06:55] Jason Cosper: That’s been like, the updates, the licensing, et cetera, has been stripped out. Could, I don’t want to be sensationalistic here. I don’t want to poke any bears, but could an Update URI be inserted? If you buy a nulled plugin that basically says, oh yeah, check this server for updates, wink, wink, nudge, nudge.

[00:07:18] Jason Cosper: And then at some point, yeah, at some point in the future a, an update can get pulled down to your site that inserts, whatever the nulled plugin club

[00:07:34] Robert: Yeah, that’s it, that’s a possibility, yeah. Part of the 5.8 update includes this new filter, or is it an action, which is the, oh, it’s a filter. It applies the filter called update_plugins_ and then it extracts the host’s name. And, eh, the nulled plugin clubs theoretically.

[00:07:55] Robert: Start mandating their own updates. Maybe they will. Maybe they won’t. I’m not sure, but the key point here is that for the non repository plugins this is a key function to know to include in your code now.

[00:08:08] Jason Cosper: Yes.

[00:08:08] Robert: apply, so your code can properly update and won’t try to update from the repo and it’ll update how you want your code.

[00:08:18] Jason Tucker: Yeah. This is a problem when you can, when you allow a slight sideloading you can essentially sideload a whole new plugin and bring it in and then have it wait for the updates. And then if the slug is the same, then you’re going to end up with that updated that nulled plugin scenario that you just brought up Cosper.

[00:08:39] Jason Tucker: That’s super interesting that, that could. I can wreak some havoc

[00:08:45] Jason Tucker: if

[00:08:45] Jason Cosper: That

[00:08:47] Jason Cosper: and that’s why we said in that episode, like screw nulled plugins, don’t be a cheapskate. If you need the functionality, buy the actual plugin cause you’re just setting yourself up for a future scenario where things can go south real fast. And next thing your site is part of a botnet or

[00:09:14] Robert: You won’t even know it’s part of the botnet just days,

[00:09:18] Robert: right?

[00:09:19] Jason Cosper: Absolutely.

[00:09:20] Jason Tucker: So

[00:09:21] Jason Tucker: what is it that people can do, as a site owner and then as a

[00:09:25] Steve Zehngut: Okay.

[00:09:26] Jason Tucker: what can they do to either mitigate this or to determine what I know that there’s plugins that will detect some of the stuff. I think you were involved in some of those, if I remember correctly what could they do?

[00:09:41] Jason Tucker: can folks do to work through this.

[00:09:44] Robert: Yeah, I would say the number one thing is I want to get ahead of this is don’t fear the updates, an update is not a bad thing. Most of the time, those are helping out Steve, but after. Yeah.

[00:10:00] Steve Zehngut: constructive to add.

[00:10:03] Robert: So I made the point, but after the after that aspect the updates are important is to ensure that if you’re using repository, you’re actually pretty much, if you’re using all plugins for, you’re pretty solid, right? The default behavior is to for the plugin updates.

[00:10:21] Robert: Your plugins are updating from the same source, but if you start using plugins from other sources or custom developing plus. And then you’re going to have to start considering it, right? If you’re pulling in plugins from ThemeForest or themes from ThemeForest, or plugins from other resources, you’ve got to make sure you can check yourself as the site owner, does this have this Update URI header, does this look good?

[00:10:44] Jason Cosper: Yeah.

[00:10:44] Robert: you’re pulling down nulled plugins, if you just are that type of person. I mean, I really hope you’re really good at reading code. Cause you’re going to want to validate everything in that piece of code to make sure it’s looking good and it’s not doing anything to.

[00:10:57] Steve Zehngut: Now you said you should check yourself. Should you do that before you wreck yourself?

[00:11:02] Jason Tucker: Cause

[00:11:03] Steve Zehngut: Just curious.

[00:11:04] Robert: always. So yeah. You don’t wreck, you wreck yourself, I guess the bot, the bots wreck your site for sure.

[00:11:11] Jason Tucker: definitely.

[00:11:12] Robert: Yeah.

[00:11:14] Jason Cosper: Okay.

[00:11:15] Jason Tucker: okay. So there, we have this new header that’s been added in, and that, That sounds all fine and good. But there has to be like, I don’t know, this whole system is set up to with a level of trust. And we had this whole discussion at the beginning here with NPM modules and having someone who just goes I don’t want to deal with this anymore.

[00:11:38] Jason Tucker: And then just get rid of that. The same sort of thing could happen with this, right? You could have somebody who has a very popular plugin. They get tired of having that popular plugin. And instead of putting it up for adoption, they just delete it. And now the slug is just floating out there and someone can grab that slug and run with it.

[00:12:03] Jason Tucker: Right.

[00:12:04] Jason Cosper: Or your favorite example where a plugin gets sold Jason, and initially it’s about what changing or giving people custom user icons, if they don’t want to use a Gravatar. then all of a sudden your site has turned into some sort of membership site, because the person who bought this Gravatar plugin it into.

[00:12:31] Jason Cosper: Our whole membership plugin, like

[00:12:34] Jason Tucker: none of us would run this plugin though.

[00:12:35] Steve Zehngut: You’re basically

[00:12:36] Steve Zehngut: They’re hijacking the slug at that point.

[00:12:39] Jason Tucker: Yeah. Yeah. And there’s some there’s some people that we’ve even seen him where you let you see the, you see that slug and you’re just like, wow, they got that. Facebook, like really like they, they were able to get that name. Wow. Look at you. And it’s some like really janky, whatever. There’s some that are out there where you’re just like, wow, this person really was able to, they came in early and they got this really great slug, and now they’re running with it.

[00:13:08] Robert: yeah. Where they came in early, they got this great slug, just like the domain name rush. And then they’re just sitting on it now to try to sell it to the highest bidder.

[00:13:18] Robert: Yeah. Becomes a, it becomes. At the end. Yeah, it’s definitely the, I don’t know. You guys mentioned the whole plugin slugs can be taken over or sold and that’s something I’ve seen directly as well.

[00:13:31] Robert: Compromised sites after, the fact where

[00:13:33] Robert: a plugin was sold the developer wasn’t doing anything with it. Suddenly somebody came with, came in with an offer for a few grand. That sounds great. Unfortunately there’s a harm they’re going to that. Person’s going to make them.

[00:13:47] Robert: And normally it’s by doing some malicious stuff on websites.

[00:13:52] Jason Cosper: Yeah, I was going to say in not only your current job, but in previous jobs haven’t you sniffed out some of those plugins that have gotten taken over Robert. If I recall

[00:14:03] Robert: Yeah. Oh, absolutely. Just part of the job doing monitoring of plugins to make sure that they’re getting updated when there’s security updates, getting row purging plugins from a whole network of customers is something that I’ve had to do when the plugin author was clearly, I don’t know the right nicest word to say, maybe gone off the rails.

[00:14:26] Steve Zehngut: But that never happened. That never happens.

[00:14:29] Robert: Except for all the times,

[00:14:33] Jason Cosper: That’s because we don’t use rails. We use PHP. it’s a different set up and everything else, but.

[00:14:39] Steve Zehngut: know this is the developer track and I know Robert you’re a developer, so you know how to do this, but is there a way for the lay person to be able to this themselves? Is there any, any plugins or monitoring systems that are out there that can detect what you’re talking about

[00:14:57] Robert: of

[00:14:58] Steve Zehngut: for site owners?

[00:15:01] Robert: I, coincidentally worked for Patchstack, which releases, which has a plugin that is available on the repository. And we do security notifications for all of our customers. It’ll appear in your WordPress dashboard. If you want to pay a little bit more, we’ve got an awesome little SaaS app that allows you to get notifications for all sorts of security issues.

[00:15:22] Robert: But the key thing is though, is that this gives you. The, this empowers site owners to know when one of their plugins, it has a known vulnerability in it. If a plugin gets hijacked and it’s now a malicious considered malicious code that will now appear to that the site owner who has who’s running the Patchstack app or Patchstack plugin on their WordPress website, knowing that they’ve got to do something about this and even better is for the customers that pay a little bit more.

[00:15:46] Robert: We have a web application firewall, which automatically applies rules, which will protect the site as best as we can against some malicious activity.

[00:15:54] Steve Zehngut: Now again, I’m asking this, I already know this answer, but I’m asking this for the lay person is if, a if a plugin is hijacked, let’s just use that word because that’s how we’ve been describing it on this, on the, on, on the Watercooler so far, is that code compartmentalized to just that plugin?

[00:16:13] Steve Zehngut: So meaning as long as I deactivate it, I’m in the clear, or can they do more permanent damage

[00:16:19] Jason Cosper: Yeah.

[00:16:19] Steve Zehngut: and to the rest of the code?

[00:16:21] Robert: Let’s say if a plugin is hijacked and you would think that deactivating the plugin would disable the functionality of the PHP files, but reality is you can still access those PHP files directly. a really an attacker, depending on the attack method they use could upload a backup.

[00:16:38] Robert: At some specific specified path and be able to reactivate there, or either access to the site. So the ideal thing is always to remove those plugins or have a web application firewall, which can disable access to those endpoints.

[00:16:52] Steve Zehngut: Okay, so let’s take it a step further, right? hear what you’re saying. I’ve now deactivated and I’ve removed the plugin.

[00:16:58] Steve Zehngut: Can the plugin leave a trace of itself even after I’ve removed the, just the files for that plugin?

[00:17:04] Robert: We can go down this road all day long, theoretically.

[00:17:08] Robert: But at that point in time, it’s no longer part of that piece of code. It’s another part of that plugin code. It could infect other pieces of code, and there’s been some really interesting attacks, which I’ve seen where they can jump around the place.

[00:17:20] Robert: A lot of the compromised sites will have a little line added to every PHP file. So you gotta think you gotta clean them all up. And I brought some tooling to do this before big pain in the butt, but there’s also methodologies where it can only update one P one file and then it hops around the file that’s being malicious.

[00:17:37] Robert: So there’s always a way for attackers to be there. And you always want to be able to thorough cleanups or go to the straight to the server layer. And live outside of WordPress and start scanning everything on the server layer. So that would be more leaning towards the hosting.

[00:17:53] Steve Zehngut: Now the code jumps around, but does it jump up and get down.

[00:17:58] Robert: I don’t know the rest of the lyrics, but Yes,

[00:18:01] Robert: Yes,

[00:18:02] Steve Zehngut: I’m on a I’m on like a rap lyric kick today.

[00:18:05] Jason Cosper: I believe

[00:18:06] Steve Zehngut: softballs.

[00:18:08] Jason Cosper: they, they just said jump, jump after that.

[00:18:12] Robert: Yeah.

[00:18:12] Steve Zehngut: All right. That’s the last, that’s the last question I’ll ask about compartmentalizing code. That’s all I had.

[00:18:18] Robert: Was that Chris?

[00:18:20] Steve Zehngut: No that’s house of

[00:18:21] Steve Zehngut: pain.

[00:18:22] Robert: the pain.

[00:18:23] Jason Cosper: That’s how

[00:18:23] Jason Cosper: some pain embarrassingly,

[00:18:26] Steve Zehngut: jumping.

[00:18:27] Jason Cosper: embarrassingly, the House of Pain CD is the first CD I ever bought with my own money. That should

[00:18:35] Steve Zehngut: You should be embarrassed.

[00:18:37] Jason Cosper: yeah.

[00:18:39] Jason Tucker: Mine was too. All right.

[00:18:42] Steve Zehngut: I’m embarrassed that I knew what the Kris Kross song was, right? Like that.

[00:18:47] Jason Tucker: so you were talking about some command line stuff that you could run as well. One of the links that we were putting in our show notes is that there’s a WP update confusion Python script that you could run that will go through and check all of these things as well. So there are things that are out there that you could

[00:19:10] Jason Cosper: And.

[00:19:12] Jason Tucker: some stuff up and run through it and see how.

[00:19:15] Jason Tucker: How this is happening, but yeah there’s, a lot of different ways to go through and approach this.

[00:19:23] Robert: Yeah. There’s the link in, hopefully I don’t show up in the show notes. Yeah. For the

[00:19:28] Jason Cosper: Absolutely.

[00:19:29] Robert: Python script.

[00:19:30] Jason Tucker: Yeah.

[00:19:31] Jason Tucker: Yeah.

[00:19:33] Jason Cosper: There, there is a whole I, I know since this is like our more developer focused show hopefully a number of you out there, are a little more familiar with command line stuff, with things like that. Something that just got acquired by Automattic, WPScan, is a fantastic tool to, audit your own.

[00:20:02] Jason Cosper: Effectively and figure out where if you’re not if you’re not going to use something like the Patchstack plugin that’s available in the WordPress repository, that you can figure out where some of your vulnerabilities lie. It, it actually does a really great job of presenting that information in a very plain text fairly easy to understand way.

[00:20:35] Jason Cosper: So I really, I got to give a shout out to them. Definitely. I think you’ve done some work with them as well.

[00:20:42] Robert: Yeah. yeah. The WPScan guys are great guys. And that piece of code has been around for forever basically. And it was the premier piece of software that could and what’s cool. What’s different is that it re remotely can detect a lot of the plugins that you have installed and themes you have installed, and then compares that against the WPScan database to find out for known vulnerabilities.

[00:21:06] Robert: That, and that’s a difference between Patchstack, which lives on your site. So if you can’t install it on the site, you can always run WPScan. you just don’t. If you’re a developer, you don’t have time to install some app or as a plugin on all your test sites that run WPScan, right? Deacon, pre-feed it with a lot of data, just go to WP, or pet and type in every one of your plugins by hand, if you’re into just making the work as hard as possible.

[00:21:32] Jason Cosper: May maybe you have an intern and you’re just trying to figure out like something for them to do. Hey, go ahead, do a little a little type, a typi and figure out what’s up.

[00:21:47] Steve Zehngut: This is related, but not exactly what you’re bringing up. I had a friend, not a client, but a friend called me recently and say my WordPress site. I haven’t maintained it in a while, but all of a sudden I have a bunch of Google ads that are appearing on the front end of the site.

[00:22:02] Steve Zehngut: And what happened was the theme developer just decided to slip in an ad code in the in the header of the of the theme and pushed it with an auto update. That’s just how it works. So there had nothing to do with what we’re describing here. There was no link hijacking. It was just the theme developer decided to make some extra money by pushing in their own ad tags.

[00:22:23] Jason Tucker: It, may actually Steve cause of a theme could this also happen with the theme then?

[00:22:30] Steve Zehngut: It. Let me think it.

[00:22:35] Jason Tucker: if a theme got updated and it was somebody ditched a theme and now they took over that theme slug

[00:22:43] Steve Zehngut: I didn’t get the impression that this is an actual ditching of the theme.

[00:22:47] Robert: this is,

[00:22:48] Steve Zehngut: the same developer the whole

[00:22:50] Robert: yeah, this is

[00:22:52] Jason Cosper: Yeah.

[00:22:52] Jason Tucker: Yeah,

[00:22:53] Robert: yeah. Developer gone rogue

[00:22:56] Jason Tucker: sure.

[00:22:57] Robert: Or designer gone rogue in this case.

[00:22:59] Jason Tucker: could this also happen with themes?

[00:23:01] Robert: Yeah the same constructs are there. It’s do you have a source, right? Are you validating the same source? Is this theme being updated from the same origin right or not? And that’s, those checks didn’t really exist.

[00:23:15] Robert: I, this 5.8 updated was really only for the plugins. I haven’t looked into it specifically for themes, mostly because people are pretty hesitant to, to update a theme.

[00:23:26] Jason Cosper: Yeah.

[00:23:26] Steve Zehngut: Yeah,

[00:23:27] Robert: good exists in the same place.

[00:23:28] Steve Zehngut: my point was this had nothing to do with server code. This was just a

[00:23:32] Robert: Yeah.

[00:23:33] Robert: Yeah.

[00:23:34] Steve Zehngut: And it was literally just sitting right in the header file in the

[00:23:38] Jason Cosper: Yeah.

[00:23:38] Robert: Yeah.

[00:23:40] Steve Zehngut: in queued, it wasn’t even done properly. It was just pasted right into the header file, the theme and came in through an auto update.

[00:23:46] Jason Cosper: Back when I was at WP Engine, I used to have to do a lot of site cleanups. And in a lot of cases there were people just inserting a little bit of JavaScript, a little bit of a tiny bit of PHP that then loaded some JavaScript from like one of their also completely hacked sites like down the line.

[00:24:13] Jason Cosper: And yeah, so sometimes a developer can go rogue and do that. And sometimes you have an attacker who just drops a little in there.

[00:24:25] Robert: I’ve seen a little JavaScript turned into a big cookie stuffing campaign where they’re just trying to get affiliate link cookies, just jammed into a browser. It was amazing to see thousands and in one

[00:24:37] Robert: little JavaScript.

[00:24:38] Steve Zehngut: this little one line of JavaScript put a Google ad into every single blog excerpt.

[00:24:43] Robert: Yeah.

[00:24:44] Steve Zehngut: it was there. There are Google ads all over the.

[00:24:48] Jason Cosper: Another one that I saw as I was getting out of doing some hack site cleanups was people putting a JavaScript in that runs like a Monero like mining yeah so basically mining these small time cryptocurrencies. That even if it’s just, you’re doing just the tiniest bit of work through this JavaScript or whatever that it’s just running that in the background and they get enough people visiting the site and okay.

[00:25:24] Jason Cosper: You actually have a formidable force generating cryptocurrency for you

[00:25:30] Jason Cosper: Basically.

[00:25:31] Steve Zehngut: you visit the site near and you just see your CPU processes. Just, go

[00:25:36] Robert: Yeah.

[00:25:36] Steve Zehngut: your fans, your fan just starts to.

[00:25:39] Jason Cosper: That’s just called using Chrome, but sure.

[00:25:44] Steve Zehngut: Yeah, so true.

[00:25:46] Robert: Been blaming the tabs, but really it’s been Monero miners.

[00:25:51] Jason Tucker: So going back to what we were talking about, the very beginning here where we were clearly defining what happens with a developer point in third-party code to be included into their builds for folks that are just installing plugins on from WordPress’s repository and getting them onto their site and using those, unless something like we just described would happens there.

[00:26:19] Jason Tucker: There’s not a whole lot that like the end using develop and using. Website owner really needs to worry about or can worry about, but when it comes to the developers, themselves, when they’re going through and building out their code and and getting all that set up, that this is something that could definitely happen to them.

[00:26:41] Jason Tucker: Like we talked about in the past where there’s NPM modules that get messed with and things like that. Have we heard of anything else? Where PHP has had this same sort of issue where a included library that’s being brought in on during build and something nefarious happens.

[00:27:05] Jason Tucker: And is that something people should be even worrying about as a developer?

[00:27:11] Robert: I don’t know what on a PHP itself.

[00:27:14] Jason Cosper: Okay.

[00:27:14] Robert: was only one I can think of is PHPUnit had some stuff, but. At all like this, it wasn’t nefarious stuff. It was an old version of PHP and it should not be shipped with your code. It’s only your testing environment and people were accidentally shipping them with their code in the WordPress plugins repository too, was leading to an incident where there was an arbitrary code execution.

[00:27:36] Robert: But yeah.

[00:27:39] Jason Cosper: I can’t think of anyone knowingly as far as like WordPress goes in outside of the little things that we’ve mentioned, although I do know there was, for some time it still could be the case, cause I won’t go and touch it. But know that CodeCanyon and ThemeForest and stuff like that, especially ThemeForest.

[00:28:04] Jason Cosper: There was a whole run of people inserting old, like vulnerable copies of, like Revolution Slider and things like that. Where yeah. TimThumb, when we had the TimThumb exploit,

[00:28:21] Robert: Yeah.

[00:28:23] Jason Cosper: th those things like that. Yeah. Where it was a surefire way to get your site hacked.

[00:28:30] Robert: Yeah. That was an insecure library that developers weren’t updating within their code structure. And so it’s a funny thing where you got to remember that it’s a supply chain, right? Like your site’s your site, but you’re relying on a lot of people and a lot of other people’s code.

[00:28:46] Jason Cosper: Yeah.

[00:28:47] Robert: got to keep aware of security issues that are some two, three steps down the chain.

[00:28:52] Robert: They might come up as an issue, so you gotta keep an eye on it.

[00:28:55] Jason Cosper: To tie it back to developers, say you use Composer or you’re using Laravel, something like that. You have to make sure that your Composer libraries are up to date, the little bits of the libraries you’re using from Laravel, probably also loaded through Composer, are up to date as you use JavaScript libraries to help you build blocks and things like that.

[00:29:21] Jason Cosper: Any dependencies that come through NPM or Deno or anything like that, again, you have to make sure that these things are up to date.

[00:29:30] Jason Tucker: Yeah. Yeah good. I think we talked this one up pretty good. Thank you very much, Robert, for hanging out with us, we really appreciate it. We’re looking forward to seeing other blog posts that you’re putting out and things that you guys have going on over there at Patchstack.

[00:29:47] Jason Tucker: So thank you very

[00:29:48] Robert: Yeah,

[00:29:49] Jason Tucker: time and for hanging out with us.

[00:29:51] Robert: Thank you. The posts every week patch,

[00:29:54] Jason Tucker: I appreciate that. Thank you. Here’s our working outro. Hey go over to and subscribe to this content. This is Dev Branch. We put this out every month and WPwatercooler happens on all the other weeks that we don’t put out Dev Branch
