This is episode number 27 of DevBranch. We’re pressing with Abandonware.
[MUSIC] I’m Jason Tucker. You find me over at jasontucker.blog.
[MUSIC] I’m Sé Reed. I wasn’t looking at the screen. I do stuff at places. Sé Reed Media, I’m all the fame.
And y’all know who it is. It’s your boy, Jason Cosper, aka Fat Mullenweg, back at it again on the world’s most influential WordPress podcast.
Speaking of that podcast, go in, subscribe to us wherever it is that you want to subscribe to us and come hang out with us in our Discord.
Our Discord that is surprisingly more active every time I check, I’m just like, oh shit, people are actually talking in the Discord.
Here’s something I learned about Discord yesterday, okay? because I’ve been more discordant. All of Mid Journey is generated through a Discord bot. Yep. Did I know that? No. And literally last night I was like, “You know what? I’m procrastinating and I should go to bed, but instead I’m going to finally look up Mid Journey.” And then I was like, “Wait, what?” I didn’t start doing it because I was just so flabbergasted by the fact that I was in just like, I thought they were just gonna verify me in and then I was like, Oh, no, this is that I think a thing a bot. I like lost my mind. Anyway. I didn’t know that you could get
more discordant say but
I’m getting down with the discords.
Hey, look, we’ve got a pal. Hello. Hey, Robert, how you
– I have to find a new song for you.
– You gotta find a new one. – I’m doing good.
Doing good, a lot of free time, enjoying my time.
– Good, glad to hear it. So what are we talking about today, Cosper? What do we got going on here?
– Ask us, Cosper.
– We got Robert here. We’re probably gonna be talking about some like security type thing or something.
– I have questions actually, so. – Yeah. – I actually did a little bit of research for this topic.
– What? Oh. Stay with a little research is a dangerous thing.
I know, but I’m not going to introduce it cause it’s definitely not my Ballywick, but yeah.
Oh, Ballywick. This is what’s going to be showing up today, I think, right?
Right. Right. We’re going to get the little overtime banner going possibly.
Yeah, I know. So, so this week we are kind of talking about, abandoned WordPress plugins.
And there was a story.
I don’t know if you’ve got it locked and loaded, Tucker.
There was a story last week about effectively–
Sakuri found that there were hacked sites that
were pulling in a plugin from the WordPress repository,
installing it, a long-abandoned plugin that effectively
would insert PHP as part of its functionality, insert PHP into
your site as part of shortcodes. And because the PHP that was
being inserted, was stored in the post table, and stored in
places where you wouldn’t expect inline PHP and hack backdoors
and everything like that, it was a whole lot harder
to kind of find it and suss it out, but–
– I have a question.
– So this plugin, just ’cause I’m,
this is just such a really important and interesting
and also like always on the margins topic
because no one really like, there’s so few people
that like really understand what they’re talking about
with this stuff, right?
even though we all kind of know it’s important.
So the plugin in the repo had been abandoned, right?
So it was like super old, super old plugin, right?
So that code hadn’t been updated.
So what they were doing, just to clarify for me,
is taking that, ’cause obviously you can get the code
of that plugin anyway, right?
So whatever they did with that code,
figuring out what it did on the websites
that they had hacked, and then figuring out what it did,
then putting it on the websites they had hacked,
and then using its functionality,
which was to insert PHP shortcode,
to insert malware, malcode,
or whatever you want to call it, right?
Is that essentially what was happening?
So they were not putting the malware, essentially,
in the plugin, but they were using the plugin’s functionality
in order to exploit a site.
Is that correct?
– I would change one word.
The exploit was probably originally another compromise, right?
It was another vulnerability.
But they were using this plugin whose purpose
is to allow arbitrary PHP code execution
as a convenient kind of backdoor, right?
Now, it’s not the plugin’s fault.
The plugin had no malicious code.
It’s just purpose was to put PHP and store it in the database.
– I literally think, once upon a time, I saw that plugin.
I don’t know if it was the same plugin,
but there was a plugin on a client site,
one of those I inherited type sites,
that had a plugin in a post, or a PHP in post,
and literally I went into this post,
and it was like a code editor.
It was just the full, what you would see
in your IDE or whatever, for real.
Obviously I got rid of it right away,
but that’s not obviously a way to do it.
But that was the intention of the plugin.
So the plugin, the plugin was not compromised, right?
– Yeah, correct.
– I just think that’s really fascinating
because you think about it being,
the plugin being compromised
and maybe someone like taking over an abandoned plugin
and then like putting malware into it that’s on the repo,
but that’s not the case here.
This is just some like clever usage of old plugins,
like exploiting it as literally like a tunnel.
– Yeah, you need to upgrade it to blocks
is what they need to do.
So that way we can use blocks.
– I mean PHP and blocks plugins, right?
– Yeah, exactly.
– How did you figure this out, you guys?
Like how did someone, like,
are they trolling the plugin repo
for like plugins that do this or what?
Like how did you know?
– There’s a graph.
There’s a graph in there that is really cool
in that article that shows the spike of installations.
So we can really pinpoint–
– On this abandoned plugin.
– We can pinpoint when basically there was an attack,
like a botnet or some attacker profile.
– Yeah, look at that.
– There it is. – Right around, yeah.
March 2023, they decided to integrate this
into their automated attack structures,
which spiked the installs.
And what’s really sad about this graph
is that’s installs per day,
also that’s compromised sites per day.
So that’s just how many sites were getting compromised
by the specific botnet that was utilizing this plugin,
legitimate plugin, but abandoned,
but has backdoor, like, communitability.
– But that’s not how they were getting into the sites.
– Correct. – The sites,
they were getting in some other way.
Then they were using their takeover of the site
to install the plugin directly from the repo.
So there’s so many points, I don’t want to say a failure,
but kind of a failure here, right?
Like this is not just one point of failure situation.
This is like a little stack of failures.
– Yeah, I’m going to defend the plugin team.
I believe, I’m not certain,
’cause I couldn’t find the record,
like official statement for this,
but they do not allow plugins that execute
or pull in remote code.
Like I think this is like a new rule.
Like they’re very sensitive about that
because they knew that this was a possibility.
– Right, but so this plugin was like in there
and abandoned prior to that rule, right?
– So that’s interesting from an abandoned plugin perspective.
– Is that something that could be monitored
to see if like an old plugin that just hasn’t been used
for a long time is now getting like this weird popularity?
This isn’t music.
isn’t like, oh, we, you know, we heard some of the TikTok and now we’re all gonna go listen to it.
Yeah, it was on Better Call Saul, so you should like…
Yeah, yeah. Like, what, how do you, like, like, what’s the, what’s the correct approach for that,
of being able to have some way of looking at, like, really old ass plugins that are being
downloaded? And like, what, why?
Like, did Sikyuri notice that spike? Or did they, like, track it, track down the exploit, like,
and then find that?
I don’t know what the article goes into.
Does the article say–
I suspect that–
I thought you knew everything.
–security traditionally– yeah.
I always don’t.
But I can assume.
I can assume the security is really good at cleanups.
So I think this was identified through a cleanup process.
And they probably found this malware being installed there.
And then they probably identified the–
look at the spike, right?
And then they went straight to whatever news agency
to kind of make a big deal about it.
I mean, it’s been probably six or seven years
since I worked over at WP Engine and worked with Sucuri
on a day-to-day basis.
Because they historically were using Sucuri for site cleanups.
But I do know that Sucuri has both the file scanning
that they do, the database scanning.
And they have historically looked
for obfuscated code, base64 or whatever encoded code.
that’s just hiding out in there. So it wouldn’t surprise me if
something popped up on a scan, and maybe the first or second
time they didn’t notice it. But then once you start and
especially like if you have, you know, the team that they do over
there who’s doing site cleanups, second or third time, they start
seeing that they’re like, Hey, wait a minute. Let’s see what’s
going on here.
I’m just wondering if there’s a way to look at it from the
standpoint of like the store that’s selling, you know, the flu, you know, medicine or something,
and looking at the number of times that those are being purchased, and you’re like, oh, wait,
obviously something’s happening. Because actually, I think I’m pretty sure there’s a federal law case
about that centering around oxytocin. So I’m just curious, like, you know, because we’re pulling
this from one from one directory? You know, like looking at that
directory and just seeing like, is there a spike in this like,
15 year old plugin or something?
That’s the most interesting part. Well, I mean, not that
there’s a lot of interesting parts about this, I think, but
the I think one of the really relevant parts moving forward,
not just this plugin, but I think and what you’re asking
Jason is like, you know, are we monitoring these spikes? Like,
should we as a community as a, you know, the plugin team that
you know, the make teams should WordPress be monitoring the repo for spikes in
plugins or spikes even in themes, right?
That like that should just be checked out.
Because if you went if you if you got a flag that said, hey, a 17 year old.
First of all, we need to talk about a plugin being 17 years old.
Is it really 17 years old?
It’s like 10 years old.
That is however old it is.
12 years old.
So like that’s a different that’s a second conversation.
But like if the plugin team or someone was able to monitor that, there was a report that came
through the meta channel or whatever and said, you know, hey, this plugin is getting a lot of
attention. I mean, there’s really no downside to that because someone could go look and be like,
oh, this is a really old plugin or, oh, this is a brand new plugin. And like, it’s the newest,
best thing in the world. Right. So in one hand, in one case, it would be handed off to security
and like the, you know, the team handling the security issues. And on the other hand,
it could go to like the marketing team. And it could be like, look, this plugin is like super
popular all of a sudden. Anyway, just I’m just saying like, you know, it could be used for
multiple things. So that seems like that’s something that could be beneficial to implement.
You know, just that feedback, right? It seems like that could be automated. That seems like
we could do that. Right? That seems that seems like a use case for and gosh, I am cringing that
that I’m even saying this. It seems like a use case for AI,
where you can say, flag, like basically, if a plugin is older
Jason Tucker: where we do make sure I’m doing this correctly. Is
it every time we drink? Is that what we’re doing?
Yeah, no, every time. There’s AI something positive about AI.
Right. A butterfly gets its wings or something like that.
tequila and put it I hate tequila but like I mean it’s not good for me I don’t hate it but it’s not
okay but I will buy it and put it on my desk if we do that but I will literally like every time you
say something positive oh boy worth it so I I do think that that I mean it doesn’t have to be
uh AI it could really just be a script that checks for right like it doesn’t even have to be that
smart. At what point is AI a script? Like where does it
deviate from you write a script and it does a thing? Isn’t that
AI? It’s the same thing, right? It’s all AI?
Most AIs are still just scripts. Come on.
Right. That’s what I’m saying.
I think it depends on how much data it’s looking at.
We’re gonna ask the computer to look at it. That’s what we’re
Let’s ask chat. Where AI line is.
Right. It’s it’s it’s the difference between a three line
bash script and 17,000 million line bash script.
– Well, what if the three line bash script
just pulls in an API request from the API engine?
Or the AI engine?
– I just want to ask chat GPT.
I would say, “Hey chat GPT,
do you think this is going to be a problem?”
It’ll be like, “I don’t know.
Well, let me tell you, here’s all the possibilities,
but I can’t decide.”
– So to try, in the interest of preventing us
of going into overtime.
shoot. Yeah, I will say, so WordPress and and the plugin
repository, I was gonna I told Tucker and say I was gonna try
to extend an invite to auto and I just fell asleep at the wheel
and never did it. I thought it would be good to get someone
from the it would be good to get someone from the meta team to
to talk about that. Yeah, maybe he is.
– Auto, auto.
Are you in the audio?
– Paging auto.
– You have to say it three times.
Three times and then it happens.
– Auto, auto, auto.
Okay. – Okay.
– Not today, I guess. – Let’s see if he shows up.
No, but, so the plugin directory does a really good job
of hiding kind of the older plugins.
If you go looking for particular plugins,
you don’t really get a lot of results of stuff that is three,
four, 17 years old and hasn’t seen an update.
But they do still list it. So you’re, if you’re clicking through,
you can Google to it. You can,
he would know about it.
Yeah. You can still install it from WPCLI. You can,
you know, there are ways to still get at these plugins.
And in some cases, oh yeah, like, you know,
this is still a good plugin or whatever,
but like, should we be,
should the project maybe think about suppressing
some of these older plugins, like have a cutoff date?
I know that it’s like, hey,
oh, WordPress has got 60,000 plugins.
Like how many of those are like old ass long tail,
like haven’t been updated in like more than three years.
With the current process that’s happening on the plugins team,
I know that this is, they’re really standardizing a lot of the, um,
And so I think this is something that’s going to be part of sort of like the new,
like the new approach.
And so I think that this is a really good time to, um,
bring up those concerns, not to say that they haven’t been happening,
but just to ensure that they are being put
into the documentation and being put into the process
that is now being formed.
So, you know, people like Robert and Prosper,
you should be going to the plugin meetings,
to the meta meetings,
which I happen to be running with Courtney right now,
You should be going to these meetings
and having these conversations
because this is two things I’m gonna say.
One, we have a lot of, especially here in Watercooler,
We have a lot of conversations over here about stuff.
But the truth is, is that this stuff matters, right?
This is like a lot of websites.
This is like bots, you know,
and those all are like the botnets that like become botnets
and like sleeper botnets and whatever else, right?
Like this is a big deal from a security perspective,
from an internet safety perspective,
from a WordPress perspective.
And like, there is not enough,
there’s a lot of conversation
and a lot of knowledge in the greater community.
And for a variety of reasons,
I could go into like 12,
I could write 12 essays about the reason.
But for a variety of reasons,
that knowledge is not being shared
in like the official Make WordPress community.
It is happening in post status, that conversation.
And so I wanted to say, like there is a,
I don’t know, Robert, are you in post status?
So there’s a there’s a there was a conversation a little while
back with Yoast and someone else who’s Yoast of Yoast, who may
not be of Yoast anymore.
Formally of Yoast.
Yoast, formally of Yoast, was talking about security with
someone and they were talking about reporting and how hard it
is to track down the plugin folks, the person whose plugin
it is that may have a compromise, the plugin
developer, because there’s no like clear direct security
contact, there’s no reporting process set up. And so that has
to go through the plugins team. And so the conversation was
really about, should there be materials of it? Like should
that contact security contact be available on the plugin page?
Should there be a if you’re logged in and have certain site rights, should you be able to see
contact information for the plugin developer where you could make a security report?
Should you know, because right now, like I said, it’s going, the people who find the security
issues have to contact the plugin review team, who then contacts the plugin developer. And there is
when you have a plugin review team that is, you know, as you wrote about in your article,
right, Robert? Just literally like a small part of a big funnel.
– Like a little small…
– It’s overburdened, right? Yeah.
– Yeah, it’s definitely overburdened.
– Yeah, there’s too much reliance on it.
– But I disagree with your solution in that article, but the problem we agree on for sure.
And we all know that that’s been a problem. And again, there’s a million political reasons
that that has been a problem. But right now, that is shaping, that is that is being shaped for the
future. And the people who are have this expertise, who care about WordPress should get their butts to
a meeting in Slack, and should raise these concerns and have these conversations because it will
benefit all of us to have these conversations in a place and, you know, maybe make those changes,
maybe implement some good stuff.
Like the people who are there, not just the plug interview team,
but all of the make community are overburdened.
And a majority of them are sponsored by.
Individual companies that you might surmise are the individual companies,
and those companies.
Don’t have all the answers.
That’s all I’m going to say, like they might be great.
I’m not talking about intentions.
I’m just saying inside of one company, you get.
siloed. And there is a lot of knowledge out there, your article,
Robert, like what you bring to the table, Kasper, like that
could really impact this stuff. So I’m gonna get off my
contribution soap box now, but I really feel that there has never
been a more important time for the plugin team than right now,
for the future of WordPress, maybe when it first came around.
But for now, like the future of the plugin team is being
developed right now. And this needs to be part of that conversation because right now,
it’s not becoming easier to report security concerns. Like that’s not becoming a less
obscure process. So how can we, as WordPress, take a more open perspective on this and be,
know, like Robert, like you report bugs, right?
You report problems, you find problems and report them.
Like this is an important part of security, right?
– That’s how it works.
– I mean, Robert, you had a whole project
at your last gig where you were updating some kind of,
were they mainly abandoned?
– Yeah, typically abandoned because,
well, these were plugins that had security issues
publicly reported in them and then no patch available.
Plugins that were used to be available.
– Or just in the WordPress repo specifically
or just all GitHub.
– It could be any WordPress plugin.
But you know, 90% are in the repo.
That’s where the most attraction comes, right?
And some other person found a security bug in them
and I took it upon myself to write the patches for them.
Right, as an educational thing.
Because I felt like a lot of the security
like arena discussion is always like,
hey, here’s how you hack stuff,
here’s how you hack stuff.
And I was like, here’s how you patch stuff.
I’m just trying to make the next logical step
in this process, right?
Like you can find the bugs, but can you patch the bugs?
And what’s neat is some WordPress security researchers
are starting to actually add, here’s how I would patch it.
Right, like here’s the code I use to patch this.
But with WordPress and open source, really,
you can get a variety of responses back.
And unfortunately with a lot of the other patching
that I was doing, either the patch was way too late,
Like some things I patched that had been exposed publicly
over a year prior and the sites that were running
that plugin that was vulnerable,
yeah, they’ve already basically been taken offline
by hacks or something or other,
like far too late to win that game
against the botnets and such.
In other cases though, I mean, I’ve offered it,
I think within a week or two,
and it’s like you mentioned, there’s no process for this.
There’s no literal process of let me accept third party code
into this plugin.
– I mean, unless they’re GitHub, right?
And you could do it–
– GitHub has one.
GitHub has a great one, yes.
GitHub has phenomenal resources for this.
In fact, I’m starting to think
we should kind of move things towards GitHub
and then just have GitHub publish the SVN.
– I mean, the WordPress community,
the WordPress teams are moving a lot of the stuff over,
obviously not MetaTrack or CoreTrack.
That’s not going anywhere for a while.
But the marketing teams operate there.
everyone’s moving to there.
And I think that makes so much sense.
But not, but, but-
– And it’s free.
– It makes a lot of sense, it’s free,
but it also has,
it’s really the most beautiful thing I think
about pull requests and doing it this way.
It’s all documented.
Like it’s not like a security person
is freaking emailing somebody else.
Like, but this is, who’s email?
Like we’re like emailing people and like,
where does that go?
It goes- – Here’s an attachment.
Yeah, here’s an attachment with a bunch of code.
please upload it to this plugin that I don’t have.
– What are we doing?
Like this is.
– I actually just, I want to say like,
I actually did just get a pull request accepted
for a plugin that was part of the core WordPress team.
Like they had a very minor vulnerability.
It’s almost trivial.
I know it is trivial,
but I won’t say what it is just for.
– It’s only trivial until it’s five years later
and someone’s building out like a whole like.
– This is the sort of thing.
Well, this is the sort of thing that would show up
in some security report because it got a CVE assigned to it.
And then like some vendor who’s using WordPress,
we’re like, “Why, we have to fix the CVE.”
And then they look back at the developer and then ask them.
And like the developer would get these requests constantly.
– What’s a CVE?
– CVE is Common Vulnerability Enumeration.
It’s just a number that associates a vulnerability
to like this unique identifying number.
But yeah, it shows up.
Yeah, there’s government organizations.
– Wait, wait, wait, the CVE is like a world number
or is it like a like per company number?
– There are governing agencies
that manage their individual numbers.
Japan has their own, US has their own.
Probably China has their own,
but they don’t share that information publicly.
– Like ICANN for bugs?
For like vulnerabilities?
– Yes, and you have a certified numbering authorities
that like it, like it goes to validate things.
– So mostly the barcode type thing
with like the numbers at the bottom,
it’s like that type of, you know.
– Okay, wait, this is why I,
this is me in content with websites.
I’m like, so wait, so can you,
as a someone who’s discovered or patches vulnerabilities,
like list here all the numbers I’ve fixed,
like it’s their webpage?
– There is?
– Developers can do it and security researchers
typically do it to make a resume.
– Right, I’m like, here’s a list of all of my patches,
like go find them on, they’re on the official register.
– It’s like Dribbble, but for like, yeah.
– That’s awesome, I did not know that.
– I’ve recommended to security researchers
I really want to get into it,
basically find one of each type of vulnerability,
because there’s also like vulnerability categories
and then that’s how you can prove you’re familiar
with a security as a whole.
– That’s amazing.
I, you know, I think that’s interesting in terms of, um, kind of the DIY approach to
security, which I, so, uh, this is my secret thing I was gonna tell you.
I, so I did re I started reading your website last night.
Um, I know, I know.
I was like, there’s a lot going on here.
I was just trying to remember, like, cause they were like, who’s this?
I was like, who’s our guest tomorrow?
And I’m terrible with names.
So I was like, I’m just going to go figure out what this is.
Oh, look, Otto’s here.
But you had some really interesting posts on your website,
but my favorite one, well, other than learning,
you’re basically a secret hacker, which I also learned.
But the, what’s it called?
Oh, I don’t wanna call it,
I was like an Oompa Loompa, a Palo Looza, a Palo Palooza.
You’re an open source Palo.
– Oh, oh, oh, oh, yeah.
– What is the word? – Papadour, no, not Papadour.
– A poppadour. – Psychopomp.
Psychopomp. – Psychopomp.
The terminology psychopomp,
which is historically connected to the character
or the embodiment of the concern of like death, right?
Or like the grim reaper is a psychopomp.
– The River Styx guy, right?
– Yeah, the Sheryl and I think.
– Bringing you over into the afterlife.
– The shepherd. – The shepherd of death.
– Yes, the shepherd who brings you past,
not heavens, there is no judgment here.
It is the one that brings you to the gates, right?
From the living world to the dead world.
There’s some really crazy, yeah,
I was playing with a talk idea for that,
but there’s really crazy connections as to how–
– It’s a great talk idea, I love it.
I think that is the most interesting.
Is that like a common security term,
or did you bring those together?
– I brought it together,
and I may have picked it up from somewhere else,
’cause this has totally happened to me before.
Like I came up with something,
I find out like Schneier talked about it,
I’m like, “Darn it.”
So I have this open source–
– There are no original ideas, ugh!
– Open source cyberpsychopomps
could maybe become my trademarked term,
if anybody can ever remember it.
– I think it’s got amazing, I love the imagery of it
because this is like, the definition of abandonware
is that it was abandoned, not sunsetted, right?
Like that’s literally the thing.
It’s not like someone was like conscientiously being like,
“Oh, well, I’m gonna end this now,” right?
They’re literally just like, “I forgot about that.
“That’s in some reason, I don’t know.
“I don’t have that GitHub email anymore
“and I don’t even know,” right?
– And that leaves the abandonware
In the area of the living, you could say, right?
They’re so active in the repository.
Right, in the purgatory.
They’re in purgatory because they’re not alive, but they’re not dead.
And every year they become deader because they’re not tested with your WordPress and
all of that stuff starts getting added to it.
But that’s also a problem on the plugin team because talking to Mika, who is like the main
plugins person forever, was, is a constant thing that most of the emails that they send
to plugin developers bounce. So, you know, we were talking about how to contact these
plugin developers. The, the, the plugin team, not only can the security people not reach
them, but the plugin team can’t even reach them a lot of the time. And it’s not even
for abandoned ware, like that, like, so obviously, abandoned ware is really abandoned, super
abandoned where but is even if something’s kind of updated, you
know, it’s three years old or something and it’s not terrible.
But if you’re not monitoring that email, if someone signed up
with, you know,
if you’re working at another place, like there’s a there’s a
lot of reasons why you don’t have access to that email
anymore. And you know, people are in 14 emails from one
business to the next like that. You’re gone at that point, you
know, right. So yeah, there’s, there’s plenty of like really
odd issues that could come up with that night. There is no
like, essentially source of truth for that communication,
like that way of being able to communicate with that person.
Even if you put somebody like on a Twitter handle, and then we
all ditch Twitter, who would have thought you know, like,
exactly right? Like, that’s been everyone’s mate. Oh, you can
connect, you know, put everyone’s got that even on the
WordCamp us sign up. It’s like, what’s your Twitter handle? And
I was like,
I can’t put two hats.
What’s going on here?
But so I think this is, again, I just want to make I know we’re in overtime.
And I know I’ve already made this pitch. And this wasn’t the point of the show.
But anyone who cares about this stuff, come care about it. actively is what I’m
saying, like, come care about it and make it better. Because it does get annoying to
hear the same problems over and over and over. When we could change things, because
that is the whole freaking point of open source.
So like, if we all care and we all see the problems
with security or whatever, let’s go in and make it better.
Right? Like let’s apply those processes.
Let’s bring in the other industries, best practices.
Let’s talk about how can we, you know,
like the conversation happening in post status is not useful.
Like it’s useful to me, but it’s not useful to the project.
And everyone feels then that they’ve,
they’ve had the conversation, well, good for you,
but it didn’t do anything.
Like, unless someone is listening
and then happens to be there and then goes and contributes.
– Yeah, somebody else would do the thing, yeah.
– Yeah, so like, I’m really, you know,
security is one of the biggest deals
because it, you know, it could have a real problem,
but also it undermines the lack of security
or security problems getting out there,
undermines WordPress’s reputation and makes WordPress,
weakens it’s standing.
And it doesn’t have to, because it doesn’t,
you know, it doesn’t have to be this way.
And again, there’s a lot I could say
that doesn’t have to be this way,
but security should be something that is objective.
This should not be like a political conversation.
This should be, you know, how can we lead the way
as an open source project that is still extremely concerned
about security, but is able to, you know,
do that in a way that is documented and clear and follows best practices.
Like it’s possible.
I’d also say build,
build tools that are going to help folks with being able to surface this stuff.
Cosper Cosper recently did a tool that I think is pretty awesome and being able
to look at and see like what’s what, but being able to you know,
to look and see what was recently updated
and what date in which they were recently updated.
And he even wrote a WPCLI command
to be able to actually output this as well.
So I don’t know, you should spend some time
like writing some code on how to support
these types of initiatives of being able to see
like what the heck is wrong with these plugins?
Why is this plugin so old?
How do I get rid of the old plugins?
Even helping people try to find like alternatives
to plugins as well.
– There’s right now, I’m sorry, right now there’s,
so this stuff, that code, that can become part of,
that could become part of core.
I know there is a plugin that Andy Fragen,
a friend of the show and trauma surgeon is working on
that is currently a plugin that’s being tested
to test plugin dependencies.
So that basically it would say, oh, you have this plugin,
we have to have the other plugin and yes,
you can install it or you can’t,
like it won’t allow you to install it
if you don’t have the other plugin
and it gives a little notification.
It’s a tiny little tool, tiny little plugin,
but that can be incorporated into the core
because that’s something that is just making the system
better and function better.
And so things, oh, you found it.
Yeah, things like this,
I think this is actually going to get smooshed into core
also, that’s what it’s being tested for currently.
– Yeah, we’re in OT,
wanna be mindful of everybody’s time here,
but with the funny little story about this plugin
that I made, plugin less updated Redux.
It’s not in the plugin directory yet.
It’s just up on GitHub.
Still making sure to like iron out some bugs.
If you want to test it, I encourage it.
– Make a full request.
– This is a plugin that was in the repository,
still is that Pete Mall from Range made–
– Pete Mall?
I haven’t heard his name in so long.
– Right, I think he plays poker now.
Like I think that’s what he does for–
– He played poker then, but now he doesn’t even have
to probably play poker anymore.
– Right, so he–
– He played it well is the point.
– Yes, he has not updated this plugin in,
or the the plugin last updated plugin in 11 years, 13 years, I
can’t remember. But effectively, it was
Sé Reed: can’t remember when the plugin last the update last
wait, when you can’t remember when the plugin that is to tell
you when your plugin was last updated, didn’t write it yet.
And you don’t know when it was last updated.
Jason Tucker: You didn’t write it yet. I can’t even situation.
Jason Cosper: You got there, you got there eventually.
There were some words. They might have made sense.
So yeah, I basically took this abandoned plugin, I attempted to
reach out and was like, Hey, can I take this only got like his
his plugin has only got like 70 ish installs, like apparently
because it’s out of date. And, you know, people aren’t using
it. So I was like, Hey, can I take this over? I didn’t get any
answers from him. So I’m like, all right. And then I just fork
the plugin added, well, went ahead, went ahead, brought it up
to date. And then once I had it up to date, I started adding
some additional functionality. So now like, you get a little
warning emoji, like next to plugins that are older than two
years, or the WPCLI command. See, I did it on the first take
there, Tucker. The WP CLI command, you run it, and it just
lists off your repo installed or repo installable plugins, and
the date that they were last updated. And then off to the
side, there is not an emoji, but just a little arrow that points
at all of the plugins out of date. So you can go back
through and yeah, I would maybe like to, you know, set up the
output. So it only shows out of date plugins. I you know, I’m
still ideating and everything else there. But I do plan on
putting this up on the repo, I would love to be able to get the
chance to like, just take over the plugin last updated spot on
But again, how do you get ahold of those people? And how do you
do that? You know, there was a few years ago, pre pandemic,
there was a conversation about having an adoption program for plugins.
That hasn’t been on the radar, at least my radar for a long time, but
that’s the type of thing that like, why not?
If someone’s like done, like, it’s kind of, okay, this is a little morbid, but it’s like,
you know how you can like, you have the leave a baby campaign that you can leave a baby at the
fire station, right?
Like, you can literally like abandon your child at a fire station and not be held liable for
for like, you know, child neglect or whatever.
And that saves lives of children
who would otherwise be hidden or what is,
I told you this was morose,
but like, this is the same kind of thing.
If there was a process in place where someone would be like,
hey, I’m not doing this anymore.
Someone can take it over or take it offline.
I mean, maybe people wouldn’t do that
because obviously people are abandoning things,
but some would, and there would be a process.
At least if there’s a process,
we could even, you know, implement something that says,
after 10 years, if you haven’t replied, we will put your plugin
up for adoption, we’ll pull it from the repo and put it in the
adoption repo or whatever it is. And then it was just
seven years ago, by the way, that we we’ve mentioned that
Which one? Oh, the Wow.
Seven years ago,
that was like, yeah. So seven years ago, we were talking about
plugin adoption and fucking that has not happened. No, I don’t
know. I don’t know what auto was talking about with which
process. There’s a process.
There is there is you can tag your plugin if you want to
basically give it up.
Yeah, I’ve seen right but it’s it’s kind of very
you would have to care.
Lowly in order. It’s a process that’s not been adopted by the
Yeah, and care though. That’s the thing. And if you don’t care
anymore, you don’t work there anymore.
Maybe we’ll do a marketing campaign for it. Maybe that
would be a thing to do like
the abandonment. You need to acknowledge the abandonment I
I think is a good thing.
– Oh yeah, they need to be acknowledged.
This has been abandoned.
I just, I really mean like,
it could be a bigger part of,
it could be a bigger thing, right?
‘Cause it’s like, hey, here’s a bunch of free plugins
that you can take and reuse or recycle.
Like that’s kind of an eat your board one day.
You’re like, let me go paw through there
and see if there’s anything fun.
Like, it’s like a rummage sale almost.
– There are security implications there,
but I like the idea.
– There’s old code everywhere.
But I also wanted to just say, Otto had also said that you can add security contact
information now to a plugin.
You can, and they can add whatever they want, really, in the text.
They can add links to their site.
But the conversation that was being held in post status with Yoast, whatever,
was that, should it be required?
That’s really the question.
Should we require there to be a security contact that is maybe an updated email
that is kept up to date?
you know, is there something that could be more like you put in your security
information and then certain people can access it.
And that is a monitor, you know, monitored account.
That would be part of more of like a,
like this is why I don’t disagree with your conclusion about the plugins review
team. And we should take our plugins elsewhere.
I don’t think that we should just make our plugins. Yes. Yes.
But I email again,
– Otto just came on here and said,
we should help.
– I put my ICQ number on there,
but no one ever contacted me.
– I’m like, can we get out of the email thing, people?
Like, we’re crying out loud.
– I should add, there were two recommendations
I had with that article.
One was going elsewhere to just reduce the burden.
The other one was specifically
listing a security point of contact.
And you can do it free form in your description.
I’ve been recommending it to people for the last few months.
– That’s a pretty low lift to help people out.
– Yeah, it’s huge help.
– And yeah, so maybe, but even if that was a field
in the plugin stuff that was like optional,
but it’s recommended and there’s a field there.
So it’s like people who put it,
this is a type of stuff that can be implemented
with pretty low lift on the code end,
on the required, it doesn’t have to be required,
it could be optional,
but these things can incrementally really improve
the system for everybody.
– Do you think this is why–
– Otto says that email works and nothing,
everything else doesn’t.
And I’m just gonna make a comment about Gen X
And then I’m just going to leave it there.
Do you think there’s a reason why a lot of these like, uh,
development houses and agencies and stuff typically will have like the,
like that company’s account listed as the plugin owner as well as a way of being
able to allow for, um,
essentially like a service account type thing that someone who no matter what
will always be able to monitor it. Do you, do you feel like
info@emails, totally paying attention to those.
But I mean, I’m just saying, do you think that that’s the reason why those
people list those, um, those types of accounts in there?
Or do you think this is something that people should do more of?
Yeah, it’s, I, I will actually, uh, say it from, uh, the perspective of somebody
who, uh, I, I work at dream host.
It’s not a thing that I talk about very often, but I am very proud to work there.
And so I work at DreamHost and we had one of our plugins pulled from the repository,
not because there was a security exploit or anything else.
It was because the email that was attached to the DreamHost account was attached to or
forwarding to someone’s inbox who no longer worked for the company.
And those emails started bouncing.
And I basically had to like go in and clean that up and and sort that out.
And so like they they do if an email bounces, like they will close and and
pull down plugins from the repository.
My concern is just the the emails that don’t bounce, but people are just
filtering them at this point, right?
or whatever. It’s like, Oh, yeah, this Gmail account from 15
years ago still works. But like, I never checked it.
Just collecting those emails. Just like, you know, talk about
abandonware. Think about all the old email addresses that are
just collecting all over the internet is collecting spam.
Just like, all the Bed Bath and Beyond. That’s not even a
company anymore. It’s like, here’s all your coupons for all
these companies that don’t even exist.
And Google’s using it to train an AI model.
So we’re basically that just makes it clear that the future
is idiocracy because I didn’t realize that AI was going to be
trained on spam. So I see I see I see you.
With that, we’re gonna end the show.
We’re gonna have to talk to auto we’re gonna have to have auto
on the show to officially discuss some of the stuff that’s
plugins team. So yeah, you’re you’re coming on soon.
an extra overtime day. Ready? All right, well, we’re gonna hit
our outro button and someone is going to say the words because
for whatever reason never works for me. So here’s our outro.
watercooler.com slash subscribe. Apple podcasts were on Google
podcast stitcher Spotify, YouTube. Did my mic not work
this time. What the hell is going on? That’s so weird.
We should not rely on my microphone though. No. No. No.
All right, well, we’re out.