How can plugin and theme developers keep up with security recommendations?

How can plugin and theme developers keep up with security recommendations? I only stumbled upon this by accident… screen-capture from Slack.

When new security recommendations are made, the stakeholders need to know about it. If we don’t know about new recommendations, we won’t update what we’re doing. In that case, we’ll only ever be chasing security instead of getting in front of it. Is there any plan to create a blog for security related items, or to notify stakeholders when fundamentals change? I don’t have time to keep up with WP (or even Git discussions) for the most part.

6 Likes

I’d like to clarify that I’m referring to core security changes/recommendations… not general security recommendations. Like, when a function or methodology (or expectation) is changed in core, those are the changes we need to know about.

1 Like

I have laid out the foundation to use a new template when releasing new versions of CP (similar to Discourse) so ideally it would be included in there by the security team (maybe with a more detailed blog post?).

But for specifics @Security will be the people to get input from 🙂

2 Likes

This is a good point. I’ve seen a lot of unescaped translations in plugin and theme code. Sometimes it’s not clear where it gets escaped. I’ve seen cases of text being escaped twice in some plugins.

I think the codex code examples should follow best security practices too. That would save developers a great deal of time. A stripped down example is fine for illustrative purposes, but include a complete one so we don’t have to hunt down and interpret something like this. Security is too important not to document thoroughly. Maybe this is something that could be implemented in the CP2 documentation.

3 Likes
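The three patterns the post above describes (an unescaped translation, one escaped once at output, one escaped twice), as an added plain-PHP illustration that is not code from this thread or from ClassicPress; the catalogue and the hostile entry are constructed, and in a real CP plugin the output step would use the esc_html__() / esc_attr__() helpers inherited from WordPress rather than the local escape_* functions here.

```php
<?php
// Added example, not from the thread or from ClassicPress. A translated string is
// untrusted input (it may come from a translation platform such as GlotPress or a
// tampered .mo file), so it is escaped exactly once, at output, with an escaper
// that matches the context it lands in (HTML text vs. HTML attribute).

// Constructed translation catalogue standing in for a .mo file; the second entry
// is a hostile translation, the way an unreviewed or tampered one could look.
$catalogue = array(
    'Save changes' => 'Änderungen speichern',
    'Delete'       => 'Löschen <script>/* injected */</script>',
);

// Translation lookup returns raw text; it is not the place where escaping happens.
function translate( array $catalogue, string $text ): string {
    return $catalogue[ $text ] ?? $text;
}

// Escape for an HTML text node. htmlspecialchars() double-encodes by default, so
// calling this on already-escaped text turns "&lt;" into "&amp;lt;".
function escape_html( string $text ): string {
    return htmlspecialchars( $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
}

// Escape for a double-quoted HTML attribute value.
function escape_attr( string $text ): string {
    return htmlspecialchars( $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
}

// The one place escaping happens: at output, per context.
function render_button( array $catalogue, string $label ): string {
    $t = translate( $catalogue, $label );
    return '<button title="' . escape_attr( $t ) . '">' . escape_html( $t ) . '</button>';
}

// 1. Unescaped: the injected markup reaches the browser as markup.
echo '<button>' . translate( $catalogue, 'Delete' ) . "</button>\n";

// 2. Escaped once, at output: the markup is rendered as visible text.
echo render_button( $catalogue, 'Delete' ) . "\n";

// 3. Escaped twice: a translation escaped "for safety" on the way in, then
//    escaped again at output. The user now sees a literal "&lt;script&gt;".
$pre_escaped = array( 'Delete' => escape_html( $catalogue['Delete'] ) );
echo render_button( $pre_escaped, 'Delete' ) . "\n";
```

Run it with `php example.php` and compare the three lines of output: only the second is both safe and readable.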

In this case it’s a change we made to our instance of GlotPress, not a general security issue or recommendation. Really, it’s just implementing something that should have been there already - sanitising inputs.

3 Likes

Yes, there will be posts about all security fixes - how we collate them into something useful for future reference is another question.

3 Likes