Dev Branch

EP27 – WordPressing with Abandon(ware)

May 5, 2023

In this episode of WPwatercooler’s Dev Branch, we’ll be joined by Robert Rowley, a Security Expert, to discuss a critical aspect of building sites with WordPress — plugins. Specifically, we’ll delve into the topic of abandoned plugins and the risks that they can pose to website security.

We discuss the issue of abandoned WordPress plugins being used by hackers to exploit sites. We talk about a recent story where hackers were using an abandoned plugin to insert PHP into sites, and how difficult that code was to find and remove. We also discuss the problem of old plugins still being listed in the WordPress repository and how hard it is to contact the developers of these plugins. We suggest solutions like monitoring spikes in downloads and making it easier for someone to take over an abandoned plugin. We also mention a plugin being tested that checks plugin dependencies, and adding security contact information to a plugin.

Join us for this important conversation about orphaned WordPress plugins and learn how to keep your website safe from potential security threats.

Episode Transcription

[MUSIC]

Jason Tucker
This is episode number 27 of Dev Branch: WordPressing with Abandonware.

Jason Tucker
[MUSIC] I’m Jason Tucker. You find me over at jasontucker.blog.

Sé Reed
[MUSIC] I’m Sé Reed. I wasn’t looking at the screen. I do stuff at places. Sé Reed Media, I’m all the fame.

Jason Cosper
And y’all know who it is. It’s your boy, Jason Cosper, aka Fat Mullenweg, back at it again on the world’s most influential WordPress podcast.

Jason Tucker
Speaking of that podcast, go in, subscribe to us wherever it is that you want to subscribe to us and come hang out with us in our Discord.

Jason Cosper
Our Discord that is surprisingly more active every time I check, I’m just like, oh shit, people are actually talking in the Discord.

Jason Tucker
Right?

Sé Reed
Here’s something I learned about Discord yesterday, okay? Because I’ve been more discordant. All of Midjourney is generated through a Discord bot. Yep. Did I know that? No. And literally last night I was like, “You know what? I’m procrastinating and I should go to bed, but instead I’m going to finally look up Midjourney.” And then I was like, “Wait, what?” I didn’t start doing it because I was just so flabbergasted by the fact that I was in, just like, I thought they were just gonna verify me in, and then I was like, oh, no, this is, I think, a thing, a bot. I, like, lost my mind. Anyway. I didn’t know that you could get

Jason Cosper
more discordant, Sé, but

Sé Reed
I’m getting down with the discords.

Jason Cosper
Hey, look, we’ve got a pal. Hello. Hey, Robert, how you

Jason Tucker
doing today?

Sé Reed
– I have to find a new song for you.

Robert Rowley
– Yes.

Sé Reed
– You gotta find a new one. – I’m doing good.

Robert Rowley
Doing good, a lot of free time, enjoying my time.

Jason Tucker
– Good, glad to hear it. So what are we talking about today, Cosper? What do we got going on here?

Sé Reed
– Ask us, Cosper.

Jason Tucker
– We got Robert here. We’re probably gonna be talking about some like security type thing or something.

Sé Reed
– I have questions actually, so. – Yeah. – I actually did a little bit of research for this topic.

Jason Cosper
– What? Oh. Sé, a little research is a dangerous thing.

Sé Reed
I know, but I’m not going to introduce it ’cause it’s definitely not my bailiwick, but yeah.

Jason Cosper
Oh, bailiwick. This is what’s going to be showing up today, I think, right?

Jason Tucker
Right. Right. We’re going to get the little overtime banner going possibly.

Yeah, I know. So, so this week we are kind of talking about abandoned WordPress plugins. And there was a story. I don’t know if you’ve got it locked and loaded, Tucker. There was a story last week about, effectively, Sucuri found that there were hacked sites that were pulling in a plugin from the WordPress repository, installing it, a long-abandoned plugin that effectively would insert PHP as part of its functionality, insert PHP into your site as part of shortcodes. And because the PHP that was being inserted was stored in the post table, and stored in places where you wouldn’t expect inline PHP and hack backdoors and everything like that, it was a whole lot harder to kind of find it and suss it out, but–

– I have a question.

– Yes.

– So this plugin, just ’cause I’m, this is just such a really important and interesting and also like always-on-the-margins topic, because no one really, like, there’s so few people that like really understand what they’re talking about with this stuff, right? Even though we all kind of know it’s important. So the plugin in the repo had been abandoned, right? So it was like super old, super old plugin, right? So that code hadn’t been updated. So what they were doing, just to clarify for me, is taking that, ’cause obviously you can get the code of that plugin anyway, right? So whatever they did with that code, figuring out what it did on the websites that they had hacked, and then figuring out what it did, then putting it on the websites they had hacked, and then using its functionality, which was to insert PHP shortcode, to insert malware, malcode, or whatever you want to call it, right? Is that essentially what was happening? So they were not putting the malware, essentially, in the plugin, but they were using the plugin’s functionality in order to exploit a site. Is that correct?

– I would change one word. The exploit was probably originally another compromise, right? It was another vulnerability. But they were using this plugin, whose purpose is to allow arbitrary PHP code execution, as a convenient kind of backdoor, right? Now, it’s not the plugin’s fault. The plugin had no malicious code. Its purpose was just to put PHP and store it in the database.

– I literally think, once upon a time, I saw that plugin. I don’t know if it was the same plugin, but there was a plugin on a client site, one of those I-inherited-type sites, that had a plugin in a post, or a PHP in post, and literally I went into this post, and it was like a code editor. It was just the full, what you would see in your IDE or whatever, for real. Obviously I got rid of it right away, but that’s not obviously a way to do it. But that was the intention of the plugin. So the plugin, the plugin was not compromised, right?

– Yeah, correct.

– I just think that’s really fascinating, because you think about it being, the plugin being compromised and maybe someone like taking over an abandoned plugin and then like putting malware into it that’s on the repo, but that’s not the case here. This is just some like clever usage of old plugins, like exploiting it as literally like a tunnel.

– Yeah, you need to upgrade it to blocks is what they need to do. So that way we can use blocks.

– I mean PHP and blocks plugins, right?

– Yeah, exactly.

– How did you figure this out, you guys? Like how did someone, like, are they trolling the plugin repo for like plugins that do this or what? Like how did you know?

– There’s a graph. There’s a graph in there that is really cool in that article that shows the spike of installations. So we can really pinpoint–

– On this abandoned plugin.

– We can pinpoint when basically there was an attack, like a botnet or some attacker profile.

– Yeah, look at that.

– There it is. – Right around, yeah. March 2023, they decided to integrate this into their automated attack structures, which spiked the installs. And what’s really sad about this graph is that’s installs per day, also that’s compromised sites per day. So that’s just how many sites were getting compromised by the specific botnet that was utilizing this plugin, legitimate plugin, but abandoned, but has backdoor, like, capability.

– But that’s not how they were getting into the sites.

– Correct. – The sites, they were getting in some other way. Then they were using their takeover of the site to install the plugin directly from the repo. So there’s so many points, I don’t want to say a failure, but kind of a failure here, right? Like this is not just a one-point-of-failure situation. This is like a little stack of failures.

– Yeah, I’m going to defend the plugin team. I believe, I’m not certain, ’cause I couldn’t find the record, like official statement for this, but they do not allow plugins that execute or pull in remote code. Like I think this is like a new rule. Like they’re very sensitive about that because they knew that this was a possibility.

– Right, but so this plugin was like in there and abandoned prior to that rule, right?

– Yeah.

– So that’s interesting from an abandoned plugin perspective.

– Is that something that could be monitored, to see if like an old plugin that just hasn’t been used for a long time is now getting like this weird popularity? This isn’t music. It isn’t like, oh, we, you know, we heard some of the TikTok and now we’re all gonna go listen to it. Like, what’s…

Yeah, it was on Better Call Saul, so you should like…

Yeah, yeah. Like, what, how do you, like, like, what’s the, what’s the correct approach for that, of being able to have some way of looking at, like, really old-ass plugins that are being downloaded? And like, what, why? Like, did Sucuri notice that spike? Or did they, like, track it, track down the exploit, like, and then find that?

I don’t know what the article goes into.

Does the article say–

I suspect that–

I thought you knew everything.

–security traditionally– yeah.

I always don’t.

But I can assume. I can assume Sucuri is really good at cleanups. So I think this was identified through a cleanup process. And they probably found this malware being installed there. And then they probably identified the– look at the spike, right? And then they went straight to whatever news agency to kind of make a big deal about it.

I mean, it’s been probably six or seven years since I worked over at WP Engine and worked with Sucuri on a day-to-day basis. Because they historically were using Sucuri for site cleanups. But I do know that Sucuri has both the file scanning that they do, the database scanning. And they have historically looked for obfuscated code, base64 or whatever encoded code that’s just hiding out in there. So it wouldn’t surprise me if something popped up on a scan, and maybe the first or second time they didn’t notice it. But then once you start, and especially like if you have, you know, the team that they do over there who’s doing site cleanups, second or third time, they start seeing that, they’re like, hey, wait a minute. Let’s see what’s going on here.

I’m just wondering if there’s a way to look at it from the standpoint of like the store that’s selling, you know, the flu, you know, medicine or something, and looking at the number of times that those are being purchased, and you’re like, oh, wait, obviously something’s happening. Because actually, I think I’m pretty sure there’s a federal law case about that centering around oxytocin. So I’m just curious, like, you know, because we’re pulling this from one, from one directory? You know, like looking at that directory and just seeing like, is there a spike in this like 15-year-old plugin or something?

That’s the most interesting part. Well, I mean, not that there’s a lot of interesting parts about this, I think, but the, I think one of the really relevant parts moving forward, not just this plugin, but I think, and what you’re asking, Jason, is like, you know, are we monitoring these spikes? Like, should we as a community, as a, you know, the plugin team, that, you know, the Make teams, should WordPress be monitoring the repo for spikes in plugins or spikes even in themes, right? That, like, that should just be checked out. Because if you went, if you, if you got a flag that said, hey, a 17-year-old. First of all, we need to talk about a plugin being 17 years old.

Is it really 17 years old?

It’s like 10 years old.

That is however old it is.

12 years old.

So like that’s a different, that’s a second conversation. But like if the plugin team or someone was able to monitor that, there was a report that came through the meta channel or whatever and said, you know, hey, this plugin is getting a lot of attention. I mean, there’s really no downside to that, because someone could go look and be like, oh, this is a really old plugin, or, oh, this is a brand new plugin. And like, it’s the newest, best thing in the world. Right. So in one hand, in one case, it would be handed off to security and like the, you know, the team handling the security issues. And on the other hand, it could go to like the marketing team. And it could be like, look, this plugin is like super popular all of a sudden. Anyway, just, I’m just saying like, you know, it could be used for multiple things. So that seems like that’s something that could be beneficial to implement. You know, just that feedback, right? It seems like that could be automated. That seems like we could do that. Right? That seems, that seems like a use case for, and gosh, I am cringing that I’m even saying this. It seems like a use case for AI, where you can say, flag, like basically, if a plugin is older than n,

Jason Tucker: Where we do, make sure I’m doing this correctly. Is it every time we drink? Is that what we’re doing?

Yeah, no, every time there’s AI, something positive about AI.

Right. A butterfly gets its wings or something like that.

Tequila, and put it, I hate tequila, but like, I mean, it’s not good for me. I don’t hate it, but it’s not okay. But I will buy it and put it on my desk if we do that. But I will literally, like, every time you say something positive, oh boy, worth it. So I, I do think that, that, I mean, it doesn’t have to be, uh, AI. It could really just be a script that checks for, right, like it doesn’t even have to be that smart.

At what point is AI a script? Like where does it deviate from you write a script and it does a thing? Isn’t that AI? It’s the same thing, right? It’s all AI?

Most AIs are still just scripts. Come on.

Right. That’s what I’m saying.

I think it depends on how much data it’s looking at.

We’re gonna ask the computer to look at it. That’s what we’re saying.

Let’s ask ChatGPT where the AI line is.

Right. It’s, it’s, it’s the difference between a three-line bash script and a 17,000 million line bash script.

– Well, what if the three-line bash script just pulls in an API request from the API engine? Or the AI engine?

– I just want to ask ChatGPT. I would say, “Hey ChatGPT, do you think this is going to be a problem?” It’ll be like, “I don’t know. Well, let me tell you, here’s all the possibilities, but I can’t decide.”

– So to try, in the interest of preventing us from going into overtime.

Shoot. Yeah, I will say, so WordPress and, and the plugin repository, I was gonna, I told Tucker and Sé I was gonna try to extend an invite to Otto and I just fell asleep at the wheel and never did it. I thought it would be good to get someone from the, it would be good to get someone from the meta team to, to talk about that. Yeah, maybe he is.

– Otto, Otto. Are you in the audio?

– Paging Otto.

– You have to say it three times. Three times and then it happens.

– Otto, Otto, Otto. Okay. – Okay.

– Not today, I guess. – Let’s see if he shows up.

No, but, so the plugin directory does a really good job of hiding kind of the older plugins. If you go looking for particular plugins, you don’t really get a lot of results of stuff that is three, four, 17 years old and hasn’t seen an update. But they do still list it. So you’re, if you’re clicking through, you can Google to it. You can, he would know about it. Yeah. You can still install it from WP-CLI. You can, you know, there are ways to still get at these plugins. And in some cases, oh yeah, like, you know, this is still a good plugin or whatever, but like, should we be, should the project maybe think about suppressing some of these older plugins, like have a cutoff date? I know that it’s like, hey, oh, WordPress has got 60,000 plugins. Like how many of those are like old-ass long tail, like haven’t been updated in like more than three years.

With the current process that’s happening on the plugins team, I know that this is, they’re really standardizing a lot of the, um, the operations. And so I think this is something that’s going to be part of sort of like the new, like the new approach. And so I think that this is a really good time to, um, bring up those concerns, not to say that they haven’t been happening, but just to ensure that they are being put into the documentation and being put into the process that is now being formed. So, you know, people like Robert and Cosper, you should be going to the plugin meetings, to the meta meetings, which I happen to be running with Courtney right now, interim. You should be going to these meetings and having these conversations because this is two things I’m gonna say. One, we have a lot of, especially here in Watercooler, we have a lot of conversations over here about stuff. But the truth is, is that this stuff matters, right? This is like a lot of websites. This is like bots, you know, and those all are like the botnets that like become botnets and like sleeper botnets and whatever else, right? Like this is a big deal from a security perspective, from an internet safety perspective, from a WordPress perspective. And like, there is not enough, there’s a lot of conversation and a lot of knowledge in the greater community. And for a variety of reasons, I could go into like 12, I could write 12 essays about the reason. But for a variety of reasons, that knowledge is not being shared in like the official Make WordPress community. It is happening in Post Status, that conversation. And so I wanted to say, like there is a, I don’t know, Robert, are you in Post Status?

Not recently.

So there’s a, there’s a, there was a conversation a little while back with Yoast and someone else, who’s Yoast of Yoast, who may not be of Yoast anymore.

Formerly of Yoast.

Yoast, formerly of Yoast, was talking about security with someone and they were talking about reporting and how hard it is to track down the plugin folks, the person whose plugin it is that may have a compromise, the plugin developer, because there’s no like clear direct security contact, there’s no reporting process set up. And so that has to go through the plugins team. And so the conversation was really about, should there be materials of it? Like should that contact, security contact, be available on the plugin page? Should there be a, if you’re logged in and have certain site rights, should you be able to see contact information for the plugin developer where you could make a security report? Should, you know, because right now, like I said, it’s going, the people who find the security issues have to contact the plugin review team, who then contacts the plugin developer. And there is, when you have a plugin review team that is, you know, as you wrote about in your article, right, Robert? Just literally like a small part of a big funnel.

– Yeah.

– Like a little small…

– It’s overburdened, right? Yeah.

– Yeah, it’s definitely overburdened.

– Yeah, there’s too much reliance on it.

– But I disagree with your solution in that article, but the problem we agree on for sure. And we all know that that’s been a problem. And again, there’s a million political reasons that that has been a problem. But right now, that is shaping, that is, that is being shaped for the future. And the people who are, have this expertise, who care about WordPress, should get their butts to a meeting in Slack, and should raise these concerns and have these conversations, because it will benefit all of us to have these conversations in a place and, you know, maybe make those changes, maybe implement some good stuff. Like the people who are there, not just the plugin review team, but all of the Make community, are overburdened. And a majority of them are sponsored by individual companies that you might surmise are the individual companies, and those companies don’t have all the answers. That’s all I’m going to say, like they might be great. I’m not talking about intentions. I’m just saying inside of one company, you get siloed. And there is a lot of knowledge out there, your article, Robert, like what you bring to the table, Cosper, like that could really impact this stuff. So I’m gonna get off my contribution soapbox now, but I really feel that there has never been a more important time for the plugin team than right now, for the future of WordPress, maybe when it first came around. But for now, like the future of the plugin team is being developed right now. And this needs to be part of that conversation, because right now, it’s not becoming easier to report security concerns. Like that’s not becoming a less obscure process. So how can we, as WordPress, take a more open perspective on this and be, you know, like Robert, like you report bugs, right? You report problems, you find problems and report them. Like this is an important part of security, right?

– Yep.

– That’s how it works.

– I mean, Robert, you had a whole project at your last gig where you were updating some kind of, were they mainly abandoned?

– Yeah, typically abandoned because, well, these were plugins that had security issues publicly reported in them and then no patch available. Plugins that were used to be available.

– Or just in the WordPress repo specifically, or just all GitHub?

– It could be any WordPress plugin. But you know, 90% are in the repo. That’s where the most attraction comes, right? And some other person found a security bug in them and I took it upon myself to write the patches for them. Right, as an educational thing. Because I felt like a lot of the security, like, arena discussion is always like, hey, here’s how you hack stuff, here’s how you hack stuff. And I was like, here’s how you patch stuff. I’m just trying to make the next logical step in this process, right? Like you can find the bugs, but can you patch the bugs? And what’s neat is some WordPress security researchers are starting to actually add, here’s how I would patch it. Right, like here’s the code I use to patch this. But with WordPress and open source, really, you can get a variety of responses back. And unfortunately with a lot of the other patching that I was doing, either the patch was way too late, like some things I patched that had been exposed publicly over a year prior, and the sites that were running that plugin that was vulnerable, yeah, they’ve already basically been taken offline by hacks or something or other, like far too late to win that game against the botnets and such. In other cases though, I mean, I’ve offered it, I think within a week or two, and it’s like you mentioned, there’s no process for this. There’s no literal process of let me accept third-party code into this plugin. Unless–

– I mean, unless they’re on GitHub, right? And you could do it–

– GitHub has one. GitHub has a great one, yes. GitHub has phenomenal resources for this. In fact, I’m starting to think we should kind of move things towards GitHub and then just have GitHub publish the SVN.

– I mean, the WordPress community, the WordPress teams are moving a lot of the stuff over, obviously not Meta Trac or Core Trac. That’s not going anywhere for a while. But the marketing teams operate there. Everyone’s moving to there. And I think that makes so much sense. But not, but, but–

– And it’s free.

– It makes a lot of sense, it’s free, but it also has, it’s really the most beautiful thing I think about pull requests and doing it this way. It’s all documented. Like it’s not like a security person is freaking emailing somebody else. Like, but this is, whose email? Like we’re like emailing people and like, where does that go? It goes– – Here’s an attachment.

Yeah, here’s an attachment with a bunch of code. Please upload it to this plugin that I don’t have.

– What are we doing? Like this is.

– I actually just, I want to say like, I actually did just get a pull request accepted for a plugin that was part of the core WordPress team. Like they had a very minor vulnerability. It’s almost trivial. I know it is trivial, but I won’t say what it is just for.

– It’s only trivial until it’s five years later and someone’s building out like a whole like.

– This is the sort of thing. Well, this is the sort of thing that would show up in some security report because it got a CVE assigned to it. And then like some vendor who’s using WordPress, we’re like, “Why, we have to fix the CVE.” And then they look back at the developer and then ask them. And like the developer would get these requests constantly.

– What’s a CVE?

– CVE is Common Vulnerability Enumeration. It’s just a number that associates a vulnerability to like this unique identifying number. But yeah, it shows up. Yeah, there’s government organizations.

– Wait, wait, wait, the CVE is like a world number or is it like a, like per-company number?

– There are governing agencies that manage their individual numbers. Japan has their own, US has their own. Probably China has their own, but they don’t share that information publicly.

– Like ICANN for bugs? For like vulnerabilities?

– Yes, and you have certified numbering authorities that like it, like it goes to validate things.

– So mostly the barcode type thing with like the numbers at the bottom, it’s like that type of, you know.

– Okay, wait, this is why I, this is me in content with websites. I’m like, so wait, so can you, as a, someone who’s discovered or patches vulnerabilities, like list here all the numbers I’ve fixed, like it’s their webpage?

– There is?

– Developers can do it, and security researchers typically do it to make a resume.

– Right, I’m like, here’s a list of all of my patches, like go find them on, they’re on the official register.

– It’s like Dribbble, but for like, yeah.

– That’s awesome, I did not know that.

– I’ve recommended to security researchers, I really want to get into it, basically find one of each type of vulnerability, because there’s also like vulnerability categories, and then that’s how you can prove you’re familiar with security as a whole.

– That’s amazing. I, you know, I think that’s interesting in terms of, um, kind of the DIY approach to security, which I, so, uh, this is my secret thing I was gonna tell you. I, so I did re, I started reading your website last night. Um, I know, I know. I was like, there’s a lot going on here. I was just trying to remember, like, ’cause they were like, who’s this? I was like, who’s our guest tomorrow? And I’m terrible with names. So I was like, I’m just going to go figure out what this is. Oh, look, Otto’s here. Hi, Otto. But you had some really interesting posts on your website, but my favorite one, well, other than learning you’re basically a secret hacker, which I also learned. But the, what’s it called? Oh, I don’t wanna call it, I was like an Oompa Loompa, a Palo Looza, a Palo Palooza. You’re an open source Palo.

– Oh, oh, oh, oh, yeah.

– What is the word? – Papadour, no, not Papadour.

– A poppadour. – Psychopomp.

Psychopomp. – Psychopomp.

– Yes. The terminology psychopomp, which is historically connected to the character or the embodiment of the concern of like death, right? Or like the grim reaper is a psychopomp.

– The River Styx guy, right?

– Yeah, the Charon, I think.

– Bringing you over into the afterlife.

– The shepherd. – The shepherd of death.

– Yes, the shepherd who brings you past, not heavens, there is no judgment here. It is the one that brings you to the gates, right? From the living world to the dead world. There’s some really crazy, yeah, I was playing with a talk idea for that, but there’s really crazy connections as to how–

– It’s a great talk idea, I love it. I think that is the most interesting. Is that like a common security term, or did you bring those together?

– I brought it together, and I may have picked it up from somewhere else, ’cause this has totally happened to me before. Like I came up with something, I find out like Schneier talked about it, I’m like, “Darn it.” So I have this open source–

– There are no original ideas, ugh!

– Open source cyberpsychopomps could maybe become my trademarked term, if anybody can ever remember it.

– I think it’s got amazing, I love the imagery of it, because this is like, the definition of abandonware is that it was abandoned, not sunsetted, right? Like that’s literally the thing. It’s not like someone was like conscientiously being like, “Oh, well, I’m gonna end this now,” right? They’re literally just like, “I forgot about that. That’s in some reason, I don’t know. I don’t have that GitHub email anymore and I don’t even know,” right?

– And that leaves the abandonware

In the area of the living, you could say, right?

They’re so active in the repository.

Right, in the purgatory.

They’re in purgatory because they’re not alive, but they’re not dead.

And every year they become deader because they’re not tested with your WordPress and

all of that stuff starts getting added to it.

But that’s also a problem on the plugin team because talking to Mika, who is like the main

plugins person forever, was, is a constant thing that most of the emails that they send

to plugin developers bounce. So, you know, we were talking about how to contact these

plugin developers. The, the, the plugin team, not only can the security people not reach

them, but the plugin team can’t even reach them a lot of the time. And it’s not even

for abandoned ware, like that, like, so obviously, abandoned ware is really abandoned, super

abandoned where but is even if something’s kind of updated, you

know, it’s three years old or something and it’s not terrible.

But if you’re not monitoring that email, if someone signed up

with, you know,

if you’re working at another place, like there’s a there’s a

lot of reasons why you don’t have access to that email

anymore. And you know, people are in 14 emails from one

business to the next like that. You’re gone at that point, you

know, right. So yeah, there’s, there’s plenty of like really

odd issues that could come up with that night. There is no

like, essentially source of truth for that communication,

like that way of being able to communicate with that person.

Even if you put somebody like on a Twitter handle, and then we

all ditch Twitter, who would have thought you know, like,

exactly right? Like, that’s been everyone’s mate. Oh, you can

connect, you know, put everyone’s got that even on the

WordCamp us sign up. It’s like, what’s your Twitter handle? And

I was like,

I can’t put two hats.

What’s going on here?

But so I think this is, again, I just want to make I know we’re in overtime.

And I know I’ve already made this pitch. And this wasn’t the point of the show.

But anyone who cares about this stuff, come care about it. actively is what I’m

saying, like, come care about it and make it better. Because it does get annoying to

hear the same problems over and over and over. When we could change things, because

that is the whole freaking point of open source.

So like, if we all care and we all see the problems

with security or whatever, let’s go in and make it better.

Right? Like let’s apply those processes.

Let’s bring in the other industries, best practices.

Let’s talk about how can we, you know,

like the conversation happening in Post Status is not useful.

Like it’s useful to me, but it’s not useful to the project.

And everyone feels then that they’ve,

they’ve had the conversation, well, good for you,

but it didn’t do anything.

Like, unless someone is listening

and then happens to be there and then goes and contributes.

– Yeah, somebody else would do the thing, yeah.

– Yeah, so like, I’m really, you know,

security is one of the biggest deals

because it, you know, it could have a real problem,

but also it undermines the lack of security

or security problems getting out there,

undermines WordPress’s reputation and makes WordPress,

weakens its standing.

And it doesn’t have to, because it doesn’t,

you know, it doesn’t have to be this way.

And again, there’s a lot I could say

that doesn’t have to be this way,

but security should be something that is objective.

This should not be like a political conversation.

This should be, you know, how can we lead the way

as an open source project that is still extremely concerned

about security, but is able to, you know,

do that in a way that is documented and clear and follows best practices.

Like it’s possible.

I’d also say build,

build tools that are going to help folks with being able to surface this stuff.

Yeah.

Cosper recently did a tool that I think is pretty awesome and being able

to look at and see like what’s what, but being able to you know,

to look and see what was recently updated

and what date in which they were recently updated.

And he even wrote a WP-CLI command

to be able to actually output this as well.

So I don’t know, you should spend some time

like writing some code on how to support

these types of initiatives of being able to see

like what the heck is wrong with these plugins?

Why is this plugin so old?

How do I get rid of the old plugins?

Even helping people try to find like alternatives

to plugins as well.

– There’s right now, I’m sorry, right now there’s,

so this stuff, that code, that can become part of,

that could become part of core.

I know there is a plugin that Andy Fragen,

a friend of the show and trauma surgeon is working on

that is currently a plugin that’s being tested

to test plugin dependencies.

So that basically it would say, oh, you have this plugin,

we have to have the other plugin and yes,

you can install it or you can’t,

like it won’t allow you to install it

if you don’t have the other plugin

and it gives a little notification.

It’s a tiny little tool, tiny little plugin,

but that can be incorporated into the core

because that’s something that is just making the system

better and function better.

And so things, oh, you found it.

Yeah, things like this,

I think this is actually going to get smooshed into core

also, that’s what it’s being tested for currently.

– Yeah, we’re in OT,

wanna be mindful of everybody’s time here,

but with the funny little story about this plugin

that I made, Plugin Last Updated Redux.

It’s not in the plugin directory yet.

It’s just up on GitHub.

Still making sure to like iron out some bugs.

If you want to test it, I encourage it.

– Make a pull request.

– This is a plugin that was in the repository,

still is that Pete Mall from Range made–

– Pete Mall?

I haven’t heard his name in so long.

– Right, I think he plays poker now.

Like I think that’s what he does for–

– He played poker then, but now he doesn’t even have

to probably play poker anymore.

– Right, so he–

– He played it well is the point.

– Yes, he has not updated this plugin in,

or the Plugin Last Updated plugin in 11 years, 13 years, I

can’t remember. But effectively, it was

Sé Reed: can’t remember when the plugin last the update last

wait, when you can’t remember when the plugin that is to tell

you when your plugin was last updated, didn’t write it yet.

And you don’t know when it was last updated.

Jason Tucker: You didn’t write it yet. I can’t even situation.

Jason Cosper: You got there, you got there eventually.

There were some words. They might have made sense.

So yeah, I basically took this abandoned plugin, I attempted to

reach out and was like, Hey, can I take this only got like his

his plugin has only got like 70 ish installs, like apparently

because it’s out of date. And, you know, people aren’t using

it. So I was like, Hey, can I take this over? I didn’t get any

answers from him. So I’m like, all right. And then I just fork

the plugin added, well, went ahead, went ahead, brought it up

to date. And then once I had it up to date, I started adding

some additional functionality. So now like, you get a little

warning emoji, like next to plugins that are older than two

years, or the WP-CLI command. See, I did it on the first take

there, Tucker. The WP-CLI command, you run it, and it just

lists off your repo installed or repo installable plugins, and

the date that they were last updated. And then off to the

side, there is not an emoji, but just a little arrow that points

at all of the plugins out of date. So you can go back

through and yeah, I would maybe like to, you know, set up the

output. So it only shows out of date plugins. I you know, I’m

still ideating and everything else there. But I do plan on

putting this up on the repo, I would love to be able to get the

chance to like, just take over the plugin last updated spot on

the repository.

But again, how do you get ahold of those people? And how do you

do that? You know, there was a few years ago, pre pandemic,

there was a conversation about having an adoption program for plugins.

Right.

That hasn’t been on the radar, at least my radar for a long time, but

that’s the type of thing that like, why not?

If someone’s like done, like, it’s kind of, okay, this is a little morbid, but it’s like,

you know how you can like, you have the leave a baby campaign that you can leave a baby at the

fire station, right?

Like, you can literally like abandon your child at a fire station and not be held liable for

for like, you know, child neglect or whatever.

And that saves lives of children

who would otherwise be hidden or what is,

I told you this was morose,

but like, this is the same kind of thing.

If there was a process in place where someone would be like,

hey, I’m not doing this anymore.

Someone can take it over or take it offline.

I mean, maybe people wouldn’t do that

because obviously people are abandoning things,

but some would, and there would be a process.

At least if there’s a process,

we could even, you know, implement something that says,

after 10 years, if you haven’t replied, we will put your plugin

up for adoption, we’ll pull it from the repo and put it in the

adoption repo or whatever it is. And then it was just

seven years ago, by the way, that we’ve mentioned that

particular episode.

Which one? Oh, the Wow.

Seven years ago,

that was like, yeah. So seven years ago, we were talking about

plugin adoption and fucking that has not happened. No, I don’t

know. I don’t know what Otto was talking about with which

process. There’s a process.

There is there is you can tag your plugin if you want to

basically give it up.

Yeah, I’ve seen right but it’s it’s kind of very

you would have to care.

Lowly in order. It’s a process that’s not been adopted by the

developers yet.

Yeah, and care though. That’s the thing. And if you don’t care

anymore, you don’t work there anymore.

Maybe we’ll do a marketing campaign for it. Maybe that

would be a thing to do like

the abandonment. You need to acknowledge the abandonment I

I think is a good thing.

– Oh yeah, they need to be acknowledged.

This has been abandoned.

I just, I really mean like,

it could be a bigger part of,

it could be a bigger thing, right?

‘Cause it’s like, hey, here’s a bunch of free plugins

that you can take and reuse or recycle.

Like that’s kind of, if you’re bored one day.

You’re like, let me go paw through there

and see if there’s anything fun.

Like, it’s like a rummage sale almost.

– There are security implications there,

but I like the idea.

– There’s old code everywhere.

But I also wanted to just say, Otto had also said that you can add security contact

information now to a plugin.

You can, and they can add whatever they want, really, in the text.

They can add links to their site.

But the conversation that was being held in Post Status with Yoast, whatever,

was that, should it be required?

That’s really the question.

Should we require there to be a security contact that is maybe an updated email

that is kept up to date?

you know, is there something that could be more like you put in your security

information and then certain people can access it.

And that is a monitor, you know, monitored account.

That would be part of more of like a,

like this is why I don’t disagree with your conclusion about the plugins review

team. And we should take our plugins elsewhere.

I don’t think that we should just make our plugins. Yes. Yes.

But I email again,

– Otto just came on here and said,

we should help.

– I put my ICQ number on there,

but no one ever contacted me.

– I’m like, can we get out of the email thing, people?

Like, we’re crying out loud.

– I should add, there were two recommendations

I had with that article.

One was going elsewhere to just reduce the burden.

The other one was specifically

listing a security point of contact.

And you can do it free form in your description.

I’ve been recommending it to people for the last few months.

– That’s a pretty low lift to help people out.

– Yeah, it’s huge help.

– And yeah, so maybe, but even if that was a field

in the plugin stuff that was like optional,

but it’s recommended and there’s a field there.

So it’s like people who put it,

this is a type of stuff that can be implemented

with pretty low lift on the code end,

on the required, it doesn’t have to be required,

it could be optional,

but these things can incrementally really improve

the system for everybody.

– Do you think this is why–

– Otto says that email works and nothing,

everything else doesn’t.

And I’m just gonna make a comment about Gen X

And then I’m just going to leave it there.

Do you think there’s a reason why a lot of these like, uh,

development houses and agencies and stuff typically will have like the,

like that company’s account listed as the plugin owner as well as a way of being

able to allow for, um,

essentially like a service account type thing that someone who no matter what

will always be able to monitor it. Do you, do you feel like

info@emails, totally paying attention to those.

But I mean, I’m just saying, do you think that that’s the reason why those

people list those, um, those types of accounts in there?

Or do you think this is something that people should do more of?

Yeah, it’s, I, I will actually, uh, say it from, uh, the perspective of somebody

who, uh, I, I work at DreamHost.

It’s not a thing that I talk about very often, but I am very proud to work there.

And so I work at DreamHost and we had one of our plugins pulled from the repository,

not because there was a security exploit or anything else.

It was because the email that was attached to the DreamHost account was attached to or

forwarding to someone’s inbox who no longer worked for the company.

And those emails started bouncing.

And I basically had to like go in and clean that up and sort that out.

And so like they do, if an email bounces, like they will close and

pull down plugins from the repository.

It’s it.

My concern is just the the emails that don’t bounce, but people are just

filtering them at this point, right?

or whatever. It’s like, Oh, yeah, this Gmail account from 15

years ago still works. But like, I never checked it.

Just collecting those emails. Just like, you know, talk about

abandonware. Think about all the old email addresses that are

just collecting all over the internet is collecting spam.

Just like, all the Bed Bath and Beyond. That’s not even a

company anymore. It’s like, here’s all your coupons for all

these companies that don’t even exist.

And Google’s using it to train an AI model.

Right.

So we’re basically that just makes it clear that the future

is idiocracy because I didn’t realize that AI was going to be

trained on spam. So I see I see I see you.

With that, we’re gonna end the show.

We’re gonna have to talk to Otto, we’re gonna have to have Otto

on the show to officially discuss some of the stuff that’s

plugins team. So yeah, you’re you’re coming on soon.

an extra overtime day. Ready? All right, well, we’re gonna hit

our outro button and someone is going to say the words because

for whatever reason it never works for me. So here’s our outro.

Thank you.

watercooler.com slash subscribe. Apple Podcasts, we’re on Google

Podcasts, Stitcher, Spotify, YouTube. Did my mic not work

this time. What the hell is going on? That’s so weird.

We should not rely on my microphone though. No. No. No.

All right, well, we’re out.


12 responses to “EP27 – WordPressing with Abandon(ware)”

  1. Jason Tucker: @wpwatercooler looking forward to this one!
