The keys to running a successful WordPress blog — technically speaking

Heise online reports WordPress is going to clean up the plugins dir because plugins “suck” and that — despite this fact — WordPress has become a constant in the web because large blogs such as Smashing Magazine are using it.

How do large WordPress blogs like Smashing Magazine accomplish this when plugins suck so much?

In the past years I have responsible for many WordPress installations, including Smashing Magazine‘s WordPress installations. I think I can tell you the keys that make a blog running WordPress successful or unsuccessful, technically speaking.

It’s the plugins:

  • How many of them are installed – the less the better!
  • Which ones are installed — always look how experienced the plugin’s developer is!
  • How they got chosen — make a security audit, either by yourself if you are competent, or hire someone how is!

In fact there are many, many WordPress plugins out there that have been developed by, let’s say, inexperienced developers. There are *tons* of security issues out there. The more plugins you install, the more security issues you install.

When I take over as a WordPress sysadmin, the first thing I do is throw out all unneeded plugins. Then I update the remaining ones. Then I try to further reduce the amount of plugins, either by implementing features myself or by replacing plugins with more capable/secure ones.

Here’s my last tip: If you cannot find a decent, capable, and secure WordPress plugin that suits your needs, hire a good developer with a security background to create it for you. Obviously you have to make sure not to hire one of the inexperienced developers. Please don’t go collecting plugins like “Oh I take this, and this one as well, this one sounds nice too” — this is not going to work in the long run. A successful WordPress blog is *always* run by competent admins and developers, not by “WordPress plugin collectors”.

Of course there are other factors as well, like always having the most recent versions of them installed, or to have interesting contents, but those are the keys IMHO.

WP Plugin Security: Multiple Leaks in WP-PhotoContest

What IS WP PhotoContest? The readme states:

This plugin permits you to create a ‘voting for photos-contest’ from the WordPress admin panel Subscribed users can uploads photos and everyone else can vote for the uploaded photos (sic).

The author could rephrase that as follows:

This plugin permits everyone to inject SQL commands into the database and to do a cross site scripting attack.

You most certainly do not want to install this plugin even if you are in the mood for a photo contest.

I did not review the whole plugin, just login.php where I have found the XSS leak and view.php as well as viewimg.php where the SQL injection leaks are located. Most propably there are even more leaks as this plugin seems to be from an inexperienced PHP programmer.

The author has been notified at UTC 1022. Information applies to version 1.0 and 1.0.1.


The XSS leak is all too common:

$frompost_id = $_REQUEST['prid'];
<a href="<?php echo bloginfo('wpurl'); ?>/wp-content/plugins/wp-photocontest/login.php?post_id=<?php echo $frompost_id; ?>"><?php _e('Log In', 'wp-photocontest') ?></a>

There it is. A classic.

SQL injection in view.php and viewimg.php:

$post_id = $_REQUEST['prid'];
$q1 = "SELECT contest_id, start_date, end_date, contest_path, contest_name, intro_text, num_photo FROM ".$wpdb->prefix."photocontest_admin where post_id=$post_id";
$out = $wpdb->get_row($q1);

This is also a classic and a beginners mistake as well. There is no security whatsoever. Don’t consider this plugin to be safe when the mentioned leaks have been fixed!

What to do for plugin users

Deactivate and remove WP-PhotoContest immediately and wait for a revised plugin.

This issue has been resolved