In this post I want to talk about the cleanness of WordPress plugin packages. I call a package clean if it contains no unnecessary files. Unnecessary files, together with the garbage problem they create, can lead to a real security problem. Let's take my latest download as an example: the well-known WordPress plugin WP-Forum by Fredrik Fahlstad. For anyone new to this plugin, it is a simple discussion forum plugin for WordPress. You can download it from Fredrik's site http://fahlstad.se/wordpress/plugins/wp-forum/.
I went to the plugin's home page http://www.fahlstad.se/wp-plugins/wp-forum/ and downloaded the version 2.4 installation package.
Inside this .zip package, in addition to the core plugin code files, we can see:
a __MACOSX folder, and a .DS_Store file in every other folder.
The __MACOSX folder is created automatically by Mac OS X when a .zip archive is made with the Finder. It holds AppleDouble files (named ._filename) that carry the resource forks and extended attributes of the archived files, which mean nothing to a WordPress server. Its origin is well described in this post http://floatingsun.net/2007/02/07/whats-with-__macosx-in-zip-files.
.DS_Store (Desktop Services Store) is a hidden file that Apple's Mac OS X also creates automatically. It stores the Finder's view settings for a folder, and if it is uploaded to a web server it also discloses the names of the files in that folder to anyone who fetches it. More about the .DS_Store file can be read here.
Thanks, Fredrik, for your hard work and very useful plugin. But please be aware of such unnecessary files that your OS automatically adds to the plugin installation package, and please keep your installation packages clean.
How many users check a new plugin package before installing it on a site? It is so easy (thanks to the WordPress core developers) to install and start using most WordPress plugins. But what files do we unpack and put on the site during plugin installation? This can turn into a large security problem if somehow (a virus, bad guys) a malware script ends up in one of the popular plugin packages. Just imagine the day this happens: how many sites would lose control or be compromised at once? Ideally we need some kind of code security control service that checks new code (plugins, themes) for security issues and vulnerabilities before it is made available to the public from wordpress.org.
While such a service doesn't exist (if it does and I don't know about it, please correct me), we have to be aware of this possible threat and check and test new plugins ourselves as far as we can before putting them on a live site.
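Here is an added example of such a self-check, not code from the original post or from the WP-Forum project: a small Python script that lists every entry of a plugin .zip, flags the __MACOSX and .DS_Store leftovers described above, other hidden files such as a .git directory, and any entry whose path would escape the plugin directory on extraction, and then writes a cleaned copy without the OS junk. The package contents are constructed for the demo; the file names are assumed and are not the real WP-Forum 2.4 archive.

```python
import io
import posixpath
import zipfile

# Names that Mac OS X (and Windows) add automatically and that have no
# business in a plugin package.
JUNK_DIRS = {"__MACOSX"}
JUNK_FILES = {".DS_Store", "Thumbs.db", "desktop.ini"}


def _is_junk(name):
    """True for __MACOSX/ entries, ._AppleDouble files and OS metadata files."""
    parts = name.split("/")
    base = parts[-1]
    if any(p in JUNK_DIRS for p in parts):
        return True
    return base in JUNK_FILES or base.startswith("._")


def _is_unsafe_path(name):
    """True if extracting the entry could write outside the target directory."""
    if name.startswith(("/", "\\")) or (len(name) > 1 and name[1] == ":"):
        return True  # absolute path or Windows drive letter
    normalized = posixpath.normpath(name.replace("\\", "/"))
    return normalized == ".." or normalized.startswith("../")


def inspect_package(zip_bytes):
    """Classify every entry of a plugin .zip; returns a dict of sorted name lists."""
    report = {"junk": [], "unsafe": [], "hidden": [], "clean": []}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            if _is_unsafe_path(name):
                report["unsafe"].append(name)
            elif _is_junk(name):
                report["junk"].append(name)
            elif any(p.startswith(".") for p in name.split("/") if p):
                report["hidden"].append(name)  # other dotfiles, e.g. .git/
            else:
                report["clean"].append(name)
    return {k: sorted(v) for k, v in report.items()}


def clean_package(zip_bytes):
    """Return a new archive with the OS junk removed.

    Hidden files are kept (they may be deliberate); an entry with an unsafe
    path aborts the rewrite rather than silently producing a "clean" package
    from a hostile one.
    """
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if _is_unsafe_path(info.filename):
                raise ValueError("refusing to repackage unsafe path: " + info.filename)
            if _is_junk(info.filename):
                continue
            dst.writestr(info, src.read(info.filename))
    return out.getvalue()


def build_sample_package():
    """Constructed package as it comes out of the Mac OS X Finder (assumed names)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("wp-forum/wp-forum.php", "<?php /* plugin entry point */\n")
        zf.writestr("wp-forum/css/style.css", "body { margin: 0 }\n")
        zf.writestr("wp-forum/.DS_Store", b"\x00Bud1")         # Finder metadata
        zf.writestr("wp-forum/css/.DS_Store", b"\x00Bud1")
        zf.writestr("__MACOSX/wp-forum/._wp-forum.php", b"\x00\x05\x16\x07")  # AppleDouble
        zf.writestr("wp-forum/.git/config", "[core]\n")        # developer leftover
    return buf.getvalue()


def build_hostile_package():
    """Constructed package whose entry would overwrite a file above the plugin dir."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("wp-forum/wp-forum.php", "<?php\n")
        zf.writestr("../../wp-config.php", "<?php /* overwritten */\n")
    return buf.getvalue()


if __name__ == "__main__":
    pkg = build_sample_package()
    for category, names in inspect_package(pkg).items():
        for n in names:
            print(f"{category:7} {n}")
    print("after cleaning:", inspect_package(clean_package(pkg)))
    print("hostile:", inspect_package(build_hostile_package())["unsafe"])
```

Run it against a real download by replacing build_sample_package() with the bytes of the .zip file. For plugin authors, the __MACOSX folder comes from the Finder's Compress command; building the archive from the command line with Info-ZIP's zip avoids it, and an existing archive can be cleaned with zip -d wp-forum.zip '__MACOSX/*' '*/.DS_Store'.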