WordPress security: the case for dependency management

Two things happened in the last week to spark this post: I gave the weekly “Show and Tell” at work on my favourite things about Drupal that I’d like WordPress to learn from (one of them should appear in 4.1, by the way), and yesterday a vulnerability was revealed in the still-popular TimThumb library used by many WordPress themes and plugins.

Dependencies

One of my favourite things about Drupal is that it offers theme and module developers the ability to declare dependencies. A few simple lines in the module.info file (Drupal’s sort-of readme.txt equivalent) specify that the module depends on other modules, and Drupal recognises that, offering to install and/or enable those modules for you in order to meet the dependencies. For example:

dependencies[] = views
dependencies[] = rules
dependencies[] = features

That’s not all, though: Drupal also allows module developers to specify required libraries in a similar way. Those libraries are then installed in a ‘libraries’ directory alongside the modules directory.

Duplicated Effort

By contrast, WordPress plugin and theme developers often have to bundle those libraries into their plugin or theme. The result, when a security issue like yesterday’s TimThumb exploit is revealed, is that every plugin and theme developer who bundles the library has to update their own project and push out a release, leaving users vulnerable until each developer gets round to it.

Instead, having a system like Drupal’s dependencies means that, once the library itself is updated, all installations could pull down that library update and secure their site without the plugin/theme developer having to lift a finger. Installs are secured more quickly and with minimal effort.
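As an added illustration of the duplicated-effort problem (example code, not part of the original post), the following Python inventories every bundled copy of a library under a WordPress content tree and reports which copies still fall below the version that carries a fix. The sample tree, its paths and version numbers, and the “fixed in” thresholds are constructed for the example; the version-marker regexes are assumptions based on the headers those files commonly carry.

```python
import re

# Constructed sample tree: path -> first lines of the bundled file.
# Paths and versions are made up for this example.
SAMPLE_TREE = {
    "wp-content/themes/alpha/timthumb.php": "<?php\ndefine ('VERSION', '2.8.10');\n",
    "wp-content/plugins/gallery/lib/timthumb.php": "<?php\ndefine ('VERSION', '2.8.14');\n",
    "wp-content/plugins/slider/js/jquery.js": "/*! jQuery JavaScript Library v1.4.2 */\n",
    "wp-content/plugins/forms/assets/jquery.min.js": "/*! jQuery v1.11.1 | (c) jQuery Foundation */\n",
    "wp-content/plugins/forms/forms.php": "<?php\n// plugin code, no bundled library\n",
}

# (library name, filename pattern, version regex over the file content).
# Assumed marker formats: TimThumb's VERSION define() and jQuery's banner comment.
LIBRARY_MARKERS = [
    ("timthumb", re.compile(r"timthumb\.php$"),
     re.compile(r"define\s*\(\s*'VERSION'\s*,\s*'([\d.]+)'")),
    ("jquery", re.compile(r"jquery(?:[.-][\w.]+)?\.js$"),
     re.compile(r"jQuery(?: JavaScript Library)? v([\d.]+)")),
]

def parse_version(text):
    """'2.8.10' -> (2, 8, 10), so '1.11.1' correctly sorts above '1.9.0'."""
    return tuple(int(part) for part in text.split("."))

def inventory_bundled_libraries(tree):
    """Return {library: [(path, version_tuple), ...]} for each bundled copy found."""
    found = {}
    for path, content in tree.items():
        filename = path.rsplit("/", 1)[-1]
        for name, file_re, version_re in LIBRARY_MARKERS:
            if not file_re.search(filename):
                continue
            match = version_re.search(content)
            if match:
                found.setdefault(name, []).append((path, parse_version(match.group(1))))
    return found

def find_outdated(inventory, fixed_in):
    """Paths whose bundled copy is older than the version that carries the fix."""
    outdated = []
    for name, copies in inventory.items():
        if name in fixed_in:
            threshold = parse_version(fixed_in[name])
            outdated.extend(path for path, version in copies if version < threshold)
    return sorted(outdated)

if __name__ == "__main__":
    # The fixed_in values are placeholders; take them from the library's advisory.
    inv = inventory_bundled_libraries(SAMPLE_TREE)
    for path in find_outdated(inv, {"timthumb": "2.8.14", "jquery": "1.9.0"}):
        print("needs update:", path)
```

Each path reported is a separate plugin or theme release that has to ship before the site is clean, which is exactly the coordination cost a shared dependency would remove.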

There are other benefits to a dependency system but I believe the security angle is by far the most compelling.

My suggestions above actually go a bit further than what Drupal offers at the moment, I believe, but a system that works as closely to the existing plugin/theme system as possible would be beneficial.

TimThumb, seriously?

Before you say it, yes, there is a better way to deal with TimThumb specifically. David Bisset put it best:

Thoughts?

Picture credit: The Colorful Library of an Interaction Designer by See-ming Lee

Comments

One response to “WordPress security: the case for dependency management”

  1. @ommunist

    I stumbled upon the same thoughts years ago, when different versions of jQuery were shipped with every second WP plugin.
    Unfortunately you have to live and work with Automattic to make this change for the better.
    Or, let’s write a helpful brochure on plugin-theme development with proper addressing of the issue, showing how the heck one should use the libraries available in plenty at /wp-includes.
