When the folks at Automattic, the home of popular blogging platform WordPress, came up with VaultPress, I was doubly pleased. First of all, it addressed a real need to have constant off-server backups of WP sites and someone to call on when things went badly wrong with our installations. Secondly, I was pleased that the guys had found a new tangible revenue stream for a company that was founded on open source and made an effort not to exploit its leading position. Being nice is all well and good, but it’s also important that they develop the business that serves so much free goodness in a way that’s sustainable.

The unexpected benefit
But there’s another aspect to the launch of VaultPress that is already having a significant impact on the WordPress universe. One of the functions of this new tool is that it scans your WordPress installation for security breaches and alerts you if it finds any suspicious code or potential back doors. As anyone who uses self-hosted WordPress knows, one of the main security threats isn’t actually the WP installation itself, but the thousands of popular themes and plugins that add a great deal of functionality to it. Because WordPress is an open source project, these are contributed by coders and designers with varying levels of ability and security awareness. As a result, the biggest security holes are actually bolted on to the WP platform and are therefore difficult to control.

And this is where it gets interesting. In the first few weeks after the launch of VaultPress, you could already see users of the tool contacting developers of plugins, even some that have been around for a while, to alert them that their creation needed fixing because it had been flagged for security breaches. I myself realised that WP-DBManager was coming up with security warnings, and immediately checked online, only to find out that indeed other users had already identified the vulnerability and alerted the developer (who promptly fixed it). I know of two other plugins and a theme with similar issues (one fixed, two not yet).

So it would appear that the growing VaultPress userbase is taking advantage of the tool not only to ensure that their own installations are safe, but also to alert the community to unsafe plugins and themes, thereby incrementally making the WordPress universe better for all of us; a good result, no doubt.

PS. The obvious question is whether it would not be even more impressive if Automattic also ran the same sort of scan for any theme or plugin uploaded to WordPress.org. I certainly think they should consider it.

2 Responses to The unexpected benefit of VaultPress

  1. Otto says:

    Themes now do undergo extensive reviews before being made available. Some have complained that they’re too extensive, in fact. :)

    Plugins are still a bit of a free for all, but I know that some of the WordPress core devs have been scanning plugins and creating lists of potential problems, in order to notify developers. There may be some progress in this area in a few months.

    Nobody really wants to put plugins under a review process, because it’s very hard and time-consuming to do and it tends to stifle innovation when you do that. It’s more doable with themes, since they tend to be more goal-focused than plugins, which might do pretty much anything.

  2. Ryan Paul says:

    I’m sorry but I think WordPress should treat the plugin vault the same way Apple does the App Store.

    Stifling creativity wouldn’t be an issue if people wrote good code. Hire a couple of gifted programmers whose sole job is to examine plugins.
