Back when I started explaining why I dislike security plugins, I mentioned hating people who thought they knew everything.
Noah (not his real name) is a good example of that kind of drama.
Not Safe Enough
Very rarely do plugins get an email that starts out with claims we’re too dumb to understand security.
In this case, Noah submitted a search plugin. Not a security plugin. And on a quick look, it had the following serious issues:
- direct access to files with POST calls outside of functions
- calling wp-config.php directly to get DB access
- non-prefixed functions, defines, and classes
- non-sanitized data being processed and non-escaped data being output
Pretty normal in so far as poorly written plugins go, and Noah got an email with the usual details on what’s wrong and what to fix.
Noah did not take it well and claimed our rules were arbitrary and made to protect people. Yes? I mean, of course the rules are there to protect people! And one can argue any rule is ‘arbitrary,’ but that’s how they work. Noah went on to say that was okay, but rules had disadvantages too. To that end, sure, he’s got a point. The rules do limit innovation to an extent but usually that’s got a reason.
The email went on for 1500 words about the problems people face (resource usage, mostly, and caching), and Noah included this gem:
You are not able to solve these problems since you waste all of your time defining rules, handling security problems and bothering people who are offering their assistance to you for free.
Noah via email to Plugins
We wouldn’t have to make all those guidelines and handle security issues if people actually fixed them, but I felt that was besides the point.
Let’s be honest here, Noah’s email was a lot of drama and words, signifying nothing at all. Making WordPress faster and having it use fewer resources is a great idea. But sir, this is an Arby’s. Or rather, Noah my man, this is a search plugin that has obvious security issues (sanitizing/escaping), makes dangerous calls that won’t always work (calling wp-config.php which can be moved), and crap for prefixes.
Not Smart Enough
I did pick out the line “you can’t understand what I do” and rolled my eyes. Generally speaking, if someone tells you that, they’re the fool, not you. It’s like people who jump to tell you “I have a decade experience in WordPress!” They want their perceived standing in the community to excuse behaviour. That may happen, but I never cared if it was Matt himself submitting a plugin. Security is security. Hell, I once closed my own plugin for a security issue I’d missed 5 years prior (hilariously I only realized it was mine when I was about to hit send — there was a lot of laughing).
And I absolutely am smart enough to take one look at Noah’s code and recognize that his entire point was to have a plugin search WordPress and intentionally not use the built in WordPress security features. Like nonces. Normally that is from a lack of education and I think of it as a no-harm/no-foul. I remember when I didn’t really understand nonces, after all!
But in Noah’s case, he believed he was smarter than everyone else using WordPress and, instead of submitting patches to improve it for everyone, he was just going to circumvent WordPress’ security entirely. And that is a non-starter.
I am also smart enough to see his plugin could be brought into compliance pretty easily, which was why I didn’t reject, I pended.
Not Clever Enough
I replied to Noah explaining his rant was pretty off topic not to mention very wrong in many places. The code was not safe to use, and we generally didn’t accept plugins that didn’t ‘use’ WordPress unless it was safe.
Perhaps I should explain a little here… See, there are two issues with calling wp-load.php or wp-config.php. The first issue is that people can, and do, move both the config file and the wp-content folders, so there would have to be a lot of fallbacks to make sure it would work for everyone. The second is that calling those directly is how you obviate WordPress’ security.
A sneaky third is that there’s no reason you should need to do that in the first place. If you call your plugin properly, with init and so on, then you get all the fun WordPress stuff without the drama. I know it’s a concept a lot of pure PHP devs struggle with, especially when they want to have ‘a url’ that people can use on their site (like a plugin wants your site to have example.com/myplugin), because that is a little tricky with WordPress.
In the email to Noah I made it clear. If he wanted to be hosted on WordPress.org, he had to follow the guidelines and that included our security requirements.
I mean, come on, here’s the part of the email where I tell him to sanitize, and he asks if that’s correct:
> When you include POST/GET/REQUEST/FILE calls in your plugin, it’s important to sanitize, validate, and escape them.
Did you ever think, if this is really correct?
Noah via email to Plugins
Yes. Yes I do think it’s correct to sanitize, escape, and validate.
Also telling him “you must use the most appropriate function for sanitizing” (by which I mean ‘don’t sanitize a number as a text field, y’all’) he says:
Who are you, that you think you are allowed to tell me what I “must use”? Are you thinking, you would be god?
Noah via email to plugins
A god?
Jokes aside, Noah made it clear he thought the rules were bullshit, and he had no intention of ‘helping’ anyone. I shrugged, rejected his plugin, suspended his account, sent his emails to the blocked bin, and moved on my way.
One Year Later…
A new search plugin showed up, and at first it didn’t trigger any memories for me. In fact, this version had corrected most of the things I’d flagged in the first one. A lot of people submit similar plugins, but at this point I was about 7ish years into reviews, so I was pretty good at spotting repeats.
Just like people have writing styles, people have coding styles.
Around halfway through the review, something clicked. I went and checked, and lo and behold it was Noah! He used a new domain, but DNS showed the same person owned both domains. Him. And he wasn’t really trying to hide it since, when I rejected the plugin, he replied from his first account’s email.
He explained that in the last couple of weeks, we’d ‘twice’ gotten in trouble together. I thought I hadn’t heard from him in nearly a year, and now I was worried he had used multiple accounts. But before I got into that work, I read his email.
I Didn’t Read His Email
It’s true. I skimmed his 2500+ word email that was filled with … well … bullshit. He claimed that the use of saved replies meant I was ignorant and only doing that because it was easy… You know what, let me bullet point.
- He thinks Automattic owns the plugin review team.
- He believes he was 100% right and I was wrong, but he made the security changes anyway.
- I was selfish for not listening to him, but he’s not rude for not listening to me.
- He doesn’t believe telling me I’m stupid and paranoid was rude.
- He expected me to do the emotional labor of telling him how to behave.
- He claimed I rejected his plugin without a word (even though he replied to the email where I explained it was for abusive behaviour).
- He’s mad I rejected his resubmission, even though the original email said NOT to resubmit or make a new account (… I mean …).
I did not reply since at the end he’d said this:
This is my very last attempt to offer my software to you. If you don’t answer this email, I will delete the plug-in. But I believe you would serve WordPress better if you would give the software a chance.
Noah via email to Plugins
Alas, he tried twice more that year before (seemingly) giving up.
Oh, and no, he didn’t have other accounts. He was sniffing some glue to come up with a claim that he and I had been in contact at all after that first rejection.