We build most of our sites in WordPress, which has the advantage of allowing our clients to suggest plugins for specific functionality that they want on their site. Using plugins means we can grow the site quickly and without reinventing the wheel by coding for features that already exist.
This is one of the great strengths of using open source software, and especially popular platforms like WordPress: there are a huge number of developers making any number of add-ons to make the platform one of the most extensible imaginable. Many of the developers work on projects just to make the internet a better place, which is fantastic, but when you’re bringing external code into a site, the skill of the plugin’s author must be a point of serious consideration.
For a great many sites, this won’t particularly matter. But we specialise in projects for the public sector, which often require a high level of security accreditation, and so security is, and always should be, a deal-breaker.
In fact, for any organisation that collects personal data or has reputational risk around the possibility of their website being damaged or insecure, this is a big deal. Poorly coded plugins could leave space for cross-site scripting and SQL injections amongst other nasties, and the damage to a brand from being labelled as insecure and unsafe is pretty hard to row back from.
So, we’ve launched dxw security, where we are publishing the results of our plugin reviews and inspections. Anything we look at will be written up and put online. You can have a look at how we’re assessing plugins and what we’ve already reviewed here. We’re doing this for anybody who is interested in security; you don’t have to pay anything or register to see our findings.
We’re keen to contribute to the wider WordPress community, and this is just one part of that effort. This is also our first step towards a more comprehensive service from us. In the meantime, if you have a plugin that you want checked but don’t see it online, drop us an email.