PHP code audit / security review (wordpress)

Hello.

I'm looking for some guidance on getting a 3rd party code / security audit of a PHP Plugin.
It's fairly simple and about 2500 lines of code.

They need to be familiar with WordPress plugins, as WordPress has its own coding standards / practices they want you to follow.

Who have you used and would you recommend?
What sort of cost am I looking at?
 
Is it an open source plugin or a paid one?

The effort involved in reviewing the code depends on what the plugin does.
 
2500 lines of code is nothing. That is 2 or 3 hours of coding if you have a pot of decent coffee. I do not believe a competent review should take more than that same 2 to 3 hours, unless there are 3rd Party engines involved like SQL or other remote servers, or websockets, or async XML/HTTP exchanges, or other things that the auditor would have to review individually.

I do not see how WordPress' preferences apply to a security audit. The business logic either has loopholes or it does not. The number of carriage returns between the end of one function's closing bracket and the next function definition is a stupid thing to worry about, as is whether the opening bracket is on the same line as the function signature or on the next line.
 
Thanks.
No, there is nothing fancy to this, although it does read from MySQL (the WordPress backend).

There are helper functions and methods which WordPress exposes / requires.

You're not hitting the database directly; you are using the WordPress wrapper to prepare and execute your command.
Similarly, for input validation and output escaping they have helper functions.
The other aspect is how WordPress adds filters, hooks, functions etc.

I had thought knowledge of this would help.
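As an added example, not code from the thread or from any actual plugin: the contrast an auditor of a plugin like this looks for, using the WordPress wrappers mentioned above. The table name and shortcode name are assumptions for illustration.

```php
<?php
/*
 * Added example (not from the thread): the pattern an auditor checks in a
 * WordPress plugin that reads from MySQL through the $wpdb wrapper.
 * Table name (dm_notes) and shortcode name are assumptions for illustration.
 */

// BEFORE: what the auditor flags. Request input is interpolated straight
// into SQL and echoed without escaping (SQL injection and XSS).
function dm_notes_shortcode_unsafe( $atts ) {
    global $wpdb;
    $author = $_GET['author'];                                  // unvalidated
    $rows   = $wpdb->get_results(
        "SELECT title FROM {$wpdb->prefix}dm_notes WHERE author = '$author'"
    );
    $out = '';
    foreach ( (array) $rows as $row ) {
        $out .= '<li>' . $row->title . '</li>';                 // unescaped
    }
    return '<ul>' . $out . '</ul>';
}

// AFTER: the WordPress-idiomatic version. Input goes through a sanitize_*
// helper, the query goes through $wpdb->prepare() so the value is bound
// rather than concatenated, and output passes through esc_html().
function dm_notes_shortcode( $atts ) {
    global $wpdb;

    $author = isset( $_GET['author'] )
        ? sanitize_text_field( wp_unslash( $_GET['author'] ) )
        : '';
    if ( '' === $author ) {
        return '';
    }

    $table = $wpdb->prefix . 'dm_notes';  // assumed plugin table
    $rows  = $wpdb->get_results(
        $wpdb->prepare( "SELECT title FROM {$table} WHERE author = %s LIMIT %d", $author, 50 )
    );

    $out = '';
    foreach ( (array) $rows as $row ) {
        $out .= '<li>' . esc_html( $row->title ) . '</li>';
    }
    return '<ul class="dm-notes">' . $out . '</ul>';
}

// Registering the shortcode is the hook mechanism the thread refers to.
add_shortcode( 'dm_notes', 'dm_notes_shortcode' );
```

A reviewer familiar with WordPress can grep for `$wpdb->query`/`get_results` calls without `prepare()` and for `echo`/`return` of request data without an `esc_*` helper, which is the kind of check the thread's poster is describing.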
 
daninmanchester said:
Thanks.
No, there is nothing fancy to this, although it does read from MySQL (the WordPress backend).

There are helper functions and methods which WordPress exposes / requires.

You're not hitting the database directly; you are using the WordPress wrapper to prepare and execute your command.
Similarly, for input validation and output escaping they have helper functions.
The other aspect is how WordPress adds filters, hooks, functions etc.

I had thought knowledge of this would help.

Only if you want a security review of WordPress, in which case you should expect pros to laugh heartily while trying to figure out how many zeros they can get away with putting after a 99.
 
To find a 3rd party code/security auditor for your WordPress PHP plugin:

  1. Research specialized companies or individuals with experience in WordPress plugin audits.
  2. Look for auditors with credentials, experience, and knowledge of WordPress coding standards.
  3. Prioritize good communication and collaboration throughout the process.
  4. Request cost estimates from multiple auditors to get an idea of the pricing range.
  5. Consider reaching out to WordPress development agencies or companies.
  6. Review terms, agreements, and non-disclosure policies before finalizing the engagement.
 