Security is an important topic.
Security is everyone’s problem. In particular, if you’re a developer, you should take responsibility for things you create. Even if you’re just starting out as a WordPress user or developer, you should make sure that the sites you’re building for your clients are as secure as possible.
There is no such thing as absolute security.
To quote Bruce Schneier from his book “Applied Cryptography”:
The only secure computer system in the world is unplugged, locked in a vault at the bottom of the ocean and only one person knows the location and combination of that vault. And he is dead.
You’ve probably heard that even big companies like Facebook, Microsoft, Adobe and Google have had their share security problems. These companies have many developers and dedicated teams that only deal with security and things still go wrong.
I hope you haven’t forgotten the Sony incident with plain text passwords. If you’re developing anything, please don’t store passwords in plain text, just don’t.
Security and WordPress
There are many tools that can help you better harden your applications. Some of them are general, some very specific. Such tools exist for WordPress too. For a WordPress site, theme quality is an important part of your overall website security. One of the plugins that can help you in this area is VIP Scanner. The VIP Scanner plugin is a UI for the VIP Scanner library. You can find the library in the plugins folder under
My current local setup uses Vagrant with Chassis, take a look at this article on Chassis if you want to use it too.
There are two ways to install VIP Scanner: from the plugin page, or manually with git in the plugins folder. The preferred way to install it is via git. That's because the VIP Scanner plugin page only has an older version ( v0.7 ) available, as opposed to the GitHub repo which is at version v0.8. The developers of this plugin prefer the git way too. To install the plugin, navigate inside the plugins folder and execute:
git clone https://github.com/Automattic/vip-scanner.git vipscanner
cd vipscanner
git submodule update --init --recursive
The first command will download the plugin. The second will navigate into our newly cloned directory. The third will clone all the submodules (PHP-Parser).
Now, navigate to your WordPress dashboard and activate the plugin. To see this plugin in action, navigate on Tools > VIP Scanner.
There you will find 3 different types of scanning options:
- Undefined function check
- wp.com theme review
- VIP theme review
When you first run a scan using this tool, it will use the current active theme – it’s worth mentioning that this tool only deals with themes. Each type of scan is different, this comes in handy when you develop WordPress themes and care about code quality (which everyone should).
When you scan a theme (the active theme), you'll find all sorts of problems. The first scan type (undefined function check) does what the name says: it scans the whole theme directory for calls to undefined functions. This is the basic scan and you should use it on every theme that you develop. The other two are more specific. The second scan type (wp.com theme review) is used when you are developing themes for the community. The third scan is used only for WordPress VIP.
So now we know a little bit about VIP Scanner, let's have some fun! Let's scan the official theme that comes preinstalled with WordPress (the latest theme). The first scan (undefined function) will not throw any errors. The second one will display some errors (mostly warnings). There are 3 sections in the scan results: Errors, Notes and Analysis. The first is where errors are shown, the second holds warnings, and the third is where you can find more information about the structure of the theme, such as the number of classes, functions and author details.
Even with the official WordPress themes, we found a few errors. Most of them are:
The theme uses @package WordPress. This is reserved for WordPress Core files.
This is because you are not supposed to use @package WordPress in any of your themes (despite being the official WordPress themes).
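To make concrete what the two checks above look for, here is a small added example in Python; it is not VIP Scanner's own code (the real plugin parses PHP with PHP-Parser, while this one approximates with regular expressions). It scans a constructed two-file theme for calls to functions that are neither defined in the theme nor in a tiny, constructed stand-in for the WordPress/PHP function list, and it flags files whose docblock uses the reserved @package WordPress tag.

```python
"""Toy versions of two VIP Scanner checks: undefined function calls and the
reserved '@package WordPress' docblock tag. Added example, not the plugin's code."""
import re

# Constructed sample theme: file name -> PHP source. Two calls are deliberately
# left undefined and functions.php carries the reserved @package tag.
SAMPLE_THEME = {
    "functions.php": """<?php
/**
 * Theme functions.
 *
 * @package WordPress
 */
function mytheme_setup() {
    add_theme_support( 'title-tag' );
    mytheme_register_menus();
}
add_action( 'after_setup_theme', 'mytheme_setup' );
""",
    "index.php": """<?php
/**
 * @package MyTheme
 */
get_header();
if ( have_posts() ) {
    while ( have_posts() ) {
        the_post();
        mytheme_render_card( get_the_ID() );
    }
}
get_footer();
""",
}

# Constructed, deliberately tiny stand-in for the WordPress core and PHP
# function list the real tool knows about.
KNOWN_FUNCTIONS = {
    "add_theme_support", "add_action", "get_header", "get_footer",
    "have_posts", "the_post", "get_the_ID",
}

# PHP language constructs that look like calls but are not functions.
CONSTRUCTS = {"if", "while", "for", "foreach", "switch", "elseif", "function",
              "echo", "print", "isset", "unset", "empty", "return", "array", "list"}

DEF_RE = re.compile(r"\bfunction\s+([A-Za-z_]\w*)\s*\(")
# Identifier followed by '(' that is not a method call (->foo, ::foo) or a
# variable call ($foo). A pure regex approximation, not a PHP parser.
CALL_RE = re.compile(r"(?<![\w$>:])([A-Za-z_]\w*)\s*\(")
PACKAGE_RE = re.compile(r"@package\s+WordPress\b")


def defined_functions(theme):
    """Names of all functions declared anywhere in the theme."""
    names = set()
    for src in theme.values():
        names.update(DEF_RE.findall(src))
    return names


def called_functions(theme):
    """Map of called name -> set of files it is called from."""
    calls = {}
    for fname, src in theme.items():
        for m in CALL_RE.finditer(src):
            name = m.group(1)
            if name.lower() in CONSTRUCTS:
                continue
            calls.setdefault(name, set()).add(fname)
    return calls


def undefined_functions(theme, known=KNOWN_FUNCTIONS):
    """Called names not defined in the theme and not in the known list.
    PHP function names are case-insensitive, so compare lowercased."""
    defined = {n.lower() for n in defined_functions(theme)}
    known_lc = {n.lower() for n in known}
    result = {}
    for name, files in called_functions(theme).items():
        if name.lower() not in defined and name.lower() not in known_lc:
            result[name] = sorted(files)
    return result


def reserved_package_tags(theme):
    """Files whose docblock uses '@package WordPress', reserved for core files."""
    return sorted(f for f, src in theme.items() if PACKAGE_RE.search(src))


if __name__ == "__main__":
    for name, files in sorted(undefined_functions(SAMPLE_THEME).items()):
        print(f"Undefined function {name}() called in {', '.join(files)}")
    for f in reserved_package_tags(SAMPLE_THEME):
        print(f"{f}: uses @package WordPress, which is reserved for WordPress core")
```

The known-function set is the important caveat: a real check is only as good as its list of core functions, and anything missing from that list shows up as a false positive, which is why the plugin relies on a proper parser and the full WordPress function inventory rather than a regex.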
Now go and scan a few more themes with this tool. This tool is very powerful when you’re developing your own themes (or even reviewing) for a client. If you’re writing your own themes, take small steps and then scan. This way you’re less likely to screw things up. Also you can find bugs in the early stages of development, which saves time.
The Bad Parts
One thing that I find very frustrating with WordPress in general is the lack of good quality code. VIP Scanner does its job very well, and the commits, pull requests and issues show that it's under active development, which is great. What I'd like to see is the project using git submodules for dependency management. Packagist and Composer exist for that reason. PHP lacked dependency management tools, but they're finally here. Also, I had a few problems with Code Sniffer. When scanning themes with the "VIP theme review", I always got the error telling me I didn't have Code Sniffer installed locally. I tried to work around this and install that tool, but I couldn't get it to work. Please leave a comment if you figured this out.
This tool does lack a few things, mostly code standards. But, it is a good tool and does its job very well, so you definitely should use it on every theme you develop.
In this article we saw what the VIP Scanner plugin is and how to use it to better harden our sites. This is a nice plugin that can help you, not only with existing WordPress sites, but also when you're developing your own themes. Using this plugin you can speed up the development of your themes, knowing you're building them with peace of mind. This is a kind of unit testing for WordPress themes, so you'll know for sure that things are working the right way. Security comes from good practices, and that will help you grow as a developer.
What do you think about this plugin? Would you consider using it in your workflow? What other plugins are you using when creating themes to improve quality?