WordPress tools to check your code for vulnerabilities and such

[ctrlbrk]

So as to not derail somebody else's thread...

Plugins are a whole different ball game. When you submit a plugin for publication there are a whole lists of applicable standards (including things like input sanitation). If you build your own custom plugins there are various tools you can use to check and test your code (both PHP and JS)

Looking for input as to what these tools are?

Thanks

EDIT: to clarify, not looking for WordPress security plugins (security theatre mostly), looking for tools that scan your own code and tell you what the issues are.

 

[fisicx]

Some useful tools listed here:

Source Code Analysis Tools | OWASP Foundation

Source Code Analysis Tools on the main website for The OWASP Foundation. OWASP is a nonprofit foundation that works to improve the security of software.

owasp.org

I've got a long list of checks I've built up over the years based on the security guidelines issued by wordpress:

Security – Common APIs Handbook | Developer.WordPress.org

Congratulations, your code works! But is it safe? The WordPress development team takes security seriously. With so much of the web relying…

developer.wordpress.org

The big problem is there are no rules on how a plugin is coded as every developer will have their own way of doing things but the main rule is: never trust an input. Sanitise, sanitise, sanitise.

 

[ctrlbrk]

The big problem is there are no rules on how a plugin is coded as every developer will have their own way of doing things

But surely some tools must exist that tell you that something like 'echo $output' should be escaped/sanitised/etc.

For example I was looking at SonarLint which appears to do so. But I don't get how I can install it with, say, Sublime Text.

 

[fisicx]

You need to install on a server (or emulate a server in your PC) to run the tools. This is because php is a server-side application.

Vulnerability and similar security testing is a whole complicated thing. The last plugin I uploaded had to pass around 200 tests.

 

[webhostuk]

On our server we use Imunify360 it does gives details of vulnerability, threats and also quarantines files to avoid server end major issues.
Quit good tool works great with Cpanel hosting.

 

[fisicx]

Does it test plugins for vulnerabilities? For example I had an XSS issue which only became apparent when PHP upgraded from 7 to 8.

 

[ctrlbrk]

On our server we use Imunify360 it does gives details of vulnerability, threats and also quarantines files to avoid server end major issues.
Quit good tool works great with Cpanel hosting.

Thanks - I just checked and it looks like this Imunify360 scans for the vulnerabilities much in the classic sense of the word.

What I am looking for is a tool that scans my own code, which this product does not appear to do.

When I say "my own code" I mean any .php code (for example) that I may have added (e.g. 'echo $output') and warns me that it should be escaped/sanitised/etc.

For example, @fisicx provided a good link to OWASP and in there I found a tool called Graudit, which does what I'm after. Not perfect, but it's a start.

 

[fisicx]

You often find you need to use a number of tools to check everything.

Echo is ubiquitous but esc_html helps protect. And for Wordpress use wp_nonce. Even for things on your dashboard.

 

[Securify]

WPScan will do a very good job for the surface level scanning of existing common plugins with WP, but it won't tell you much about your own code.

It reads like you want a SAST solution (something checking the code rather than dynamic testing of the running application), some options here:

GitHub - exakat/php-static-analysis-tools: A reviewed list of useful PHP static analysis tools

A reviewed list of useful PHP static analysis tools - exakat/php-static-analysis-tools

github.com

Fair warning, these are hit and miss. Paid solutions may have better results, but these can be also very, very noisy.

From what I've heard, Github Copilot is pretty good for live checking in the IDE (checking as you go), and you'd probably get reasonable success asking ChatGPT if you trust it with what you're sending over.