Outside the Box Technology

Better WordPress plugin verification through Artificial Intelligence

Key Points

  • Implement A.I. code review
  • Train A.I. to detect and report malicious code
  • Continually update the A.I. training with current threat vectors

This blog is hosted on WordPress. I use a limited number of plugins on this site, not only because I don’t need sales portals or advanced tracking (FYI, I do use Google Analytics) but also because plugins are a huge security problem. Every week I listen to a podcast called Security Now from the TWiT network, hosted by Steve Gibson, and for a long time there was basically a new WordPress plugin issue reported every week. It has gotten so bad that the show stopped reporting all of the issues and now only covers the truly bad ones.

Automattic, the company behind WordPress, can only do so much; it can’t review and verify every plugin submitted to the repository. This is how malicious plugins make it into WordPress and hurt the over 82 million websites built on the platform. Sometimes a malicious plugin gets past the administrators on its first submission, but the more common route is to submit a clean plugin, build up an install base and pass review, and then push an update that adds the malicious code.

Harnessing A.I. to Protect Users

Since expecting administrators to check every line of code in every plugin and every update is infeasible, Automattic should instead take advantage of current technology and train an A.I. to scan all plugin submissions and updates for malicious code. If the A.I. scans the code and finds nothing the administrators have deemed malicious, the plugin or update can be approved and sent to users for download.

If, on the other hand, the A.I. finds something deemed malicious, it places a hold on the plugin or update and notifies the administrators for further review. Once the administrators have reviewed the code, they can either mark it as safe and make it available for users to download, or contact the plugin developer about the issue that needs to be resolved before it can be pushed to users.
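As an added illustration of that approve-or-hold gate (example code written for this post, not anything Automattic or WordPress.org runs), the script below reviews a plugin update against its already-approved version and holds it for the administrators only when the update introduces something new that the rules flag. The indicator patterns, the plugin sources and the reasons are all constructed stand-ins for a trained model’s verdict.

```python
import re
from typing import NamedTuple

# Constructed indicator list standing in for the trained model's verdicts; a real
# deployment would weigh many more signals than these few substrings.
INDICATORS = {
    r"\beval\s*\(": "dynamic code execution",
    r"\bbase64_decode\s*\(": "obfuscated payload",
    r"\b(system|exec|shell_exec|passthru)\s*\(": "shell command execution",
    r"\(\s*\$_(GET|POST|REQUEST)\s*\[": "request input passed straight into a call",
}

class Finding(NamedTuple):
    line: int
    text: str
    reason: str

def scan(source: str) -> list[Finding]:
    """Return one Finding per (line, rule) hit in a plugin source file."""
    findings = []
    for number, line in enumerate(source.splitlines(), start=1):
        for pattern, reason in INDICATORS.items():
            if re.search(pattern, line):
                findings.append(Finding(number, line.strip(), reason))
    return findings

def review_update(previous: str, submitted: str) -> tuple[str, list[Finding]]:
    """Gate an update: approve when nothing new is flagged, else hold for the admins.
    Only hits absent from the already-approved version are reported, which targets
    the 'submit a clean plugin, then push a malicious update' pattern."""
    known = {(f.text, f.reason) for f in scan(previous)}
    new = [f for f in scan(submitted) if (f.text, f.reason) not in known]
    return ("hold", new) if new else ("approve", [])

# Constructed sample: version 1.0 is clean, version 1.1 appends a backdoor-style line.
PLUGIN_V1 = """<?php
/* Plugin Name: Example Widget (constructed sample) */
function example_widget_render() { echo esc_html(get_option('example_title')); }
"""
PLUGIN_V2 = PLUGIN_V1 + "add_action('init', function () { eval(base64_decode(get_option('example_payload'))); });\n"

if __name__ == "__main__":
    decision, findings = review_update(PLUGIN_V1, PLUGIN_V2)
    print(decision)  # hold
    for f in findings:
        print(f"  line {f.line}: {f.reason}: {f.text}")
```

The pattern list is the part a trained model would replace; the gate itself is the point, since it never rejects on its own but holds the update for the administrators’ review, exactly as described above.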

Less work, more security

By harnessing A.I. to scan code, WordPress administrators will have less work maintaining the plugin repository and more time to develop new features for their user base. Not only will A.I. reduce the workload, it will also reduce the chance of malicious code slipping by due to human error. Let’s face it: how many times have you sent an email with a spelling error because you’ve been emailing all day in front of a computer and started to miss things? That happens with code reviews as well. You review great code all day, and the last bit of code you review for the day contains a small string that opens a backdoor on every user’s site; because you’re tired, you miss that string and approve the plugin.

This is the beauty of A.I., it doesn’t get tired.  The A.I. will inspect every line of code for every plugin with the same level of accuracy that it did when it first started 1,000 plugins ago.  A.I. can perform code reviews all day, every day.  It won’t burn out, its eyes won’t get blurry, and it will just work.

Open Source Artificial Intelligence

While open-source A.I. may not be at the same level as OpenAI’s ChatGPT, it can perform basic tasks like code review with some training. Narrow A.I., or “weak A.I.”, is already able to take on tasks like code review, and the open-source resources are freely available and ready for implementation and deployment. PyTorch is just one example of an open-source machine-learning framework that could be used to build such a code-review model. It is maintained by the Linux Foundation and licensed under the BSD-3 license, so there is no commercial restriction on its use.


WordPress, and by extension Automattic, have developed a reputation for security issues, which is a shame because WordPress is a great platform and Automattic seems to be doing great work. If they can implement A.I. to protect their user base, they can begin to rebuild their brand and deliver an even better product to their customers. I, for one, plan to stick with WordPress and hope they will take this approach and give me and the millions of other users a better sense of security.
