Pluggable Unplugged

Pluggable Unplugged

partially transparent lock overlayed a world map with 1s and 0s
CC0 source:

Pluggable Unplugged is a WordPress plugin I am working on that fixes several issues with a default WordPress install.

It requires PHP 7.1 or newer with the libsodium PECL extension. That extension is generally already built with PHP 7.2 and newer, but it has to be installed separately for PHP 7.1 and for PHP 7.2 that specifically disabled it at build time.

If you are familiar with WordPress code, you probably recognize the inspiration for the name. Many WordPress functions are defined in a file called pluggable.php within the wp-includes directory.

The plugin is still in development but is mostly finished. Primarily it is waiting for me to complete my Groovytar alternative to Gravatar.

The github for the plugin:

If you are familiar with the command-line, you can play with it now:

git clone
mv PluggableUnplugged /path/to/your/wordpress/wp-content/plugins/awm-pluggable-unplugged

I do hope to have it added to the WordPress collection of plugins that can be installed through the browser once it is fully ready, but it would be premature to do so now. It fixes several things:

Better Hash, Nonce, and Salt Generation

WordPress does not seem to know the definition of the word Nonce. It literally means “Number used only Once”.

In the context of CSRF tokens which is what WordPress used them for, they should not have anything predictable about them and should be at least 128 bits (16 bytes) long.

WordPress not only generates them in a fairly predictable way, but the design of WordPress literally depends upon them being predictable. This really pains me because it is so easy to do it the right way.

They are then reused for twelve hours and remain valid for another twelve hours after they are no longer used.

This plugin does not completely fix the issue, it can’t, that would require patching WordPress itself. It does however improve what can be improved in the use of CSRF nonces in WordPress.

For salts, WordPress uses their password generator function which is rather odd. A salt just needs to have a lot of entropy so that it can not predicted. Reading random bytes from a pRNG and then encoding the raw data in base64 makes a perfectly good salt that does not depend upon the integrity of a password generator that other plugins can replace. It puzzles me as to why they do it the way they do.

With respect to hashing, WordPress uses the deprecated outdated md5 right and left. This plugin fixes at least some of that, using the better hashing methods available from libsodium.

Gravatar Replacement

Gravatar is a nice concept, but it has two major flaws with its implementation, plus some minor flaws.

The minor flaw is that generated avatars are served as PNG images. PNG is a bitmap image format and does not scale very well. SVG is vector and therefore better for generated avatars that may need to display on a wide range of devices with a wide range of pixel density resolution.

The major flaws, first it exposes an unsalted md5 hash of the user’s e-mail address. You can literally scan the web for WordPress (and other) blogs where a person has commented just by using the hash of their e-mail address. This is done by government agencies, this is done by identity thieves and con artists looking for more information about their targets, this is done by anyone who wants to because it is so easy to do.

The second major flaw, the server that serves the avatars uses tracking cookies. Automattic (the company that owns Gravatar) has a lot of tracking tools built in various plugins they pretend to generously give away for free. They really just like tracking people. Commercialized stalking of the masses is big business. Creepy and very dirty, but big.

This plugin salts the hashes used for avatar using salts unique to the blog to solve the first major issue. The minor issue and the second major issue are being solved by using an alternative to for the avatar images. They are served as SVG files so they scale extremely well, and more importantly, tracking cookies are never used.

The github project for the replacement is here:

That is for the avatar server, the WordPress code is done.

Argon 2id Password Hashing

After installing the plugin, there is an option to switch to Argon2id password hashing. This is not enabled by default. The Argon2 password hashing suites are the best way to do password hashing out there. WordPress like to keep their tech behind the times to keep compatibility with older versions of PHP but from a security point of view, that’s just plain stupid.

PHP 7.2 ships with libsodium standard and libsodium is available as a PECL extension for earlier versions of PHP. Libsodium provides support for Argon2id, so since this plugin requires libsodium anyway, the Argon2id password hashing algorithm is available and therefore it made sense to give people who do install this plugin the ability to switch to it now.

Leave a Reply

Your email address will not be published. Required fields are marked *

Anonymity protected with AWM Pluggable Unplugged