My college wants to implement a research repository using Tainacan. However, we are concerned about its security measures.

  1. How secure is Tainacan as a repository for research? Are there any limitations in terms of using this plug in?

  2. Is the database protected from SQL injection and other common attacks (many monitoring sites have reported that SQL injections are common within the plugin)?

  3. What security plugins or measures should we use against those attacks (like Jetpack maybe?), or are hosting providers like Hostinger just fine?

Thank you so much!

Hello djafinidad,

Thank you for your questions — they are very important when evaluating any platform for use in research or institutional contexts.

Security Compliance of Tainacan

Tainacan is developed as a plugin for the WordPress ecosystem and fully adheres to the security guidelines and coding standards established by the WordPress Foundation. The development team follows best practices recommended in the WordPress Plugin Handbook and performs continuous code reviews to ensure that all inputs are sanitized, escaped, and validated appropriately, protecting the database from SQL injection and other common web vulnerabilities.

Protection Against SQL Injection

Tainacan is built using WordPress’ native database access methods, including $wpdb->prepare() and other secure query mechanisms. These prevent SQL injection by safely preparing database queries with parameter binding. The plugin does not execute raw SQL from user input without sanitization. Additionally, Tainacan uses WordPress’ nonces, capability checks, and role-based access controls to guard against unauthorized actions and form submission attacks.

While you mentioned reports from some monitoring sites, we encourage users to verify whether those findings refer to current versions, as the Tainacan core team is highly responsive to any reported issues and deploys patches rapidly. The plugin has undergone external security evaluations during public tenders and implementations in governmental institutions in Brazil.

Additional Security Measures

For an added layer of security, we do recommend pairing Tainacan with well-established WordPress security tools such as:

  • Jetpack (for downtime monitoring, brute force protection, and backups)
  • Wordfence Security (for firewall and malware scanning)

Limitations and Recommendations

As with any plugin-based infrastructure, the security of your repository also depends on:

  1. Keeping WordPress core, plugins, and themes updated;
  2. Using strong administrator credentials and 2FA;
  3. Limiting access to administrative functions via roles and permissions;
  4. Periodically auditing the server environment and access logs.

Tainacan is in active development, open source, and transparent. You can inspect the source code on GitHub and contribute to security reviews or open issues directly with the team.

Best regards,

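To make the reply's point about $wpdb->prepare(), nonces and capability checks concrete, here is an added PHP example that is not Tainacan's own code. It shows a hypothetical admin-ajax title search in two forms: the unsafe one that concatenates user input into SQL, and the hardened one that binds the value through $wpdb->prepare() and gates the request with a nonce and a capability check. The hook name example_search, the function names, the 'post' post type and the 'edit_posts' capability are all assumptions made for the example; the WordPress functions used ($wpdb->prepare, $wpdb->esc_like, check_ajax_referer, current_user_can, sanitize_text_field, wp_send_json_*) are real core APIs.

```php
<?php
// Added example, not part of Tainacan. Hook/function names and the post type
// used below are assumptions chosen for illustration.

define( 'EXAMPLE_POST_TYPE', 'post' ); // assumed; a real plugin would use its own type

// UNSAFE FORM: the search term is concatenated straight into the statement,
// so the query text itself depends on what the user sent. Shown only for contrast.
function example_search_titles_unsafe( $term ) {
    global $wpdb;
    $sql = "SELECT ID, post_title FROM {$wpdb->posts} WHERE post_title LIKE '%" . $term . "%'";
    return $wpdb->get_results( $sql ); // never ship this
}

// HARDENED FORM: the value is bound with a %s placeholder via $wpdb->prepare(),
// LIKE wildcards in the user input are escaped, and the row limit is an integer.
function example_search_titles_safe( $term, $limit = 20 ) {
    global $wpdb;
    $like = '%' . $wpdb->esc_like( $term ) . '%';
    $sql  = $wpdb->prepare(
        "SELECT ID, post_title FROM {$wpdb->posts}
         WHERE post_type = %s AND post_status = %s AND post_title LIKE %s
         ORDER BY post_title ASC LIMIT %d",
        EXAMPLE_POST_TYPE,
        'publish',
        $like,
        absint( $limit )
    );
    return $wpdb->get_results( $sql );
}

// AJAX endpoint: admin-ajax.php?action=example_search (hypothetical action name).
function example_ajax_search_handler() {
    // 1. Nonce check: the request must carry a nonce minted for 'example_search'
    //    (e.g. via wp_create_nonce( 'example_search' ) on the page that posts here).
    //    check_ajax_referer() ends the request with -1 / HTTP 403 on failure.
    check_ajax_referer( 'example_search', 'nonce' );

    // 2. Capability check: role-based gate on who may run the query.
    //    'edit_posts' is an assumed capability for this example.
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    // 3. Input sanitisation: unslash what WordPress slashed, strip tags/control chars.
    $term = isset( $_POST['term'] ) ? sanitize_text_field( wp_unslash( $_POST['term'] ) ) : '';
    if ( '' === $term ) {
        wp_send_json_error( array( 'message' => 'missing search term' ), 400 );
    }

    // 4. Prepared query.
    $rows = example_search_titles_safe( $term );

    // 5. Output escaping: titles are rendered on the client, so escape on the way out.
    $out = array();
    foreach ( $rows as $row ) {
        $out[] = array(
            'id'    => (int) $row->ID,
            'title' => esc_html( $row->post_title ),
        );
    }
    wp_send_json_success( $out );
}
add_action( 'wp_ajax_example_search', 'example_ajax_search_handler' );
```

The three layers in the handler (nonce, capability, prepared statement) correspond one to one with the mechanisms the reply names; removing any one of them leaves a gap that the other two do not cover, which is why a code review of a plugin checks for all three on every endpoint that touches the database.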

I would also complement that we registered Tainacan in the Patchstack program, which means our code is sometimes inspected by “security hackers” who are looking for possible exploits. There were moments where they identified flaws and notified us, leading to security releases.

The WordPress.org repository teams also do some tests from time to time, to alert us if they find some weakness. It is a large and complex codebase, which includes several features that allow users to input data, which makes everything more risky. But we’re always taking care of solving any issue found.

That said, it is extremely important to secure your WordPress. We’re entirely built upon it and thus we gain its power and flaws. It is not just about installing plugins. I recommend reading content and preferably finding a professional to take care of configuring security rules at both server and application levels. Good practices (such as good passwords, less administrator access) are also something you learn and nurture inside your team.

Thank you so much!