Using Cursor to create WordPress plugins: How good are the results?

If you’ve not already come across it, Cursor is an AI-powered editor that can help write code for you. Inevitably, a Reddit user recently used it to create a WordPress plugin…

I know the WordPress plugin review team has seen copious AI-generated plugins submitted to them in recent years, and they’re often easily spottable due to their low quality. Many users on Reddit identified that something similar was likely to occur here, particularly around security. The OP wasn’t having this and took the feedback badly.

Comment by u/Thaetos from discussion in WordPress

He didn’t help his case with comments such as this…

The WordPress is notorious for having inexperienced developers that don’t know a thing or two about security or don’t even bother.

The code I’ve seen Cursor generate is by far more secure and bulletproof than any plugin code I’ve seen from a junior or medior developer.

The worst thing is, those guys submit their plugins to the official directory, charge a license for it and you get hacked because there’s no mention of any security measures in their code.

So, what is the code quality like? Well, I don’t know because, despite saying they’d share the code on GitHub, they never did. I don’t use Cursor myself but found that Delicious Brains took advantage of it last month to create a simple plugin of their own. I took their Cursor-generated code and parsed it through the official Plugin Check tool. If you submit a new plugin to the official directory, your code has to pass this as the most basic initial check.

Now, bear in mind that this plugin is quite basic, with no admin screen or anything, and is certainly not as complex as the one created by the Reddit poster, which had menu options, admin screens and image manipulation. Having said all that, it failed. It had numerous warnings but, most importantly, 18 errors – all security related.

The plugin is 229 lines of code in total, which can be boiled down to 170 if you remove comments and blank lines. With 18 security errors, that’s one potential vulnerability every 9.5 lines of code.

Look, use AI to help you with code. Even use it to write entire pieces of code for you, like in these examples. But it is NOT ready for primetime – the Reddit poster was wrong about the low security quality of plugins in the directory. Literally, the plugin I looked at here would not have been accepted, and I suspect the poster’s plugin was going to be the same.

Hopefully, in the future, AI can get this right. But for now, “caveat emptor”.



Comments

One response to “Using Cursor to create WordPress plugins: How good are the results?”

  1. […] Artiss (Automattic) warns that plugins generated by Cursor (and similar tools) “aren’t ready for primetime.” Expect to work through any code […]
