Are there procedures to prevent malicious plugin updates?

TLDR: No. It’s all about trust.

So there are some very basic checks on wp.org but generally this can happen (and probably also does happen from time to time). Of course if something like this happens and people notice it wp.org can block updates or replace them with something safe.

Also have a look at the WordPress.org Theme and Plugin Repositories section.

What you can do is not really any different than what you’d do whenever you install software, things like:

  • look at the source code
  • research on the plugin and/or the developer to decide if they deserve your trust
  • talk to other people about the plugin
  • do not randomly install plugins you come along
  • hire someone to do audits

Related Posts:

  1. What security concerns should I have when setting FS_METHOD to “direct” in wp-config?
  2. What Are Security Best Practices for WordPress Plugins and Themes? [closed]
  3. Are WordPress Plugins essential?
  4. what is the correct way to update a plugin via tortoise svn to the repository?
  5. I found this in a plugin. What does it do? is it dangerous?
  6. What are the common security flaws I need to look for? [closed]
  7. Disabled plugins are they security holes – rumor or reality?
  8. What could a hacker do with my wp-config.php
  9. How Can I Securely Implement a Password-less Login Feature?
  10. Security and .htaccess
  11. Why “Contact Form 7” doesn’t update PHPmailer library?
  12. How do you allow plugins to be updated using the GUI without breaking your subversion repository?
  13. Secure WordPress paid plugin
  14. How to make media upload private? [duplicate]
  15. Does WordPress contain “default” anti-SQL injection code that responds with a 404 error?
  16. What does a security risk in a plugin look like?
  17. Sync my svn repositories
  18. WordPress Capabilities: edit_user vs edit_users
  19. Should we use plugins that aren’t available from the official WordPress site?
  20. How to check plugins for malicious code?
  21. How to properly secure my WordPress installation?
  22. Updating a WordPress plugins breaks SVN
  23. Why allow overriding crucial pluggable functions wp_verify_nonce and wp_create_nonce?
  24. Where should my plugin POST to?
  25. Security error WP 4.0 + WP phpBB Bridge [closed]
  26. Should I install plugins to my WordPress installation from web sites having in URL “nulled” or, “null”?
  27. Disabled plugins are security holes – rumor or reality?
  28. Why am I sometimes getting a 404 error when I try to update a page with Elementor?
  29. Should I use RIPS tool to test my themes and plugins?
  30. Prevent Brute Force Attack
  31. Why users disable the WordPress update?
  32. How many security plugins are too many? [closed]
  33. Will WordPress username displayed somewhere in the site?
  34. Upgrading WordPress 4.0 asks for FTP password
  35. How to handle the Plugin Version on Update using Tortoise SVN and the worpdress.org Plugin Repository?
  36. Is revealing just the AUTH_KEY a security issue?
  37. How Restrict access to admin dashboard by specific static ip?
  38. When is it useful to use wp_verify_nonce
  39. Protecting against malicious code in WordPress plugin updates
  40. Questions about brute force attacks on the admin username, coming from amazon IP addresses
  41. Why Better WP security plugin returns 418 I’m a Teapot “error”?
  42. How to expire all wordpress user passwords instantly?
  43. How to limit WordPress pages during updates?
  44. rms_unique_wp_mu_pl_fl_nm.php
  45. Weird problems after recovery from security breach
  46. How can we deal with unmaintained plugins with vulnerabilities?
  47. Security issues with WP sites
  48. Security checking in meta_box save is reluctant?
  49. Escape when echoed
  50. Should you escape hardcoded URLs?
  51. Preventing BFA in WordPress without using a plugin
  52. wordpress.org codebase
  53. How to update WordPress plugins to latest using SVN
  54. How can I make uploaded images in the editor load with HTTPS?
  55. How to stop xmlrpc attacks without disabling component to allow JetPack to work in WordPress?
  56. How To Clean The Malware Infected & Hacked WordPress Websites? [duplicate]
  57. WordPress filter that hook after each action/filter hook
  58. How to delete Passwrd Protected posts cookies when a user logged out from the site
  59. Recreating a local repository from a currently existing wordpress.org repo..which I own
  60. The safest way to automate WordPress backups
  61. wp_create_nonce function doesn’t work inside a plugin?
  62. How to update plugins with database updates if I use svn
  63. Does WordPress validate inputs to all functions? (such as get_user_meta and insert_user_meta)
  64. Upgraded to latest version – 3.0.3 and Now I get a “sufficient permissions to access this page” error
  65. Headers Content-Security-Policy CSP Major Issue
  66. How to block plugin activations with no known user or coming from unknown IP address range?
  67. Nonce failing on form submission
  68. Check for security updates
  69. Standard Fail2Ban vs. WP Fail2ban vs. WP Fail2Ban Redux
  70. Using SVN to upload plugin created with gutenberg blocks
  71. Why can’t I access my Intranet LDAPS with NADI?
  72. Plugin Repository commit doesn’t show up in activity
  73. Malicious File Upload [closed]
  74. Git Hosting for WordPress SVN Plugin Repository [closed]
  75. What’s the best way to go about updating WordPress plugins when using SVN and multiple environments?
  76. Stop Plugin Enumeration [closed]
  77. Malware installation during plugin update?
  78. Banner not visible after plugin publishing
  79. Change plugin name on WordPress repo
  80. Hack-Proof OR Security in WordPress — is it real?
  81. I should enable automatic updates?
  82. Can some vulnerabilities in plugins be exploited even when the plugin is inactive?
  83. Security and Must Use Plugins
  84. Is Timthumb still broken? What security measures should be taken?
  85. Prevent direct access to WordPress plugin assets?
  86. Is it safe to use admin-ajax.php in the frontend?
  87. How to resolve these findings from security audit
  88. How I can hide my wp folders from Inspect Element (Developer Tools)
  89. How to Find WordPress site has backdoor login Codes
  90. How to delete Password Protected posts cookies when a user logged out from the site
  91. How to rename files during upload to a random string?
  92. Stop the user if login from the cookies
  93. WordPress User Registration/ Sign Up -> Able to take Paid Certification Courses & keep track of Completed Certificates
  94. Block Root REST API Route using custom &/or iThemes
  95. Is it a good idea to restrict the REST API
  96. WordPress.Security.NonceVerification.Recommended
  97. Secure way to add JS Script to WordPress filesystem
  98. Bullet proofing a server with 150 WP insallations
  99. Code Snippets security when selecting “only run on front end”
  100. How to verify/test that a custom built wordpress theme is as secure as possible?

Leave a Comment

Hata!: SQLSTATE[HY000] [1045] Access denied for user 'divattrend_liink'@'localhost' (using password: YES)