Are there procedures to prevent malicious plugin updates?

TLDR: No. It’s all about trust.

So there are some very basic checks on wp.org but generally this can happen (and probably also does happen from time to time). Of course if something like this happens and people notice it wp.org can block updates or replace them with something safe.

Also have a look at the WordPress.org Theme and Plugin Repositories section.

What you can do is not really any different than what you’d do whenever you install software, things like:

  • look at the source code
  • research on the plugin and/or the developer to decide if they deserve your trust
  • talk to other people about the plugin
  • do not randomly install plugins you come along
  • hire someone to do audits

Related Posts:

  1. What Are Security Best Practices for WordPress Plugins and Themes? [closed]
  2. Are WordPress Plugins essential?
  3. what is the correct way to update a plugin via tortoise svn to the repository?
  4. What are the common security flaws I need to look for? [closed]
  5. How Can I Securely Implement a Password-less Login Feature?
  6. Security and .htaccess
  7. Why “Contact Form 7” doesn’t update PHPmailer library?
  8. How do you allow plugins to be updated using the GUI without breaking your subversion repository?
  9. Secure WordPress paid plugin
  10. How to make media upload private? [duplicate]
  11. Does WordPress contain “default” anti-SQL injection code that responds with a 404 error?
  12. What does a security risk in a plugin look like?
  13. Sync my svn repositories
  14. WordPress Capabilities: edit_user vs edit_users
  15. Should we use plugins that aren’t available from the official WordPress site?
  16. How to check plugins for malicious code?
  17. How to properly secure my WordPress installation?
  18. Updating a WordPress plugins breaks SVN
  19. Why allow overriding crucial pluggable functions wp_verify_nonce and wp_create_nonce?
  20. Where should my plugin POST to?
  21. Security error WP 4.0 + WP phpBB Bridge [closed]
  22. Why am I sometimes getting a 404 error when I try to update a page with Elementor?
  23. Prevent Brute Force Attack
  24. Why users disable the WordPress update?
  25. Will WordPress username displayed somewhere in the site?
  26. How to handle the Plugin Version on Update using Tortoise SVN and the worpdress.org Plugin Repository?
  27. Is revealing just the AUTH_KEY a security issue?
  28. Questions about brute force attacks on the admin username, coming from amazon IP addresses
  29. Why Better WP security plugin returns 418 I’m a Teapot “error”?
  30. How to expire all wordpress user passwords instantly?
  31. Weird problems after recovery from security breach
  32. Security checking in meta_box save is reluctant?
  33. Should you escape hardcoded URLs?
  34. Preventing BFA in WordPress without using a plugin
  35. How to update WordPress plugins to latest using SVN
  36. How to stop xmlrpc attacks without disabling component to allow JetPack to work in WordPress?
  37. How To Clean The Malware Infected & Hacked WordPress Websites? [duplicate]
  38. WordPress filter that hook after each action/filter hook
  39. How to delete Passwrd Protected posts cookies when a user logged out from the site
  40. Recreating a local repository from a currently existing wordpress.org repo..which I own
  41. How to update plugins with database updates if I use svn
  42. Upgraded to latest version – 3.0.3 and Now I get a “sufficient permissions to access this page” error
  43. Headers Content-Security-Policy CSP Major Issue
  44. How to block plugin activations with no known user or coming from unknown IP address range?
  45. Check for security updates
  46. Standard Fail2Ban vs. WP Fail2ban vs. WP Fail2Ban Redux
  47. Using SVN to upload plugin created with gutenberg blocks
  48. Malicious File Upload [closed]
  49. Git Hosting for WordPress SVN Plugin Repository [closed]
  50. Stop Plugin Enumeration [closed]
  51. Malware installation during plugin update?
  52. Change plugin name on WordPress repo
  53. Hack-Proof OR Security in WordPress — is it real?
  54. I should enable automatic updates?
  55. Security and Must Use Plugins
  56. Is Timthumb still broken? What security measures should be taken?
  57. Is it safe to use admin-ajax.php in the frontend?
  58. How to protect WordPress from security scanner [closed]
  59. Specific way to allow WordPress users to view their current password? And edit it?
  60. How to prevent plugins from sniffing/stealing other plugins’ options?
  61. Website show Google Ads when we have no Google Ads linked to our website
  62. Vulnerability Concern From the Plugin or From Not Updating the Plugin?
  63. WordPress SVN UTF-8 issue
  64. Chrome Dev Tools console says every page in my blog has link to http://maps.google.com [closed]
  65. Regarding plugin security
  66. How do I determine if the user who registered is not spam?
  67. If I use an alternative login (e.g. CAS or other SSO) plugin, is my site protected from the recent brute force login attempts?
  68. WP Insert Post If user refreshes override new post
  69. 404 errors when updating options in admin dashboard
  70. Website Captcha Error: The reCAPTCHA wasn’t entered correctly
  71. Is it possible/advisable to set last stable version to previous version?
  72. WordPress search shows protected content
  73. Can I disable xml-rpc by setting it to false?
  74. How can I disable new plugin and theme install, but allow updates?
  75. Help to Create a Simple Plugin to make a post
  76. Validating ajax search
  77. Content-Security-Policy implementation with WordPress W3Total Cache plugin installed
  78. WordPress disable direct access of files in WordPress installation path
  79. Asking help regarding potential malware
  80. “Fire Secure” menu item
  81. https rewrite not working for All in one security Brute force > rename login url
  82. Tortoise SVN showing ‘Access to ‘/!svn/me” forbidden error.
  83. Redux framework somehow added to my site, can’t locate in plugins
  84. Being hacked. Is there a list of WordPress security holes I can check against?
  85. wp_verify_nonce fails always
  86. Validating values using Settings API?
  87. Unwanted Links and Spam WordPress Pages and Posts
  88. Add plugin by SVN. Current version problem
  89. Problem with permissions in wp-content/plugins
  90. File permissions for wp-minify plugin
  91. What is the recommended way to be notified of security updates to my plugins? [closed]
  92. My WP site and password was hacked, what to do? [closed]
  93. How to resolve these findings from security audit
  94. How I can hide my wp folders from Inspect Element (Developer Tools)
  95. How to Find WordPress site has backdoor login Codes
  96. How to rename files during upload to a random string?
  97. Stop the user if login from the cookies
  98. Is it a good idea to restrict the REST API
  99. WordPress.Security.NonceVerification.Recommended
  100. Secure way to add JS Script to WordPress filesystem

Leave a Comment