Protecting against malicious code in WordPress plugin updates

The security of plugin updates via .org really falls on the shoulders of WordPress to provide a secure repository and method for plugin authors to safeguard assets.

Since 2011 they have improved the system for notification on plugin changes, so plugin authors are notified when their code is altered, this is a good change though it can be argued that additional steps should be implemented.

In order to compromise a .org plugin you would have to compromise the plugin authors computer and password or perform a MITM attack.

On your end you don’t have that many options.

1.. You can manually check the differences committed to the plugin update by browsing the code on trac. Click on “Developers” , browse to Trac and then click “”View changes” by selecting 2 commits.

enter image description here

For example on trac comparing 2 commits of the Jetpack plugin.

The downside is that you have to know how to read code.

2.. You can try a malware scanning pluging, this will not be very effective since anyone with commit access would not be dumb enough to commit code that would be easily detected.

I run wpsecure.net and try to keep it up to date, but it pulls info from various security bulletins, namely secunia.com , osvdb.org and exploit-db.com.

tech