Protecting against malicious code in WordPress plugin updates

The security of plugin updates via .org really falls on the shoulders of WordPress to provide a secure repository and method for plugin authors to safeguard assets.

Since 2011 they have improved the system for notification on plugin changes, so plugin authors are notified when their code is altered, this is a good change though it can be argued that additional steps should be implemented.

In order to compromise a .org plugin you would have to compromise the plugin authors computer and password or perform a MITM attack.

On your end you don’t have that many options.

1.. You can manually check the differences committed to the plugin update by browsing the code on trac. Click on “Developers” , browse to Trac and then click “”View changes” by selecting 2 commits.

enter image description here

For example on trac comparing 2 commits of the Jetpack plugin.

The downside is that you have to know how to read code.

2.. You can try a malware scanning pluging, this will not be very effective since anyone with commit access would not be dumb enough to commit code that would be easily detected.

I run wpsecure.net and try to keep it up to date, but it pulls info from various security bulletins, namely secunia.com , osvdb.org and exploit-db.com.

Related Posts:

  1. What security concerns should I have when setting FS_METHOD to “direct” in wp-config?
  2. I found this in a plugin. What does it do? is it dangerous?
  3. Disabled plugins are they security holes – rumor or reality?
  4. What could a hacker do with my wp-config.php
  5. How Can I Securely Implement a Password-less Login Feature?
  6. Security and .htaccess
  7. Why “Contact Form 7” doesn’t update PHPmailer library?
  8. Are there procedures to prevent malicious plugin updates?
  9. Should we use plugins that aren’t available from the official WordPress site?
  10. How to check plugins for malicious code?
  11. How to properly secure my WordPress installation?
  12. Why allow overriding crucial pluggable functions wp_verify_nonce and wp_create_nonce?
  13. Where should my plugin POST to?
  14. Security error WP 4.0 + WP phpBB Bridge [closed]
  15. Should I install plugins to my WordPress installation from web sites having in URL “nulled” or, “null”?
  16. Disabled plugins are security holes – rumor or reality?
  17. Should I use RIPS tool to test my themes and plugins?
  18. Prevent Brute Force Attack
  19. How many security plugins are too many? [closed]
  20. Will WordPress username displayed somewhere in the site?
  21. Upgrading WordPress 4.0 asks for FTP password
  22. How Restrict access to admin dashboard by specific static ip?
  23. When is it useful to use wp_verify_nonce
  24. How to expire all wordpress user passwords instantly?
  25. How to limit WordPress pages during updates?
  26. rms_unique_wp_mu_pl_fl_nm.php
  27. Weird problems after recovery from security breach
  28. How can we deal with unmaintained plugins with vulnerabilities?
  29. Security issues with WP sites
  30. Security checking in meta_box save is reluctant?
  31. Escape when echoed
  32. Should you escape hardcoded URLs?
  33. Preventing BFA in WordPress without using a plugin
  34. How can I make uploaded images in the editor load with HTTPS?
  35. How to stop xmlrpc attacks without disabling component to allow JetPack to work in WordPress?
  36. WordPress filter that hook after each action/filter hook
  37. How to delete Passwrd Protected posts cookies when a user logged out from the site
  38. The safest way to automate WordPress backups
  39. wp_create_nonce function doesn’t work inside a plugin?
  40. Does WordPress validate inputs to all functions? (such as get_user_meta and insert_user_meta)
  41. Headers Content-Security-Policy CSP Major Issue
  42. How to block plugin activations with no known user or coming from unknown IP address range?
  43. Nonce failing on form submission
  44. Check for security updates
  45. Standard Fail2Ban vs. WP Fail2ban vs. WP Fail2Ban Redux
  46. Why can’t I access my Intranet LDAPS with NADI?
  47. Malicious File Upload [closed]
  48. Stop Plugin Enumeration [closed]
  49. Hack-Proof OR Security in WordPress — is it real?
  50. I should enable automatic updates?
  51. Can some vulnerabilities in plugins be exploited even when the plugin is inactive?
  52. Security and Must Use Plugins
  53. Is Timthumb still broken? What security measures should be taken?
  54. Prevent direct access to WordPress plugin assets?
  55. Is it safe to use admin-ajax.php in the frontend?
  56. How to protect WordPress from security scanner [closed]
  57. Specific way to allow WordPress users to view their current password? And edit it?
  58. Too many login attempts
  59. Is there any pre-existing plugin to track and block IPs with suspicious activity on my site?
  60. How to prevent plugins from sniffing/stealing other plugins’ options?
  61. Custom API plugin to execute 3rd party API to retrieve data
  62. How to deal with Slow HTTP POST (slowloris) vulnerability
  63. Running multiple security plugins
  64. how do I secure my WP website from hackers? [closed]
  65. Webservice credential storage [duplicate]
  66. If I use an alternative login (e.g. CAS or other SSO) plugin, is my site protected from the recent brute force login attempts?
  67. Is this plugin safe to run?
  68. Is the Block Bad Queries Plugin Still Relevant?
  69. WP Insert Post If user refreshes override new post
  70. 404 errors when updating options in admin dashboard
  71. Website Captcha Error: The reCAPTCHA wasn’t entered correctly
  72. Hide plugins and theme from public
  73. WordPress search shows protected content
  74. Security of a WordPress Plugin
  75. Can I disable xml-rpc by setting it to false?
  76. Help to Create a Simple Plugin to make a post
  77. Content-Security-Policy implementation with WordPress W3Total Cache plugin installed
  78. prevent anonymous access to WordPress site (non-admin site)
  79. Bing/msn bots is heavily requesting random of my website
  80. “Fire Secure” menu item
  81. Securing a plugin pop-up window
  82. https rewrite not working for All in one security Brute force > rename login url
  83. Redux framework somehow added to my site, can’t locate in plugins
  84. wp_verify_nonce fails always
  85. How can i see/log all requests coming from a registration form (not from the UI)?
  86. Write mysql credentials in plugin
  87. Site is continuously accessing by several IPs
  88. Validating values using Settings API?
  89. using .htaccess only for wordpress security no plugins
  90. SWF in wordpress post
  91. Problem with permissions in wp-content/plugins
  92. My WP site and password was hacked, what to do? [closed]
  93. How to resolve these findings from security audit
  94. How I can hide my wp folders from Inspect Element (Developer Tools)
  95. How to Find WordPress site has backdoor login Codes
  96. How to delete Password Protected posts cookies when a user logged out from the site
  97. How to rename files during upload to a random string?
  98. Stop the user if login from the cookies
  99. WordPress User Registration/ Sign Up -> Able to take Paid Certification Courses & keep track of Completed Certificates
  100. Block Root REST API Route using custom &/or iThemes