WordPress users have pointed out a weak point in the security of the world's most popular CMS.
Currently, there is no way to be alerted through the repository (the WordPress.org plugin directory) that a plugin you are running has been removed from it or flagged as unsafe. A site owner who does not follow security news can keep running such a plugin indefinitely, which gives attackers an easier path into a larger number of sites through insecure and unchecked plugins.
Nothing in the WordPress dashboard tells a site owner that an installed plugin has been pulled from the directory, so users of those plugins are left at risk without knowing it.
More and more WordPress users are urging the WordPress developers to turn their attention to this weakness, but a fix has been “in the works” for quite some time. It is a weak point that should be addressed.
But for now, this is a weak link in the WordPress security chain.
What can be done?
There are third-party plugins that partly fill the gap, such as “No Longer in Directory”. It is fairly simple: it scans the plugins installed on your site and compares them against a list of plugins that have been removed from the repository. It also reports plugins that were removed and have since returned.
Unfortunately, the check is not automatic: you must run it manually to detect any new problems on your site.
Other plugins will alert you when a plugin has gone unmaintained even though it has not been reported or removed. Unmaintained plugins carry a higher chance of containing an unpatched security flaw, and they can also destabilize your site if they were never tested against your current version of WordPress. So it is important to keep an eye on unmaintained plugins as well.
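The two checks described above (is an installed plugin still in the directory, and is it still maintained) can be scripted so they run from cron instead of by hand. The following is an added example, not code from the page, from WordPress or from the “No Longer in Directory” plugin. It assumes WP-CLI is installed (`wp plugin list --format=json` and `wp core version`), that the directory API at https://api.wordpress.org/plugins/info/1.2/ answers `?action=plugin_information&request[slug]=<slug>` with JSON whose `last_updated` begins with `YYYY-MM-DD` and whose `tested` is a WordPress version, that it returns `{"error": "closed", "closed": true, "reason_text": ...}` for a closed plugin and `{"error": "Plugin not found."}` for a slug it does not know, and that two years without an update counts as unmaintained. The installed-plugin list and API responses at the bottom are constructed sample data so the audit can be exercised offline.

```python
"""Audit installed WordPress plugins against the WordPress.org plugin directory.

Added example (not from WordPress or the "No Longer in Directory" plugin). The
WP-CLI commands, the directory API response shape and the two-year staleness
threshold are assumptions; the sample data at the bottom is constructed.
"""
import json
import subprocess
import sys
import urllib.parse
import urllib.request
from datetime import date
from typing import Callable, Dict, List

API = "https://api.wordpress.org/plugins/info/1.2/"
STALE_DAYS = 2 * 365  # assumed threshold: untouched for two years = unmaintained

def wp(args: List[str], path: str) -> str:
    """Run one WP-CLI command for the site at `path` and return its stdout."""
    cmd = ["wp", "--path=" + path] + args
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout

def fetch_plugin_info(slug: str) -> dict:
    """Network call to the directory API (assumed response shape, see module doc)."""
    query = urllib.parse.urlencode({"action": "plugin_information", "request[slug]": slug})
    with urllib.request.urlopen(f"{API}?{query}", timeout=15) as resp:
        return json.load(resp)

def version_tuple(v: str) -> tuple:
    """'6.4.2' -> (6, 4): only major.minor matter for 'tested up to'."""
    parts = [int(p) if p.isdigit() else 0 for p in v.split(".")[:2]]
    return tuple(parts + [0] * (2 - len(parts)))

def classify(info: dict, wp_version: str, today: date) -> List[str]:
    """Return the problems found in one API response (empty list = looks fine)."""
    if info.get("closed") or info.get("error") == "closed":
        return ["closed: " + str(info.get("reason_text") or "no reason given")]
    if "error" in info:
        # Commercial or custom plugins were never in the directory, so this is
        # informational only: check the vendor's own update channel instead.
        return ["not in directory: " + str(info["error"])]
    problems = []
    updated = (info.get("last_updated") or "")[:10]  # assumed leading YYYY-MM-DD
    try:
        age = (today - date.fromisoformat(updated)).days
        if age > STALE_DAYS:
            problems.append(f"unmaintained: last update {updated}, {age} days ago")
    except ValueError:
        problems.append("unmaintained?: last_updated missing or unparseable")
    tested = info.get("tested") or "0"
    if version_tuple(tested) < version_tuple(wp_version):
        problems.append(f"untested: declared up to WP {tested}, site runs {wp_version}")
    return problems

def audit(installed: List[dict], wp_version: str, today: date,
          fetch: Callable[[str], dict] = fetch_plugin_info) -> Dict[str, dict]:
    """Map slug -> {'status', 'problems'} for every installed plugin with a finding."""
    findings = {}
    for plugin in installed:
        slug = plugin["name"]  # WP-CLI's `name` column is the directory slug
        problems = classify(fetch(slug), wp_version, today)
        if problems:
            findings[slug] = {"status": plugin.get("status", "unknown"), "problems": problems}
    return findings

# Constructed sample data so the audit can be exercised offline.
SAMPLE_INSTALLED = [
    {"name": "akismet", "version": "5.3", "status": "active"},
    {"name": "old-gallery", "version": "1.2", "status": "active"},
    {"name": "abandoned-widget", "version": "0.9", "status": "inactive"},
    {"name": "acme-premium-forms", "version": "4.0", "status": "active"},
]
SAMPLE_RESPONSES = {
    "akismet": {"slug": "akismet", "last_updated": "2024-03-01 4:10pm GMT", "tested": "6.5"},
    "old-gallery": {"error": "closed", "slug": "old-gallery", "closed": True,
                    "reason": "guideline-violation", "reason_text": "Guideline Violation"},
    "abandoned-widget": {"slug": "abandoned-widget", "last_updated": "2019-06-15 9:00am GMT",
                         "tested": "5.2"},
    "acme-premium-forms": {"error": "Plugin not found."},
}

def sample_audit() -> Dict[str, dict]:
    """Run the audit over the constructed data with a fixed 'today' (no network)."""
    return audit(SAMPLE_INSTALLED, "6.5", date(2024, 4, 1), fetch=SAMPLE_RESPONSES.__getitem__)

def main(path: str) -> int:
    """Real run, suitable for cron: non-zero exit when anything is flagged."""
    installed = json.loads(wp(["plugin", "list", "--format=json", "--fields=name,version,status"], path))
    wp_version = wp(["core", "version"], path).strip()
    findings = audit(installed, wp_version, date.today())
    for slug, finding in sorted(findings.items()):
        for problem in finding["problems"]:
            print(f"{slug} ({finding['status']}): {problem}")
    return 1 if findings else 0

if __name__ == "__main__":
    sys.exit(main(sys.argv[1] if len(sys.argv) > 1 else "."))
```

Run it as `python audit_plugins.py /var/www/html` from a daily cron job and alert on a non-zero exit. Treat a “closed” finding on an active plugin as the urgent case; a “not in directory” result is ambiguous, since premium and custom plugins were never listed there, so that one is a prompt to check the vendor's own channel rather than a verdict.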
Why are plugins removed from the Repository?
Plugins can be removed from the repository for a variety of reasons. The most important one is that the plugin has been found to contain a security vulnerability that puts its users at risk. Other possible reasons include:
- they are found to break the GPL
- they are found to break the directory rules
- other plugins by the author are found to be a problem and all are removed pending investigation
- the author asks for it to be closed
- the author asks for it to be closed because they are re-releasing under a different name
- it is being investigated after non-specific complaints
How often should you check?
The more frequently you check for insecure plugins, the better. Hackers have been known to attack at any hour, so there is no such thing as a bad time for a safety check. Because the available tools have to be run by hand, scheduling the check (daily, for example) is the only way to make sure it actually happens.