I have a client who has a WordPress site that uses a custom plugin written for them by another developer. Recently, they ran the WordPress updater and one of the updates clobbered that custom plugin and replaced it with a plugin from the Plugin Repository that happened to have the same name.

I’m trying to figure out exactly what needs to change in order to avoid this from happening again in the future. The plugin in question didn’t have any particularly unique identifier in the directory/main file names; imagine it’s like this:


So if there’s already a “Foo” plugin in the repository, it’s understandable why WP would confuse the two.

My understanding in the past had been that the way to avoid this was by putting a unique identifier in those names, like:


Adding the “client-” bit, I thought, was the way to reduce the odds of a collision by making the plugin specific to the one WordPress site that was running it.

However, even after renaming the files, I found the updater was still confusing the plugin with the “foo” plugin in the repository.

Next I tried changing the “Name” field in the plugin metadata header, from

Plugin Name: Foo


Plugin Name: Foo (Client)

And this seemed to remove the collision; the updater no longer flagged it as matching the public plugin.

So now I’m confused. Is it really the case that the only thing the updater checks to avoid collisions is the Plugin Name metadata field? That seems really brittle compared to the way I had thought it was doing it (comparing filenames), at least to me.

Anyway, I’ve been unable to find a definitive word on what information the updater uses to make this check, and while I did find this previously asked question the answer thread doesn’t ever come out and say “this is how it works.” So I thought I’d ask.

2 Answers

The way WordPress uses to find a plugin in repository is not public AFAIK.

As per Otto answer in question you linked it involves plugin url header alongside plugin name.

BTW, remove the plugin from the list of plugin to update is the best way to ensure this problem is not going to happen again: once the matching method is not public you can’t know if it is going to change in future.

Leave a Reply

Your email address will not be published. Required fields are marked *