Official WordPress Plugin Directory – Forcing Plugin Updates

For some time we have wondered what happens when a plugin is removed from the official WordPress plugin directory for security reasons. Historically, we haven’t seen much of anything happen – no notification to users, no official blog post, nothing beyond the plugin disappearing from the repository. Sometimes when it did disappear, my understanding is that updates were forced – certainly for the major vulnerabilities.

In an interesting move, it looks like some experimental changes have been made to help ensure users quickly learn there is a security problem.

Plugin Directory Message

We wrote a post this week bringing some attention to the spammy actions of a website named and their fake Advanced Search Plugin. As of this morning, when trying to access the Advanced Search plugin page in the WordPress plugin directory you get the following message:

In the message they have officially stated that the plugin was never in the repository; we stand corrected. Here is a quote from the official response:

We rejected the plugin when it was submitted to the plugin directory. However, it seems the same code was offered for download elsewhere, which has resulted in sites infected with spam.

A warning was added to the Advanced Search plugin page along with a link to a clean version of the plugin.

The notable takeaway here is that this can be done for any plugin page in the directory. It could offer a mechanism for users to be warned, and to take action, when a vulnerability is discovered.

We often talk about community efforts; I think this could be very helpful, and it’s great to see it coming from

Plugin Updates

Another process taking shape is the removal of offending plugins. Below is the process that will occur when a plugin is deemed unsafe and may cause harm to your site and its visitors:

1. Plugin Review

The plugin is reviewed and deemed unsafe: a critical vulnerability where the author is not responsive, a vulnerability that is or can be actively exploited, or an outright malicious plugin. This starts the process.

2. Notification Process

In the plugin directory, the code is blanked out, a message is added, and a new version is pushed so that WordPress dashboards are notified of an available update.

Update available:
Plugin Update Available

Plugin description:
Plugin Description

3. Plugin Updates

Upon updating, the offending plugin’s code is replaced by the blanked-out version, so it no longer runs on the WordPress installation.

WordPress Plugin Directory Message

If the original plugin is re-added to the website, the update notice will reappear and, once updated, the plugin will deactivate itself again.
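What such a “blanked out” replacement release might look like, as an added example and not the directory’s actual stub (the real replacement code is not shown on this page): a single plugin file that keeps the plugin’s name and header so it lands in place of the original, bumps the version so every site running the old code sees an update, and whose only behaviour is to deactivate itself in the admin and tell the administrator why. The plugin name, the version number and the function names are assumptions made for the illustration.

```php
<?php
/**
 * Plugin Name: Advanced Search
 * Description: This plugin was removed from the plugin directory for security reasons. Its original code has been replaced and the plugin deactivates itself.
 * Version: 9.9.9
 */

// Illustrative stub, not the directory's real replacement plugin.
// ASSUMPTION: the Version above is higher than anything the offending plugin
// ever shipped, so the update check flags every installed copy as out of date,
// including a copy that is re-uploaded later from a third-party download.

if ( ! defined( 'ABSPATH' ) ) {
    exit; // Never execute outside of a WordPress request.
}

/**
 * Deactivate this plugin as soon as an admin request runs.
 *
 * deactivate_plugins() and is_plugin_active() live in wp-admin/includes/plugin.php,
 * which is loaded only for admin requests, so hook admin_init instead of calling
 * them when the file is included. Nothing else is registered, so the front end
 * runs no code from this plugin at all.
 */
function advanced_search_stub_self_deactivate() {
    if ( ! function_exists( 'deactivate_plugins' ) ) {
        return;
    }
    $plugin = plugin_basename( __FILE__ );
    if ( is_plugin_active( $plugin ) ) {
        // Silently deactivate (no deactivation hook of the old code exists here).
        deactivate_plugins( $plugin, true );
        // admin_notices fires later in this same request, so a request-scoped
        // flag is enough; on the next request the plugin is no longer loaded.
        $GLOBALS['advanced_search_stub_deactivated'] = true;
    }
}
add_action( 'admin_init', 'advanced_search_stub_self_deactivate' );

/**
 * Explain to the administrator what just happened and what to do next.
 */
function advanced_search_stub_admin_notice() {
    if ( empty( $GLOBALS['advanced_search_stub_deactivated'] ) ) {
        return;
    }
    if ( ! current_user_can( 'activate_plugins' ) ) {
        return;
    }
    echo '<div class="notice notice-error"><p>'
        . esc_html__( 'Advanced Search was removed from the WordPress plugin directory for security reasons. The plugin has been deactivated; please delete it and review your site for unexpected content.' )
        . '</p></div>';
}
add_action( 'admin_notices', 'advanced_search_stub_admin_notice' );
```

Because the stub carries a version number higher than the original, reinstalling the original from another source does not escape the process: the next update check compares the installed version against the directory’s version, shows the update notice again, and applying it brings the self-deactivating stub back. The stub intentionally contains nothing but the header and the two hooks, so even if it is never updated or deactivated it runs no code on the public side of the site.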

In the end, it looks like WordPress is experimenting with ways to take a stronger stance on offending code that tries to infiltrate self-hosted WordPress installations. It truly is a team effort, and it’s great to see them thinking through viable options for approaching security responsibly.

What’s your take? Let us know your thoughts on the new alerting and removal process that looks to be live as of today.

About Tony Perez

Tony works at Sucuri. His passion lies in educating and bringing awareness about online threats to business owners. He spends his time giving presentations and writing content that everyday website owners can appreciate. His passions revolve around understanding the psychology of bad actors, the impacts and havoc hacks have on website owners, and thinking through the evolution of attacks. You can find his personal thoughts on security at Tony on Security and you can follow him on Twitter at @perezbox.
