Security implications of WordPress repository access restrictions and plugin closures

Published 18 October 2024
Updated 21 October 2024

Over the past couple of weeks, we’ve noticed an increasing number of plugins not receiving updates through WordPress.org. Some developers have been banned and others cannot log in to their WordPress.org accounts because of the new login requirement, a checkbox reading “I am not affiliated with WP Engine in any way, financially or otherwise.” It seems to be unclear to people whether this also applies to all WP Engine customers. The HTML class name of the checkbox is login-lawsuit, which understandably makes people afraid of the possible consequences.

This has unfortunately caused a ripple effect in the ecosystem, which has resulted in some developers taking preventive measures and switching over to their own update servers. This means that these plugins on the WordPress.org repository are becoming abandoned and possibly closed. This will lead to users not receiving updates anymore – at least not in the way they are used to.

WordPress core does not show plugin closures

Something that we have been talking about for years now is the fact that WordPress core (under wp-admin) does not provide a proper indicator of whether an installed plugin or theme has been abandoned, removed from the repository or closed due to security issues. I (Oliver) even talked about this issue at WordCamp Europe 2022 when I gave the State of WordPress security talk (from 9:49 in the recording).

While this has mostly been a problem with low install count plugins in the past, we are now facing an issue where this is happening to popular plugins with thousands of active installations. Currently, WordPress core shows a closed plugin exactly like an up-to-date plugin, since no new update is available for it.

There is also no information about the plugin’s closure in the Site Health screen.

Right now, the simplest way to learn about a closure is to click through the plugins one by one and read the status on each plugin’s WordPress.org page – far from ideal if you have many plugins or websites to manage.
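Clicking through each plugin page can be automated against the same data the page shows. The following script is an added example written for this post and is not Patchstack or WordPress code; it assumes the WordPress.org plugin information API at https://api.wordpress.org/plugins/info/1.2/ and that a closed plugin is answered with an object whose "error" field is "closed" (with closed_date and reason fields), while any other error string means the slug is not served from WordPress.org at all. The sample responses embedded below are constructed for offline use, not real API output.

```python
"""Audit installed WordPress plugins for closure on WordPress.org.

Added example (not from the original post). Assumes the plugin-info API
endpoint and response shape described in the lead-in; sample payloads
below are constructed.
"""
import json
import urllib.parse
import urllib.request
from typing import Callable, Dict

API = "https://api.wordpress.org/plugins/info/1.2/"  # assumed endpoint


def fetch_plugin_info(slug: str) -> dict:
    """Query WordPress.org for one plugin slug (real network call)."""
    query = urllib.parse.urlencode(
        {"action": "plugin_information", "request[slug]": slug}
    )
    with urllib.request.urlopen(f"{API}?{query}", timeout=10) as resp:
        return json.loads(resp.read().decode("utf-8"))


def classify(payload: dict) -> dict:
    """Map one API response to a status a site operator can act on.

    open:    still served by WordPress.org; 'version' is the latest there
    closed:  removed from the repository, no further updates via wp.org
    unknown: slug not on wp.org at all (premium plugin, custom slug, ...)
    """
    err = payload.get("error")
    if err is None:
        return {"status": "open", "version": payload.get("version")}
    if err == "closed":  # assumed shape of a closure response
        return {
            "status": "closed",
            "closed_date": payload.get("closed_date"),
            "reason": payload.get("reason"),
        }
    return {"status": "unknown", "detail": err}


def audit(installed: Dict[str, str],
          fetch: Callable[[str], dict] = fetch_plugin_info) -> Dict[str, dict]:
    """installed maps plugin slug -> locally installed version string.

    A plugin that is 'open' but whose wp.org version differs from the
    local one is flagged so it stands out next to closed entries.
    """
    report: Dict[str, dict] = {}
    for slug, local_version in installed.items():
        try:
            info = classify(fetch(slug))
        except Exception as exc:  # network/parse failure: report, don't abort
            info = {"status": "error", "detail": str(exc)}
        remote = info.get("version")
        if info["status"] == "open" and remote and remote != local_version:
            info["update_available"] = True
        report[slug] = info
    return report


# Constructed sample responses (NOT real API output) so the audit runs offline.
SAMPLE_RESPONSES = {
    "example-open": {"name": "Example Open", "slug": "example-open",
                     "version": "2.1.0"},
    "example-closed": {"error": "closed", "name": "Example Closed",
                       "slug": "example-closed", "closed_date": "2024-10-15",
                       "reason": "author-request"},
    "example-premium": {"error": "Plugin not found."},
}


def sample_fetch(slug: str) -> dict:
    """Offline stand-in for fetch_plugin_info using the constructed samples."""
    return SAMPLE_RESPONSES[slug]


if __name__ == "__main__":
    # Replace the dict with the slugs/versions from your own site (e.g. from
    # `wp plugin list --format=json`) and drop `fetch=` to query wp.org live.
    result = audit({"example-open": "2.0.0", "example-closed": "1.4.2",
                    "example-premium": "5.0"}, fetch=sample_fetch)
    for plugin_slug, status in result.items():
        print(f"{plugin_slug}: {status}")
```

Two caveats when reading the report. An "open" result only says that WordPress.org still serves something under that slug, not that it is the original author’s code (the ACF case below, where updating delivers the SCF fork, looks "open" to this check). And a slug that resolves to "unknown" may be a premium or self-hosted plugin that was never on WordPress.org, which is fine, or one that was removed entirely, so those entries still deserve a manual look.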

We highly recommend that everyone monitor the communication channels of the plugins and themes they use, so that information about potential closures and security issues reaches you early on. You can also set up a free Patchstack account to receive alerts for new vulnerabilities in plugins, which often also helps to detect which plugins have become abandoned.

No easy way to switch update servers

Since WordPress.org policy forbids uploading plugins or code to the WordPress.org repository that have a built-in capability to receive updates from any server other than WordPress.org itself, switching to a version of a plugin that uses a new update server is manual work that users have to do themselves.

Serving updates or otherwise installing plugins, themes, or add-ons from servers other than WordPress.org’s

8.1 – https://developer.wordpress.org/plugins/wordpress-org/detailed-plugin-guidelines/

Users who wish to receive updates for plugins which have switched update servers to their own must download and install the new plugin manually from the website of the vendor.

Security implications and risk of missing security updates

Users who fail to manually install plugins removed from the WordPress.org repository risk not receiving new updates, which can include important security fixes. This can leave websites exposed to attackers, who commonly exploit known vulnerabilities and may take advantage of such situations.

A recent example of a switch to custom update servers is the Paid Memberships Pro plugin, which will no longer receive updates through WordPress.org. This developer maintains 33 plugins on WordPress.org and has revealed plans to make this change across all of them.

We will now be serving downloads and updates of our core plugin ourselves. We plan to follow suit for all of our plugins that are hosted at wordpress.org, excepting a few that are co-maintained with other folks there.

https://www.paidmembershipspro.com/pmpro-update-3-3/

List of some plugins that have switched away from WordPress.org or who cannot release updates through WordPress.org:

  • Pods (100K+ active installs) – Developer banned from WordPress.org. Update 18.10: Resolved; the developer was able to move ownership to a second (not banned) contributor.
  • Powder – Developer decided to remove their themes Powder and Powder Zero from WordPress.org
  • ACF (2M+ active installs. Owned by WP Engine) – Developer banned. WordPress.org forked the plugin into SCF and took over their WordPress.org repository page. Updating ACF results in getting the fork (SCF) installed instead.
  • NitroPack (100K+ active installs. Owned by WP Engine) – Developer banned. Users need to manually update to a version with the new update server to receive future updates.
  • Gravity PDF (50K+ active installs) – Developer decided to switch to their own update servers. Users need to manually update to a version with the new update server to receive future updates.
  • Paid Memberships Pro (90K+ active installs) – Developer decided to switch to their own update servers. Users need to manually update to a version with the new update server to receive future updates.

We will keep this list updated. If you are aware of another plugin whose developer has been banned, can’t access WordPress.org or has decided to move away from the WordPress.org update servers – please let us know. This is important information that needs to reach as many users as possible.

TLDR?

Some plugins which you have installed may not receive future updates via WordPress.org anymore. These updates may include important security fixes. Our recommendation is to closely monitor the communication channels of the plugins and themes your websites have installed and when needed, make sure to follow the instructions given by the developers to keep receiving future updates.
