Trust But Verify WordPress Plugin Updates

Several high-profile plugins have lately been found to be posting spam and deceptive links on users’ blogs.

One such is the “Display Widgets” plugin. You can read Wordfence’s detailed breakdown of the spam. It turns out the original developer of the plugin sold it, and the new owner started to place spammy backlinks and other bad code into the plugin. This gave this “developer” access to tens of thousands of blogs, and the site owners never knew it was happening.

I was checking the WordPress that runs this blog today to see if there were any plugin or system updates for me to do, as is good practice. I noticed that one, a no-follow plugin I’ve been using for a few years, had an update, and I looked at the changelog to see what was new, which is also a good thing to do instead of blindly trusting plugins.

I saw this, which set off my Spidey sense.

No offense to this new maintainer person, but seeing a plugin go to a new person, one that has no other active plugins in the WP repository, has no mention of this plugin on his blog, and whose Twitter feed is mostly links to Twitch videos makes me nervous.

Bad Feeling

It’s not clear whether this new developer volunteered to take over the plugin or bought it outright. I suspect a purchase. The previous owner/developer had a cadre of plugins and a blog focused on monetizing content.

Let me be clear. I’m not against anyone making money by selling their theme or plugin. I am also not saying that this new developer/owner of this particular plugin is going to do anything nefarious. It’s worth keeping in mind that this particular tool has over 30,000 active installs.

The reality of the web nowadays is that we need to be nervous about what we allow into our sites. We need to be careful about what we let have access to our data. I believe one of the reasons WordPress gets a bad rap when it comes to security is that the software makes it extremely easy to install themes and plugins from anywhere on the Internet, not just the WordPress repository. Many people don’t know the difference between a compromised theme and a legit one, unfortunately.

I’m going to hold off on updating this. This new version does not add any functionality, it merely reflects the new owner. I’m going to see what things are added or removed in the next version, and move forward from there. Unfortunately, this may be our new reality going forward.
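The “look before you update” habit described in this post can be partly automated. The following example is added here and is my own code, not the author’s or any WordPress tool: it diffs two versions of a plugin zip and reports, for each changed file, any lines the update introduces that contain external links, obfuscation helpers or remote fetches. The plugin name, file contents and the list of suspicious patterns are constructed assumptions for the demonstration.

```python
import difflib, io, re, zipfile

# Patterns whose arrival in an update deserves a manual look; an assumption, not an exhaustive rule set.
SUSPICIOUS = {
    "new external link": re.compile(r'https?://(?!wordpress\.org)[^\s"\'<>]+'),
    "dynamic code": re.compile(r'\b(eval|base64_decode|create_function)\s*\('),
    "remote fetch": re.compile(r'\b(wp_remote_get|file_get_contents|curl_exec)\s*\('),
}

def make_zip(files):
    """Build an in-memory plugin zip from {path: source} (for constructed samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for path, src in files.items():
            z.writestr(path, src)
    return buf.getvalue()

def read_zip(data):
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return {n: z.read(n).decode("utf-8", "replace") for n in z.namelist()}

def review_update(old_zip, new_zip):
    """Return {path: [findings]} for every file the update adds, removes or modifies."""
    old, new, report = read_zip(old_zip), read_zip(new_zip), {}
    for path in sorted(set(old) | set(new)):
        if old.get(path) == new.get(path):
            continue
        status = "removed" if path not in new else "added" if path not in old else "modified"
        # Scan only lines the update introduces, not code that already shipped.
        diff = difflib.unified_diff((old.get(path) or "").splitlines(),
                                    (new.get(path) or "").splitlines(), lineterm="")
        added = [l[1:] for l in diff if l.startswith("+") and not l.startswith("+++")]
        findings = [status]
        for label, pat in SUSPICIOUS.items():
            hits = [m.group(0) for line in added for m in pat.finditer(line)]
            if hits:
                findings.append(f"{label}: {', '.join(hits)}")
        report[path] = findings
    return report

# Constructed sample: a hypothetical nofollow plugin before and after a maintainer change.
OLD_PLUGIN = make_zip({
    "nofollow/readme.txt": "Stable tag: 1.0\nContributors: original-author\n",
    "nofollow/nofollow.php": "<?php\nadd_filter('the_content', 'nf_rel');\n",
})
NEW_PLUGIN = make_zip({
    "nofollow/readme.txt": "Stable tag: 1.1\nContributors: new-maintainer\n",
    "nofollow/nofollow.php": "<?php\nadd_filter('the_content', 'nf_rel');\n"
        "add_action('wp_footer', function () { echo '<a href=\"http://example.com/\">' . base64_decode('c2Vv') . '</a>'; });\n",
})
```

Running `review_update` on the real zips of the installed and the proposed version (downloaded from the plugin’s wordpress.org page) turns a changelog entry into a concrete list of what actually changed.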