Closures of Very Popular WordPress Plugins, Week of December 14
While we already are far ahead of other companies in keeping up with vulnerabilities in WordPress plugins (amazingly that isn’t an exaggeration), in looking in to how we could get even better we noticed that in a recent instance were a vulnerability was exploited in a plugin, we probably could have warned our customers about the vulnerability even sooner if we had looked at the plugin when it was first closed on the Plugin Directory instead of when the vulnerability was fixed (though as far as we are aware the exploitation started after we had warned our customers of the fix). So we are now monitoring to see if any of the 1,000 most popular plugins are closed on the Plugin Directory and then seeing if it looks like that was due to a vulnerability.
This week three of those plugins were closed and have yet to be reopened.
404 To Homepage
404 To Homepage, which has 30,000+ installations, was closed yesterday. No explanation has been given so far for the closure. In looking over the plugin we didn’t find any obvious security issues.
It has yet to be reopened.
Force HTTPS
Force HTTPS, which has 80,000+ installations, was closed yesterday. No explanation has been given so far for the closure. The plugin is by the same developer as 404 To Homepage. In looking over the plugin we didn’t find any obvious security issues.
It has yet to be reopened.
WordPress phpinfo()
WordPress phpinfo(), which has 30,000+ installations, was closed today. No explanation has been given so far for the closure. In looking over the plugin we didn’t find any obvious security issues.
It has yet to be reopened.
I use LittleBizzy’s plugins (including 404 to Homepage) from the WordPress repository. I was really concerned when they were suddenly not available for download when I wanted to add them to a new subdomain (particularly because your Plugin Security Checker did not pick up any security issues and it seems to be a good guide as to whether an author follows best coding practices or not) so started looking around for info. On their website, there is a banner that says that they have chosen to remove all their plugins from the WordPress repository, with the option to sign up for their newsletter for updates. The plugins are still available on their site for download. The plugin author is a small business that offers WordPress hosting. They are very focussed on efficiency / speed as their value proposition and appear to be security minded (with a list on Github of WP plugins not allowed on their servers due to security issues, non-maintenance or “excessive” logging / API usage). This is just a wild guess, but I believe that if you, as a security expert, were to reach out to them they would probably tell you their reasons for requesting the removal of their plugins from the repo. They had well over a dozen on the repo for a long time. Hope you have a great day!
Our Plugin Security Checker identifies the possibility of some security issues in plugins, it doesn’t attempt and it would not provide a good indication if best coding practices are being followed.
Our only interest in popular plugins being closed at this time is in improving our information on vulnerabilities in plugins, so trying to find out why plugins are closed unrelated to security issues is outside of our focus. We have been thinking of providing something more focused on that issue, but the best solution would be for WordPress to start handling things better and letting people know why they are closed right away, as they are going to have the best information on them. The inability to even discuss their poor handling of that on the Support Forum is part of why have been protesting the inappropriate behavior of the moderators.
LittleBizzy plugins still available free on GitHub:
https://github.com/littlebizzy