Ars Technica’s Dan Goodin Doesn’t Do Journalism and Instead Makes Up Override Mechanism Existing for WordPress Plugin Directory
As far as we are aware, Ars Technica is considered a reliable news outlet. That is despite having someone covering security, Dan Goodin, who has a long track record of making things up, and generally not doing journalism. Unlike other “security journalists” who appear to have no academic background, according to his bio he has a Masters of Journalism from UC Berkeley.
In a recent story on a hacking campaign that involves a known problem with the WordPress Plugin Directory, he made this claim:
The WP Query Scan page on wordpress.org says that the plugin was made temporarily unavailable as of October pending review. The hackers behind the attacks were able to get their exploit to download the years-old WP Query Console plugin anyway, because they used a special wordpress.org URL that overrode the block.
He cites no source for the claim in the second sentence and his story only has one source, WPScan, which has long been known for providing highly inaccurate information. Relying on them at all seems like journalistic malpractice, but not getting a second source to confirm their claims is a clear indication he isn’t concerned about the accuracy of this story.
By block, he apparently is referring to the plugin being closed, as can be seen in the message shown on the plugin’s listing.
So what is this special wordpress.org URL he referred to? He apparently doesn’t know, as at the end of the story he wrote this:
WordPress.org representatives didn’t immediately respond to an email asking why the override mechanism had been available previously or if it remained available now.
(Giving someone a reasonable chance to reply is what a journalist would do, but wasn’t done there.)
Surely, if he knew what it was, he could check himself.
If he had reached out to us, we could have pointed to the explanation, public since March 2022, of what was actually going on. The download link for plugins keeps working after the plugin has been closed, even if it was closed for a security issue. There is a standard format for the download links. For this plugin, the address to download the plugin is https://downloads.wordpress.org/plugin/wp-query-console.zip and as of writing it still works.
We emailed Dan Goodin and sent a reply through Bluesky hours after he published the post on Thursday. The story hasn’t been updated/corrected, which isn’t what you would expect from a journalist.