In 2017 there was a very bad situation where the two people running the WordPress Plugin Directory allowed a plugin containing malicious code to return in to the directory twice, only to have malicious code added again each time. Somehow that situation didn’t lead to a shakeup of the team running that, to address the two problematic people who have long controlled that.

In the third instance, part of the code was obfuscated using bae64 encoding. In the comments on a post on the WP Tavern about the situation, there were a couple of comments noting that should have flagged that code: [Read more]