Why you should stop your plugin from updating
Published January 17th, 2013 under Practical
Per Soderlind recently alerted me to a rather important security issue regarding plugins that are not hosted on WordPress.org. Every plugin hosted on WordPress.org receives its updates from WordPress.org, and WordPress identifies a plugin in that update check by its slug (the plugin's directory name and main file), not by who wrote it. Commercial plugins often add scripts to provide updates from other sources*, but the vast majority of privately written plugins simply go without automatic updates at all.
Now imagine a scenario in which you create a custom plugin, and someone with malicious intent registers a plugin with the exact same name and slug as yours in the WordPress.org repository. If their version number is higher than yours, WordPress will offer it as an update to your plugin. It is entirely conceivable that you, or someone else working on the site, would accidentally hit the "update" button and have your plugin's code replaced with a malicious plugin served to your site from WordPress.org itself. Joost de Valk made use of this very mechanism for good back in 2010, when he forced an auto-upgrade on the BlogPress SEO plugin, but an evil person could do the same thing in a far more malicious way.
Thankfully there is a very easy workaround for this problem: you can exclude your plugin from the WordPress.org update check with some code kindly provided by Mark Jaquith, a variant of which is linked below.
https://gist.github.com/4171146
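The following is an added example, written for this article rather than taken from the gist above or from Mark Jaquith's code, of what such an opt-out looks like inside the plugin being protected. The plugin name, file names and function names are assumptions; drop the two filters into your own plugin's main file. The first filter strips the plugin from the request WordPress sends to api.wordpress.org, so the API never sees its slug; the second drops any entry for the plugin from the update transient, so a response that was cached before the first filter was installed cannot produce an update notice either.

```php
<?php
/*
Plugin Name: Example Private Plugin
Plugin URI: https://example.com/private-plugin
Description: Opts itself out of WordPress.org update checks (added example, assumed plugin).
Version: 1.0.0
*/

// Remove this plugin from the outgoing update-check request so the
// WordPress.org API never learns its slug. Priority 5 runs this before
// most other http_request_args filters.
add_filter( 'http_request_args', 'example_private_plugin_hide_from_update_check', 5, 2 );
function example_private_plugin_hide_from_update_check( $args, $url ) {
	if ( false === strpos( $url, 'api.wordpress.org/plugins/update-check' ) ) {
		return $args; // Not a plugin update request; leave it alone.
	}
	if ( empty( $args['body']['plugins'] ) ) {
		return $args;
	}

	// The key core uses for this plugin, e.g. "example-private-plugin/example-private-plugin.php".
	$self = plugin_basename( __FILE__ );

	// Core has sent this payload PHP-serialized (update-check/1.0) and
	// JSON-encoded (update-check/1.1, WordPress 3.7 and later); accept either.
	$raw     = $args['body']['plugins'];
	$is_json = ( '{' === substr( ltrim( $raw ), 0, 1 ) );
	$payload = $is_json ? json_decode( $raw ) : unserialize( $raw );
	if ( ! is_object( $payload ) || ! isset( $payload->plugins ) ) {
		return $args; // Unexpected shape; do not risk corrupting the request.
	}

	// "plugins" is keyed by plugin basename, "active" is a list of basenames.
	$plugins = (array) $payload->plugins;
	$active  = isset( $payload->active ) ? (array) $payload->active : array();

	unset( $plugins[ $self ] );
	$active = array_values( array_diff( $active, array( $self ) ) );

	$payload->plugins = $plugins;
	$payload->active  = $active;

	$args['body']['plugins'] = $is_json ? json_encode( $payload ) : serialize( $payload );
	return $args;
}

// Belt and braces: if an update entry for this slug ever appears in the
// cached update data (for example from a check made before this code was
// deployed), remove it so no update notice is shown and no upgrade can run.
add_filter( 'site_transient_update_plugins', 'example_private_plugin_drop_from_update_transient' );
function example_private_plugin_drop_from_update_transient( $value ) {
	$self = plugin_basename( __FILE__ );
	if ( is_object( $value ) && isset( $value->response[ $self ] ) ) {
		unset( $value->response[ $self ] );
	}
	return $value;
}
```

To confirm it works, activate the plugin, force a fresh check with a call to wp_update_plugins() (or by visiting Dashboard > Updates), and inspect get_site_transient( 'update_plugins' ): the plugin's basename should appear under neither "response" nor "no_update", which shows it was never sent to the API at all. Note that this deliberately gives up updates from WordPress.org for that one plugin only; it does not interfere with any other plugin's update check, nor with an update mechanism of your own such as the ones listed at the bottom of this article.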
* Methods to add plugin update support from other sources include:
Cristian says:
This is like treating the patient by killing him!
This is not a solution to the supposed problem, but a way to screw up your site by not updating plugins any more. Not to mention producing a shit load of work for yourself by manually updating plugins.
A somewhat better solution would be to have a plugin that lets you configure where you should get updates for each installed plugin in particular. Even better, if you have the non-repository plugin active, you could possibly do this check directly from that plugin.
This way WordPress won’t be able to serve updates for plugins that get automatic updates from other places.
January 17, 2013 at 2:43 pm
Ryan Hellyer says:
This is a method of dealing with updates for plugins which are not hosted anywhere. They wouldn’t auto-update anyway.
Methods for updating plugins from alternate sources are listed at the bottom of the article.
January 17, 2013 at 2:47 pm
Milan Dinić says:
I use this exact snippet for custom private plugins that I’m 100% sure will not need any update from either WordPress.org repository or any other source.
January 17, 2013 at 6:49 pm
Samuel "Otto" Wood says:
The method you gave works, but a simpler solution is to just name your custom plugin something unique.
I like to stick the domain name of the site in my custom plugins. Because I’m pretty sure the people reviewing the plugins at WordPress.org would question a malicious person trying to register a plugin with the name of “ottopress.com – Custom Plugin Name”.
January 21, 2013 at 7:02 pm
Ryan Hellyer says:
That won’t help unfortunately if the person knows what the plugin name is (which they will if it loads JS or CSS onto the page since they’ll be able to see the plugin slug in the URL).
You are correct though that something with ottopress.com in the name is unlikely to get through the approval process. I’d rather stick the code in to be on the safe side though.
January 21, 2013 at 7:55 pm
Otto says:
By “the people approving plugins”, I meant myself and the other members of the review team. 🙂
Nothing wrong with the code. I just think my way is simpler.
January 26, 2013 at 3:49 am
Samuel "Otto" Wood says:
Oh, also, the “Plugin URI” in the plugin header is important. Make it unique and with a domain you control, and you can easily avoid unwanted update messages.
January 26, 2013 at 3:54 am
WordPress Kodları says:
After I read your post I began to doubt using any kind of plugin. I have never read such an article before. Interesting, thanks for this information.
January 29, 2013 at 3:44 pm
Ryan Hellyer says:
There’s no problem with using plugins, it’s just important to make sure you are aware of the security implications involved with each one you use. I have somewhere in the vicinity of 40 plugins in use on my own site right now.
February 12, 2013 at 2:23 pm
Ryan says:
Is there any plugin available for this? I am not good at code editing.
Thanks in advance.
June 13, 2014 at 1:29 pm
Ryan Hellyer says:
No there is not. This is something for individual plugin developers to do, not via another plugin.
June 13, 2014 at 5:21 pm