Comment by toniantunovi
14 hours ago
The supply chain attack surface in WordPress plugins has always been particularly dangerous because the ecosystem encourages users to install many small single-purpose plugins from individual developers, most of whom aren't security-focused organizations. Buying out an established plugin with a large install base is a clever approach because you inherit years of user trust that took the original developer a long time to build.
The deeper structural issue is that plugin update notifications function as an implicit trust signal. Users see "update available" and click without questioning whether the author is still the same person. A package signing and transfer transparency system similar to what npm has been working toward would help here, but the WordPress ecosystem has historically moved slowly on security infrastructure.
Not only that, but so many people are reluctant to pay for anything so your average installation is chock full of freemium plugins. I've worked on plenty of sites whose admin page looked a bit like the IE6 toolbar meme.
Hmmm... I'm reluctant to pay for WordPress plugins because a bunch of them are also single purpose plugins from random developers, and of questionable quality.
And they also make your WP admin page look like an IE6 toolbar.
I've long since stopped building WordPress sites for clients, but you would be blown away by the number of people who have installed the free version of Securi or Wordfence, zero configuration, and then assume their site is completely safe from attacks.
You absolutely can't rely on the free version of WordFence. It should also be the last line of defense to handle anything that can't get caught by the server WAF.
I recently cleaned a WordPress site (that I now get to manage) of some malware that had multiple redundant persistence layers and the attacker had whitelisted the folders in the WordFence scan. Was actually kind of handy as a checklist to see if I'd missed anything.
What WordFence did manage to do was email an alert that there had been an unauthorised admin login as their admin password had been compromised.
A big part is also that wp.org is very tolerant of malicious-adjacent actors.
Actual malware? the plugins will get blocked.
Plugin randomly starts injecting javascript from a third party domain that displays some football related widget with affiliate links? they figured that's perfectly in the (new) owner's right and rejected any action even though it was a classic bait and switch with an entirely unrelated plugin.
At some point you have to assume it's by design.