Comment by jimrandomh

I think the main problem here is the ideology of software updating. Updates represent a tradeoff: On one hand there might be security vulnerabilities that need an update to fix, and developers don't want to receive bug reports or maintain server infrastructure for obsolete versions. On the other hand, the developer might make decisions users don't want, or turn evil temporarily (as in a supply chain attack) or permanently (as in selling off control of a Wordpress extension).

In the case of small Wordpress extensions from individual developers, I think the tradeoff is such that you should basically never allow auto-updating. Unfortunately wordpress.org runs a Wordpress extension marketplace that doesn't work that way, and worse. I think that other than a small number of high-visibility long-established extensions, you should basically never install anything from there, and if you want a Wordpress extension you should download its source code and install it manually as an unpacked extension.

(This is a comment that I wrote about Chrome extensions, where I replaced Chrome with Wordpress, deleted one sentence about Google, and it was all still true. https://news.ycombinator.com/item?id=47721946#47724474 )