When it comes to improving the security of WordPress one the easiest things to do would be to start alerting when websites are using plugins that have been removed from the Plugin Directory for security issues. We have been trying to get that to happen for over five years, but the WordPress team has continued to refuse to do that, while claiming they are “working on it”. Recently the Wordfence Security plugin has started to warn when removed plugins are in use, which has led to more people realizing they are using removed plugins, but leaving them not knowing why the plugin was removed as there are other reasons for removal. That isn’t all the helpful as can be seen by the company behind that plugin touting this feature with a quote from a person that left a plugin with intentionally malicious code in it on their websites after it was removed from the Plugin Directory multiple times. Instead of Wordfence getting behind the effort to get this issue properly resolved, they would rather promote people being reliant on their plugin for incomplete information on removed plugins, while sometimes providing those using their plugin with outright false information about the situation with a removed plugin.

One place people have been looking for answers is the WordPress Support Forum, but unfortunately that is in as bad as shape as the handling of security by the WordPress team. The other day we left a comment correcting a misunderstanding of a comment from someone from the Plugin Directory as to whether a removed plugin contained a security issue and our comment was promptly deleted and the topic closed. So you are not going to be able to rely on getting accurate information there until the moderation of the forum is fixed.

In light all that we thought it would helpful to start putting out post when we become of possible explanation of why plugins were removed. If you are aware of a plugin that has been removed where there isn’t a possible explanation available please get in touch with us, so that we can look in to the situation.

For the first of these posts we will return to the plugin we had tried to help clear up confusion over the other day, Starbox.

As describe in more detail in our vulnerability details post, two weeks ago, which was after the plugin was removed, an authenticated persistent cross-site scripting (XSS) vulnerability that would have allowed logged in users to cause malicious JavaScript code to load on the frontend of the websites and for Administrators in certain instances was fixed. There were several smaller security fixes made, but that seems like it would be what would have gotten the plugin removed.

The vulnerability would be a threat if a website had users with malicious intentions.

Since a fixed version has been submitted to the Subversion repository that underlies the Plugin Directory, it is possible to get access to that if you are familiar with how to work with that. The vulnerability is only exploitable if the plugin is active, so deactivating it would also protect you for now.

Protecting Yourself Against Known Vulnerable Plugins

At this time, even if you deleted any plugins once it got removed from the Plugin Directory you could still be using plugins that have publicly disclosed vulnerabilities. That is due to the fact the no one on the WordPress team is out there making sure they pull plugins once vulnerabilities are disclosed in them and no one else notifies of them of that situation on a systematic basis. In the past we had been doing that, but we suspended doing that until WordPress finally puts forward a concrete plan to warn people about removed plugins and a concrete plan to reform the moderation of the Support Forum, so that the public can get accurate information on security from there and people trying to get vulnerabilities fixed stop getting harassed.

In the meantime installing the companion plugin for our service will get you alerted if you are using plugin that has a vulnerability that is being exploited. With our service not only will you get alerted about all vulnerabilities that we are aware of (which is many more than other providers), but we are available to assist you in determining what is the best option if you are using a plugin with an unfixed vulnerability. In many cases we can provide you with a temporary workaround so that you can continue to use the plugin until the plugin is fixed for everyone (we always try to work with developer to get their plugins fixed as well) or until you can move to another solution. In a situation like this, were there is a fixed version put out, but that you can’t update to it through the normal process, we can help our customers to apply the update as well.

Our service also allows you suggest/vote for plugins to receive a security review from us, so you can find out if the plugins you are using are secure before someone with bad intentions might find a vulnerability in one of them.