WordPress Lacks Method to Verify That Plugin Is Truly a First-Party (Canonical) Plugin
First-party WordPress plugins are not a new idea. Here is a post about the head of WordPress, Matt Mullenweg, talking about them, referring to them as canonical plugins, in 2009. And doing it again in 2022. Despite that, there still isn’t a clear indication or verification method showing that plugins are truly coming from WordPress, or even consistent labeling of those plugins. You probably wouldn’t guess the plugin Two-Factor is from WordPress, as it is listed as being by “Plugin Contributors”:
By comparison, the Classic Editor is from “WordPress Contributors:”
And Health Check & Troubleshooting is by “The WordPress.org community:”
With the latter two plugins, WordPress.org is listed as a contributor:
But there are other plugins that list WordPress.org as a contributor that don’t appear to come from WordPress, including this one, this one, and this one.
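The contributor labels shown above come from the plugin’s own metadata, so they are a claim by the plugin author rather than a check performed by the directory. The following is an added example, not code from the post or from WordPress: it parses the `Contributors:` header of a constructed readme.txt in the WordPress.org plugin directory format (an assumption here is that the WordPress.org profile name `wordpressdotorg` is what appears on plugins listing WordPress.org as a contributor) and shows that the most such a parser can report is “claims a WordPress.org contributor”, never “verified first-party”.

```python
import re

# Constructed sample readme.txt headers (not real plugin files). The
# "Contributors:" line is written by the plugin author and lists WordPress.org
# usernames; the directory displays it but, as the post notes, does not verify
# that the plugin actually comes from WordPress. "wordpressdotorg" as the
# WordPress.org profile name is an assumption stated in the lead-in.
SAMPLE_READMES = {
    "first-party-looking": """=== Example Editor ===
Contributors: wordpressdotorg, examplecore
Tags: editor
Requires at least: 4.9

Long description follows after the blank line.
""",
    "third-party-claiming": """=== Example Widgets ===
Contributors: wordpressdotorg, someotherdev
Tags: widgets
""",
    "no-claim": """=== Example Auth ===
Contributors: exampledev
Tags: authentication
""",
}

HEADER_KEY = re.compile(r"^\s*contributors\s*:\s*(.*)$", re.IGNORECASE)


def parse_contributors(readme_text: str) -> list[str]:
    """Return the usernames from the Contributors: line of the readme header.

    Only the header block (everything before the first blank line) is scanned,
    matching where the directory reads this field from. Returns [] if absent.
    """
    for line in readme_text.splitlines():
        if not line.strip():
            break  # end of header block
        match = HEADER_KEY.match(line)
        if match:
            return [name.strip() for name in match.group(1).split(",") if name.strip()]
    return []


def classify(readme_text: str) -> dict:
    """Summarise what the metadata does and does not establish about provenance.

    'claims_wordpressdotorg' is derivable from the file; 'verified_first_party'
    is deliberately None because nothing in the metadata can establish it.
    """
    contributors = parse_contributors(readme_text)
    claims = any(name.lower() == "wordpressdotorg" for name in contributors)
    return {
        "contributors": contributors,
        "claims_wordpressdotorg": claims,
        "verified_first_party": None,  # no mechanism exists to confirm this
    }


def audit(readmes: dict[str, str]) -> list[str]:
    """Return the slugs whose metadata claims a WordPress.org contributor."""
    return [slug for slug, text in readmes.items() if classify(text)["claims_wordpressdotorg"]]


if __name__ == "__main__":
    for slug, text in SAMPLE_READMES.items():
        print(slug, classify(text))
    print("claiming wordpressdotorg:", audit(SAMPLE_READMES))
```

Run against the constructed samples, both the first-party-looking plugin and the third-party plugin are flagged identically, which is the point: the contributor field separates plugins that assert a WordPress.org connection from those that don’t, but it cannot separate true first-party plugins from anyone else who writes the same line.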
Another plugin, Substack Importer, is harder to figure out. The plugin doesn’t link to anything that would confirm it comes from WordPress. The first commit is from a direct employee of Matt Mullenweg, but the subsequent commits are from a contributor that provides no bio information. It appears they might be an employee of Matt Mullenweg’s company, Automattic. So you can’t really say whether the plugin is truly from WordPress.
The security concern here isn’t a new one. Among the relevant situations, there has been an ongoing phishing campaign trying to get people to install plugins, with the messages posing as coming from WordPress.
It’s hard to understand how it has gotten so far without something being implemented to better address this.
We reached out to the developers of Two-Factor about confusing labeling of their plugin.