One way we help to improve the security of WordPress plugins, not just for customers of our service, but for everyone using them, is our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. Through that, we caught one of those vulnerabilities, a vulnerability in the plugin Disable Fullscreen Mode that allows those logged in to WordPress to install arbitrary plugins. The plugin doesn’t have to come from the WordPress plugin directory, so an attacker can install an entirely malicious plugin.

We now are also running all the code in the plugins used by our customers through that monitoring system on a weekly basis to provide additional protection for them. [Read more]