For years, the handling of security of the WordPress Plugin Directory has been rather poor, caused by a multitude of issues. In addition to the problems with their handling of security, there hasn’t been a willingness to work with the community to address that. One of the two problematic long time leaders of that (and two of only four members overall, somehow) left earlier this year. Notably, as they were leaving, a largely new team was brought in by them without the involvement of the community. So far, the new team doesn’t seem to have been reaching out to those actually interested in helping them improve their handling of security. That isn’t because they are now handling things well now, as yet another problematic situation shows.

In October, we wrote about seeing a hacker targeting a WordPress plugin named Dropshipping & Affiliation with Amazon and finding that the plugin was still in the plugin directory despite having a vaguely disclosed serious vulnerability. The plugin was subsequently closed on the plugin directory. [Read more]