alt Hacker NewsThe supply chain attack surface in WordPress plugins has always been particularly dangerous because the ecosystem encourages users to install many small single-purpose plugins from individual developers, most of whom aren't security-focused organizations. Buying out an established plugin with a large install base is a clever approach because you inherit years of user trust that took the original developer a long time to build.
The deeper structural issue is that plugin update notifications function as an implicit trust signal. Users see "update available" and click without questioning whether the author is still the same person. A package signing and transfer transparency system similar to what npm has been working toward would help here, but the WordPress ecosystem has historically moved slowly on security infrastructure.
Replies
I've long since stopped building WordPress sites for clients, but you would be blown away by the number of people who have installed the free version of Securi or Wordfence, zero configuration, and then assume their site is completely safe from attacks.
Not only that, but so many people are reluctant to pay for anything so your average installation is chock full of freemium plugins. I've worked on plenty of sites whose admin page looked a bit like the IE6 toolbar meme.