As of writing this article, it’s a hot topic. Some plugins which have been available on WordPress.org plugins repository have been moved over to custom distribution systems or to GitHub.
Meanwhile, the official WordPress account recently referred to a vulnerability found in a theme distributed via Themeforest and warned the public about such products, which are not distributed via .org.
Let’s look into different options and what you should keep in mind in terms of security.
WordPress.org plugin & theme directory
The most obvious option is of course the WordPress.org plugin and theme directory. Every plugin and theme in the WordPress.org directory has to be free to use and have a GPL license.
The vast majority of WordPress plugins and themes are made available there. Plugins and themes submitted to the directory go through a security check and are verified against the requirements set by the directory. To get an understanding of what is being checked, the plugin review team has released a tool called Plugin Check which you can run before submitting a plugin for review.
Since you can easily browse the code of any plugin and theme in the WordPress.org directory, it is also easier for developers and security professionals to review the code before they install it on their website.
On the other hand, WordPress.org is based on SVN, which nowadays has mostly been replaced by Git repositories. There have also been concerns raised in the past couple of months about a potential supply chain security risk, as WordPress.org is controlled by a single person rather than a company or an organisation.
Premium plugins (Envato, etc.)
Themeforest alone has over 12,500 WordPress products on sale. Recently, I was talking to someone who has been working with large digital agencies for more than a decade, and Themeforest remains a popular choice when budgets are small and projects need to be completed fast.
ThemeForest and similar marketplaces have received a lot of criticism in the past for themes that include PHP functionality which would not be accepted under the WordPress.org directory requirements and which can potentially introduce security vulnerabilities. There have been issues with sellers bundling their products together with other premium products, which can later not be updated and can cause a security nightmare. However, having interacted with the Envato team quite a lot recently, their policies are a lot stricter now and they've actively removed such products from the marketplace.
As these are all premium products and don't have their source code publicly available, it's very hard to verify whether a plugin/theme is built professionally and whether it follows best practices.
Regardless of where premium plugins are sold, those that don't make their source code public will not benefit from community-driven code review and auditing, which in my opinion is one of the most important benefits of open source software.
Non-.org distributed open-source plugins
There are plugin and theme developers who have decided to set up their own update servers and distribute their software without relying on anyone else. The plugins are often open sourced at places such as GitHub, and some who don't want to maintain their own update server have even built solutions to update plugins directly from a GitHub repository.
GitHub is very secure infrastructure, and my personal opinion is that WordPress core should actually come with an option to install and update plugins directly from GitHub as well. There are also great security solutions that hook into GitHub repositories, monitor for security vulnerabilities in linked dependencies and provide the capability to run regular code analysis.
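As an added example (not code from the original post or from any existing plugin), here is a minimal self-hosted updater in PHP that does the one thing a custom update channel most needs: it verifies the downloaded package against a digest published in the release manifest before WordPress unpacks it. The manifest URL and host, the plugin basename, the installed version and the JSON field names are all assumptions made for the illustration; the hooks and helpers used (pre_set_site_transient_update_plugins, upgrader_pre_download, download_url, wp_remote_get) are WordPress core APIs.

```php
<?php
/**
 * Self-hosted plugin updates with package digest verification.
 * Added illustration; assumes a release manifest (hypothetical URL) shaped like:
 *   {"version": "1.2.0",
 *    "package": "https://updates.example.com/my-plugin-1.2.0.zip",
 *    "sha256":  "<hex SHA-256 of the zip>"}
 * The manifest and the package must be served over HTTPS from a host you control.
 */

const MYPLUGIN_FILE     = 'my-plugin/my-plugin.php';                 // plugin basename (assumed)
const MYPLUGIN_VERSION  = '1.1.0';                                   // installed version (assumed)
const MYPLUGIN_ORIGIN   = 'https://updates.example.com/';            // only origin we download from (assumed)
const MYPLUGIN_MANIFEST = 'https://updates.example.com/my-plugin.json';

/** Fetch and decode the release manifest; null on any failure or unexpected shape. */
function myplugin_fetch_manifest() {
    $response = wp_remote_get( MYPLUGIN_MANIFEST, array( 'timeout' => 10 ) );
    if ( is_wp_error( $response ) || 200 !== wp_remote_retrieve_response_code( $response ) ) {
        return null;
    }
    $data = json_decode( wp_remote_retrieve_body( $response ), true );
    if ( ! is_array( $data ) || empty( $data['version'] ) || empty( $data['package'] ) || empty( $data['sha256'] ) ) {
        return null;
    }
    // Never follow a manifest to a package hosted somewhere else.
    if ( 0 !== strpos( $data['package'], MYPLUGIN_ORIGIN ) ) {
        return null;
    }
    return $data;
}

/** Announce a newer release so it shows up on the WordPress Updates screen. */
function myplugin_inject_update( $transient ) {
    if ( empty( $transient->checked ) ) {
        return $transient;
    }
    $manifest = myplugin_fetch_manifest();
    if ( null === $manifest || ! version_compare( $manifest['version'], MYPLUGIN_VERSION, '>' ) ) {
        return $transient;
    }
    $transient->response[ MYPLUGIN_FILE ] = (object) array(
        'slug'        => dirname( MYPLUGIN_FILE ),
        'plugin'      => MYPLUGIN_FILE,
        'new_version' => $manifest['version'],
        'package'     => $manifest['package'],
    );
    // Keep the expected digest for the download step below.
    set_transient( 'myplugin_expected_sha256', $manifest['sha256'], HOUR_IN_SECONDS );
    return $transient;
}
add_filter( 'pre_set_site_transient_update_plugins', 'myplugin_inject_update' );

/**
 * Download the package ourselves and check its SHA-256 before core unpacks it.
 * Returning a WP_Error aborts the upgrade; returning a file path makes core use that file.
 */
function myplugin_verified_download( $reply, $package, $upgrader, $hook_extra ) {
    if ( empty( $hook_extra['plugin'] ) || MYPLUGIN_FILE !== $hook_extra['plugin'] ) {
        return $reply; // not our plugin; leave the default download path alone
    }
    $expected = get_transient( 'myplugin_expected_sha256' );
    if ( ! is_string( $expected ) || ! preg_match( '/^[0-9a-f]{64}$/', $expected ) ) {
        return new WP_Error( 'myplugin_no_digest', 'No expected package digest available; refusing to update.' );
    }
    $tmp = download_url( $package );
    if ( is_wp_error( $tmp ) ) {
        return $tmp;
    }
    $actual = hash_file( 'sha256', $tmp );
    if ( ! hash_equals( $expected, $actual ) ) {
        unlink( $tmp ); // discard the tampered or corrupted archive
        return new WP_Error( 'myplugin_bad_digest', 'Package digest mismatch; the download was discarded.' );
    }
    return $tmp;
}
add_filter( 'upgrader_pre_download', 'myplugin_verified_download', 10, 4 );
```

A digest served from the same host as the package only catches a package that was swapped or corrupted in transit or on a mirror; if the update host itself is compromised, the attacker can publish a matching digest. The stronger version of this design keeps a signing key offline and verifies a signature over the manifest on the site, which is the property the WordPress.org channel gives you for free and which a home-grown update server has to rebuild itself.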
Something else worth a look is https://wpackagist.org/
These are great options for those who know what they are doing.
GPL clubs & nulled plugin marketplaces
Just stay away from those! These places attract people by offering premium plugins at a fraction of their original price. They often strip the licensing from the plugins, often add their own code (which may or may not be malicious) and can require their own update system.
In all of these cases, you'll be missing out on timely security updates released by the original developer and exposing yourself to a supply chain risk where a shady company can push whatever code it likes to your websites. It's also a common tactic for planting backdoors in websites.