Security Weekly

Where to get your WordPress plugins and themes?


Oliver Sild

Patchstack

Oliver Sild is the CEO and Co-founder of Patchstack. He is an entrepreneur and cyber security expert with a strong focus on community building. He has been organising hacking competitions (& local CTF community) in Estonia since 2016, has kickstarted a startup community in his hometown and has nearly 10 years of experience with WordPress security.

Week 45

As of writing this article, it’s a hot topic. Some plugins that used to be available in the WordPress.org plugin repository have been moved over to custom distribution systems or to GitHub.

Meanwhile, the official WordPress account recently referred to a vulnerability found in a theme distributed via Themeforest and warned the public about products that are not distributed via .org.

Let’s look into different options and what you should keep in mind in terms of security.

WordPress.org plugin & theme directory

The most obvious option is of course the WordPress.org plugin and theme directory. Every plugin and theme in the WordPress.org directory has to be free to use and have a GPL license.

The vast majority of WordPress plugins and themes are made available there. Plugins and themes submitted to the directory go through a security check and are verified against the requirements set by the directory. To get an understanding of what is being checked, the plugin review team has released a tool called Plugin Check which you can run before submitting a plugin for review.

Since you can easily browse the code of any plugin and theme in the WordPress.org directory, it is also easier for developers and security professionals to review the code before they install it on their website.

On the other hand, WordPress.org is based on SVN which nowadays is mostly replaced with Git repositories. There are also some concerns raised in the past couple of months about potential supply chain security risk as WordPress.org is controlled by a single person, rather than a company or an organisation.

Premium plugins (Envato, etc.)

Themeforest alone has over 12,500 WordPress products on sale. Recently, I was talking to someone who has been working with large digital agencies for more than a decade, and Themeforest remains a popular choice when budgets are small and projects need to be completed fast.

ThemeForest and similar marketplaces have received a lot of criticism in the past about themes including PHP functionality that would not be accepted under the WordPress.org directory requirements and that can potentially introduce security vulnerabilities. There have been issues with sellers bundling their products together with other premium products which cannot later be updated and can cause a security nightmare. However, having interacted with the Envato team quite a lot recently, their policies are a lot more strict now and they’ve actively removed such products from the marketplace.

As these are all premium products and don’t have their source code publicly available, it’s very hard to verify whether a plugin/theme is built professionally and whether it follows best practices.

Regardless of where premium plugins are sold, those that don’t have their source code public will not benefit from community-driven code review and auditing, which in my opinion is one of the most important benefits of open source software.

Non-.org distributed open-source plugins

There are plugin and theme developers who have decided to set up their own update servers and distribute their software without relying on anyone else. The plugins are often open sourced at places such as GitHub, and some developers who don’t want to maintain their own update server have even built solutions to update plugins directly from a GitHub repository.

GitHub is a very secure infrastructure and my personal opinion is that WordPress core should actually come with an option to install & update plugins directly from GitHub as well. There are also great security solutions that hook into GitHub repositories, monitor security vulnerabilities in linked dependencies and provide the capability to run regular code analysis.

Something else worth a look is https://wpackagist.org/

These are great options for those who know what they are doing.

GPL clubs & nulled plugin marketplaces

Just stay away from those! These places attract people by offering premium plugins at a fraction of their original price. They often strip the licensing from the plugins, often add their own code (which may or may not be malicious) and can require their own update system.

In all of these cases, you’ll be missing out on timely security updates released by the original developer and expose yourself to a supply chain risk where a shady company can push whatever code to your websites. It’s also a common tactic for hiding backdoors in websites.
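One practical check against the tampering described above is to compare an installed plugin against a known-good copy of the same version (for example the zip from WordPress.org or the developer's own release) and flag added files, modified files and a stripped license header. This is an added example, not code from the article or from Patchstack; the plugin files and directory names are constructed sample data.

```python
import hashlib
import os
import tempfile

def fingerprint_tree(root):
    """Map each file under root (relative path) to its SHA-256 hex digest."""
    digests = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                digests[rel] = hashlib.sha256(fh.read()).hexdigest()
    return digests

def compare_plugin(reference_root, installed_root):
    """Files added, removed or modified in the installed copy vs. the reference."""
    ref, inst = fingerprint_tree(reference_root), fingerprint_tree(installed_root)
    return {
        "added": sorted(set(inst) - set(ref)),
        "removed": sorted(set(ref) - set(inst)),
        "modified": sorted(p for p in ref.keys() & inst.keys() if ref[p] != inst[p]),
    }

def license_header_missing(plugin_file):
    """True if the main plugin file has no 'License:' header line."""
    with open(plugin_file, encoding="utf-8", errors="replace") as fh:
        return not any(line.strip().startswith("License:") for line in fh)

def _write_tree(root, files):
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)

# Constructed sample data: a tiny reference plugin and a tampered copy (license stripped, file added).
HELPER = "<?php\nfunction example_helper() { return 1; }\n"
REFERENCE = {"example/example.php": "<?php\n/*\nPlugin Name: Example\nLicense: GPLv2\n*/\n",
             "example/includes/helper.php": HELPER}
TAMPERED = {"example/example.php": "<?php\n/*\nPlugin Name: Example\n*/\n",
            "example/includes/helper.php": HELPER,
            "example/includes/update.php": "<?php\n// third-party update client added by the reseller\n"}

def demo():
    with tempfile.TemporaryDirectory() as ref, tempfile.TemporaryDirectory() as inst:
        _write_tree(ref, REFERENCE)
        _write_tree(inst, TAMPERED)
        report = compare_plugin(ref, inst)
        report["license_missing"] = license_header_missing(os.path.join(inst, "example/example.php"))
        return report
```

Any file in "added" or "modified" deserves a manual look before the plugin goes live; a missing License header on a plugin that claims to be a WordPress.org release is a strong sign it did not come from there.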
