HTTPS Updates WordPress Plugin

HTTPS Updates Screenshot

The plugin's functionality is built-in to WordPress 3.7+.

WordPress performs update checks without verifying the information came from wordpress.org, which leaves the update information vulnerable to being modified by a man-in-the-middle attack. Update downloads are also insecure because the downloaded file is not checked to verify that it has not been modified from the version on wordpress.org. Our plugin reduces the chance of a successful man-in-the-middle attack by modifying the update process so that update checks and update downloads are performed using a HTTPS connection to wordpress.org. This process is still vulnerable to improper HTTPS handling on the server hosting the WordPress installation, to the attacker gaining access to a SSL certificate for wordpress.org, or a weakness in the underlying SSL encryption.

The plugin also modifies the plugin and theme installation processes to make them use a HTTPS connection.

The plugin requires that a proper HTTPS connection can be made on the server hosting the WordPress installation and that a HTTPS connection can be made to wordpress.org. A diagnostic tool is included with the plugin so that you can check if those things are available.

The plugin does not secure the update process of plugins and themes that are not updated through wordpress.org.

If there are pending updates available at the time the plugin in installed those will not be downloaded over HTTPS until after the next update check occurs and the relevant download links are modified so that the download is done using a HTTPS connection.

Getting the Plugin

You can download the plugin, get it at the WordPress.org Plugin Directory, or install it directly in WordPress.

Report an Issue

To report an issue please email us at contact@whitefirdesign.com. Security bugs are eligible for bounties through our bug bounty program for WordPress.

Protect Against Insecure WordPress Plugins

Make sure you are not using WordPress plugins that have been removed from WordPress.org Plugin Directory for security issues (or other issues) with our No Longer in Directory plugin.