The New WordPress Plugin Directory Gives Prominent Placement to False Claims About Plugins

If you visit a page on the WordPress Plugin Directory currently there is a message asking you to “Test out the new Plugin Directory and let us know what you think.” The new Plugin Directory still seems to be a work in progress; for example, until very recently if you did a search for our plugin “Plugin Vulnerabilities” by its name it wouldn’t show up on the first page of results (the rest of the results didn’t look relevant either). What looks to be a more permanent change with the new version is that reviews of plugins will be featured prominently on the main page for each plugin. That could be useful, but it also allows inaccurate or outright false information to receive prominent placement.

Reviews do not always provide useful information. For example, with security plugins what we see is that a lot of claims are made about the security they supposedly provide that don’t appear to be based on actual evidence. It looks like the testing we have done over at our Plugin Vulnerabilities service is just about the only time anyone has actually tested whether they provide any protection against real world threats. The results of that have been that most of them provide no protection against any of the vulnerabilities tested, and the ones that provided any protection were almost always easily bypassable (that may be part of why providers focus so much on making up threats and then claiming they protect against them).

While inaccurate positive reviews are problematic, something else we looked at recently over at the blog for our Plugin Vulnerabilities service has the potential to be much more troubling when given such prominent placement: baseless claims that plugins contain exploits that lead to websites being hacked. With both plugins we discussed, not only was there no evidence provided to support the claim, but when we looked over the plugins we didn’t find code that even looked to have the possibility of allowing the claimed exploit.

Unfortunately in the new Plugin Directory both plugins currently have those claims prominently on the main page for the plugin:

In both cases we left replies mentioning that we didn’t find anything that looks like it could have allowed this, so adding an indication that there are replies to a review might improve this bad situation to some extent.
