HTTPS Updates WordPress Plugin


The plugin's functionality is built into WordPress 3.7+.

WordPress performs update checks without verifying the information came from, which leaves the update information vulnerable to being modified by a man-in-the-middle attack. Update downloads are also insecure because the downloaded file is not checked to verify that it has not been modified from the version on Our plugin reduces the chance of a successful man-in-the-middle attack by modifying the update process so that update checks and update downloads are performed using an HTTPS connection to This process is still vulnerable to improper HTTPS handling on the server hosting the WordPress installation, to the attacker gaining access to an SSL certificate for, or a weakness in the underlying SSL encryption.

The plugin also modifies the plugin and theme installation processes to make them use an HTTPS connection.

The plugin requires that a proper HTTPS connection can be made on the server hosting the WordPress installation and that an HTTPS connection can be made to A diagnostic tool is included with the plugin so that you can check if those things are available.

The plugin does not secure the update process of plugins and themes that are not updated through

If there are pending updates available at the time the plugin is installed, those will not be downloaded over HTTPS until after the next update check occurs and the relevant download links are modified so that the download is done using an HTTPS connection.
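The link rewriting described above can be sketched as follows. This is an added example, not the plugin's own code: the host name `updates.example.org` and the function names are placeholders, and the shape of the update-check result (a `response` list whose entries carry a `package` link) is an assumption about how WordPress stores it. Because the filter runs only when a check result is stored, links from an earlier check stay unchanged until the next check, which is the behaviour the paragraph above describes.

```php
<?php
// Added illustration, not the plugin's own source.
// UPDATE_HOST is a placeholder for the update server's host name.
const UPDATE_HOST = 'updates.example.org';

// Upgrade one download link to https, only when it points at UPDATE_HOST.
function upgrade_package_url(string $url): string {
    $p = parse_url($url);
    if (!is_array($p) || !isset($p['scheme'], $p['host'])) {
        return $url; // relative or malformed: leave untouched
    }
    if (strtolower($p['scheme']) !== 'http' || strtolower($p['host']) !== UPDATE_HOST
        || isset($p['port']) || isset($p['user'])) {
        return $url; // other hosts, explicit ports and userinfo are not rewritten
    }
    return 'https' . substr($url, 4);
}

// Rewrite the pending entries of an update-check result (plugin entries are
// assumed to be objects, theme entries arrays, each with a 'package' link).
function upgrade_update_result($result) {
    if (!is_object($result) || empty($result->response)) {
        return $result;
    }
    foreach ($result->response as $key => $entry) {
        if (is_object($entry) && is_string($entry->package ?? null)) {
            $entry->package = upgrade_package_url($entry->package);
        } elseif (is_array($entry) && is_string($entry['package'] ?? null)) {
            $result->response[$key]['package'] = upgrade_package_url($entry['package']);
        }
    }
    return $result;
}

if (function_exists('add_filter')) {
    // Inside WordPress: runs each time an update check result is stored.
    add_filter('pre_set_site_transient_update_plugins', 'upgrade_update_result');
    add_filter('pre_set_site_transient_update_themes', 'upgrade_update_result');
} else {
    // Stand-alone run on a constructed update-check result.
    $sample = (object) ['response' => [
        'a/a.php' => (object) ['package' => 'http://updates.example.org/plugin/a.1.1.zip'],
        'b/b.php' => (object) ['package' => 'http://vendor.example.net/b.zip'],
        'theme-c' => ['package' => 'http://updates.example.org/theme/c.2.0.zip'],
    ]];
    foreach (upgrade_update_result($sample)->response as $name => $e) {
        echo $name, ' => ', is_object($e) ? $e->package : $e['package'], "\n";
    }
}
```

The entry served from the third-party host keeps its plain HTTP link, which matches the limitation stated above for plugins and themes that are updated from elsewhere.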

Getting the Plugin

You can download the plugin, get it at the Plugin Directory, or install it directly in WordPress.

Report an Issue

To report an issue please email us at Security bugs are eligible for bounties through our bug bounty program for WordPress.

Protect Against Insecure WordPress Plugins

Make sure you are not using WordPress plugins that have been removed from Plugin Directory for security issues (or other issues) with our No Longer in Directory plugin.