In order to keep your plugins up-to-date, WordPress sends information about all it’s plugins (including any inactive ones) to WordPress.org. There are concerns around the information sent as it includes details on each plugin’s developer including name and website address. While not much of a privacy issue for public plugins, there are implications for plugins custom written for specific clients.
The information is used to check if a plugin exists in the WordPress.org repository. If a plugin with the same name and a later version number exists, WordPress will dutifully offer to update/overwrite the installed plugin. A potentially disastrous situation for any custom plugins given a generic sounding name.
Maybe just something to consider for the paranoid. This also introduces the possibility of targeting users of externally hosted plugins such as those only available on GitHub by releasing an identically named WordPress.org plugin. It has been done before. As pointed out by Joost de Valk, each plugin is reviewed before being accepted into the plugin repository and any bad plugins would no doubt be identified and removed.
Mark Jaquith wrote up a solution back in 2009 which included a snippet plugin authors could incorporate into their code to remove their plugin from the list sent to WordPress.org. However, changes in WordPress 3.7 require the snippet to be updated. The format of the update check has been changed from XML to JSON and is now sent over an SSL connection.
The following snippet has been updated to reflect these changes and should be included in the main plugin file or updated to reference the path to the plugins main file relative to the plugins directory (e.g. plugin-dir/plugin-file.php).
I’ve touched on the privacy concerns around the information sent to WordPress.org which from WordPress 3.7 is now encrypted. Looked at the possibility of accidentally overwriting custom written plugins and gone over one of the solutions to prevent WordPress from updating your own custom plugins. If it’s all a bit too much, Dinesh Karki has an alternative solution with his plugin Block Plugin Update which has a nice interface for selecting which plugins to exclude from the update check.
Recent Comments