Abandoned plugin (and owner domain) – a cause for concern?

    • brokkr

      I would be curious to hear some perspectives on the following even though I think I know the answer.

      I self-host a multisite install. I recently noticed that

      a) My cache plugin had not been updated in over two years (still worked like a charm, though)
      b) the “By: ” attribution in the Plugins list on the install (you know, the line underneath the description that tells you version, authorship and “View details”) referred to an abandoned domain. I won’t link for obvious reasons but the domain had been snatched up by a reseller who apparently valued it at 5000 dollars US.
      c) On the wordpress.org listing the attribution goes to a different, product-specific site that is (or at least appears to be) still under the control of the original developers.

      Now, seeing as it isn’t being maintained and updated anymore, I obviously need to find a new cache plugin, or switch to caching on my reverse proxy or something.

      However, I am curious to hear: How bad is this on a scale from lavatory on fire to not that big a deal?

      I have reason to believe the devs did change the plugin ownership to accounts with addresses pointing at a newer domain. But if they didn’t… well, all it would take for a malicious actor to get access is 5000 US and a few guesses at the right email address, right?

    • Plugin Vulnerabilities

      As long as you don’t have the plugin set to automatically update and the plugin doesn’t make any requests to the abandoned domain, then you should be okay to continue using the plugin for the time being. The worst-case scenario in that situation is that a vulnerability would be found in the plugin and there wouldn’t be an update. But considering how poorly developers respond to security issues in actively supported plugins, that isn’t a big risk. Depending on how long you are considering using the plugin and the security profile of your website, you could get a security review of the plugin done to hold you over.

      If you are concerned the plugin might get taken over through the abandoned domain, you can contact the team running the plugin directory at plugins@wordpress.org about that.
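
The check mentioned in the reply above (whether the plugin itself refers to the abandoned domain) can be done by scanning the plugin's files. This is an added example, not part of the original thread or the plugin's code: it separates `Author URI` / `Plugin URI` header lines, which only feed the attribution links, from other references that need a manual look. The plugin name, file contents and the `abandoned.example` domain are constructed placeholders.

```python
import re
import tempfile
from pathlib import Path

# Host part of absolute or protocol-relative URLs.
URL_HOST = re.compile(r"(?:https?:)?//([a-z0-9.-]+\.[a-z]{2,})", re.I)
# Plugin header fields that only feed the "By:" / "Visit plugin site" links.
ATTRIBUTION = re.compile(r"^[\s/*#]*(?:Author URI|Plugin URI)\s*:", re.I)

def refers_to(host, domain):
    # True for the domain itself and any subdomain, not for look-alike suffixes.
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def scan_plugin(plugin_dir, domain):
    """Split references to `domain` into attribution headers and lines to review."""
    domain = domain.lower()
    attribution, review = [], []
    for path in sorted(Path(plugin_dir).rglob("*")):
        if not path.is_file() or path.suffix.lower() not in {".php", ".js"}:
            continue
        lines = path.read_text(errors="replace").splitlines()
        for number, line in enumerate(lines, 1):
            if not any(refers_to(h, domain) for h in URL_HOST.findall(line)):
                continue
            hit = (path.relative_to(plugin_dir).as_posix(), number, line.strip())
            (attribution if ATTRIBUTION.match(line) else review).append(hit)
    return attribution, review

def demo():
    # Constructed sample plugin; abandoned.example stands in for the lapsed domain.
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "sample-cache"
        (root / "inc").mkdir(parents=True)
        (root / "sample-cache.php").write_text(
            "<?php\n/*\n * Plugin Name: Sample Cache\n"
            " * Author URI: http://abandoned.example/\n"
            " * Plugin URI: https://product.example/\n */\n"
            "require __DIR__ . '/inc/stats.php';\n")
        (root / "inc" / "stats.php").write_text(
            "<?php\n// docs: https://notabandoned.example/help\n"
            "wp_remote_get('https://api.abandoned.example/ping');\n")
        return scan_plugin(root, "abandoned.example")

if __name__ == "__main__":
    attribution, review = demo()
    for label, hits in (("attribution only", attribution), ("review", review)):
        for file, number, line in hits:
            print(f"{label}: {file}:{number}: {line}")
```

A line in the review list is not proof of a request (it may be a comment or a link in markup), and hosts assembled at runtime from string fragments will not be found by a static scan.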

    • vibethemes

      Someone purchasing a plugin to put malware in it is not going to happen. At best you can expect more updates with more ads.
      There have been few instances where the new owner changed the core functionality of the plugin, but that is very unlikely.
