Comments on: WordPress Plugins – check before you upgrade automatically

By: massimux

massimux — Mon, 20 Oct 2008 11:39:02 +0000

Hello,

I have installed your plug-in but reflected problems with rss feeds unfortunately no longer reachable at http://miosito.com/blog/feed

How can I fix this?

By: moserw

moserw — Sun, 17 Aug 2008 15:16:12 +0000

Sounds freaky. Will need to be careful and double check henceforth after upgrading to see if it is indeed the plugin that I had before. Thanks for the update.

By: Microkid

Microkid — Sat, 02 Aug 2008 08:40:53 +0000

@Matt
Nope, it’s stilling updating to Joost de Valk’s Permalink Redirect plugin.

By: Matt

Matt — Fri, 18 Jul 2008 22:28:49 +0000

Now that you’ve added your plugin to the repository, has the problem gone away?

By: scotty

scotty — Fri, 18 Jul 2008 01:13:40 +0000

@Glenn — indeed, and I think you can compare that with Firefox add-on auto-updates. First of all, you shouldn’t need to host your plugin with WordPress but something like updateURL directive can be added to direct WordPress installs to find where the new update is.

Then updates must be signed with a unique key so that if the 3rd party repository has been compromised, they would not be able to temper with the binary zip files.

By: Glenn

Glenn — Fri, 18 Jul 2008 00:50:57 +0000

Why doesn’t the WordPress repository generate a guid for it’s plugins, then require that to be added as a key in the plugin file. That would then be what your blog looked for in the repository when it goes to upload

By: scotty

scotty — Fri, 18 Jul 2008 00:09:15 +0000

@Pablo — when I said “Do Not Click Upgrade Automatically”, I am talking about my specific example of Permalink Redirect because you would be upgrading to Joost’s plugin instead of mine.

Now, Joost is a nice guy who is willing to work around now, and his plugin is so different from mine that my users picked up the difference straight away so we are sure there is no sneaky activities around.

Imagine it is Joost’s evil twin (sorry Joost!), who grabbed my plugin, add his code to turn all infested WordPress installation into part of his evil botnet that DDoS websites who he has blackmailed for a ransom. Everything still points at me as “Permalink Redirect 2008″ on WordPress.org still has “Scott Yang” all over the place, and most people who automatically upgraded have no idea as it appears functional… Meanwhile Australian Federal Police knocks on my door for committing cyber crime.

Now. You have automatically upgraded all 47 plugins. Did you check whether they are genuine and they all came from the original author.

By: Pablo DiCiacco

Pablo DiCiacco — Thu, 17 Jul 2008 23:06:20 +0000

OK, I counted…. I upgraded 47 plugins on eight sites today with no problems anywhere.
Out of the WordPress 2,571 available plugins, I think it may be prudent for you to cite more examples of your “alert” before claiming this as a potential epidemic.
I’m not discounting that the problems you mention are needing attention, but to state “Let me repeat, Do Not Click on Upgrade Automatically” might be a bit of an overreaction at this point.

By: Joost de Valk

Joost de Valk — Thu, 17 Jul 2008 19:08:36 +0000

Let me make clear that it was absolutely NOT my intention to do this! We’ll have to find a way to make this system a bit more robust :)