Not only that, but so many people are reluctant to pay for anything so your average installation is chock full of freemium plugins. I've worked on plenty of sites whose admin page looked a bit like the IE6 toolbar meme.
The premium plugins are arguably even worse.

Unlike the free plugins, they're not reviewed by the WordPress.org team, and if you stop paying for them then you'll lose access to their future plugin updates, including critical security fixes.

I wouldn't say that their code quality is noticeably higher, either; there have been countless CVEs for premium WordPress plugins over the years, and no shortage of discontinued/abandoned premium plugins that are no longer being maintained but are still installed on thousands of sites.

It makes sense that you wouldn’t receive updates if you stopped paying. You’re paying for the labour up until that point. It’s like paying to have your grass mowed and then complaining because it wasn’t mowed again in the future without you paying.
Hmmm... I'm reluctant to pay for WordPress plugins because a bunch of them are also single purpose plugins from random developers, and of questionable quality.
And they also make your WP admin page look like an IE6 toolbar.
I've long since stopped building WordPress sites for clients, but you would be blown away by the number of people who have installed the free version of Sucuri or Wordfence, zero configuration, and then assume their site is completely safe from attacks.
You absolutely can't rely on the free version of WordFence. It should also be the last line of defense to handle anything that can't get caught by the server WAF.

I recently cleaned a WordPress site (that I now get to manage) of some malware that had multiple redundant persistence layers and the attacker had whitelisted the folders in the WordFence scan. Was actually kind of handy as a checklist to see if I'd missed anything.

What WordFence did manage to do was email an alert that there had been an unauthorised admin login as their admin password had been compromised.

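The comment above describes malware with several redundant persistence layers, some of them hidden from the Wordfence scan by whitelisting folders. A scanner that does not depend on the plugin's own exclusion list is a useful second opinion. The following is an added example, not code from the thread or from Wordfence: it walks a WordPress install and flags the persistence tricks that a cleanup checklist usually covers (PHP under wp-content/uploads, an .htaccess that re-enables PHP execution there, PHP code hidden in non-PHP files such as icons, obfuscated eval chains, request parameters fed straight into exec functions, and unexpected include lines in wp-config.php). The heuristics and the sample site it builds in a temporary directory are constructed for the example.

```python
"""Heuristic persistence scan for a WordPress tree (added example, not Wordfence code)."""
import re
import tempfile
from pathlib import Path

PHP_EXTENSIONS = {".php", ".phtml", ".php5", ".php7", ".phar"}

# Constructed heuristics for this example; they are not Wordfence's signatures.
OBFUSCATION = re.compile(
    rb"\b(?:eval|assert)\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\("
)
REQUEST_EXEC = re.compile(
    rb"\b(?:eval|system|passthru|shell_exec|exec)\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)\b"
)
PHP_HANDLER = re.compile(rb"(?i)(?:AddType|AddHandler|SetHandler)\s+\S*php")
INCLUDE_STMT = re.compile(rb"\b(?:include|require)(?:_once)?\b")


def scan_wordpress(root):
    """Return a list of (relative_path, reason) findings for the tree under root."""
    root = Path(root)
    uploads = root / "wp-content" / "uploads"
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        data = path.read_bytes()
        is_php = path.suffix.lower() in PHP_EXTENSIONS

        # Uploads must only ever hold media; executable PHP there is a dropped backdoor.
        if is_php and uploads in path.parents:
            findings.append((rel, "php file inside uploads"))
        # An .htaccess that maps another extension to PHP re-enables execution in uploads.
        if path.name == ".htaccess" and PHP_HANDLER.search(data):
            findings.append((rel, "htaccess enables php handler"))
        # PHP opening tag in a .ico / .jpg / .txt is a classic hiding place.
        if not is_php and b"<?php" in data:
            findings.append((rel, "php code in non-php file"))
        if OBFUSCATION.search(data):
            findings.append((rel, "obfuscated eval chain"))
        if REQUEST_EXEC.search(data):
            findings.append((rel, "request parameter passed to exec function"))
        # wp-config.php should only pull in wp-settings.php; anything else is a persistence hook.
        if path.name == "wp-config.php":
            for line in data.splitlines():
                if INCLUDE_STMT.search(line) and b"wp-settings.php" not in line:
                    findings.append((rel, "unexpected include in wp-config.php"))
    return findings


def build_sample_site(root):
    """Write a constructed WordPress tree with one clean plugin and several planted artefacts."""
    root = Path(root)
    files = {
        "wp-config.php": (
            b"<?php\ndefine('DB_NAME', 'example');\n"
            b"require_once ABSPATH . 'wp-settings.php';\n"
            b"include 'wp-content/uploads/.x.php';\n"  # planted include
        ),
        "wp-content/plugins/legit/legit.php": b"<?php\nadd_action('init', 'legit_init');\n",
        "wp-content/uploads/2024/03/shell.php": b"<?php eval(base64_decode($_POST['p']));\n",
        "wp-content/uploads/.htaccess": b"AddHandler application/x-httpd-php .jpg\n",
        "wp-content/uploads/logo.ico": b"\x00\x00\x01\x00<?php system($_GET['c']); ?>",
    }
    for rel, content in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(content)


def demo():
    """Build the sample site in a temp dir, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_site(tmp)
        return scan_wordpress(tmp)


if __name__ == "__main__":
    for rel, reason in sorted(demo()):
        print(f"{rel}: {reason}")
```

Running the module prints six findings for the planted files and nothing for the clean plugin. On a live site the same walk is worth running from outside the WordPress process (for example from a cron job or the host), because anything that runs inside WordPress can be disabled by the same access the attacker used to edit the scan exclusions.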
A big part is also that wp.org is very tolerant of malicious-adjacent actors.

Actual malware? The plugins will get blocked.

Plugin randomly starts injecting JavaScript from a third-party domain that displays some football-related widget with affiliate links? They figured that's perfectly in the (new) owner's right and rejected any action, even though it was a classic bait and switch with an entirely unrelated plugin.

At some point you have to assume it's by design.

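The bait-and-switch described above (a plugin changing hands and then injecting a third-party widget script) is hard to notice from the admin side but easy to see in the rendered page. The following is an added example, not code from the thread or from WordPress.org: it collects every script and iframe source from a page, including script URLs created from inline JavaScript, and reports hosts outside a first-party allowlist; comparing a baseline snapshot with the current page then isolates hosts that appeared after a plugin update. The HTML snippets and the `.invalid` hostnames are constructed for the example.

```python
"""Detect newly introduced third-party script hosts in rendered HTML (added example)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Absolute URLs ending in .js inside inline scripts (loader stubs that create <script> tags).
INLINE_JS_URL = re.compile(r"https?://[A-Za-z0-9.-]+(?::\d+)?/[^\s'\"<>]*\.js\b")


class _LoadCollector(HTMLParser):
    """Collect (kind, url) for script src, iframe src and URLs inside inline scripts."""

    def __init__(self):
        super().__init__()
        self.sources = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script":
            self._in_script = True
            if attrs.get("src"):
                self.sources.append(("script-src", attrs["src"]))
        elif tag == "iframe" and attrs.get("src"):
            self.sources.append(("iframe-src", attrs["src"]))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            for url in INLINE_JS_URL.findall(data):
                self.sources.append(("inline-script-url", url))


def third_party_loads(html, first_party_hosts):
    """Return (kind, url, host) for every load whose host is not in first_party_hosts."""
    parser = _LoadCollector()
    parser.feed(html)
    parser.close()
    allowed = {h.lower() for h in first_party_hosts}
    result = []
    for kind, url in parser.sources:
        host = urlsplit(url).hostname  # None for relative URLs, which the site serves itself
        if host is not None and host.lower() not in allowed:
            result.append((kind, url, host.lower()))
    return result


def new_third_party_hosts(baseline_html, current_html, first_party_hosts):
    """Hosts loaded by the current page that the baseline snapshot did not load."""
    before = {h for _, _, h in third_party_loads(baseline_html, first_party_hosts)}
    after = {h for _, _, h in third_party_loads(current_html, first_party_hosts)}
    return sorted(after - before)


# Constructed snapshots: the site at example.com with one known CDN, then the same page
# after a plugin update added an affiliate widget and an inline loader stub.
FIRST_PARTY = {"example.com", "www.example.com"}
BASELINE_HTML = """<html><head>
<script src="/wp-includes/js/jquery.min.js"></script>
<script src="https://example.com/wp-content/plugins/shop/shop.js"></script>
<script src="https://cdn.example.net/lib.js"></script>
</head><body><p>Hello</p></body></html>"""
CURRENT_HTML = BASELINE_HTML.replace(
    "</body>",
    '<script src="https://widget.football-affiliate.invalid/w.js"></script>\n'
    '<script>var s=document.createElement("script");'
    's.src="https://cdn.bait-loader.invalid/loader.js";document.head.appendChild(s);</script>\n'
    "</body>",
)

if __name__ == "__main__":
    for host in new_third_party_hosts(BASELINE_HTML, CURRENT_HTML, FIRST_PARTY):
        print("new third-party host:", host)
```

The baseline still reports cdn.example.net as third-party, which is the point: the allowlist names what the site owner chose, and the diff against a stored snapshot after each plugin update surfaces only what changed. Fetching the page from outside the admin session matters, since injected widgets are often shown only to anonymous visitors.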