How to Prevent Hacks Through Malicious Plugin Slug Changes with MalCare

Did you know that a simple change in the slug of a WordPress plugin can hide critical updates and leave your site vulnerable to security threats? A hacker can also upload outdated plugins to your site and introduce vulnerabilities to it.

WordPress security can often feel like a game of whack-a-mole: you smack one threat on the head, and another pops up. This is why partnering with a security provider that does the whacking for you—so to speak—is the best way to protect your site. 

Today, we are introducing a security enhancement for our vulnerability reporting system to whack yet another mole.

Leaving the backdoor open

WordPress plugins are frequently updated by good developers to patch security vulnerabilities and enhance functionality.

However, if a plugin’s slug is changed—something that can be done intentionally by a developer or maliciously by a hacker—WordPress may not recognize the plugin to notify you of available updates.

This gap can lead to your website running outdated, vulnerable plugins without your knowledge. And these plugins can turn into backdoors for hackers who know of their vulnerabilities.

Tamper-proof vulnerability alerts

Earlier, MalCare’s constant monitoring would check plugin slugs and alert you if any vulnerable plugins were detected. 

Now, we are going one step deeper and further: MalCare will check not only the plugin slug but its readme files as well. Furthermore, it will compare plugin names, plugin authors, and more, to ensure airtight vulnerability monitoring.

So no matter what changes are made to the plugins, you will still be alerted about the vulnerable ones. You can then apply updates, while our firewall fends off attacks. 

Already part of MalCare

No configuration is necessary. The feature is already in place, as you read this article.