WordPress.org

Make WordPress Core

Opened 14 months ago

Last modified 14 months ago

#45058 new enhancement

Proposal for plugin/theme public hashes to prove authenticity of installed code

Reported by: duanestorey Owned by:
Milestone: Awaiting Review Priority: normal
Severity: normal Version:
Component: Upgrade/Install Keywords:
Focuses: Cc:
PR Number:

Description

There have been some discussions recently online about issues surrounding nulled (pro) themes and plugins, as well as unauthorized, possibly modified versions of themes and plugins hosted on WordPress.org, but installed from other sources.

I would like to propose adding a plugin/theme hashing mechanism to the deployment system (i.e. when you tag a plugin or theme, part of the package generation process generates the archive hash for display publicly on the associated plugin/theme page of wordpress.org, and also available via the API to the plugin page and auto-updater within WordPress).

Ultimately this would let both end-users and WordPress itself potentially understand whether or not a plugin or theme had been modified. Possibly as part of the nightly cron WordPress could check the local plugin/theme hashes against the published ones -if they didn't match, it indicates something has been changed locally. Conceivably Pro plugin authors could implement a similar approach, the goal of course not being to prevent people from taking advantage of the freedoms associated with the GPL, but to help alleviate issues where ZIP files floating around have malicious code in them but the end-user doesn't have the ability to detect that themselves. At the bare minimum providing hashes would allow someone to know if a plugin or theme had been modified after the author(s) officially released them.

I have seen various other open source projects now provide hashes of the official downloads online. It might be a good direction for WordPress to go towards in the future as well. I wanted to post this to possibly generate some discussion around it. Cheers.

Change History (2)

#1 @joyously
14 months ago

Related: #32101 and #14179 (especially comments at the end)

#2 @SergeyBiryukov
14 months ago

  • Component changed from General to Upgrade/Install

Related: #25052

Note: See TracTickets for help on using tickets.