• Resolved elyptic

    (@elyptic)


    I have downloaded a plugin for adding Google Analytics code to my site. I later discovered it was a scam, with someone else’s source code and a tiny piece of JavaScript appended to the end which attempts to download a darkleech trojan from myftp.org

    I followed up with a review to warn others, and then tracked the author’s other ‘work’. As it turns out he has done the same with an SMTP Mail plugin, a Google Maps plugin, and a redirects plugin.

    How and where do we report these offenders hiding in plain sight?

Viewing 10 replies - 1 through 10 (of 10 total)
    Andrew Nevins

    (@anevins)

    WCLDN 2018 Contributor | Volunteer support

    You will have to report it to the plugins team, just as you have done previously.

    Thread Starter elyptic

    (@elyptic)

    I have not been able to find where to report it to the plugins team. All I have been able to do so far is rate it a 1 star, and review it descriptively on the plugin’s page.

    I also subscribed to updates from the author’s page, which brought the topic up again, as he is recruiting his friends (or possibly just creating new emails) to positively review the scam to boost ratings. I see thousands of downloads of this plugin.

    Andrew Nevins

    (@anevins)

    WCLDN 2018 Contributor | Volunteer support

    Oh, it’s an email to the team mailing list: plugins [at] www.remarpro.com

    Thread Starter elyptic

    (@elyptic)

    Great thanks Andrew, sent.

    MarieDi

    (@mariedi)

    Why not list the plugins here?
    I mean, SMTP Mail, Google Analytics and Google Maps plugins are very popular. We should know if any are dangerous.

    Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    Why not list the plugins here?

    Because a) it’s often incorrect and the plugins had nothing to do with the user’s site being exploited and b) it’s irresponsible to just post plugins like that.

    If someone suspects a plugin or being exploitable then follow Andrew’s advice.

    Thread Starter elyptic

    (@elyptic)

    The plugin was written with malicious code hidden at the end of the file. The plugin isn’t exploitable; it’s an exploit. Installing these plugins begins the exploit. Exploitable just means insecure / poorly written code. But I know what you mean about people posting possible false alarms.

    I see that they have been removed from the listing which is good, but does that notify the users of the plugin? Or are they all still in the dark?

    Maybe a good routine to start is checking your plugins’ “View details” link, and if it’s gone then it’s probably a good idea to uninstall the plugin as well.
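The routine suggested above (does each installed plugin still have a directory listing?) can be automated by asking the WordPress.org plugins API about each installed slug. The script below is an added example, not code from the thread or from WordPress.org. It assumes the `api.wordpress.org/plugins/info/1.0/{slug}.json` endpoint and assumes that a slug which is not (or no longer) listed comes back as an `error` object, a `null` body or HTTP 404; the canned replies in `SAMPLE_REPLIES` are constructed for the offline demonstration and are not real API data. It checks by slug (the plugin's folder name) rather than by title, since titles can be changed freely, and it reports "not_listed" rather than "malicious": a plugin that was never in the directory (custom or commercial) gets the same verdict, so a hit is a prompt to investigate, not proof of a scam.

```python
"""Check whether installed WordPress plugin slugs are still listed in the
WordPress.org plugin directory.  Added example; assumptions are marked."""
import json
import urllib.error
import urllib.request

# Assumption: listed plugins return their metadata as a JSON object; a slug
# the directory does not know returns an "error" object, "null" or HTTP 404.
PLUGIN_INFO_URL = "https://api.wordpress.org/plugins/info/1.0/{slug}.json"


def classify_response(status, body):
    """Map one API reply (HTTP status, raw body) to a verdict.

    Pure function, so it can be exercised against canned replies offline.
    Returns 'listed', 'not_listed' or 'unknown' (network or format trouble).
    """
    if status == 404:
        return "not_listed"
    if status != 200:
        return "unknown"
    try:
        data = json.loads(body)
    except ValueError:
        return "unknown"
    if not data or "error" in data:
        return "not_listed"
    # A directory entry always carries the plugin's slug and display name.
    if isinstance(data, dict) and data.get("slug") and data.get("name"):
        return "listed"
    return "unknown"


def fetch_plugin_info(slug, timeout=10):
    """Query the live directory for one slug.  Returns (status, body)."""
    req = urllib.request.Request(
        PLUGIN_INFO_URL.format(slug=slug),
        headers={"User-Agent": "plugin-listing-check/1.0"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")
    except (urllib.error.URLError, OSError):
        return 0, ""  # classified as 'unknown', never as 'listed'


def audit_plugins(slugs, fetch=fetch_plugin_info):
    """Return {slug: verdict} for every slug.  fetch is injectable so the
    logic can be tested without touching the network."""
    return {slug: classify_response(*fetch(slug)) for slug in slugs}


# Constructed sample replies standing in for the live API (not real data).
SAMPLE_REPLIES = {
    "akismet": (200, json.dumps({"name": "Akismet Anti-Spam",
                                 "slug": "akismet", "version": "5.0"})),
    "removed-example-plugin": (200, json.dumps({"error": "Plugin not found."})),
    "closed-example-plugin": (404, ""),
    "never-listed-example": (200, "null"),
    "flaky-mirror-example": (503, "Service Unavailable"),
}


def sample_fetch(slug):
    """Offline stand-in for fetch_plugin_info using SAMPLE_REPLIES."""
    return SAMPLE_REPLIES.get(slug, (0, ""))


if __name__ == "__main__":
    import sys

    slugs = sys.argv[1:]
    if slugs:
        results = audit_plugins(slugs)              # live directory lookup
    else:
        results = audit_plugins(SAMPLE_REPLIES, sample_fetch)  # offline demo
    for slug, verdict in sorted(results.items()):
        print(f"{slug}: {verdict}")
```

Run it with the slugs of the site's installed plugins, for example `python3 check_listing.py $(wp plugin list --field=name)`, and follow up on every `not_listed` result: either confirm the plugin was never distributed through the directory, or treat it as the "View details link is gone" case and remove it.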

    I’d like to add some relevant feedback related to one of the replies in this topic.

    I see that they have been removed from the listing which is good, but does that notify the users of the plugin? Or are they all still in the dark?

    No, I don’t think that currently there is such a mechanism that could notify users in case a plugin has been proved to be malware. This is similar to the cases that ownership of a plugin changes and the new owner decides to exploit the active users of the plugin (there’s a very good read in the plugins make site about it). A notification system or other mechanism is possibly needed.

    To take it one step further and in addition to the above, the current plugin search results, which imho sometimes are too generous to very new plugins with very few active users, combined with the fact that the plugin titles can be freely changed regardless of the plugin slug, could trick inexperienced users and facilitate the distribution of malware. The lack of a notifications mechanism just makes it worse, because affected web sites remain in the dark.

    PS: I just know that the following clarification is not needed, but just to be sure, all the above are just feedback for improvement. The job that is being done is fantastic, the repository imho is doing much more work for the users than it had to, and I’m certain that everyone involved has earned the respect of all users with their great work!

    We raised the issue of a lack of notifications for removed plugins like this a while ago; unfortunately it has been three years since it was indicated that it was being worked on and it still hasn’t been resolved.

    We have added listings for Breadcrumbs EZ (breadcrumbs-ez) and Enable Google Analytics (enable-google-analytics) to one of our plugins that warns about this type of thing and will be adding them to the other plugin shortly. If someone can let us know what the other plugins were so that we can add those as well, we would appreciate it. If you don’t want to post that information here, you can contact us directly [Moderated]

    Andrew Nevins

    (@anevins)

    WCLDN 2018 Contributor | Volunteer support

    @whitefirdesign, Good cause but please don’t ask people to contact you.

  • The topic ‘How to report malware in plugins?’ is closed to new replies.