
Sectigo’s CodeGuard is Sharing the Files From Their Customers’ WordPress Websites With Third-Parties

via pluginvulnerabilities.com (original post)

Making backups of WordPress websites is an important security measure, but it can also create security risks of its own. Too often that risk comes from security vulnerabilities in backup plugins, where even plugins with millions of installs can fail to implement basic security. It turns out the risk can also come from a third party you are paying to handle backups for you.

Recently there was news coverage of a tool that claimed to detect “malicious plugins” and a research paper about it, titled “Mistrust Plugins You Must: A Large-Scale Study Of Malicious Plugins In WordPress Marketplaces”. The research is odd, since it mixes together plugins that apparently contained malicious code when they were added to websites and malicious code that was added to plugins after a hacker had gotten access to websites. The latter is an odd thing to focus on, since once hackers have gained access to websites, they often plant malicious code in various places on the website. That really has nothing to do with WordPress plugins, since the same code could be in other files on the websites as well.