diff --git a/public/language/en-GB/error.json b/public/language/en-GB/error.json
index 4eb92d2d92..7d02231e02 100644
--- a/public/language/en-GB/error.json
+++ b/public/language/en-GB/error.json
@@ -200,5 +200,7 @@
 "cannot-block-guest": "Guest are not able to block other users",
 "already-blocked": "This user is already blocked",
 "already-unblocked": "This user is already unblocked",
- "no-connection": "There seems to be a problem with your internet connection"
+ "no-connection": "There seems to be a problem with your internet connection",
+
+ "plugin-not-whitelisted": "Unable to install plugin – only plugins whitelisted by the NodeBB Package Manager can be installed via the ACP"
 }
diff --git a/src/plugins/install.js b/src/plugins/install.js
index 54b675a679..a0061bc77f 100644
--- a/src/plugins/install.js
+++ b/src/plugins/install.js
@@ -7,6 +7,7 @@ const nconf = require('nconf');
 const os = require('os');
 const cproc = require('child_process');
 const util = require('util');
+const request = require('request-promise-native');
 
 const db = require('../database');
 const meta = require('../meta');
@@ -66,6 +67,20 @@ module.exports = function (Plugins) {
 return { id: id, active: !isActive };
 };
 
+ Plugins.checkWhitelist = async function (id, version) {
+ const body = await request({
+ method: 'GET',
+ url: `https://packages.nodebb.org/api/v1/plugins/${encodeURIComponent(id)}`,
+ json: true,
+ });
+
+ if (body && body.code === 'ok' && (version === 'latest' || body.payload.valid.includes(version))) {
+ return;
+ }
+
+ throw new Error('[[error:plugin-not-whitelisted]]');
+ };
+
 Plugins.toggleInstall = async function (id, version) {
 pubsub.publish('plugins:toggleInstall', { hostname: os.hostname(), id: id, version: version });
 return await toggleInstall(id, version);
diff --git a/src/socket.io/admin/plugins.js b/src/socket.io/admin/plugins.js
index 16f112130d..b73623c49c 100644
--- a/src/socket.io/admin/plugins.js
+++ b/src/socket.io/admin/plugins.js
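Review bot: In `Plugins.checkWhitelist` (src/plugins/install.js), `version === 'latest'` passes as soon as the package service answers `code: 'ok'`, so `payload.valid` is never consulted for it, and whatever concrete version the installer (outside this hunk) later resolves for `latest` is not itself compared with the list. If that is intended, state it in a comment such as `// 'latest' is accepted whenever the package manager knows the plugin; the resolved version is not verified`; otherwise require a concrete whitelisted version before installing. `body.payload.valid.includes(version)` throws a TypeError when `payload` or `valid` is missing, which reaches the admin as a generic error rather than `[[error:plugin-not-whitelisted]]`; adding `Array.isArray(body.payload && body.payload.valid)` to the condition keeps that case on the intended rejection path. The request options set no `timeout`, so an unresponsive package service stalls the admin call until the socket gives up. The enclosing `module.exports = function (Plugins)` wrapper starts and ends outside the hunk.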
@@ -19,6 +19,7 @@ Plugins.toggleActive = async function (socket, plugin_id) {
 
 Plugins.toggleInstall = async function (socket, data) {
 require('../../posts/cache').reset();
+ await plugins.checkWhitelist(data.id, data.version);
 const pluginData = await plugins.toggleInstall(data.id, data.version);
 await events.log({
 type: 'plugin-' + (pluginData.installed ? 'install' : 'uninstall'),
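Review bot: `await plugins.checkWhitelist(data.id, data.version)` runs before `plugins.toggleInstall`, which handles removal as well (see the `'install' : 'uninstall'` log type two lines below), so a plugin that is already installed but not on the whitelist, or any plugin while the package service is unreachable, can no longer be uninstalled from the ACP. The check should gate only the install direction, for example by skipping it when the plugin is currently installed. The guard also exists only in this socket handler: the `Plugins.toggleInstall` wrapper shown in src/plugins/install.js does not call it, so any other entry point that reaches the installer is presumably not covered, and moving the call into the install path there would enforce it for every caller. `require('../../posts/cache').reset()` still executes before the check, so a rejected request flushes the post cache; putting the `checkWhitelist` line first avoids that. The handler's body continues past the end of the hunk.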