WordPress.org


Ideas

Alert When Installed Plugins Have Been Removed From the Plugin Directory

  1. WhiteFirDesign
    Member

    Currently when a plugin is reported to have a security vulnerability it is removed from the plugin directory until the vulnerability has been resolved, but no warning is provided to anyone who already installed it. While many plugins are promptly fixed, there are quite a few that remain vulnerable for a long time or are never fixed. WordPress should alert on the Installed Plugins page in WordPress if an installed plugin has been removed from the directory and provide at least a general reason it has been removed, as many are removed for reasons other than security vulnerabilities, so that appropriate action can be taken by admins. In many cases the details of the vulnerability are publicly available, so not providing a warning that a plugin contains a vulnerability will not help to limit the chance of the vulnerability being exploited.

    We have created a plugin that provides a more limited version of this functionality until the issue has been properly resolved.

    Posted: 1 year ago #
  2. modus
    Member


    I'd like to add that any solution that would mean having to check each install of WP at least on a daily basis would not be satisfactory. Unless an email is sent to either the site admin and/or additional recipients at the moment of removal detection, it'd be just the same as checking vulnerability services.

    Posted: 1 year ago #
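    The two posts above describe a concrete check (is each installed plugin still served by the directory?) and a delivery requirement (an email at detection time, so nobody has to log in to every install daily). The sketch below is an added illustration, not WhiteFirDesign's plugin and not WordPress core code: a small plugin that runs a daily WP-Cron job, asks the WordPress.org plugin information API about every installed plugin through the core plugins_api() function, stores the ones the directory no longer answers for, shows a warning on the Installed Plugins page, and emails the site admin about newly detected removals only. Assumptions: the rpa_* hook and option names are invented for this example; the directory answers with an error for a closed plugin; the API gives no reason for the closure, so only presence or absence is reported; and plugins that were never hosted on WordPress.org (premium or custom ones) will also be listed, so the result needs an admin's review rather than automatic deactivation.

```php
<?php
/**
 * Plugin Name: Removed Plugin Alert (illustrative example, not WhiteFirDesign's plugin)
 * Description: Daily check of installed plugins against the WordPress.org directory; warns on the Installed Plugins page and emails the admin about new removals.
 */

// Schedule a daily check on activation; remove it on deactivation.
register_activation_hook( __FILE__, function () {
    if ( ! wp_next_scheduled( 'rpa_daily_check' ) ) {
        wp_schedule_event( time(), 'daily', 'rpa_daily_check' );
    }
} );
register_deactivation_hook( __FILE__, function () {
    wp_clear_scheduled_hook( 'rpa_daily_check' );
} );
add_action( 'rpa_daily_check', 'rpa_check_installed_plugins' );

/**
 * Ask the directory about each installed plugin and record those it no longer lists.
 * Returns array( slug => array( 'name' => ..., 'reason' => ... ) ) and stores it in an option.
 */
function rpa_check_installed_plugins() {
    if ( ! function_exists( 'get_plugins' ) ) {
        require_once ABSPATH . 'wp-admin/includes/plugin.php';
    }
    require_once ABSPATH . 'wp-admin/includes/plugin-install.php'; // provides plugins_api()

    $missing = array();
    foreach ( get_plugins() as $file => $data ) {
        // The directory slug is the plugin folder; single-file plugins use the file basename.
        $slug = dirname( $file );
        if ( '.' === $slug ) {
            $slug = basename( $file, '.php' );
        }
        $info = plugins_api( 'plugin_information', array(
            'slug'   => $slug,
            'fields' => array( 'sections' => false, 'versions' => false, 'banners' => false ),
        ) );
        if ( is_wp_error( $info ) ) {
            // Assumption: a closed or unlisted plugin comes back as a WP_Error.
            // Caveat: plugins never hosted on WordPress.org land here too; an admin must review the list.
            $missing[ $slug ] = array(
                'name'   => $data['Name'],
                'reason' => $info->get_error_message(),
            );
        }
    }

    $previous = get_option( 'rpa_missing_plugins', array() );
    update_option( 'rpa_missing_plugins', $missing );

    // Email only about plugins not already reported, so the daily run stays quiet otherwise.
    $new = array_diff_key( $missing, $previous );
    if ( $new ) {
        $lines = array();
        foreach ( $new as $slug => $m ) {
            $lines[] = sprintf( '%s (%s): %s', $m['name'], $slug, $m['reason'] );
        }
        wp_mail(
            get_option( 'admin_email' ),
            sprintf( '[%s] Installed plugin(s) no longer in the WordPress.org directory', get_bloginfo( 'name' ) ),
            implode( "\n", $lines )
        );
    }
    return $missing;
}

// Show the last stored result as a warning on the Installed Plugins page.
add_action( 'admin_notices', function () {
    $screen = get_current_screen();
    if ( ! $screen || 'plugins' !== $screen->id || ! current_user_can( 'activate_plugins' ) ) {
        return;
    }
    $missing = get_option( 'rpa_missing_plugins', array() );
    if ( ! $missing ) {
        return;
    }
    echo '<div class="notice notice-warning"><p><strong>These installed plugins are no longer available in the WordPress.org directory; review them before continuing to rely on them:</strong></p><ul>';
    foreach ( $missing as $slug => $m ) {
        printf( '<li>%s (%s): %s</li>', esc_html( $m['name'] ), esc_html( $slug ), esc_html( $m['reason'] ) );
    }
    echo '</ul></div>';
} );
```

    The job deliberately does not deactivate anything: a closed listing can mean a guideline or licensing issue rather than a vulnerability, and the API gives no reason, so the notice and email hand the decision to the admin. Because WP-Cron only fires on page loads, a low-traffic site should trigger wp-cron.php from a real system cron to keep the daily cadence.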
  3. Ipstenu (Mika Epstein)
    Half-Elf Support Rogue & Mod

    FWIW, we're working on a solution. Part of the problem is we'll close a plugin for many reasons:

    * Guideline violations
    * By request
    * Security
    * Licensing

    And then of course there are subsets to these, like would you care about an alert if I told you a plugin was closed because it has affiliate links on the repository page? It doesn't impact the user as much as all that. So we have to sort out how best to alert at the right times, and then we have to figure out the best way to alert without spreading FUD.

    We've actually started a step one on the backend, to allow the admins who moderate a better way of seeing what's closed and what isn't. Next up, a way for us to tag WHY a plugin was closed. It's being worked on though :)

    Posted: 1 year ago #
  4. sLa NGjI's
    Member


    Currently when a plugin is reported to have a security vulnerability it is removed from the plugin directory until the vulnerability has been resolved, but no warning is provided to anyone who already installed it.

    I'm not sure if it is really true.

    1st

    More plugins, or their bugged versions, with Secunia or other vulnerabilities, are not removed from the WordPress Plugin Repository.

    For example (I'm not writing the real plugin name ...): a famous caching plugin has a Secunia problem and security alert on two release versions. The author/developer patched it with a new version that solves any trouble, but these two old and insecure versions are available for download on the WordPress Plugin Repository and not removed. More people continue to download them and expose their installations to potential issues. The stats of the plugin, in fact, indicate that downloads of these two bad versions are 25% of total plugin downloads and the latest version is only 48%, plus all the forked and mirrored copies at other sources outside the official WordPress Plugin Repository.

    Without an official and internal core notification on the Dashboard, IMHO, all is related.

    2nd

    More plugins were removed for motivations external to the WordPress Guidelines, but are working fine.

    3rd

    It is possible that more outdated plugins, 2 years old for example, work perfectly with the latest version of WordPress.

    :)

    Posted: 8 months ago #
  5. Ipstenu (Mika Epstein)
    Half-Elf Support Rogue & Mod

    More plugins, or their bugged versions, with Secunia or other vulnerabilities, are not removed from the WordPress Plugin Repository.

    They are if you actually report the plugin to us!

    Please, please PLEASE email plugins AT wordpress.org with a link to Secunia or a detailed explanation of the issue and how to reproduce, along with a link to the plugin itself.

    We WILL review it and, if it's accurate, pull the plugin till it's fixed.

    (And we do want to figure out how to alert people, but it means we need to beef up the API so that we have a way to explain WHY we closed a plugin.)

    Posted: 8 months ago #
  6. Ellen Hopkins
    Member

    Great idea, thanks for making a temporary plugin until this gets worked on.

    Posted: 3 months ago #


  • Rating: 16 Votes
  • Status: Good idea! We're working on it