WordPress.org

Ideas

Alert When Installed Plugins Have Been Removed From the Plugin Directory

  1. WhiteFirDesign
    Member

    Currently when a plugin is reported to have a security vulnerability it is removed from the plugin directory until the vulnerability has been resolved, but no warning is provided to anyone who already installed it. While many plugins are promptly fixed, there are quite a few that remain vulnerable for a long time or are never fixed. WordPress should alert on the Installed Plugins page in WordPress if an installed plugin has been removed from the directory and provide at least a general reason it has been removed, as many are removed for reasons other than security vulnerabilities, so that appropriate action can be taken by admins. In many cases the details of the vulnerability are publicly available, so not providing a warning that a plugin contains a vulnerability will not help to limit the chance of the vulnerability being exploited.

    We have created a plugin that provides a more limited version of this functionality until the issue has been properly resolved.

    Posted: 3 years ago
  2. modus
    Member


    I'd like to add that any solution that would mean having to check each install of WP at least on a daily basis would not be satisfactory. Unless an email is sent to either the site admin and/or additional recipients at the moment of removal detection, it'd be just the same as checking vulnerability services.

    Posted: 2 years ago
  3. Ipstenu (Mika Epstein)
    Half-Elf Support Rogue, Volunteer Forum Mod & Plugin Referee

    FWIW, we're working on a solution. Part of the problem is we'll close a plugin for many reasons:

    * Guideline violations
    * By request
    * Security
    * Licensing

    And then of course there are subsets to these, like would you care about an alert if I told you a plugin was closed because it has affiliate links on the repository page? It doesn't impact the user as much as all that. So we have to sort out how best to alert the right times, and then we have to figure out the best way to alert without spreading FUD.

    We've actually started a step one on the backend, to allow the admins who moderate a better way of seeing what's closed and what isn't. Next up, a way for us to tag WHY a plugin was closed. It's being worked on though :)

    Posted: 2 years ago
  4. sLa NGjI's
    Member


    Currently when a plugin is reported to have a security vulnerability it is removed from the plugin directory until the vulnerability has been resolved, but no warning is provided to anyone who already installed it.

    I'm not sure if it is really true.

    1st

    More plugins, or their bugged versions, with Secunia or other vulnerabilities, are not removed from the WordPress Plugin Repository.

    For example (I'm not writing the real plugin name...): a famous caching plugin has a Secunia problem and a security alert on two release versions. The author/developer patched it with a new version that solves the trouble, but these two old and insecure versions are available for download on the WordPress Plugin Repository and are not removed. More people continue to download them and expose their installations to potential issues. The plugin stats, in fact, indicate that downloads of these two bad versions are 25% of total plugin downloads and the latest version is only 48%, plus all the forked and mirrored copies on other sources outside the official WordPress Plugin Repository.

    Without an official, internal core notification on the Dashboard, IMHO, all of this is related.

    2nd

    More plugins were removed for motivations external to the WordPress Guidelines, but were working fine.

    3rd

    It is possible that more outdated plugins, 2 years old for example, work perfectly with the latest version of WordPress.

    :)

    Posted: 1 year ago
  5. Ipstenu (Mika Epstein)
    Half-Elf Support Rogue, Volunteer Forum Mod & Plugin Referee

    More plugins, or your bugged versions, with secunia or others vulnerability, are not removed from WordPress Plugin Repository.

    They are if you actually report the plugin to us!

    Please, please PLEASE email plugins AT wordpress.org with a link to Secunia or a detailed explanation of the issue and how to reproduce, along with a link to the plugin itself.

    We WILL review it and, if it's accurate, pull the plugin till it's fixed.

    (And we do want to figure out how to alert people, but it means we need to beef up the API so that we have a way to explain WHY we closed a plugin.)

    Posted: 1 year ago
  6. Ellen Hopkins
    Member

    Great idea, thanks for making a temporary plugin until this gets worked on.

    Posted: 1 year ago
  7. webaware
    Member


    The biggest issue with plugins removed from WordPress.org without notification in the admin is that they can age greatly / carry a vulnerability / become obsolete, and there's no indication to the admin. If an active plugin is pulled from the repository, then it would be good if the regular update check marked that plugin as such, so that the admin knows not to expect automatic updates.

    Posted: 6 months ago
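    A minimal version of the check asked for in the first post and in webaware's reply above (flag installed plugins the directory no longer serves, on the Installed Plugins screen), added here as an example and not code from WordPress core, from the thread's authors, or from the plugin mentioned in the first post. It assumes that plugins_api() returns a WP_Error for a slug the directory no longer serves, that a plugin's directory name is its slug, and that it is dropped into wp-content/mu-plugins/.

```php
<?php
/* Plugin Name: Directory Presence Check (example, not a WordPress.org project) */
// Ask the WordPress.org plugin API whether a slug still resolves. Assumption: a closed or
// never-hosted plugin yields a WP_Error from plugins_api(); a network failure does too,
// so treat a hit as a prompt to verify, not a verdict.
function dpc_slug_missing_from_directory( $slug ) {
    if ( ! function_exists( 'plugins_api' ) ) {
        require_once ABSPATH . 'wp-admin/includes/plugin-install.php';
    }
    $args = array( 'slug' => $slug, 'fields' => array( 'sections' => false ) );
    return is_wp_error( plugins_api( 'plugin_information', $args ) );
}
// Map plugin file => name for every installed plugin the API cannot find, cached for
// 12 hours so the cost is one API round-trip per plugin per half day, not per page load.
function dpc_missing_plugins() {
    $cached = get_transient( 'dpc_missing_plugins' );
    if ( false !== $cached ) {
        return $cached;
    }
    if ( ! function_exists( 'get_plugins' ) ) {
        require_once ABSPATH . 'wp-admin/includes/plugin.php';
    }
    $missing = array();
    foreach ( get_plugins() as $file => $data ) {
        if ( false === strpos( $file, '/' ) ) {
            continue; // single-file plugin with no directory, hence no slug to look up
        }
        if ( dpc_slug_missing_from_directory( dirname( $file ) ) ) {
            $missing[ $file ] = $data['Name'];
        }
    }
    set_transient( 'dpc_missing_plugins', $missing, 12 * HOUR_IN_SECONDS );
    return $missing;
}
// One warning per affected plugin, only on the Installed Plugins screen and only for users
// who can act on it. It says "not available" rather than "closed" because a plugin bought
// elsewhere (the CodeCanyon case raised later in the thread) also lands here.
add_action( 'admin_notices', function () {
    $screen = get_current_screen();
    if ( ! $screen || 'plugins' !== $screen->id || ! current_user_can( 'update_plugins' ) ) {
        return;
    }
    foreach ( dpc_missing_plugins() as $file => $name ) {
        $msg = sprintf( '%s (%s) is not available in the WordPress.org plugin directory; it may have been closed or never hosted there, and no automatic updates will arrive for it.', $name, $file );
        echo '<div class="notice notice-warning"><p>' . esc_html( $msg ) . '</p></div>';
    }
} );
```

    Deleting the dpc_missing_plugins transient forces a fresh lookup; the API still gives no reason for a closure, which is the gap the thread asks WordPress.org to fill.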
  8. mailworm
    Member

    With regards to the add/remove_query_args issue just discovered recently, I absolutely agree to implement this idea.

    Having a warning attached to each plugin in the plugins list that it is no longer maintained/available in the wordpress.org repository is a must have!

    I just came across this while using wordshell for the first time to update a dozen websites I am managing.

    Now I have to find replacements for 4 plugins, which even seem not to have been updated/maintained for months!

    Please take this idea into consideration!

    Posted: 2 months ago
  9. Ipstenu (Mika Epstein)
    Half-Elf Support Rogue, Volunteer Forum Mod & Plugin Referee

    We are.

    I know this sounds like I'm on repeat, but there's a significant amount of back end infrastructure that has to take place first. We also have to keep in mind not all plugins come from .org and support that as well.

    You wouldn't want your CodeCanyon plugin to show as 'unavailable' just because it wasn't hosted on .org :)

    Posted: 2 months ago
  10. Julie @Niackery
    Member


    +1 for this idea as well. Just showing my support. Thanks for the update, Mika.

    Posted: 2 months ago


  • Rating: 27 Votes
  • Status: Good idea! We're working on it