Alert When Installed Plugins Have Been Removed From the Plugin Directory

  1. ThaiFM

    This is a very nice feature! That makes WordPress also a bit safer. Thanks guys.

  2. nerdworker
    From a users standpoint, I wish the plugins were left in the directory, but with the ability to download them removed and a prominent note at the top to explain why it's been disabled.

    I recently had a plugin I was using disappear and I was left to search around the internet to try to find out what happened. It would have been so helpful to be able to come here and just see why it was pulled.

    My vote for functionality would be to have the plugins "disabled" instead of removed, with a prominent note displayed at the top, and then have a notice similar to the update notice, but for a disabled plugin, show in the plugins list on your WordPress plugins page with the reason listed. I don't know if that's doable, and I know there would be a lot of backend work that would need to be done, but I'm just throwing out ideas. :)

  3. The plugin API is not mature enough for this yet as you may have guessed.

    Of the myriad issues, paramount is determining if a plugin really was removed or if it never existed. Right after that is how to properly notify people. If we tell everyone right away that a plugin was removed, say, for a vulnerability, we are IMMEDIATELY putting you all at risk for hacks because there may not be a patched version.

    Reasonable disclosure.

    Not to mention I'm sure many of you don't care if we pulled a plugin for spamming or fake reviews, so long as the code is fine, eh?

    Right now, we actually do have disabled as an option, which means a plugin is removed but still able to push updates. That functionality would need to be revisited.

  4. I posted this on a couple of other threads so apologies if the same audience is here on this one...

    I've created a plugin you might find useful and is related to the OP's request. It adds information to the plugin admin page including:

    1. WordPress plugin repository status i.e. in repository, removed from repository, never in repository
    2. last update date
    3. overall rating
    4. number of votes
    5. WordPress version compatibility range

    The way I determine if a plugin has been removed from the repository is by comparing its status on wordpress.org/plugins/ vs. svn.wp-plugins.org/. That is, a "live" plugin is in the plugin repo and one that is removed isn't, but it still has an entry in SVN.

    Also, some thresholds can be set and if not met, info on the plugin admin page is highlighted in red.

    If you have other ideas of what to add, let me know.
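
The status check described in this comment, as an added example that is not the commenter's plugin and not code from the original thread. It implements the comparison the comment outlines: a plugin listed in the plugin directory is "in repository", one that is absent from the directory but still has an SVN entry is "removed from repository", and one found in neither is "never in repository" (which also covers the premium or theme-bundled plugins mentioned later in the thread). The directory and SVN lookups are injectable callables; the defaults, the plugin slugs, their metadata, the reference date and the threshold values are all constructed for the example and are not real wordpress.org data.

```python
"""Classify installed WordPress plugins by their directory status.

Added example (not the commenter's plugin, not part of the original thread).
The two lookups stand in for the plugin directory listing and the plugins SVN
tree; replace them with real fetchers to run this against wordpress.org.
"""
from dataclasses import dataclass, field
from datetime import date, datetime
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample data (not real plugins): directory metadata keyed by slug,
# and the set of slugs that have an SVN entry.
DIRECTORY_SAMPLE: Dict[str, dict] = {
    "good-plugin": {"last_updated": "2016-05-01", "rating": 92,
                    "num_ratings": 40, "tested": "4.5.2"},
    "old-plugin": {"last_updated": "2014-01-15", "rating": 60,
                   "num_ratings": 3, "tested": "3.8"},
}
SVN_SAMPLE = {"good-plugin", "old-plugin", "pulled-plugin"}

# Constructed reference date so the sample output is reproducible; a real run
# would use date.today().
SAMPLE_TODAY = date(2016, 7, 1)

IN_REPO = "in repository"
REMOVED = "removed from repository"
NEVER = "never in repository"


@dataclass
class PluginStatus:
    slug: str
    status: str
    warnings: List[str] = field(default_factory=list)  # red-highlight reasons


def classify(in_directory: bool, in_svn: bool) -> str:
    """Directory listing wins; an SVN-only entry means the plugin was pulled."""
    if in_directory:
        return IN_REPO
    if in_svn:
        return REMOVED
    return NEVER


def version_key(version: str) -> Tuple[int, int]:
    """major.minor only: WordPress compatibility is declared per minor release."""
    parts = [int(p) for p in version.split(".") if p.isdigit()] + [0, 0]
    return parts[0], parts[1]


def check_plugin(slug: str,
                 directory_lookup: Callable[[str], Optional[dict]] = DIRECTORY_SAMPLE.get,
                 svn_lookup: Callable[[str], bool] = SVN_SAMPLE.__contains__,
                 today: date = SAMPLE_TODAY, *,
                 max_age_days: int = 365,    # hypothetical thresholds
                 min_rating: int = 70,
                 min_votes: int = 10,
                 current_wp: str = "4.5.2") -> PluginStatus:
    """Classify one plugin and collect the threshold breaches to highlight."""
    meta = directory_lookup(slug)
    result = PluginStatus(slug, classify(meta is not None, svn_lookup(slug)))
    if result.status != IN_REPO:
        # Removed or never-listed plugins get no metadata checks: the status
        # itself is the thing to highlight.
        result.warnings.append(result.status)
        return result
    updated = datetime.strptime(meta["last_updated"], "%Y-%m-%d").date()
    age = (today - updated).days
    if age > max_age_days:
        result.warnings.append(f"not updated for {age} days")
    if meta["rating"] < min_rating:
        result.warnings.append(f"rating {meta['rating']} below {min_rating}")
    if meta["num_ratings"] < min_votes:
        result.warnings.append(f"only {meta['num_ratings']} votes")
    if version_key(meta["tested"]) < version_key(current_wp):
        result.warnings.append(f"tested up to {meta['tested']} only")
    return result


def check_installed(slugs: List[str], **kwargs) -> Dict[str, PluginStatus]:
    """Run the check over the installed plugin slugs."""
    return {slug: check_plugin(slug, **kwargs) for slug in slugs}


if __name__ == "__main__":
    installed = ["good-plugin", "old-plugin", "pulled-plugin", "premium-plugin"]
    for status in check_installed(installed).values():
        flag = "[!]" if status.warnings else "   "
        print(f"{flag} {status.slug:16} {status.status}  {'; '.join(status.warnings)}")
```

In a live check the directory lookup would query the wordpress.org plugin information API for the slug and the SVN lookup would test whether the slug has a directory in the plugins SVN tree; only the two callables change, and a network failure should be treated as "unknown" rather than as "never in repository" so that an outage does not look like a removal.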
  5. Thanks for the plugin @Marios.

    I think it's a great feature to see the "last update date" of the plugins.

  6. KIsmay
    I'd like to see a status notice in installed plugins as well.

    A plugin from wordpress.org that has been pulled for security reasons should be flagged as such, especially if an exploit exists!

    If an exploit exists, hackers will be targeting the vulnerability en masse. I was recently bitten by the wp-mobile-detector bug (https://www.pluginvulnerabilities.com/2016/05/31/aribitrary-file-upload-vulnerability-in-wp-mobile-detector/), and wasn't sure if that was the cause of the problem at first because I could not find any announcement. Had I left the plugin in place, I would have been reinfected.

    Plugins from outside of the wordpress.org environment should also be flagged as such, as many premium plugins don't include auto updates, and may have been bundled with a theme. I sometimes find myself maintaining sites I did not create, so it would be useful to have these features in core so I know where to look for updates.

    Looking forward to this feature.

  7. We cannot provide this service at this time.

    IF an exploit exists and we publicize that fact without a patch, we put you MORE at risk.

    If an exploit exists, hackers will be targeting the vulnerability en masse.

    That's exactly the issue. If we make it known there is an exploit, the hackers attack everyone :/

    If we don't tell anyone, then hackers who DO know will attack, but they would have anyway.

  8. J.D. Grimes

    IF an exploit exists and we publicize that fact without a patch, we put you MORE at risk.

    This logic really doesn't make sense to me. First off, the very fact that the plugin has been removed will alert hackers to the fact that an exploit exists. Secondly, your argument assumes that everybody will continue to run the plugin on their site even though they know that hackers are actively exploiting it. If the users do that, they have to take total responsibility when their site gets hacked. (But if you don't tell them, and they get hacked, they should rightly blame you for not telling them about the issue.) But if you tell the users about the vulnerability then they will have the option to delete that plugin and find an alternative if the vulnerability is serious.

    All things considered, I'd say that letting users know about the existence of the vulnerability should put everybody much less at risk, since most users should then delete the plugin from their sites, and in that case there will be much less motive for hackers to put together an exploit for that plugin, since there will be very few sites to exploit. :-)

  9. Jan Dembowski

    The goal of the plugin (and theme) update API is not to report exploits or scare users. It is to deliver updated code.

    First off, the very fact that the plugin has been removed will alert hackers to the fact that an exploit exists.

    It really does not. It tells hackers that the plugin was removed and that can happen for many reasons.

    The problem with this whole idea is that users start thinking about security incorrectly and that causes more problems than it thinks.

    The update mechanism should not be used for this sort of notification. That sort of notification is best reserved as an option of last resort via https://wordpress.org/news/

  10. I checked, and of the last 50 plugins removed from .org, less than half were for security.

    Most actually are 'Please close my plugin' and guideline violations (like sock puppets ;) ).