Alert When Installed Plugins Have Been Removed From the Plugin Directory

  1. J.D. Grimes

    I didn't realize that so many plugins were removed for other reasons, and you're entirely right that there really isn't any need to notify folks about some of that. Although personally I would certainly like to know any time a plugin is no longer going to be maintained, for whatever reason.

    >The problem with this whole idea is that users start thinking about security incorrectly and that causes more problems than it thinks.

    I wasn't quite sure what you were referring to in terms of how users would think incorrectly, so I just read back through most of the comments here, and I didn't really get any clues. I assume that you mean that you're afraid that users will totally freak out for every kind of vulnerability, even when they aren't at all serious. That is definitely a reasonable concern, but I think it could be mitigated by only showing notices for especially critical vulnerabilities, or by giving a general rating of the vulnerability's severity to the user.

    Posted: 2 years ago #
  2. Thinking about security incorrectly cuts both ways.

    Without the perspective to understand what the vulnerability rating means to me, it's incredibly hard for people to grasp the situation.

    Take, for example a privilege escalation bug. One that gives subscribers access to write posts and delete them. Okay, that's a HUGE deal. But... If I don't have any other users on my site besides me, is it a huge deal for me? No. Is it enormous for someone with a forum or open registration site? You bet!

    So that also is a huge part of the issue. There's a lot more education than just slapping a rating on a vulnerability (which IMO is where most security sites miss the mark). I'm afraid, based on experience, that users will simultaneously think a situation is not as dire as all that and grossly over-inflate the FUD factor :/

    None of this is a reason not to do it, of course, but we're simply not in a place where we can responsibly manage it. Right now, we would put people in a worse situation by providing them with contextless information. We have neither the tools nor the manpower to manage a feat. Heck, neither do most security firms, and that oughta scare you.

    Posted: 2 years ago #
  3. 50M

    I am in total disbelief that there's not either a page that shows which plugins were removed and why WordPress.org removed them, or an email list one can subscribe to so that they receive notifications of plugin removals.

    As an example, it seems ridiculous that the only way I found out that the Social Media Feather plugin was removed from the repository (due to them sneaking in all kinds of tracking scripts) was by accident. I went to the repository to download it to load on a new site, and I could not find it. The only way I found out about the issue was by Googling for a few minutes.

    At the very least, would it be so hard for the WP.org admins to add a note on the plugins page so that users could know it's been removed and why?

    Posted: 1 year ago #
  4. We actually have a ticket for that, but it all comes back to FUD (Fear, Uncertainty, Doubt).

    There are many different reasons a plugin is removed. Security, behavior, guidelines, retirement, and more. Not all should be given the same amount of attention. At the same time, closing a plugin for security without a fix means we are publishing a problem without mitigation, and putting people at risk.

    There isn't a good answer here. We've not yet found one that properly balances all the concerns. So right now we don't disclose at all. It has about as many issues as full disclosure would :/

    Posted: 1 year ago #
  5. Ambyomoron

    I think it is important to maintain a trace of plugins removed from the repository, with a simple classification of why they have been removed, something like:
    - failure to meet WP plugin standards
    - significant security risk
    - removed by the owner

    Posted: 11 months ago #
  6. timmarker

    I know and trust you all are working on it. I think you should immediately remove any plugin that has been sold/purchased. Maybe some kind of policy that plugin developers can only sell their plugins to users, and not other developers. I know that's a little anti-open source, but things are getting a little crazy.

    Posted: 10 months ago #
  7. abhishek23

    When there is some error in a plugin, the whole website goes down. It doesn't even show the bugged plugin's name. Sometimes it irritates me.

    Posted: 10 months ago #
  8. We're not going to remove any plugin that's been purchased for two reasons:

    1) We don't always know.
    2) Many purchases are perfectly fine.

    Even if you said 'close them when someone new is added' they could just hand over the user account to someone else.

    Software being purchased, without your notice, is common. It happens on your phones, your laptops, everything. It's the nature of the beast :/

    And while you feel it's getting out of hand, you should keep in mind that dozens of plugins change hands a month. You hear about 4 or 5 that, over the course of a year, are handed over to bad actors. Less than 5% of all plugins have this problem. It's not widespread, it's just a hassle when it happens.

    A far bigger issue remains good people using bad code and leaving you open to hacks :(

    Posted: 10 months ago #


  • Rating

    76 Votes
  • Status

    Good idea! We're working on it