Hi @pdjp ,
Thanks a lot for the report. You diagnosed it exactly right, this is a false positive on Vigilant’s side, not a problem with your site.
The Closed Plugins check looks each plugin up by its slug (the plugin’s folder name) against the WordPress.org API, not by its display name or author. WPML installs into the folder sitepress-multilingual-cms, and that slug was hosted on WordPress.org years ago (till 2017), back when it was a free plugin by icanlocalize. When WPML moved to a paid, self-hosted model, that old listing was closed, and WordPress.org still serves it as “closed” forever, frozen at the last free version (2.0.4.1).
The commercial WPML you have installed (WPML Multilingual CMS by OnTheGoSystems, v4.9.5) reuses that same folder name, so it collides with the old closed listing and gets flagged. It is a legitimate, fully supported plugin and there is nothing wrong with your install.
WPML is a special case, because most premium plugins were never on WordPress.org at all, and Vigilant already skips those silently. WPML is different because it was there and then got closed when it went commercial, which is exactly the gap the current check does not handle yet.
For now you can silence the alert without losing any protection: go to Vigilant → File Integrity → Closed + Removed Plugins and click “Ignore” on the sitepress-multilingual-cms row. It stays tracked, but drops out of the results list and the email alerts.
I have already added this to the roadmap and will teach the check to recognize legitimately reused slugs like WPML’s in an upcoming release, so it will stop flagging it. Until then, the Ignore button is the way to go.
Thanks again for taking the time to report it so clearly. It genuinely helps.
Best,
Fernando