• Hey there

    Would you guys consider downgrading the label for plugin updates from “Critical” to perhaps “Warning”?

    I do agree that plugin updates need to be performed regularly, however, not every plugin update comes with a bug fix for a vulnerability exploit.

    Perhaps critical should be reserved for actual issues that the site is facing such as malware or known exploits.

    Thanks,
    Wil.

    https://wordpress.org/plugins/wordfence/

Viewing 7 replies - 1 through 7 (of 7 total)
  • I agree 100%. I just noticed that myself this morning with the AnimateIt plug-in.

    It’s marked as a Critical update, but the only change to that version of the plug-in is additional language support. Hardly “critical” in any way.

    Agree. Tired of false warnings, also tired of all the shouting about plugins I don’t even use. More, one wonders if the Wordfence WAF takes up any bandwidth defending against exploits for plugins we don’t use? Seems like that list will become hundreds if not thousands…

    Be all this as it may, the onus rests on the WordPress plugin system, which clearly is broken and will obviously lead to some major web-wide problems if it has not already.

    MTN

    Actually I believe that the WordPress plugin system is undergoing some sort of change but I can’t really say what because I’m not privy to that information. We certainly would love it if WordPress would dump old unsupported and vulnerable plugins. It would save many people unnecessary heartache when their sites are compromised because of it. I can say that some pretty smart people are working on that and I trust that their solution is going to be a good one.

    As for what we can do, we are in the process of evaluating the best way to handle that so that we alert you for actual security changes and not the cosmetic ones. However, we still maintain one of the best ways to stay safe is to keep things updated, especially your plugins.

    tim

    Maybe just not reporting whether it’s “critical” or not – but simply advising the user there’s an update?

    At the time of the check, if there is insufficient information to determine whether an update is actually critical or not, maybe the “criticality” of it shouldn’t be reported on at all – just advise about an available update.

    Having said that, this complaint is likely largely one only relevant to developers… for the average user, it’s probably better to report something as critical and force them to keep things updated, rather than for them to take the time to check whether it’s a critical update. Call everything “critical” and it keeps them safer because they’ll perform the update.

    I get why it would be annoying for developers, though…

    “some pretty smart people are working on that” could be the second most scary 8 words in the English language, or for that matter any language. But if they get it right, wonderful. They sure blew it on the internet, er., I mean “hackernet.” MTN

    I’ve had numerous plugins I had to downgrade to keep working. I eliminate when I can, but one does not always have hours to spend looking for and testing a replacement. And yes on the changelogs, they’re lame and clearly don’t always list everything, sometimes more a publicity stunt than anything else. In terms of “update everything” being a security priority, I question that and would like to see the statistics that back that up. Not a day goes by when we don’t hear of a new version of WordPress, or a plugin or something else having a new attack vector. One has to wonder how much enhanced security is obtained by blindly updating everything at every chance. MTN

    Thread Starter DeveloperWil

    (@developerwil)

    Thanks @wfsupport et al for responding. This isn’t a complaint, just a suggestion.

    Part of my services include support & maint for WordPress customer sites so when I see the word “Critical” I jump up and take notice.

    Because every plugin update is marked as critical and the volume of emails I get for the many supported sites is large, it’s becoming a case of – critical alert, oh that’s just a plugin update, I’ll handle that at the end of the day.

    I actually missed what was a critical malware alert in the sea of plugin updates.

    Something to think about maybe.

    Cheerz,
    Wil.

The topic ‘Downgrade "Critical" label for plugin updates?’ is closed to new replies.