Highlight plugins with security updates

  • It would be handy if plugins that have critical security updates in them were highlighted in the plugins page (and dashboard too as a bonus).

    For example, on many sites I run updates on a monthly or quarterly basis. However, if a visual flag or message appeared that these plugins had a critical security update, then this would help devs to make sure they run these asap and not on the usual update schedule.

Viewing 5 replies - 1 through 5 (of 5 total)
  • Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    It would be handy if plugins that have critical security updates in them were highlighted in the plugins page (and dashboard too as a bonus).

    Great GNU, I hope that is never done here!

    *Drinks coffee*

    That is not a good idea because then that highlight becomes a curated list for hackers to (easily) compromise WordPress sites that have not updated.

    You can easily confirm that auto updates for plugins are enabled on your site.

    https://www.wpbeginner.com/plugins/how-to-enable-automatic-updates-for-wordpress-plugins/

    When you log into your admin, you can easily see what plugins need updating and your code should be maintained.

    Thread Starter katmacau

    (@katmacau)

    How would hackers see your plugins page? If hackers can see your plugins list in your WordPress admin you have bigger problems.

    Plugins currently show in their changelog if they have security fixes. This concept would simply visually highlight this in the plugins page without having to click on the View Version X details for each plugin.

    Aware of auto update, but that is not always suitable for all sites. This idea would reinforce when an update is critical.
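    As an added illustration (not code from anyone in this thread), here is a must-use plugin that combines the two points raised above: plugin auto-updates stay on, but only for updates whose WordPress.org changelog entry for the pending version mentions a security fix, while everything else stays on the site's manual schedule. The `auto_update_plugin` filter and `plugins_api()` are real WordPress APIs; the `example_` function name, the keyword list and the `<h4>`-heading changelog parsing are assumptions.

```php
<?php
/**
 * Plugin Name: Security-only plugin auto-updates (illustrative example)
 * Description: Auto-update a plugin only when the changelog entry for the
 *              pending version mentions a security fix. Place this file in
 *              wp-content/mu-plugins/ so it loads without activation.
 */

/**
 * Heuristic (assumption): WordPress.org renders a readme changelog as
 * <h4>1.2.3</h4> followed by that version's notes, so slice the text between
 * that heading and the next <h4>. Plugins with no entry for the version
 * (or no changelog at all) never match and keep the default behaviour.
 */
function example_changelog_mentions_security( string $changelog_html, string $version ): bool {
    $pattern = '~<h4>\s*' . preg_quote( $version, '~' ) . '\s*</h4>(.*?)(?=<h4>|$)~is';
    if ( ! preg_match( $pattern, $changelog_html, $m ) ) {
        return false;
    }
    $entry = strtolower( wp_strip_all_tags( $m[1] ) );
    foreach ( [ 'security', 'vulnerability', 'xss', 'csrf', 'sql injection' ] as $term ) {
        if ( false !== strpos( $entry, $term ) ) {
            return true;
        }
    }
    return false;
}

add_filter( 'auto_update_plugin', function ( $update, $item ) {
    // Respect an existing "always auto-update" choice; skip non-.org items.
    if ( $update || empty( $item->slug ) || empty( $item->new_version ) ) {
        return $update;
    }
    if ( ! function_exists( 'plugins_api' ) ) {
        require_once ABSPATH . 'wp-admin/includes/plugin-install.php';
    }
    // Cache per plugin+version so each cron run does not re-query WordPress.org.
    $key         = 'secupd_' . md5( $item->slug . '|' . $item->new_version );
    $is_security = get_transient( $key );
    if ( false === $is_security ) {
        $info = plugins_api( 'plugin_information', [
            'slug'   => $item->slug,
            'fields' => [ 'sections' => true ],
        ] );
        $matched     = ! is_wp_error( $info ) && ! empty( $info->sections['changelog'] )
            && example_changelog_mentions_security( $info->sections['changelog'], $item->new_version );
        $is_security = $matched ? 'yes' : 'no';
        set_transient( $key, $is_security, DAY_IN_SECONDS );
    }
    return 'yes' === $is_security ? true : $update;
}, 10, 2 );
```

    The decision is made locally on the site during the normal update check, so nothing about which plugins are outdated is published anywhere.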

    Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    How would hackers see your plugins page? If hackers can see your plugins list in your WordPress admin you have bigger problems.

    The same way you would from the outside.

    There is not a single attacker in the universe that says “Oh, I can’t see those plugins. I should skip that site.” They do not need to see your plugins page. They probe a site with a kit that contains as many exploits as they are looking for and see which attacks had an indication that exploitable code is present on the targets being scanned.

    Aware of auto update, but that is not always suitable for all sites. This idea would reinforce when an update is critical.

    All plugin and theme updates are critical and labeling them from WordPress.org that way just creates curated lists for people to exploit. There are already more than enough valid lists of CVEs. There is no reason to add a new one.

    If someone is concerned, and that is a good thing, they should avail themselves of a 3rd party plugin that does exactly what you are suggesting. Such as Wordfence.

    https://wordpress.org/plugins/wordfence/

    There are other plugins as well.

    There are scenarios where the WordPress community does get informed about security risks like that. But that ends up in the WordPress dashboard news feed and is an extraordinary instance.

    Yoru Oni

    (@yoruoni)

    katmacau, I like your idea, but this is utopia. Take, for example, the fact that many developers do not maintain a changelog, or deliberately keep silent about security issues in it, and there are no sanctions for this.

    meascal

    (@meascal)

    It is individual thinking, I don’t think changelog will help hackers.
