Support » Plugin: XML Sitemaps » Plugin removed from repository

  • Wordfence just notified me of this critical problem:

    * The Plugin “Google XML Sitemaps” has been removed from

    Was the plugin removed for security reasons, or because it’s gone out of maintenance, or has it transitioned to a different plugin?

    I’m wondering how important it is to replace the plugin on all sites that use it.

Viewing 15 replies - 1 through 15 (of 26 total)
  • Apparently the plugin is now being maintained by W3edge. It may be that they need to resubmit to the repository. Would be nice if they weighed in here to tell us what’s up.



    The XML SiteMaps plug is getting flagged as an issue on my client’s websites. Looks as though there is a new owner — maybe the new owners have to resubmit to the repository?

    The plugin seems to still be working as far as I can tell — but WordFence is not happy that it has been flagged.

    Am posting this here so hopefully, I’ll get a notification once someone posts whatever the resolution to this issue is.

    Switching to the sitemap function of Yoast for now. Will reconsider when this plugin is reinstated.

    • This reply was modified 9 months, 3 weeks ago by Floris. Reason: Checked 'notify me'

    It looks like an update was made to the plugin and it was removed by WordPress for review.

    My guess is that once WordPress reviews the plugin and any issues it finds are fixed it will be available again.

    There was an update 3 days ago.

    Two days ago :

    This plugin has been closed as of April 6, 2022 and is not available for download. This closure is temporary, pending a full review.

    I really hope this full review is quick. It’s all-time installation total is almost 30 million sites. I’ve got it on 34 sites, and while I can use the AIOSEO sitemaps or the SEO Press sitemaps, I just don’t have the spare time to make the changes to that many sites.

    I too genuinely shared the same concern upon seeing Wordfence flagging the item as no longer being available in the repository.

    When looking into it myself, it was noted here, as others have mentioned, that maintenance was taken over by w3edge, which advertises W3Cache and actually from Boldgrid so that’s a little odd.

    However, the original author, Arne Brachhold, last update their changelog on their site as 4.0.9, an entry from 2017-07-24 and a look at the updates indicated a new version was updated 3 days ago for version 4.1.2 and notes addressing fixing a security issue related to Cross-Site Scripting attacks on debug page by a new contributor.
    More important, it’s noted that the plugin is being renamed again to “XML Sitemaps Plugin for WordPress” by a new contributor so chances are it’s just under review. With that said, the new version does seem to have some significant changes so I imagine it’s just standard review process.

    • This reply was modified 9 months, 3 weeks ago by chillpanda. Reason: w3edge was mistaken credited with W3 Total Cache based on initial view of the website, this was corrected

    I don’t know if it’s a coincidence but in the last 3 days I have several cases of sites that have this plugin installed and were hacked (user_login field modified inside wp_users)

    Would you recommend deactivating this plugin until further notice? I have it installed on 15 sites as well.

    Thread Starter Andy Giesler


    The comment from @fmosse about hacked sites was enough to make me temporarily remove the plugin out of an abundance of caution. Note that I only had it installed on five sites, and none of them change page structure often enough for the plugin to be critical, so this wasn’t a big decision for me.

    I’m deleting it rather than deactivating. In some cases, a security vulnerability can remain even when the plugin is deactivated. I have no idea whether that would be true in this case — again, just erring on the site of over-caution, and this doesn’t affect many of my sites.

    Thread Starter Andy Giesler


    I’ve contacted both W3-Edge and Arne Brachold to see whether they can shed any light on the situation.

    • This reply was modified 9 months, 3 weeks ago by Andy Giesler.
    Thread Starter Andy Giesler


    I contacted Arne Brachold through his website asking him to confirm that he handed over support to w3edge, and asking whether he was aware of the current situation. He replied:

    “That is correct, I’m no longer affiliated with the plugin for quite some time.”

    Using the link from his site to w3edge, I used their contact form to reach out to them. Their contact form dropdown only lists options for W3 Total Cache support. They replied:

    “As you can see from the form on the website, this is a contact form exclusively for the W3 Total Cache plugin. We are not offering any support for the mentioned plugin and I do not have any information that we actually took over this project. This being said, I am sorry, however, I am unable to assist you with this.”

    So it’s unclear to me who’s maintaining the plugin, or who recently submitted an update for it (including renaming the plugin).

    @fmosse Did you also find mplugin.php files in your plugin directory?

    I’ve checked a random half dozen of my sites, no mplugin.php file to be found.

    @coyotech Yes, it is auto generated at this location :-> mu-plugins/wp-fail2ban.php I don’t know, what is roll of this file?

    I’ve checked another random dozen sizes, I don’t have any unknown php files.

    If you want to know what the file is, open the file in an editor and see what it says, or google the file name.

Viewing 15 replies - 1 through 15 (of 26 total)
  • The topic ‘Plugin removed from repository’ is closed to new replies.