ClassicPress Petitions
This is a read-only archive. Post or comment on the live version of this page on our forums.

Show notice if plugin update path does not exist any more

September 7, 2018 · 15:59 · Dora D.
Description

In the local plugin/theme listing, e.g. if a plugin/theme is removed from the repository or an external update source is not reachable. Maybe dismissible for 'a week, month, forever' or similar.

Tags
Request: Modify feature
Discussion
Fabian Wolf

That is an awesome idea indeed. I have at least two plugins which have been closed down or are not available for download anymore, and they are giving me major headaches about how to avoid accidentally clicking "update now" out of habit - and then bang! boom! bang! the installation is broken and I may have to do all of that day's changes again, because the latest backup is from the day before.

Avrom

Very good idea. And plugins are removed from the repository for good reason.

Mike

I like this idea on paper, but not so much in practice. I think this could lead to security issues. For example, say an ambitious hacker installed every last plugin in the repo across a network of "monitoring" sites. All they have to do is wait for notices to come up in the dashboard indicating that an update path is no longer available, which is sometimes an indicator that a plugin was removed for security reasons. These notices could direct hackers straight to vulnerable plugins.

George L.

I can see Mike's point regarding security, but I think it's probably worse for admins to never realise a plugin was removed from the repository, as it gives hackers plenty of time to exploit the site.

Take a look at Postman SMTP (https://wordpress.org/plugins/postman-smtp/) for example. It was closed months ago and it still has 100k+ installations, even though a direct replacement (fork) exists (https://wordpress.org/plugins/post-smtp/).

A hacker can already monitor the whole WP repository quite easily using scripts and identify which plugins get removed.

To me, it would make even more sense for CP to also send an email to the admin user asking them to replace/deactivate the plugin immediately. It's then up to the admins if they'll do this or risk their site.