WordPress.org

Make WordPress Core

Opened 6 years ago

Closed 4 years ago

#29046 closed feature request (wontfix)

Plugin Vulnerability Notices

Reported by: DoodleDogCody
Owned by:
Milestone:
Priority: normal
Severity: normal
Version: 3.9.1
Component: Plugins
Keywords: has-patch
Focuses: ui, administration
Cc:

Description

Plugin Updates are set up great for maintenance and minor bug fixes; however, it is lacking in critical updates.

I would like to suggest the ability for plugin authors to be able to tag an update as severe vulnerability fix or something of that nature. This would then give a big warning across all admin screens until the plugin is updated or the notice is dismissed.

The way it is now, a lot of people do not update plugins immediately and some don't update plugins at all. With a warning of this nature, most people would see the importance of updating a plugin that has security issues which could cause their site to go down.

Attachments (1)

29046.diff (2.7 KB) - added by voldemortensen 5 years ago.


Change History (7)

#1 @michalzuber
6 years ago

Something like update_nag() might be good for that http://i.imgur.com/gqtR14Z.png

#2 @michalzuber
6 years ago

  • Summary changed from Plugin Vulberability Notices to Plugin Vulnerability Notices

@voldemortensen
5 years ago

#3 @voldemortensen
5 years ago

  • Keywords has-patch added

The idea behind this patch is that a plugin developer can add the 'security-update' tag to a release on the .org repo. This checks for that tag and displays a notice if it's found.

To test this I changed 'security-update' to 'api' and installed different versions of Jetpack.

I think this would be a good tag to reserve for this because http://wordpress.org/plugins/tags/security-update returns nothing.
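The tag check described in the comment above, sketched as a standalone plugin. This is an added example, not the attached 29046.diff and not WordPress core code; the `sun_` function name, the `SUN_TAG` constant and the `sun_flagged` transient key are hypothetical, and 'security-update' is only the tag proposed in this ticket, which WordPress.org does not reserve.

```php
<?php
/**
 * Plugin Name: Security Update Notice (illustration)
 * Added example for ticket #29046; not the ticket's patch.
 */

// Tag proposed in the ticket; not a reserved WordPress.org tag.
const SUN_TAG = 'security-update';

/**
 * Names of plugins whose pending update is tagged as a security release.
 * Results are cached for an hour to avoid an API call on every admin page.
 */
function sun_flagged_plugins() {
	$cached = get_site_transient( 'sun_flagged' );
	if ( is_array( $cached ) ) {
		return $cached;
	}
	require_once ABSPATH . 'wp-admin/includes/plugin-install.php';

	$flagged = array();
	$updates = get_site_transient( 'update_plugins' );
	$pending = empty( $updates->response ) ? array() : $updates->response;

	foreach ( $pending as $update ) {
		if ( empty( $update->slug ) ) {
			continue; // Not hosted on WordPress.org, nothing to look up.
		}
		$info = plugins_api( 'plugin_information', array(
			'slug'   => $update->slug,
			'fields' => array( 'tags' => true, 'sections' => false ),
		) );
		if ( is_wp_error( $info ) || empty( $info->tags ) ) {
			continue; // Fail quiet: a lookup error must not break wp-admin.
		}
		// Match whether tags come back as slug => label or as a plain list.
		$tags = (array) $info->tags;
		if ( isset( $tags[ SUN_TAG ] ) || in_array( SUN_TAG, $tags, true ) ) {
			$flagged[] = $info->name;
		}
	}
	set_site_transient( 'sun_flagged', $flagged, HOUR_IN_SECONDS );
	return $flagged;
}

add_action( 'admin_notices', function () {
	if ( ! current_user_can( 'update_plugins' ) ) {
		return; // Only show the warning to users who can act on it.
	}
	foreach ( sun_flagged_plugins() as $name ) {
		printf( '<div class="notice notice-error"><p>%s</p></div>', esc_html( "Security update available for $name. Update now." ) );
	}
} );
```

The tag is self-declared by the plugin author, so a notice built this way can only be as reliable as the author's readme.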

This ticket was mentioned in IRC in #wordpress-dev by nacin. View the logs.


5 years ago

#6 @DrewAPicture
4 years ago

  • Milestone Awaiting Review deleted
  • Resolution set to wontfix
  • Status changed from new to closed

Based on the above-linked feedback from @nacin in IRC 13 months ago, this seems to be wontfix territory:

what I'd kind of rather do is two-fold. one, get people conditioned to always update, so they're not picking-and-choosing (this is almost always a disaster)

two, to force-push security updates as much as possible, like what we did with jetpack
