
Opened 3 years ago

Last modified 12 months ago

#33374 new enhancement

Improvements for the messages visible in the plugin manager

Reported by: dziudek
Owned by: (none)
Milestone: Future Release
Priority: normal
Severity: normal
Version: (none)
Component: Plugins
Keywords: (none)
Focuses: ui, administration
Cc: (none)

Description

Hello,

WordPress is more and more popular and I think that it is time to prepare better security-related messages in the plugin manager.

Outdated plugins are probably the most popular way to compromise websites based on WordPress.

That’s why I suggest that in the plugin manager the following messages should appear too:

  • “This plugin has not been updated for more than 2 years” - some plugins are no longer developed and can contain vulnerabilities which are not managed by the plugin developer
  • “Security update” - it would be great to provide the plugin authors a possibility to add a message that the current update is a security update. Then users will know that they should update their plugin immediately (currently I often check every changelog to make sure that I can make an update at the weekend).
  • “No longer in directory” - some plugins were removed from the repository and of course are no longer maintained - it is a similar issue as the first one. Additionally it will help users to detect plugins which were accepted but break the WordPress.org rules.

Sending e-mails connected with these messages would be also great for administrators.

Yes, I know that there are plugins for the above features, but I think that due to the big popularity of WordPress and the more and more massive attacks which sometimes appear a few hours (!) after disclosure, WordPress should contain better tools which are built into the core code, because a lot of people currently ignore updates or use very old and vulnerable extensions. In my opinion “security” is a keyword which forces people to update.

Change History (6)

#1 follow-up: @atomicjack
3 years ago

I feel that this should be looked into for 4.4 or 4.5.

Here's how I see some things working:

  • When a plugin author submits a plugin update, there is a checkbox "Does this update fix any security issues?" or similar, and if checked, it sets 'security' to 1. If a WordPress installation finds a plugin update where security = 1, then it displays a more prominent message to the admin(s) highly recommending an update. Possibly also send out an email, too.

For out-of-date plugins, I'm leaning towards, if a plugin hasn't been updated in X months since the current version of WordPress that is installed.

@wonderboymusic can we possibly see this for 4.4/4.5?

#2 in reply to: ↑ 1 ; follow-up: @jdgrimes
3 years ago

Replying to atomicjack:

  • When a plugin author submits a plugin update, there is a checkbox "Does this update fix any security issues?" or similar, and if checked, it sets 'security' to 1.

It wouldn't work exactly like that, because plugin updates aren't submitted through a form. It is all done "programmatically", you might say. But yes, there should be some way for the plugin author to mark the update as a security update. This would probably be a flag in the readme file, maybe in the Changelog or Upgrade Notice sections.

#3 in reply to: ↑ 2 @atomicjack
3 years ago

Replying to jdgrimes:

Replying to atomicjack:

  • When a plugin author submits a plugin update, there is a checkbox "Does this update fix any security issues?" or similar, and if checked, it sets 'security' to 1.

It wouldn't work exactly like that, because plugin updates aren't submitted through a form. It is all done "programmatically", you might say. But yes, there should be some way for the plugin author to mark the update as a security update. This would probably be a flag in the readme file, maybe in the Changelog or Upgrade Notice sections.

Ah right, I've never really looked into the plugin upload process; just assumed an upload form would be the way it was done, as that's how I've seen it be done by other platforms in the past.

#4 @wonderboymusic
3 years ago

  • Milestone changed from Awaiting Review to Future Release

This may require work to be done with the .org endpoint - if someone wants to pick this up, it could move into the release.

#5 follow-up: @dd32
3 years ago

“This plugin has not been updated for more than 2 years” - some plugins are no longer developed and can contain vulnerabilities which are not managed by the plugin developer

IMHO, a plugin not being updated in more than 2 years for an existing user isn't something we need to point out; plenty of plugins continue to work without issue past the 2 year mark. The plugins directory does alert and remove it from the search results, however, as for a new user it's more likely the plugin won't work as intended.

“Security update” - it would be great to provide the plugin authors a possibility to add a message that the current update is a security update. Then users will know that they should update their plugin immediately (currently I often check every changelog to make sure that I can make an update at the weekend).

We allow for an Upgrade Notice to be set at present; plenty of plugins have used something of the form of "SECURITY UPDATE: x.y.z is an important security update, all users should update." Many plugins skip this and/or don't know it exists. We also don't make it as prominent as we could in the update UI. (See the example readme.txt file.)

“No longer in directory” - some plugins were removed from the repository and of course are no longer maintained - it is a similar issue as the first one. Additionally it will help users to detect plugins which were accepted but break the WordPress.org rules.

Plugins get removed from the directory for all kinds of reasons, often temporarily (security issue, guideline violation, license violations, and of course no-longer-maintained, just to name a few); drawing attention to most of those isn't in the best interests of the vast majority of plugin users IMHO.

These are just a few initial thoughts, and they aren't designed to say "we shouldn't do any of these", simply to point out some pitfalls.
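As an added illustration (not code from WordPress core or from anyone in this thread) of how the Upgrade Notice convention dd32 describes could feed the three messages proposed in the ticket: the readme.txt fragment below is constructed, the section and version headings follow the WordPress.org readme format, and the "security update/fix/release" wording check is a heuristic assumed here, not an official flag.

```python
import re
from datetime import date

# Constructed readme.txt fragment (not from any real plugin); the '== Section =='
# and '= x.y.z =' headings follow the WordPress.org readme format.
SAMPLE_README = """\
=== Example Plugin ===
Stable tag: 1.2.3

== Upgrade Notice ==

= 1.2.3 =
SECURITY UPDATE: 1.2.3 is an important security update, all users should update.

= 1.2.0 =
Adds a new widget. No security changes.
"""

SECTION_RE = re.compile(r"^==\s*([^=\n]+?)\s*==\s*$", re.M)   # == Upgrade Notice ==
VERSION_RE = re.compile(r"^=\s*([0-9][\w.\-]*)\s*=\s*$", re.M)  # = 1.2.3 =
# Heuristic wording check (assumption): "security update", "security fix", ...
SECURITY_RE = re.compile(r"\bsecurity\s+(update|fix|release)\b", re.I)

def readme_sections(readme):
    """Map lower-cased '== Section ==' names to their bodies."""
    parts = SECTION_RE.split(readme)  # [preamble, name, body, name, body, ...]
    return {parts[i].lower(): parts[i + 1] for i in range(1, len(parts) - 1, 2)}

def upgrade_notices(readme):
    """Map each '= x.y.z =' heading in the Upgrade Notice section to its text."""
    body = readme_sections(readme).get("upgrade notice", "")
    parts = VERSION_RE.split(body)
    return {parts[i]: parts[i + 1].strip() for i in range(1, len(parts) - 1, 2)}

def is_security_update(readme, new_version):
    """True when the notice for new_version is worded as a security update."""
    return bool(SECURITY_RE.search(upgrade_notices(readme).get(new_version, "")))

def plugin_messages(readme, new_version, last_updated, today, in_directory=True):
    """The three messages proposed in the ticket; dates are ISO 'YYYY-MM-DD' strings."""
    msgs = []
    if new_version and is_security_update(readme, new_version):
        msgs.append("Security update")
    if (date.fromisoformat(today) - date.fromisoformat(last_updated)).days > 2 * 365:
        msgs.append("This plugin has not been updated for more than 2 years")
    if not in_directory:  # directory status would come from the .org API, not the readme
        msgs.append("No longer in directory")
    return msgs
```

The 1.2.0 notice shows the edge case a keyword check must handle: "No security changes" mentions security without being a security update.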

#6 in reply to: ↑ 5 @tigertech
12 months ago

Replying to dd32:

IMHO, a plugin not being updated in more than 2 years for an existing user isn't something we need to point out; plenty of plugins continue to work without issue past the 2 year mark. The plugins directory does alert and remove it from the search results, however, as for a new user it's more likely the plugin won't work as intended.

As some feedback on this, I work at a hosting company and we're seeing more and more WordPress core or PHP updates fail due to outdated plugins. The conversation goes like this:

Customer: "I upgraded WordPress or PHP and now my site has an error."

Us: "Hmmm. Did you upgrade all the plugins before updating WordPress or PHP?"

Customer: "Yes, I made sure that every plugin was showing that there were no updates available in the dashboard, so I'm sure they're all current."

Then we find the customer didn't realize that one of the plugins hadn't been updated in many years and no longer works when paired with modern WordPress, or with other plugins, or with PHP 7, etc.

If the reason the plugins directory shows "This plugin has not been updated for more than 2 years" is to discourage people from using it with (say) new WordPress 4.8 installs, it seems like the same logic should apply to (say) WordPress 4.8 upgrades within the dashboard.

A warning before doing a core update would be better than nothing, but I'd like to see it in the plugin list because it would give people a hint that they should be aware of unsupported software on an ongoing basis (particularly from a security perspective), and perhaps it would encourage them to switch to something that's better maintained before they have a later problem from a PHP update, etc.
