#47084 closed defect (bug) (fixed)
Site Health instructs users to remove plugins that are active on other sites in network
Reported by: | iandunn | Owned by: | desrosj |
---|---|---|---|
Milestone: | 5.2 | Priority: | normal |
Severity: | normal | Version: | 5.2 |
Component: | Site Health | Keywords: | dev-reviewed site-health commit |
Focuses: | administration, multisite | Cc: |
Description
Your site has 22 inactive plugins. Inactive plugins are tempting targets for attackers. If you’re not going to use a plugin, we recommend you remove it.
That doesn't take into account that those "inactive" plugins (and themes) are active on other sites in the network, and therefore they shouldn't be removed.
Attachments (2)
Change History (13)
This ticket was mentioned in Slack in #core by iandunn.
6 years ago
#3, 6 years ago
- Keywords commit added
47084.patch adds a quick `! is_multisite()` confirmation to plugin and theme checks, to prevent checking for outdated assets in these scenarios.
#4, 6 years ago
Another place an `! is_multisite() || is_main_site()` is probably needed is for `check_wp_version_check_exists()`. It looks for the presence of the `'wp_version_check'` hook but it is not present when on multisite and not on the default site (it's never added there by design). See at the bottom of wp-includes/update.php:

```php
if ( ( ! is_main_site() && ! is_network_admin() ) || wp_doing_ajax() ) {
	return;
}

add_action( 'admin_init', '_maybe_update_core' );
add_action( 'wp_version_check', 'wp_version_check' );
...
```

This shows an incorrect "A plugin has prevented updates by disabling wp_version_check()" when testing if auto updates work.
Edit: Actually an `is_main_site()` is enough as it always returns true on single installs.
#5, 6 years ago
In 47084.2.patch: also skip the `check_wp_version_check_exists()` test on multisite when not on the main site.
#6, 6 years ago
47084.2.patch looks good for commit. I started playing with the idea of hiding other information from `! is_main_site()`, but I don't think it matters too much since it's only the network administrator by default that will see this.
Sounds like we need a quick patch to account for multisite-specific scenarios here and for themes as well.
I propose, for now, we drop the recommendation if it's a multisite setup; it's too late to introduce mechanics and strings specific for this scenario, so just not including them seems acceptable. Any person running a multisite hopefully has experience enough to consider these things for now at least, especially as it would be a network admin capable of removing the plugins that would see this in the first place and may make a misjudgment if we tell them to remove things.
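
The problem reported in this ticket, as an added example that is not part of the ticket, its patches, or WordPress core: a plugin that is inactive on the current site can still be active elsewhere in the network, so a removal candidate has to be inactive on every site and not network-activated. The function name `network_unused_plugins()` and the sample network are constructed for illustration; the docblock names the WordPress calls that would supply each input on a real install.

```php
<?php
/**
 * Return the plugin files that no site in the network uses.
 *
 * @param string[] $installed      Plugin files, e.g. array_keys( get_plugins() ).
 * @param string[] $network_active Keys of get_site_option( 'active_sitewide_plugins' ).
 * @param array    $active_by_site Site ID => get_blog_option( $id, 'active_plugins' ).
 * @return string[] Plugin files inactive on every site and not network-activated.
 */
function network_unused_plugins( array $installed, array $network_active, array $active_by_site ): array {
	// Start with network-activated plugins, then add each site's own active list.
	$in_use = array_fill_keys( $network_active, true );
	foreach ( $active_by_site as $active ) {
		foreach ( (array) $active as $plugin_file ) {
			$in_use[ $plugin_file ] = true;
		}
	}

	return array_values(
		array_filter(
			$installed,
			function ( $plugin_file ) use ( $in_use ) {
				return ! isset( $in_use[ $plugin_file ] );
			}
		)
	);
}

// Constructed sample network (hypothetical plugin names); site 2 opens Site Health.
$installed      = array( 'akismet/akismet.php', 'forms/forms.php', 'gallery/gallery.php', 'old-seo/old-seo.php' );
$network_active = array( 'akismet/akismet.php' );
$active_by_site = array(
	1 => array( 'forms/forms.php' ),
	2 => array(),
	3 => array( 'gallery/gallery.php' ),
);

// Per-site view on site 2: everything not active locally or network-wide.
$per_site_view = array_values( array_diff( $installed, $network_active, $active_by_site[2] ) );
// Network view: only plugins that no site at all has active.
$network_view = network_unused_plugins( $installed, $network_active, $active_by_site );

printf( "Site 2 sees %d inactive plugins: %s\n", count( $per_site_view ), implode( ', ', $per_site_view ) );
printf( "Unused on every site: %s\n", implode( ', ', $network_view ) );
```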