WordPress.org

Make WordPress Core

Opened 4 months ago

Closed 4 months ago

Last modified 2 months ago

#47084 closed defect (bug) (fixed)

Site Health instructs users to remove plugins that are active on other sites in network

Reported by: iandunn Owned by: desrosj
Milestone: 5.2 Priority: normal
Severity: normal Version: 5.2
Component: Site Health Keywords: dev-reviewed site-health commit
Focuses: administration, multisite Cc:

Description

Your site has 22 inactive plugins. Inactive plugins are tempting targets for attackers. If you’re not going to use a plugin, we recommend you remove it.

That doesn't take into account that those "inactive" plugins (and themes) are active on other sites in the network, and therefore they shouldn't be removed.

Attachments (2)

47084.patch (864 bytes) - added by Clorith 4 months ago.
47084.2.patch (1.3 KB) - added by azaozz 4 months ago.

Download all attachments as: .zip

Change History (13)

#1 @Clorith
4 months ago

  • Milestone changed from Awaiting Review to 5.2

Sounds like we need a quick patch to account for multisite specific scenarios here and for themes as well.

I propose, for now, we drop the recommendation if it's a mulsitie setup, it's too late to introduce mechanics and strings specific for this scenario, so just not including them seems acceptable. Any person running a multisite hopefully has experience enough to consider these things for now at least, especially as it would be a network admin capable of removing the plugins that would see this in the first place and may make a misjudgment if we tell them to remove things.

This ticket was mentioned in Slack in #core by iandunn. View the logs.


4 months ago

@Clorith
4 months ago

#3 @Clorith
4 months ago

  • Keywords commit added

47084.patch adds a quick ! is_multisite() confirmation to plugin and theme checks, to prevent checking for outdated assets in these scenarios.

#4 @azaozz
4 months ago

Another place an ! is_multisite() || is_main_site() is probably needed is for check_wp_version_check_exists(). It looks for the presence of the 'wp_version_check' hook but it is not present when on multisite and not on the default site (it's never added there by design). See at the bottom of wp-includes/update.php:

if ( ( ! is_main_site() && ! is_network_admin() ) || wp_doing_ajax() ) {
	return;
}

add_action( 'admin_init', '_maybe_update_core' );
add_action( 'wp_version_check', 'wp_version_check' );
...

This shows an incorrect "A plugin has prevented updates by disabling wp_version_check()" when testing if auto updates work.

Edit: Actually an is_main_site() is enough as it always returns true on single installs.

Last edited 4 months ago by azaozz (previous) (diff)

@azaozz
4 months ago

#5 @azaozz
4 months ago

In 47084.2.patch: also skip the check_wp_version_check_exists() test on multisite when not on the main site.

#6 @jeremyfelt
4 months ago

47084.2.patch looks good for commit. I started playing with the idea of hiding other information from ! is_main_site(), but I don't think it matters too much since it's only the network administrator by default that will see this.

#7 @Clorith
4 months ago

#47090 was marked as a duplicate.

This ticket was mentioned in Slack in #core by desrosj. View the logs.


4 months ago

#9 @desrosj
4 months ago

  • Keywords dev-reviewed added

#10 @desrosj
4 months ago

  • Owner set to desrosj
  • Resolution set to fixed
  • Status changed from new to closed

In 45275:

Site Health: Disable recommendations that could be problematic on multisite installs.

When viewing Site Health for a multisite install, there are a few recommendations that are not appropriate and could have negative implications for other sites on the install if the administrator follows the advice provided.

For example, Site Health recommends that inactive plugins and themes for a site should be removed. On a single site install, this is a great recommendation. However, on a multisite install, inactive plugins and themes for one site should not be removed because they could be active for other sites on the network.

This change also disables the test_wp_version_check_attached() test for multisite. This test checks for the presence of the wp_version_check() function on the wp_version_check hook, which is not present for every site on multisite.

Reviewed by jeremyfelt and desrosj.

Props iandunn, Clorith, azaozz, jeremyfelt.
Fixes #47084.

#11 @spacedmonkey
2 months ago

  • Component changed from Administration to Site Health
Note: See TracTickets for help on using tickets.