Opened 19 months ago
Last modified 19 months ago
#47653 new enhancement
Site Health plugin security check
| Reported by: | | Owned by: | |
|---|---|---|---|
| Milestone: | Awaiting Review | Priority: | normal |
| Severity: | normal | Version: | 5.2 |
| Component: | Site Health | Keywords: | 2nd-opinion |
| Focuses: | administration | Cc: | |
Description
Having inactive plugins is not necessarily a bad thing. It is if they're up to date, if they haven't had an update in a few months or if they're untested with the current version of WordPress core.
Also, when there are outstanding updates and inactive plugins, the main notice (H4, visible while collapsed) should be about the updates, not the inactive plugins.
Change History (3)
#1
@
19 months ago
- Focuses administration added
- Keywords 2nd-opinion added
- Type changed from defect (bug) to enhancement
- Version changed from 5.2.2 to 5.2
The attack surface and risk rise/diminish with the number of functions and complexity of each extension, active or inactive, probably somewhere between linearly and exponentially.
With one or two, the risk is very low; having only trusted and well-maintained ones, like the two bundled, may be a very low or ignorable risk.
Sometimes you need to deactivate a plugin or two for a while, and they will stay on the "recently active" list for some time.
Long-time inactive plugins and themes should be regarded as a risk, maybe small, but it's completely unnecessary and bad practice. For wp.org hosted plugins you may re-install any with a few clicks, using the favourites tab or search. For others there should be a private/local repo.
Idea 1: Ignore inactive plugins that were recently active
Idea 2: Ignore if two or fewer are inactive
As current behaviour is clearly intended, this is not a bug.
#2
@
19 months ago
Sure, fine-tuning makes sense and these ideas are great. I still think that having plugins that haven't been updated is of higher consequence, and I still think the issues should be reported by their risk level.
In fact, inactive plugins should appear separately from out-of-date ones.