Make WordPress Core

Opened 19 months ago

Last modified 19 months ago

#47653 new enhancement

Site Health plugin security check

Reported by: galbaras
Owned by: (none)
Milestone: Awaiting Review
Priority: normal
Severity: normal
Version: 5.2
Component: Site Health
Keywords: 2nd-opinion
Focuses: administration
Cc: (none)

Description

Having inactive plugins is not necessarily a bad thing. It is if they're up to date, if they haven't had an update in a few months or if they're untested with the current version of WordPress core.

Also, when there are outstanding updates and inactive plugins, the main notice (H4, visible while collapsed) should be about the updates, not the inactive plugins.

Change History (3)

#1 @knutsp
19 months ago

  • Focuses administration added
  • Keywords 2nd-opinion added
  • Type changed from defect (bug) to enhancement
  • Version changed from 5.2.2 to 5.2

The attack surface and risk rises/diminishes with the number of functions and the complexity of each extension, active or inactive, probably somewhere between linearly and exponentially.

Having one or two, the risk is very low; having only trusted and well-maintained ones, like the two bundled, may be a very low or ignorable risk.

Sometimes you need to deactivate a plugin or two for a while, and they will stay on the "recently active" list for some time.

Long-time inactive plugins and themes should be regarded as a risk, maybe small, but it's completely unnecessary and bad practice. For wp.org-hosted plugins you may re-install any with a few clicks, using the favourites tab or search. For others there should be a private/local repo.

Idea 1: Ignore inactive plugins that were recently active
Idea 2: Ignore two or fewer inactive plugins

As current behaviour is clearly intended, this is not a bug.

#2 @galbaras
19 months ago

Sure, fine tuning makes sense and these ideas are great. I still think that having plugins that haven't been updated is of higher consequence, and I still think the issues should be reported by their risk level.

In fact, inactive plugins should appear separately from out-of-date ones.

#3 @juliobox
19 months ago

Hello there
As a Web Security Consultant I agree with leaving this check ON. Like @knutsp said, this is not a good practice.
Also I think that ignoring the "recently active" plugins could be a good compromise. +1 on that point.
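The following is an added example, not code from this ticket or from WordPress core. It sketches what the description, the two ideas in comment #1 and the "report separately, ordered by risk" point in comment #2 would look like as a Site Health test on WordPress 5.2+: outstanding updates are reported first and set the collapsed heading, plugins whose "tested up to" header is older than the running core major version are listed next, and long-inactive plugins are only flagged when there are more than two of them, with anything still on the "recently active" list (deactivated within the last week) ignored. The function names galbaras_classify_plugins(), galbaras_plugin_risk_test() and the test key galbaras_plugin_risk are invented here; the WordPress APIs used (get_plugins(), is_plugin_active(), the recently_activated option, the update_plugins transient, the site_status_tests filter) are real. It assumes a single-site install, since recently_activated is a site option on multisite.

```php
<?php
// Added example, not part of the ticket or of WordPress core.
// Assumes WordPress 5.2+ (site_status_tests filter) on a single-site install.

/**
 * Sort installed plugins into risk buckets. Pure function so it can be tested
 * without a running WordPress: every input is passed in.
 *
 * @param array  $plugins    get_plugins(): plugin_file => header data.
 * @param array  $active     Plugin files that are currently active.
 * @param array  $recent     'recently_activated' option: plugin_file => deactivation timestamp.
 * @param object $updates    'update_plugins' site transient (may be false).
 * @param string $wp_version Running core version, e.g. "5.2.2".
 * @param int    $now        Current Unix time.
 * @return array Keys: outdated, untested, inactive, recently_active (lists of plugin files).
 */
function galbaras_classify_plugins( array $plugins, array $active, array $recent, $updates, $wp_version, $now ) {
	$out        = array( 'outdated' => array(), 'untested' => array(), 'inactive' => array(), 'recently_active' => array() );
	$response   = ( is_object( $updates ) && ! empty( $updates->response ) ) ? $updates->response : array();
	$no_update  = ( is_object( $updates ) && ! empty( $updates->no_update ) ) ? $updates->no_update : array();
	$core_major = implode( '.', array_slice( explode( '.', $wp_version ), 0, 2 ) ); // "5.2.2" -> "5.2"

	foreach ( $plugins as $file => $data ) {
		// An entry under ->response means wp.org has a newer version than the one installed.
		if ( isset( $response[ $file ] ) ) {
			$out['outdated'][] = $file;
		}
		// "Tested up to" comes back from the update check; only compare when it is present.
		$meta = isset( $response[ $file ] ) ? $response[ $file ] : ( isset( $no_update[ $file ] ) ? $no_update[ $file ] : null );
		if ( $meta && ! empty( $meta->tested ) && version_compare( $meta->tested, $core_major, '<' ) ) {
			$out['untested'][] = $file;
		}
		if ( in_array( $file, $active, true ) ) {
			continue;
		}
		// Idea 1: deactivated within the last week is "recently active", not a finding.
		if ( isset( $recent[ $file ] ) && ( $now - (int) $recent[ $file ] ) < WEEK_IN_SECONDS ) {
			$out['recently_active'][] = $file;
		} else {
			$out['inactive'][] = $file;
		}
	}
	return $out;
}

/** Site Health test callback: builds one result whose heading is the highest-risk finding. */
function galbaras_plugin_risk_test() {
	if ( ! function_exists( 'get_plugins' ) ) {
		require_once ABSPATH . 'wp-admin/includes/plugin.php';
	}
	$plugins = get_plugins();
	$buckets = galbaras_classify_plugins(
		$plugins,
		array_values( array_filter( array_keys( $plugins ), 'is_plugin_active' ) ),
		(array) get_option( 'recently_activated', array() ),
		get_site_transient( 'update_plugins' ),
		get_bloginfo( 'version' ),
		time()
	);
	$names = function ( array $files ) use ( $plugins ) {
		return esc_html( implode( ', ', array_map( function ( $f ) use ( $plugins ) { return $plugins[ $f ]['Name']; }, $files ) ) );
	};

	$result = array(
		'label'       => __( 'Plugins are up to date and only what you use is installed' ),
		'status'      => 'good',
		'badge'       => array( 'label' => __( 'Security' ), 'color' => 'blue' ),
		'description' => '',
		'actions'     => sprintf( '<p><a href="%s">%s</a></p>', esc_url( admin_url( 'plugins.php' ) ), __( 'Manage your plugins' ) ),
		'test'        => 'galbaras_plugin_risk',
	);
	$lines = array();

	// Highest risk first: the first finding sets status and the collapsed heading.
	if ( $buckets['outdated'] ) {
		$result['status'] = 'critical';
		$result['label']  = sprintf( __( '%d plugins are waiting for updates' ), count( $buckets['outdated'] ) );
		$lines[]          = __( 'Outdated:' ) . ' ' . $names( $buckets['outdated'] );
	}
	if ( $buckets['untested'] ) {
		if ( 'good' === $result['status'] ) {
			$result['status'] = 'recommended';
			$result['label']  = __( 'Some plugins are untested with your version of WordPress' );
		}
		$lines[] = __( 'Untested with this core version:' ) . ' ' . $names( $buckets['untested'] );
	}
	// Idea 2: two or fewer long-inactive plugins are not worth a warning.
	if ( count( $buckets['inactive'] ) > 2 ) {
		if ( 'good' === $result['status'] ) {
			$result['status'] = 'recommended';
			$result['label']  = __( 'You should remove inactive plugins' );
		}
		$lines[] = __( 'Inactive for more than a week:' ) . ' ' . $names( $buckets['inactive'] );
	}
	$result['description'] = $lines ? '<p>' . implode( '</p><p>', $lines ) . '</p>' : '<p>' . __( 'Nothing to report.' ) . '</p>';
	return $result;
}

add_filter( 'site_status_tests', function ( $tests ) {
	$tests['direct']['galbaras_plugin_risk'] = array( 'label' => __( 'Plugin risk' ), 'test' => 'galbaras_plugin_risk_test' );
	return $tests;
} );
```

The three buckets stay separate in the description, so a plugin that is both outdated and inactive appears in both lists; the "recently active" bucket is returned only so a caller can see why a plugin was not flagged. Dropping this into an mu-plugin on a 5.2 site adds the test next to core's own plugin checks.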
