Show information from Plugins Directory into WP-Admin plugins page

[arberbr]

Hello everyone,

This is my first ticket/suggestion here.

First of all, hope this is not a duplicate request.

Recently one of the websites my company has been maintained got hacked:
​https://www.wordfence.com/blog/2019/09/rich-reviews-plugin-vulnerability-exploited-in-the-wild/
Issue was on the Rich Review plugin.

The root cause of the problem was that we had installed on that website (was a theme requirement) the Rich Review plugins. We kept up to date all the plugins, WP core itself and themes on that websites and still the website got hacked.

The general guideline to keep your WordPress website safe is update everything. In this case though it failed.

It failed because we did not know that the Rich Review plugin was abandoned.

On plugin directory it clearly tells that the plugin has been closed for security reasons:
​https://wordpress.org/plugins/rich-reviews/

So my question, request is, can it be made that we show this kind of information right away on the plugins list?

To improve it even further, show a WordPress notice on wp-admin when an administrater logins and he can directly see that plugin X has been abandoned or has been closed.

Thank you,
Arber.

[dkarfa]

Hey @arberbr,

Welcome to WordPress Trac!

If we call ​https://api.wordpress.org/plugins/info/1.2/?action=plugin_information&request[slug]=rich-reviews, we will get no response for disable plugin i.e. error: "Plugin not found."

[arberbr]

Thank you,

Ok did not know about the existence of this API endpoint.

Now that i saw this and tested with it for a bit i think the API itself might need to be improved a bit.

First of all, might be different reasons why a plugin is not found anymore on the plugins directory. So just returning the answer:
"plugin not found"
might not be the best answer.

IMO needs to be improved by firstly showing different messages for different scenarios. When a plugin has security issues and has been closed (Rich Reviews case) just saying plugin not found does not give any info about the security problems to the WordPress website (which serves as a client to the API in this case).

If the client (the WordPress website) knows from the API that the plugin does have security problems then the core of the plugin updater might be changed to let the users know about the security issue.

So first step IMO is to improve the API endpoint itself.

Secondly what needs to be done on WordPress level (the client of the API in this case).

On Plugins view

• show for each abandoned plugin (if this info is known to the API) some kind of message that the plugin has been abandoned
• show for each plugin with a confirmed security issue a message and recommendations on what to do (example deactivate but keep, or deactivate and delete, etc)
• for older plugins (lets say plugins that havent been updated in 2 years or more) show this info to the users. Might be good for the end user to know that a certain plugin he uses, might be abandoned.

Also, for critical security issues, a plugin that is abandoned and has security issues to me looks like a critical issue, an email needs to be sent from WordPress to the website admins to let them know that those plugins are a security risk for the website.

My idea is all these changes to be implemented on the core.

I know there are plugins that offer some of the features i mentioned but its easier for admins to just check this information on the plugins list.

Also a lot of people don't use any security plugin at all (lets say WordFence, iThemes Security, etc) so without these plugins and without the features i described above, those websites will be the first ones to be hacked.

Thank you,
Arber.

[dkarfa]

Hi @arberbr,
I agree with you. API response needs to update, a better endpoint for plugin status.

Also might be we need to create cron jobs that will hit the endpoint with to check status of the plugin. If a found issue, show notice in the Admin dashboard.

[zodiac1978]

Possible duplicate of #30465