Make it possible to bookmark plugins in backend

[prestonwordsworth]

Can we have the functionality to bookmark plugins for future use?

It often happens admins see a plugin that’s not going to be installed immediately but we think is going to be useful in the future. Currently, the way to bookmark it is to leave the backend, go to the plugins site, log in, and favourite it.

The only other alternative is to install but leave it deactivated.

[nikunj8866]

In my opinion, this feature may not be very useful within wp-admin itself. Generally, users search for plugins only when a functionality is required, not in advance.

If someone does like a plugin for later, WordPress.org already provides the ability to "favourite" plugins, which acts as a bookmarking system. That keeps the workflow consistent across all sites, instead of storing site-specific bookmarks locally.

[prestonwordsworth]

I realise WP has different subsets of users.

On a personal blog, yes, the flow @nikunj8866 described would be the most natural one. But in an organisational setting, one often needs to plan ahead and won’t have the luxury to add plugins on the fly.

Not having a centralised inventory of bookmarked plugins in wp-admin also forces someone in a team to ‘favourite’ a plugin in their personal account.

I suggest it take the place to the right of | Drop-in |.

[nikunj8866]

I believe this proposal is too niche and not aligned with WordPress's core philosophy of "designing for the majority," as outlined in ​https://wordpress.org/about/philosophy/.

The existing "Favorites" feature on WordPress.org already provides a way to bookmark plugins, without adding extra complexity to wp-admin.

For these reasons, I am closing this ticket as wontfix.

[westonruter]

To implement this it would require having a way to link a user account in a WordPress site with a user on WordPress.org. I recall this being discussed when there was discussion of WordPress.org serving an an oAuth proxy for apps, but that didn't happen.

Maybe a good workaround for this would be to use usernames on a WordPress site that matches the username on WordPress.org. In my case, that would be westonruter. You could then have a plugin that automatically pre-populates the username for favorite plugins. For when usernames don't match, there could be a new WordPress.org Profile URL field added to a user's contact info.

Otherwise, the existing workaround of just installing a plugin but not activating it also works! That seems like a good solution too because not all plugins are even on WordPress.org to be able to favorite in the first place.

I agree this should be closed. But I do like finding a better way to surface favorites!

[prestonwordsworth]

Thanks for the discussions!

Replying to nikunj8866:

I believe this proposal is too niche and not aligned with WordPress's core philosophy of "designing for the majority,"

There’s no data on this point. I’d imagine organisation/business sites are actually the majority.

My original proposal was somewhat different from the one described by @westonruter in that I was arguing for a centralised place for the team managing a site to bookmark inactive plugins. It was made in reaction to the following Site Health warning:

Inactive plugins are tempting targets for attackers. If you are not going to use a plugin, you should consider removing it.

If, in default of newer workarounds, the decision is to recommend installing but not activating such plugins. Then, one could probably revise the warning to say instead that if inactive plugins are intentionally kept, they should still be updated to receive security patches?

[SirLouen]

Replying to prestonwordsworth:

There’s no data on this point. I’d imagine organisation/business sites are actually the majority.

The problem as @nikunj8866 has suggested, is that this has not been a frequent petition. It seems extremely niche and it adds a new layer of integration with .org (apart from the directory itself), which is never desirable.

You already have this link, which is very convenient if you want to add a new plugin to the fav list

From there, you can simply add to your favorites, which will afterward, pop in the Favorites tab. Its not a one-click solution, but it's pretty much a workaround for a not popular requirement.

You can always leave them not activated (I've done this always), it poses a minor security risk if the plugin is poorly developed and it has callable files, so you need to keep them update as any other plugin.

[prestonwordsworth]

Replying to SirLouen:

You can always leave them not activated (I've done this always), it poses a minor security risk if the plugin is poorly developed and it has callable files, so you need to keep them update as any other plugin.

Yeah, makes sense to me. If most users are doing this (I did too) and choose to accept the risk rather than try to address it, any proposal to address the risk is by definition niche.

The only thing I’d add to this is that poorly developed plugins remain a risk even when kept up to date, so the attack vector depends not so much on the number of inactive vs active plugins (up to date or not) as on their attention to security.