I am pretty sure that every one of you is using plugins from the official directory. All of those plugins are reviewed before they go live, and if they haven’t been updated in the last two years, you can’t find them anymore using the search (but you can still download them if you know the direct link). But have you ever wondered what happens when a plugin is closed and removed from the directory, for whatever reason?
A potential security issue
Currently, plugins can be closed and/or removed for different reasons. The current reasons are the following:
- Security Issue
- Author Request
- Guideline Violation
- Licensing/Trademark violations
- Merged into Core
Two of my own plugins are likely to be closed in the near future, because their functionality has either already been merged into core or will be with one of the next releases. So in this case, it might not hurt to keep them, as long as they don’t conflict with the core functionality. But what about plugins that have been closed for security issues? This can be a real problem.
No notification to the users
When a plugin is closed, any user who still has it installed (and maybe active) will not be notified about this. Even if the plugin’s author finds a way to fix a potential security issue, no user will get this fixed version, because the only way to update this plugin is through the official plugin directory. In the meantime, any site using the old version can potentially be hacked.
A plugin for the rescue
This problem has been around for a while. And as the plugin team was unable to come up with a quick solution, the plugin No Longer in Directory has been published. When you install the plugin and browse to its settings page, you will see a list of all plugins that haven’t been updated for two or more years, and a second list of plugins that could not be found in the plugin directory at all.
But this second list would also show plugins that have never been in the directory, especially premium plugins or custom plugins written specifically for a client project. So this solution is not ideal either.
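As an added example (not code from the No Longer in Directory plugin), here is how its two checks, and the false positive just described, can be expressed: each installed plugin is classified from a wordpress.org plugin-info lookup plus its Plugin URI header. The sample entries, the response shape (an "error" key on a failed lookup, a "last_updated" field otherwise) and the Plugin URI heuristic are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: one installed plugin per entry, keyed by directory slug.
# 'api' imitates the JSON the wordpress.org plugin-info API returns for that slug
# (assumed shape: {"error": ...} when the slug is unknown, else "last_updated").
# 'plugin_uri' is the Plugin URI header read from the plugin's main file.
INSTALLED = {
    "fresh-plugin":  {"plugin_uri": "https://wordpress.org/plugins/fresh-plugin/",
                      "api": {"last_updated": "2017-11-20 9:15pm GMT"}},
    "stale-plugin":  {"plugin_uri": "https://wordpress.org/plugins/stale-plugin/",
                      "api": {"last_updated": "2014-03-02 4:40pm GMT"}},
    "closed-plugin": {"plugin_uri": "https://wordpress.org/plugins/closed-plugin/",
                      "api": {"error": "Plugin not found."}},
    "client-custom": {"plugin_uri": "https://example.invalid/client-custom/",
                      "api": {"error": "Plugin not found."}},
}

STALE_AFTER = timedelta(days=2 * 365)          # the directory's two-year search cutoff
NOW = datetime(2017, 12, 3, tzinfo=timezone.utc)  # fixed "today" so results are reproducible


def classify(plugin_uri, api):
    """Return 'ok', 'stale', 'closed' or 'never-hosted' for one installed plugin."""
    if "error" not in api:
        # Only the date part of "YYYY-MM-DD h:mmam GMT" is needed for the two-year check.
        updated = datetime.strptime(api["last_updated"][:10], "%Y-%m-%d")
        updated = updated.replace(tzinfo=timezone.utc)
        return "stale" if NOW - updated > STALE_AFTER else "ok"
    # Lookup failed: the API alone cannot tell a closed plugin from one that was never
    # in the directory (the premium/custom false positive). Heuristic (assumption): a
    # Plugin URI under wordpress.org/plugins/ means it was hosted there, so treat it as closed.
    hosted = "wordpress.org/plugins/" in plugin_uri
    return "closed" if hosted else "never-hosted"


def audit(installed):
    """Classify every installed plugin; 'closed' entries are the ones needing attention."""
    return {slug: classify(e["plugin_uri"], e["api"]) for slug, e in installed.items()}


if __name__ == "__main__":
    for slug, verdict in audit(INSTALLED).items():
        print(f"{slug:15} {verdict}")
```

On a live site the 'api' values would come from a lookup per slug; the distinction between 'closed' and 'never-hosted' is only as good as the Plugin URI heuristic.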
A new way to highlight closed plugins
Through the “Ideas” section on WordPress.org, the issue was discussed for quite a while. At yesterday’s WordCamp US Contributor Day, the meta and plugin teams announced that they have worked hard on a solution to that problem. They have posted some mockups in the main ticket, and there is also a first version of a plugin page for a closed plugin. Before that, the link to a closed plugin would result in a 404, with no information that there once was a plugin and why it had been closed/removed.
Conclusion
Handling the closing and removal of plugins in a transparent way is very important so as not to put the security of WordPress users’ websites at risk, as those plugins can easily be used to attack a website. I am not sure if a forced removal or additional warnings in the dashboard would be necessary, but I hope that this issue will finally get some more attention.
Hi Bernhard,
first of all, I completely agree with all you wrote in this post.
Also, thanks a lot for sharing your first-hand experiences from the WCUS Contributor Day. I know of discussions here and there about closed plugins for quite a while now, but I didn’t know about the Meta Trac ticket. It’s a good start.
However, I do hope (as well as am pretty sure) that there will never be a forced removal of closed plugins from WordPress installations. I’d be the first one to provide a plugin to disable that (if possible). ?
Cheers,
Thorsten