Hm… But how do we know that those who maintain the plugins they do it right? Who is checking out the updates before they come out?
Likely no one.
LOL… so what sort of security updates are these? If no one is checking out the code for errors or in purpose created vulnerabilities then I can’t see where is the security…
Any plugin that is installed on your site will be checked for updates. This is an important distinction. When you deactivate a plugin, it’s still installed…it’s just not run. This is why you will see update notices even for plugins that are deactivated. The updates are not automatically applied, you still have to click to perform the update. And, note that those aren’t even necessarily security updates – any time a new version of the plugin is released, it will nag you to update…whether the update was for security, a basic patch, more features…or whatever.
1 Like
Anyway you can use “Block Specific Plugin Updates” plugin to block a specific plugin to be updated.
They are not updated automatically but if you don’t get the updates then you keep on seeing notifications in the dashboard that some of them might be more important than others. You might miss something important if you ignore for a while the updates as these pile up in time.
I think that it would be more convenient to have a default blocking option for the inactive plugins without using yet another plugin that will need updates too.
Generally speaking I prefer to keep my plugins as minimal as possible and that because I don’t know how to merge the cms and make them load faster. So by the time that whatever plugins I run on my website load individually and by doing this delay the speed that my website loads, I use only the nesessary ones and I disable those that I need to use occassionally or I’m bored to install and uninstall whenever I need them.
I keep them installed to have them handy and not for any other particular reason. I have 9 active permanently and 6 inactive ( almost permanently).
And now that I’m thinking about it I think that some of the functions that the major plugins offer ought to be offered along with the cms. Not as features of the individual themes but as part of the cms.
I use for instance a plugin for the lightbox, a plugin for disabling the right click on images ( who doesn’t disable the copy paste of images? ) another one to block pinterest, a plugin to block unwanted ips etc.
These features should exist as part of the cms by the time that the majority of users need these features and get them with the plugins. These are very basic things.
The solution is simple: if you (fully) uninstall those plugins, 1) they won’t show you update notices, and 2) you won’t open your site to getting hacked by leaving unpatched security holes that may arise from time to time.
This doesn’t actually secure your images in any way. Your images can be saved in a number of other ways that are equally fast and easy. Or the visitor can just disable your scripts. If you want to protect your images, watermark them – that will make them less likely to be lifted and used elsewhere.
Example:
2 Likes
My images are already watermarked or better say I have embedded on them the url of my website. The problem is not after all that some people copy the images of my paintings. It is that they don’t bother to mention where they got them. That is the reason why I blocked completely pinterest after all ( that is an awful website. It steals people’s images by transferring the responsibility to its users and it messes up search engines’ image results. I have blocked it on the searches too).
I can disable completely the right click on my website but I prefer not to do it because there are people who are interested to my tutorials and perhaps they want to print or copy them.
By disabling completely the right click it makes the blog unusable.
But whatever is the case, blocking some things could have been a default feature of CP.
As it is now it differentiates from WP only on whatever has to do with the text editor but not that much else as all extra functions have to be done with plugins which plugins, depending on how they are written or maintained, can be vulnerable to attacks or malware.
I see your point.
What CP is aimed at is arriving there. To offer a core lean and fast equipped with a bunch of “main plugins” that are part of core and that you may enable/disable according to your needs.
What I think is that differentiation takes time, working on all those features means collecting competent devs around the project and plan every step with dedication and care.
Thanks to inputs like yours @Marialena.S the community and the project gain scope and shape. The revolution had to start somewhere, gb was the occasion to start this new “trip to the unknown and beyond, where no human has ever been”. For sure, people in the long run aren’t going to buy in just for the absence of GB, but the fact people are actively thinking about solutions and implementing new ideas while discussing the bigger picture it’s winning people who are willing to help CP grow. That is IMHO the point.
I explain it better in the last posts of this discussion.
Blocking some things is going to be a feature of ClassicPress. That’s part of the point of the concept of core plugins. But it will never be possible for ClassicPress to stop someone copying your images unless someone changes how the web works. I know Sir Tim Berners-Lee would like to do so …
1 Like
Core plugins is the best idea ever. But start with the basics in order to get rid off some plugins for a start.
I have solved the image stealing matter long time ago.This is not something that bothers me anymore.
The truly correct answer to this is to read and understand the code for any plugin you install on your site, and verify proper security practices (inputs validated/sanitized correctly, appropriate error handling, query parameters and output escaped properly, etc.)
Often this is not realistic, so we have to rely on trust and on the “many eyes effect” of open-source software in order to find most vulnerabilities.
Here is a plugin I’ve started using recently that notifies about known vulnerabilities for any other plugins installed on the site: WPScan – WordPress Security Scanner – WordPress plugin | WordPress.org
1 Like
I assume that you said that as a joke or something.
Who has that much time and is so advanced on reading code to do this for each and every plugin that installs in a website. Not to mention that some of the plugins are huge - they have thousands of code lines.
But now I’m scared…
And how do I know that this is a plugin that does what it says and it is not a plugin that - let’s say- spies me?? 
Can you send to my email the code ( with commentary on which line does what thing) to check it out before installing it?? LOL
Joking aside, that is the reason why I strongly believe that less is more.
I have 9 active plugins, 5 inactive that occasionally use, 23 pages that update whenever is needed and a small blog and that’s all.
1 Like
What @james said is the actual truth.
Some do make time for it. It’s an absolute requirement in some cases where the site is mission-critical to the business. In those cases, plugins often can’t even be updated until the update is vetted.
No need to be scared. Things are working the same as they always have. The only difference is that now you know more about how it actually works. Nothing has fundamentally changed except your understanding. 
As previously mentioned, you would have to read and understand the code or rely on the “many eyes” factor.
Now, that is a true LOL!
4 Likes
This is the way we manage the classicpress.net sites (along with many other security measures).
4 Likes