WP 5+ plugin updates and security concern

Yes, once a plugin moves to WP5+ you stop getting updates (including any security updates). I wonder how many CP users think their plugins are up to date when they are actually way behind.

If this is the case, then for me it just confirms that using WP plugins on CP is not a good idea and we should even more proactively advise people not to do it. I have already updated our docs where we suggested using WP plugins, but I think we need to go further and remove the plugin area/move it to our API, soon, not later.

This is going to be a massive mess in a few months, maybe a year from now. As soon as CP gains a little traffic, it becomes a target for hackers. If they find CP users basically run on whatever outdated stuff, we will be seeing a lot of stuff we don’t want to see.
Yes yes, “we need to use those plugins as there are none for CP” and “it is not that bad” are all true statements, and yet, “Security” is not really what this all suggests. Rather ignored problems.

4 Likes

Moving this to a separate discussion.

For now, we can try to recommend alternatives from the directory. Maybe we should do some blog posts about CP alternatives to WP plugins? For example, I successfully got a user to switch to CP and replace Jetpack email subscriptions with Subscribe2.

Version 2 will include directory integration but will not remove WP repository integration.

@james should we consider adding a message to WP repository search page with a link to an article that explains possible security issues and lack of updates? Could even be a modal confirmation screen while installing 4.9 compatible plugin to ensure user understands possible risks. Maybe recommend they look for an alternative instead.

The problem is that what’s fine today might not be fine tomorrow. And unless you are checking the minimum required version almost on a daily basis (and who is going to do that?) you run the risk of using an outdated and possibly insecure plugin.

Subscribe2 is a ClassicPress plugin, that’s the one I was referring to.

1 Like

Sorry, didn’t realise that. :blush:

1 Like

This is not going to be a mess, it already is, since plugins are not updated and give no warning that an update needs to be done.

If there is no mechanism in place that checks for updates, soon we’re going south. I wasn’t aware of this. I think CP should stop offering the connection to the WP repository a.s.a.p. and replace it with its own “plugin section” in the dashboard. Apart from that it should “flag” the plugins installed as “no longer supported” (if they are). Preferably not in the plugin section itself but at the start, when a user opens the admin page. So users would at least be aware of this.

This is of course breaking away from WP – but it was, of course, inevitable that this would happen one day. Time to cut ties with WordPress, I’m afraid.

Also – recommending WP plugins for security? Mmm… I recently installed Shield Security and I love it. But what if a plugin like that also stops supporting CP (a.k.a. WP 4.9.x) without any warning? People trust their website is safe and secure but if the security plugin is outdated… :frowning:

Not having a good mechanism in place for these issues might be a real breaking point one day soon and be the end of CP. As in: people will no longer switch to CP.

I’ve been enthusiastic about CP since its early start and have it installed as the CMS for several websites, but if this isn’t resolved any time soon it will probably mean I will need to go back to WP. And I won’t be the only one, I’m afraid. You can’t expect businesses to run CP if this means they run outdated plugins without knowing. In that case I can no longer suggest CP as an alternative to WP.

2 Likes

Self promotion :sweat_smile:
If you want to monitor your plugins you can install CPCompatibility, which shows a warning when a plugin has released a newer version that is not CP compatible.

7 Likes

Can’t agree more, and it is what I have been lobbying for for a while.
We need that break - it’ll hurt, but less than where we are headed now.

Panic/ditch the project is not the solution IMO, but we need to do something about it.
The very least is a heads-up in the dashboard/our intros (website, etc.).

I think @Simone’s plugin would be a very good start.

1 Like

I first raised this back in January.

2 Likes

Done! Works well. I think this should be included in the CP distribution by default! :+1:

3 Likes

BTW I can confirm that if a plugin officially requires WP 5.0+, and you run it on CP, then it will not push any notifications about updates.
I have confirmed this on a site that I cannot disclose here, but I have notified its owner because there are … guess what, disclosed, unpatched (due to the outdated plugin) vulnerabilities on said site (through its plugins).

So yes, this is urgent. I have seen that there are CP installs actually using plugins requiring 5.0 and I am not sure why this unwise choice was even made, but the results are exactly those: updates are not pushed. And thus, security issues are left open.

1 Like

When I chose ClassicPress, I knew that these things would be an issue, but I jumped in anyway, hoping for the best. And now I am glad that the developers are actively facing these problems.

I think that the advantages of using CP far outweigh the pains involved in a growing CMS. As they say — no pain, no gain. As for me, after I’ve built my website, I plan to manually monitor the plugins I’m using.

I used your plugin to find a couple more WP plugins to use, but I didn’t know it can give warnings about outdated plugins. But how about other WP plugins not on the list? I have some of those.

@Paul, the creator of Shield Security, is an active member of this community, and though I can’t speak for him, I take it that he’s willing to support CP in the long term. Thanks Paul!

2 Likes

That’s awesome! Must say I am pretty impressed (as a staunch WordFence user… :wink: ) how it “looks and feels” so far.

2 Likes

I am all for including this specific feature in ClassicPress core. It should probably also show a global notice (in all admin pages) in the same style as the one that appears when a new ClassicPress update is available:

It might even be a good idea to make this an “error” notice with a red border instead.

One thing that needs to be thought through further is what the call to action would be for this notice. When there is a core update available it is simple: “Please update now”. However, when there are potentially incompatible plugin updates available, the solution may not be so simple.

The simplest call to action would be to disable the affected plugins. This is easy for us but it’s likely to degrade the functionality of the affected sites.

We might consider adding a feature that lets site owners opt-in to report these incompatible plugins to our API server so that we can see which plugins are most commonly in this situation, and a way to offer to install forked versions of the most common plugins. It would be a lot of work to maintain this but I can’t think of another solution that would fix this issue while keeping the affected ClassicPress sites in full working order.

5 Likes

That would be an ideal solution. I could then add some code to my utility plugin to send me an email if this happens, the same as I do for plugin updates.

If this is sorted out then I can confidently start using CP again. :heart_eyes:

1 Like

Shield Security is in the ClassicPress directory since they support CP.
It’s in the directory with the same name as in the WP repo, so I don’t know if the two versions are different, but since it’s there it can be considered a CP plugin.

I think we should ultimately leave it to the user to decide what to do and not disable things for them.

Since this clearly encompasses security, I think it’s ultimately something to put in our famous security page.

We could:

  • check for outdated plugins in general and list them
  • check for plugins requiring 5.0+ and state that those might be outdated
  • provide a clear message why outdated plugins can be a problem, but without generating panic

Something like:
We detected outdated plugins on your site. We suggest you consider updating them. (Link to a doc post about security)

And for the case where we detect plugins with a 5.0+ requirement:
We detected plugins that require WordPress 5.0 and above. You will not receive notifications when they update. Please visit the plugins page (link) and consult with the author whether security updates are necessary. It might be safe to continue running this plugin, but we suggest looking for alternatives (link to our repo).

There’s a problem case when the user has a plugin installed that still required WP 4.0 or above on the current install but bumped its requirement during an update.
They won’t see those update nags.

That means we’d have to query the WP remote API to check if the plugin requires an update, and that means we’d add slowness in the backend.
Perhaps here a button that can be clicked (instead of an always-running query) could help:
“Check for issues with plugins”.

Only then do we run the code to check for updates of those plugins.

This way we could avoid overhead and still offer a way to find potentially unsafe code.

I didn’t look at the plugin, but I think it should be possible to run the plugin queries on demand instead of always, i.e. “on press of a button”.

Said button of course would live in the security page.

I would agree with that. A clear, prominent warning should be sufficient.

I like this idea. I’ve always thought CP needs to be targeting the most-used plugins to make sure there are good working alternatives for users. This would help find out where work was most needed.

1 Like

While we add something more robust to the core, why don’t we make the migration plugin either recommend or pre-install/activate @Simone’s plugin when migrating WP to CP? This could help “solve” the temporary updates issue now. Give us time to develop a robust solution in the core that @james described above.

4 Likes

I think this will work much better if it is not hidden away inside the security page, rather, it should be always active and completely integrated into the plugins screen like Simone’s plugin is.

Since CP is already checking for updates for WP plugins, there shouldn’t be any extra network requests, it is more a matter of making better use of the information that CP already has available to it.

6 Likes
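A sketch of the checks proposed in this thread, pulled together: the pending-update list built from data core already holds (no extra request), the on-demand “Check for issues with plugins” button that queries the WP.org API only when pressed, and a global error-style admin notice for plugins whose latest release requires a newer WordPress than the site runs and whose update will therefore never be offered. This is an added example written for this discussion, not code from ClassicPress, CPCompatibility or Shield Security. Everything prefixed `cpic_` is a hypothetical name; the code assumes the standard WordPress 4.9-era admin APIs (`get_plugins`, `plugins_api`, `get_site_transient`, the `admin_post_*` and `admin_notices` hooks) behave on ClassicPress as they do on WordPress 4.9.

```php
<?php
/**
 * Plugin Name: CP Plugin Requirement Check (example)
 * Description: Added example for this thread, not ClassicPress or CPCompatibility code.
 *              Lists updates core already knows about and, on demand, flags WP.org plugins
 *              whose latest release needs a newer WordPress than this site runs.
 */

// Hypothetical names: everything prefixed cpic_ is invented for this example.
const CPIC_TRANSIENT = 'cpic_last_check';
const CPIC_ACTION    = 'cpic_check_plugins';

/**
 * Updates core already knows about. No network request: this reads the
 * update_plugins transient that wp_update_plugins() refreshes on its own.
 */
function cpic_pending_updates() {
	$updates = get_site_transient( 'update_plugins' );
	$pending = array();
	if ( is_object( $updates ) && ! empty( $updates->response ) ) {
		foreach ( $updates->response as $file => $info ) {
			$pending[ $file ] = $info->new_version;
		}
	}
	return $pending;
}

/**
 * On-demand check: ask the WP.org plugin-information API about each installed
 * plugin and compare the latest release's "Requires at least" with the running
 * core version. One remote request per plugin, hence only on button press.
 */
function cpic_find_silent_updates( $core_version ) {
	require_once ABSPATH . 'wp-admin/includes/plugin.php';
	require_once ABSPATH . 'wp-admin/includes/plugin-install.php';

	$found = array();
	foreach ( get_plugins() as $file => $local ) {
		$slug = ( '.' === dirname( $file ) ) ? basename( $file, '.php' ) : dirname( $file );
		$info = plugins_api( 'plugin_information', array(
			'slug'   => $slug,
			'fields' => array( 'sections' => false ), // keep the payload small
		) );
		if ( is_wp_error( $info ) || empty( $info->requires ) ) {
			continue; // not a WP.org plugin, or no requirement published: nothing to conclude
		}
		$newer_release  = version_compare( $info->version, $local['Version'], '>' );
		$needs_newer_wp = version_compare( $info->requires, $core_version, '>' );
		if ( $newer_release && $needs_newer_wp ) {
			// The silent case from this thread: an update exists but will not be offered here.
			$found[ $file ] = array(
				'name'     => $local['Name'],
				'latest'   => $info->version,
				'requires' => $info->requires,
			);
		}
	}
	return $found;
}

// Button target: admin-post.php?action=cpic_check_plugins, capability- and nonce-checked.
add_action( 'admin_post_' . CPIC_ACTION, function () {
	if ( ! current_user_can( 'update_plugins' ) ) {
		wp_die( 'Insufficient permissions.' );
	}
	check_admin_referer( CPIC_ACTION );
	$found = cpic_find_silent_updates( get_bloginfo( 'version' ) );
	set_site_transient( CPIC_TRANSIENT, $found, DAY_IN_SECONDS );
	wp_safe_redirect( admin_url( 'plugins.php' ) );
	exit;
} );

// Global notice on every admin page, like the core-update nag but with the error (red) style.
add_action( 'admin_notices', function () {
	if ( ! current_user_can( 'update_plugins' ) ) {
		return;
	}
	$pending = cpic_pending_updates();
	if ( $pending ) {
		echo '<div class="notice notice-warning"><p>' . count( $pending )
			. ' plugin update(s) are pending. Please review them on the Plugins page.</p></div>';
	}
	$found = get_site_transient( CPIC_TRANSIENT );
	if ( ! empty( $found ) ) {
		echo '<div class="notice notice-error"><p><strong>' . count( $found )
			. ' plugin(s) have updates that will not be offered on this site.</strong></p><ul>';
		foreach ( $found as $p ) {
			printf( '<li>%s: latest release %s requires WordPress %s</li>',
				esc_html( $p['name'] ), esc_html( $p['latest'] ), esc_html( $p['requires'] ) );
		}
		echo '</ul><p>Ask the author whether the update fixes security issues, and consider an alternative from the ClassicPress directory.</p></div>';
	}
	// The on-demand button, shown only on the Plugins screen.
	$screen = get_current_screen();
	if ( $screen && 'plugins' === $screen->id ) {
		echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
		echo '<input type="hidden" name="action" value="' . esc_attr( CPIC_ACTION ) . '">';
		wp_nonce_field( CPIC_ACTION );
		submit_button( 'Check for issues with plugins', 'secondary', 'submit', false );
		echo '</form>';
	}
} );
```

Two things to keep in mind: plugins not hosted on WP.org (or whose readme publishes no “Requires at least”) are skipped rather than reported, so an empty result means “nothing the WP.org API can tell us”, not “nothing wrong”; and because a site reporting itself as 4.9.x never receives the newer release in its `update_plugins` transient, the per-plugin `plugins_api` call is the only way to learn that such a release exists, which is why it sits behind a button and a day-long transient instead of running on every page load.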