How to Check if Installed Plugins Are No Longer in the Plugin Directory

When we wrote about why plugins sometimes disappear from the WordPress plugin directory, it generated a healthy discussion in the comments. One of the topics of discussion brought up is whether or not users should be notified when a plugin disappears and if so, how?

Currently, when a plugin is hidden on the directory, users are not notified. If it’s removed due to a security vulnerability and the author chooses not to fix it or move the plugin somewhere else such as GitHub, users are left in the dark.

Donna Cavalier shared a recent example of why users should be notified. Contact Form DB is a popular plugin that saves contact form submissions from many popular Contact Forms plugins to the database. As of October 30th, 2016, it was actively installed on more than 400K sites.

Approximately one month ago, the plugin was hidden due to a security vulnerability. Instead of releasing a patch, Michael Simpson, creator of Contact Form DB, moved the plugin to GitHub and subsequently released a new version that patched the vulnerability. Simpson says the person on the plugin review team that he spoke with was condescending, unprofessional, and rubbed him the wrong way.

“I’m happy to address any issues and meet any standards, but I’m at the limit of my patience,” Simpson said.

“I try to be a good citizen and give back to the community. I’ve put in countless hours for close to seven years now. When I’m treated like this, it seems WordPress doesn’t value me or my contribution to its community.

“Anyway, I put the code on GitHub and I will continue to support it. But at this point I’m not sure I want to deal with people like this to re-list the plugin on this site. I don’t need the frustration.”

If you use Contact Form DB, please update to 2.10.30 as soon as possible as it contains the aforementioned security fix.

It’s impossible for Contact Form DB users to automatically install updates from GitHub without installing an updater plugin. This leaves thousands of sites at risk.

How to Know When Installed Plugins Are No Longer in the Directory

In the comments of our article, Tavern reader Central Geek shared links to a couple of plugins aimed at providing useful information such as, whether a plugin has been abandoned and better plugin compatibility information.

One of the plugins he mentions is called No Longer in Directory, developed by White Fir Design. The plugin adds a page to the WordPress backend that informs users if any of the plugins that are installed are available in the plugin directory. It also separately lists installed plugins that haven’t been updated in two years or more.

NoLongerInTheDirectoryScreenshot

The check is performed using the plugin directory’s folder name. The author notes that this could lead to plugins that have never been in the plugin directory to be flagged if they use the same name as a plugin that was in the directory in the past. If you encounter this situation, you’re encouraged to create a new thread on the plugin’s support forum.

So far, No Longer in Directory is actively installed on more than 1K sites. Out of a total of six reviews, its average rating is 4.8 out of 5 stars. I tested the plugin with WordPress 4.8 alpha and didn’t encounter any issues.

If this is a feature you’d like to see implemented in WordPress, consider voting for it. So far, the idea has 43 votes with a five-star average rating. Mika Epstein, Plugin Directory Representative, responded to the idea four years ago noting that it was being worked on.

As Epstein mentioned in our previous article, explaining WHY a plugin has been closed is complex.

“Obviously the last thing we want are people getting hacked, but it presents us with a few options and they all have flaws,” she said.

“We’ve not been able to determine a way to tell people ‘This plugin is gone, don’t use it’ and ‘This plugin is gone, but use it if you want.’ without putting users at risk.”

If a Plugin Is Permanently Removed From the Directory, Users Should Be Notified

I believe users should be informed if a plugin is permanently removed from the directory. It doesn’t make sense to notify users if it’s temporarily hidden due to violating a guideline or a security issue. Plus, between upgrade and admin notices, users are receiving enough notifications as it is.

I’m unsure if the notification should be an admin notice as we’ve already documented how plugin authors are using them to advertise. Users are increasingly getting annoyed by them and they’re usefulness is in decline.

There’s also the question as to who is responsible for informing users. This responsibility should fall squarely on the plugin author. If I was a plugin author and not interested in someone adopting my plugin and wanted it removed from the directory, I’d do so by pushing out one last update.

I’d explain in the plugin’s description and changelog that support and updates would no longer occur and that users should seek alternatives. I might even suggest a few that come to mind. Then, after about a month, I’d submit a request to the plugin review team to permanently remove it.

This would give users a heads up and plenty of time to seek out an alternative. The Post Template plugin is a good example of this idea in action. Here is the notice it displayed on all of its settings pages before it disappeared.

Since version 4.0.0, the plugin has been released under a commercial license. New features such as addition of custom fields to the templates have been added. Furthermore, this version is discontinued, which means that no further bug fixes, new features and compatibility fixes for new WordPress versions will be implemented. If you want to buy the latest version of Post Template, please visit the plugin web page.

By notifying users ahead of time, the responsibility shifts to the user to find an alternative.

Simpon said he’ll work to get the plugin re-listed but it may take some time as he’s swamped with work. At the time of publishing, the plugin is not available on WordPress.org.

An Unfortunate Situation for Users of Contact Form DB

While users sympathized with Simpson over his decision, I think it’s partly irresponsible. If a plugin has a security vulnerability, patching it and making it available as soon as possible should take precedence over how one feels about a situation.

Instead of putting aside differences and pushing out an update to patch a security vulnerability, Simpson chose to move the plugin and the patched version to GitHub. The decision not to work with the plugin review team has put thousands of sites at risk with no easy way for users to update.

Hopefully, Simpson will work with the team to get a patched version of Contact Form DB back onto the directory as soon as possible. Until then, if you use Contact Form DB, please update to 2.10.30 manually as it patches the security vulnerability.

36 Comments


  1. But what will happen if No Longer in Directory is no longer in directory?

    Report


    1. As long as it is, enjoy.

      Report


  2. Thanks for the mention Jeff.

    While I have stated that it isn’t the responsibility of volunteers to inform people of plugins being removed or hidden on WordPress, if there was a push to include such notifications in the dashboard of WordPress installations, I would be one person who would appreciate it.

    As many (including me) in past have complained about nearly all solutions having to be plugins, it does become quite a problem when general plugins just to manage options for WordPress begin to add up on top of added functionality plugins.

    WordPress already checks for updates. Adding a function that checks status (discontinued, permanently removed for violation of rules, current version contains vulnerability and author notified – in the mean time install Wordfence (or similar security plugin) to protect your website), or whatever notices triggered and show it in the dashboard shouldn’t be that difficult to accomplish.

    Next, “What to do when you receive the following notices . . .” If and when you visit your dashboard.

    Report


  3. “While users sympathized with Simpson over his decision, I think it’s partly irresponsible.”

    Disagree. Automattic should fund/add/foster an option for people to subscribe to updates and allow the Plugin Directory to let plugin developers email users with key information (critical updates, and moving off the directory, etc).

    Then Automattic or WordPress.org (or WordPress.com if need be for security) would have your email address and the developer wouldn’t – limiting spam risk.

    If I were Automattic, I’d also contact the developer and try to sort out the animus.

    Not saying WordPress.org or Automattic did anything wrong, but I don’t think the developer necessarily did either. Nevertheless, Automattic has the resources to implement the (above) permanent solution.

    Report


      1. You know what I mean, WordPress.org’s plugin directory should do it.

        Automattic has steering control over WorPress.org and a financial incentive to put the resources in to solve this. Issues worth debating more… but not the point.

        Report


      2. I do know what you mean but others don’t which is why I felt the need to respond with that comment.

        Report


      3. I would be stunned to find someone aware of this situation and not aware of the link between Automattic and WordPress.org. Regardless, saying they have “nothing to do” with it isn’t correct either. They steer it.

        And again, that isn’t a rebuke of the system. Just a focused argument to quickly improving it.

        Report


      4. The plugin directory is managed by volunteers, most of whom are not paid directly by Automattic or the WordPress Foundation for their efforts. There are a few Audrey Human Capital employees such as Otto and Scott Reilly (coffee2code) who work on WordPress.org stuff which includes the plugin directory. The directory redesign is being directed by Konstantin Obenland who is an Automattic employee.

        What do you mean when you say Automattic steers it?

        This conversation is an aside to the issue at hand which I believe Automattic has nothing to do with.

        Report


      5. Jeff, the difference is purely semantic, both belong to @matt and unless he has multiple personalities (which I have no reason to assume he has, or wish him to have), it is just impossible to have total separation between the two.

        @matt should just give up its control over wordpress.org, the conflict of interest is too obvious. I am sure there are ways for him to donate money for its maintenance without being implicitly or explicitly involved.

        It is just not healthy that the operation of it depends on just one person that might lose interest in it (however unlikely it seems right now).

        Report


      6. I of all people understand the differences, the semantics, and the relationships between .org, Audrey Capital, Automattic, and the WordPress Foundation. The operation of it is not dependent on one person. There are people who work on WordPress.org that have as much access to the site as he does. Matt is pretty good about contingency plans.

        Report


      7. Matt is pretty good about contingency plans.

        That is good to know

        Report


  4. From a plugin author perspective, claiming that it is somehow the responsibility of the author to notify users, without giving him tools to do that is kinda hypocritical.

    Currently I want to release a new version of my plugin, to solve two annoying bugs that I estimate (based on the lack of complaints) that are not bugs people actually run into right now. Since I would like to release a new version in about two months, I don’t want to force people to go through the upgrade process if they don’t actually run into the bugs. What I would like to do is send them a message saying, there is a new version fixing some minor bug, if you are interested, get it from github.
    Such a thing is impossible to do.

    The way I see it, users of plugins downloaded from wordpress.org are not my users, they are wordpress.org’s users, and it is wordpress.org responsibility to make them happy. It is not only plugin authors that don’t have much value in what wordpress.org offers, users also do not find it very useful as a support channel, and many prefer to use alternative support channels, which in my case are actually not very easy to find.

    WordPress.org is google for plugins and themes, just slightly more than that, and the same way you don’t expect google to notify you about changes to plugins you found by a google search, there is no reason to expect to get notifications from wordpress.org.
    We have in our plugin, and I assume many other authors do the same, links to our twitter and FB account, so you will not even need to lets us know anything about you (except for your handle) to be able to keep track with what is going on with the plugin, and still not even 1% of the users follow us.

    If users like Donna (nothing personal, just a name to use here) can’t be bothered to do the minimal effort of following someone on the social networks they are already on, I am sorry, but I frankly can’t care about how hard it is for them. This is just an entitlement problem, they don’t want to do anything (not even talking about paying for someones work lol) but want to get everything.

    Report


    1. One wonders though: Why don’t you just put in that info in the plugin readme? Ie. something like “this is just the WP.org mirror release, but the latest and bestest things are happening in the official repository at github.” and then maybe point the Plugin URI towards Github, too.

      Pretty simple, aka end of story.

      cu, w0lf.

      Report


      1. it is there, but there is no way to notify users that X happened without doing a new release, and users (almost) never read changlogs or the readme, or anything.

        Report


      2. I think you answered your own question, most users aren’t going to read anything you put in front of them. The more complex the process comes the less people will engage. If they aren’t engaging now, adding further notifications isn’t going to aid the situation.

        Just upgrade and release your plugin. They get what they are given and tough luck if they don’t want it and didn’t read the upgrade notes, who do these users think they are!

        Report


  5. While the usefulness of admin notices is up for debate, I think the chances of the average user seeing the note in the changelog or long description before it is permanently removed, when they already have the plugin installed, is slim.

    Perhaps a Security Notices submenu item under Dashboard? It can highlight plugins with no updates for a certain time (though that’s not a defining factor in whether its a security risk) along with plugins that have known vulnerabilities.

    This way the number of issues can be noticed with a red indicator within the submenu item title (and combine with the normal number of updates in the parent Dashboard menu item). If wp.org volunteers have additional information (such as a patch located elsewhere) they could also list it there.

    From the comments on that old wp.org feature suggestion it looks like a lot of the above is being considered, so worth a vote :)

    Report


  6. While users sympathized with Simpson over his decision, I think it’s partly irresponsible.

    I disagree. If I were Simpson, I would probably have done the same thing.

    Report


    1. I totally agree. I don’t understand why plugins and the plugin repository don’t have a higher priority. Plugins make WordPress work. Plugins allow WordPress to do the things end users want it to do. Need an e-commerce website? WordPress cannot do it without a plugin. Need a simple contact form? You need a plugin for that. Want to stop spam? You’ll need a plugin for that too. I could go on and on.

      That fact that the plugin repository is staffed by volunteers is quite telling. It should be staffed by people who are being paid. The work they do is crucial to the success of WordPress.

      Report


      1. I agree. But, just wanted to point out that some .org “volunteers” are paid by large companies (i.e. GoDaddy, Dreamhost, and Automattic, to name just 3) to volunteer, so they’re not actually volunteers. There are paid “volunteers” working in both the plugin repo and on WP core. Obviously, they have to look out for who pays them. Not saying that’s a problem but something worth noting.

        Report


  7. There is a quick way to scan the list of installed plugins for those not in the directory that doesn’t require a plugin. If the “View details” link is missing from any plugin in the plugin list that means it’s not listed in the directory. It’s not as obvious as an alert or red flag though.

    My own plugin Gauntlet Security includes a basic assessment of all installed plugins including: development activity, rating, if it needs updating, and if it’s not in the official plugin directory. But I really don’t think this sort of functionality is important enough to be in core – there’s too much judgement involved in calling out plugins for things which could be quite innocent.

    This sounds harsh but I’d also like to float the idea that ultimate responsibility is on the site maintainer who chooses what software to install on their site. Until the plugin directory is less of a free-for-all, every plugin should be vetted with great caution.

    Report


  8. Thanks for telling us. I came here by pure chance (as I hardly ever follow links from my dashboard).

    I’m still at a loss as to how to update this plug-in from GitHub.
    I tried to follow instructions on the WP Codex page – but still don’t get an update option on my dashboard. The page isn’t even clear if I have to upload a ZIP file (like you do with themes) or an extracted version (for which my mobile internet is too weak – I lose the connection in the process). I guess I would face the same questions if I would add the GitHub updater; and I really don’t want yet another plugin!

    Worse: since the release of WP 4.7.2 WordPress is no longer sending me *some* email notifications. I only get notifications about new post comments. But I don’t receive emails about successful UpDraft back-ups, nor about new contact form submissions. So without the plugin new contact form submissions are lost – in cyberspace.
    GRRR! I need help.

    Report


  9. There seems to be more discussion about this than something that is hard to understand. The issues are simple and cross the entire WordPress Enterprise. I am actually very surprised that so many truly brilliant folks, volunteers at that (paid volunteers still count) haven’t seen this as an unreasonable situation for themselves on their own sites or as an issue for those that are paying them and fixed it without this discussion.

    If WordPress can tell me when a plugin needs to be updated or make the view details link go away. It can without even a significant amount of code changes tell me that it is no longer in the directory and perhaps the date it was removed if not the reason it was removed. Why couldn’t this be something as simple as Security Vulnerability (in red maybe) without going into significant details.

    I absolutely believe that whoever has determined that if it was bad enough to be removed but they can’t share with us because of the security implications are just telling me and everyone else how smart and important (and probably good looking) they are and how everyone except for their closest circle is just too stupid, irresponsible, or lazy (and probably fat or old if not both) to make their own decisions. Tell me what is going on. I am capable of making my own risk assessment and acting on it. BTW, that applies across the board (Operating Systems, Browsers, Applications, National Security, etc . . . ) not just to WordPress Plugins and themes. Way too many folks today are just making themselves far too important or grasping for any kind of influence especially when it isn’t justified.

    Report


  10. Please…. with regards to business, companies, and organisations, there is no such thing as a ‘paid volunteer’… by definition.

    If a company is paying an employee for time that they spend working on a non-profit project, that is not volunteering… it is a form of charitable donation from that company to the non-profit benefiting from the work.

    I would even suppose there will be some tax deductibles involved.

    Report


  11. Jeff,

    I can see your argument on plugin author responsibility particularly when it comes to security issues, but I’m not cleare if we have the full story behind why Michael felt that way.

    I’ve been on the receiving end of a security issue in one of my plugins and I had to pull a feature because of compatibility issues rather than because of security. I wasn’t treated in a condescending manner, to be clear.
    But, it wasn’t ideal as I had many users complaining about a feature that actually speeded things up!
    Now, I’m developing it as a add-on I’ll host on GitHub and my website and try to deploy updates via Software Licensing which isn’t ideal given I need to actually buy the plugin.

    Then again, I chose to continue to support the plugin on WP.org and felt it important that users get the updates straight through there.

    I’d like to believe that Michael would eventually be back in the directory when he finds the time to make a proper update.

    Report


  12. Hard to keep up with mdsimpson (as of 2/20/17)
    Contact Form 7 DB v Version 2.10.30 mdsimpson released this 26 days ago

    v 2.10.31 GitHub Update Support mdsimpson released this 13 days ago. Added support for GitHub updater. Install that plugin as well so that you can update CFDB directly from GitHub of from WP.

    Report


  13. The thing that bugs me is that I have some simple plugins that “just work”. Unless something fundamental changes in WP they will always work.

    So a couple of times now I’ve gone to install my own plugin and it’s gone simply because Ive had no reason to update if for two years.

    I’d hate to think people are removing the plugin thinking it is somehow defective. I guess I just need to get better at making a minor tweak to my readme files!

    Report


  14. What Simpson did is irresponsible. How many sites are out there with the compromised version of the plugin that will NEVER get updated because he decided to take his ball and go home?

    Once your plugin is out there you have a responsibility. That responsibility is that your plugin does no harm, and if it does you fix it ASAP. Storming off in a huff because someone hurt your feelings just screws your users. I USED to use this plugin on all my clients’ sites with CF7 installed, but will be looking for alternatives.

    Report


    1. Lol the entitlement problem is strong with you. If you didn’t pay for a service you are for sure not entitled for anything. With 400k users, if each of them had paid 25 cents a year I have a feeling that simpson would have been much more patient with whatever were the difficulties he had with the process of updating his plugin.

      Report


      1. If money is a motivator, charge for the product.

        I don’t see how this is an “entitlement” problem. Simpson left thousands of users hanging out to dry and AFAIK didn’t even make any attempt to notify them that a) they’re at risk and b) what to do next.

        If that’s an unreasonable expectation of plugin developers then WordPress as a whole has a big problem.

        Report


  15. Has anyone had any luck downloading Contact DB Form 2.10.30? If so, how can I get the file?

    Report

Comments are closed.