10 Comments

  1. BK

    This is what happened when ProfilePress overhauled its WP User Avatar plugin, turning it into a full-fledged membership solution.

    Didn’t they replace the old plugin completely? If so, “overhaul” isn’t the correct term.

    Great article! Thanks for your work on this.


  2. David Artiss

    Thanks for writing this up, Justin.

    My fork of the plugin is probably different from the others in that it’s been modified in preparation for hitting the wp.org directory. In particular, I’ve removed the built-in translation so that GlotPress will take it over (https://translate.wordpress.org).

    If you intend to run the GitHub version of a fork, and need any language other than English, then I’d recommend looking at the other two, and not my own.

    On the upside (and the reason for the delay), when my version does appear in the directory, it will have had a ton of changes made to it, including around security, due to the requirements for plugin quality.


  3. Jeffrey Paul

    Note that if you’re looking to migrate from WP User Avatar / ProfilePress to Simple Local Avatars, Philip John crafted a migration script to help: https://gist.github.com/philipjohn/822d3521a95481f6ad7e118a7106fbc7.


  4. Saad
  5. Daniel Tara

    An important detail when switching to any alternative is to remember not to delete the WP User Avatar plugin through the WordPress plugins admin screen. Doing that would run an uninstall script that would delete all your existing avatars without warning. Instead, just deactivate the plugin and delete it via FTP.


  6. Daniel James

    It’s good to see more options available for those that found themselves stuck with this plug-in being manipulated.

    It actually pushed me to go back to Dark Mode and redevelop it so people have an option of using sustainable plugins.


  7. Paal Joachim Romdahl

    Related to custom avatars.
    Here is an old and long WordPress Trac ticket: https://core.trac.wordpress.org/ticket/16020
    The ticket is about incorporating a local avatar and additional privacy controls into WordPress core. The last movement was 2 months ago.


  8. pepe

    Avatar Privacy (https://wordpress.org/plugins/avatar-privacy/) also provides local avatars.


  9. Jon Brown

    And in “overhauling” they introduced unauthenticated cross-site scripting vulnerabilities. Oops!

    https://www.wordfence.com/blog/2021/06/easily-exploitable-critical-vulnerabilities-patched-in-profilepress-plugin/

    This is the other side of this issue of “popular free plugin take over and replacement” that I haven’t seen discussed. These “overhauls” of what was an extremely popular, simple and secure plugin now have a massively larger vulnerability surface.
