  1. Li-An

    But what will happen if No Longer in Directory is no longer in directory?


  2. Central Geek

    Thanks for the mention Jeff.

    While I have stated that it isn’t the responsibility of volunteers to inform people of plugins being removed or hidden on WordPress, if there was a push to include such notifications in the dashboard of WordPress installations, I would be one person who would appreciate it.

    As many (including me) in the past have complained about nearly all solutions having to be plugins, it does become quite a problem when general plugins just to manage options for WordPress begin to add up on top of added functionality plugins.

    WordPress already checks for updates. Adding a function that checks status (discontinued, permanently removed for violation of rules, current version contains vulnerability and author notified – in the meantime install Wordfence (or similar security plugin) to protect your website), or whatever notices triggered and show it in the dashboard shouldn’t be that difficult to accomplish.

    Next, “What to do when you receive the following notices . . .” If and when you visit your dashboard.


  3. Christopher Price

    “While users sympathized with Simpson over his decision, I think it’s partly irresponsible.”

    Disagree. Automattic should fund/add/foster an option for people to subscribe to updates and allow the Plugin Directory to let plugin developers email users with key information (critical updates, and moving off the directory, etc).

    Then Automattic or WordPress.org (or WordPress.com if need be for security) would have your email address and the developer wouldn’t – limiting spam risk.

    If I were Automattic, I’d also contact the developer and try to sort out the animus.

    Not saying WordPress.org or Automattic did anything wrong, but I don’t think the developer necessarily did either. Nevertheless, Automattic has the resources to implement the (above) permanent solution.


  4. mark k.

    From a plugin author perspective, claiming that it is somehow the responsibility of the author to notify users, without giving him tools to do that is kinda hypocritical.

    Currently I want to release a new version of my plugin, to solve two annoying bugs that I estimate (based on the lack of complaints) that are not bugs people actually run into right now. Since I would like to release a new version in about two months, I don’t want to force people to go through the upgrade process if they don’t actually run into the bugs. What I would like to do is send them a message saying, there is a new version fixing some minor bug, if you are interested, get it from github.
    Such a thing is impossible to do.

    The way I see it, users of plugins downloaded from wordpress.org are not my users, they are wordpress.org’s users, and it is wordpress.org’s responsibility to make them happy. It is not only plugin authors that don’t have much value in what wordpress.org offers, users also do not find it very useful as a support channel, and many prefer to use alternative support channels, which in my case are actually not very easy to find.

    WordPress.org is google for plugins and themes, just slightly more than that, and the same way you don’t expect google to notify you about changes to plugins you found by a google search, there is no reason to expect to get notifications from wordpress.org.
    We have in our plugin, and I assume many other authors do the same, links to our twitter and FB account, so you will not even need to let us know anything about you (except for your handle) to be able to keep track with what is going on with the plugin, and still not even 1% of the users follow us.

    If users like Donna (nothing personal, just a name to use here) can’t be bothered to do the minimal effort of following someone on the social networks they are already on, I am sorry, but I frankly can’t care about how hard it is for them. This is just an entitlement problem, they don’t want to do anything (not even talking about paying for someone’s work lol) but want to get everything.


    • fwolf

      One wonders though: Why don’t you just put in that info in the plugin readme? Ie. something like “this is just the WP.org mirror release, but the latest and bestest things are happening in the official repository at github.” and then maybe point the Plugin URI towards Github, too.

      Pretty simple, aka end of story.

      cu, w0lf.


      • mark k.

        It is there, but there is no way to notify users that X happened without doing a new release, and users (almost) never read changelogs or the readme, or anything.


        • Jez

          I think you answered your own question, most users aren’t going to read anything you put in front of them. The more complex the process becomes the less people will engage. If they aren’t engaging now, adding further notifications isn’t going to aid the situation.

          Just upgrade and release your plugin. They get what they are given and tough luck if they don’t want it and didn’t read the upgrade notes, who do these users think they are!


  5. Brian Hogg

    While the usefulness of admin notices is up for debate, I think the chances of the average user seeing the note in the changelog or long description before it is permanently removed, when they already have the plugin installed, is slim.

    Perhaps a Security Notices submenu item under Dashboard? It can highlight plugins with no updates for a certain time (though that’s not a defining factor in whether it’s a security risk) along with plugins that have known vulnerabilities.

    This way the number of issues can be noticed with a red indicator within the submenu item title (and combine with the normal number of updates in the parent Dashboard menu item). If wp.org volunteers have additional information (such as a patch located elsewhere) they could also list it there.

    From the comments on that old wp.org feature suggestion it looks like a lot of the above is being considered, so worth a vote :)


  6. Jeffrey

    “While users sympathized with Simpson over his decision, I think it’s partly irresponsible.”

    I disagree. If I were Simpson, I would probably have done the same thing.


    • Rick Rottman

      I totally agree. I don’t understand why plugins and the plugin repository don’t have a higher priority. Plugins make WordPress work. Plugins allow WordPress to do the things end users want it to do. Need an e-commerce website? WordPress cannot do it without a plugin. Need a simple contact form? You need a plugin for that. Want to stop spam? You’ll need a plugin for that too. I could go on and on.

      The fact that the plugin repository is staffed by volunteers is quite telling. It should be staffed by people who are being paid. The work they do is crucial to the success of WordPress.


  7. cornelius

    There is a quick way to scan the list of installed plugins for those not in the directory that doesn’t require a plugin. If the “View details” link is missing from any plugin in the plugin list that means it’s not listed in the directory. It’s not as obvious as an alert or red flag though.

    My own plugin Gauntlet Security includes a basic assessment of all installed plugins including: development activity, rating, if it needs updating, and if it’s not in the official plugin directory. But I really don’t think this sort of functionality is important enough to be in core – there’s too much judgement involved in calling out plugins for things which could be quite innocent.

    This sounds harsh but I’d also like to float the idea that ultimate responsibility is on the site maintainer who chooses what software to install on their site. Until the plugin directory is less of a free-for-all, every plugin should be vetted with great caution.


  8. Juergen

    Thanks for telling us. I came here by pure chance (as I hardly ever follow links from my dashboard).

    I’m still at a loss as to how to update this plug-in from GitHub.
    I tried to follow instructions on the WP Codex page – but still don’t get an update option on my dashboard. The page isn’t even clear if I have to upload a ZIP file (like you do with themes) or an extracted version (for which my mobile internet is too weak – I lose the connection in the process). I guess I would face the same questions if I would add the GitHub updater; and I really don’t want yet another plugin!

    Worse: since the release of WP 4.7.2 WordPress is no longer sending me *some* email notifications. I only get notifications about new post comments. But I don’t receive emails about successful UpDraft back-ups, nor about new contact form submissions. So without the plugin new contact form submissions are lost – in cyberspace.
    GRRR! I need help.


  9. Al Brown

    There seems to be more discussion about this than something that is hard to understand. The issues are simple and cross the entire WordPress Enterprise. I am actually very surprised that so many truly brilliant folks, volunteers at that (paid volunteers still count) haven’t seen this as an unreasonable situation for themselves on their own sites or as an issue for those that are paying them and fixed it without this discussion.

    If WordPress can tell me when a plugin needs to be updated or make the view details link go away, it can without even a significant amount of code changes tell me that it is no longer in the directory and perhaps the date it was removed if not the reason it was removed. Why couldn’t this be something as simple as Security Vulnerability (in red maybe) without going into significant details?

    I absolutely believe that whoever has determined that if it was bad enough to be removed but they can’t share with us because of the security implications are just telling me and everyone else how smart and important (and probably good looking) they are and how everyone except for their closest circle is just too stupid, irresponsible, or lazy (and probably fat or old if not both) to make their own decisions. Tell me what is going on. I am capable of making my own risk assessment and acting on it. BTW, that applies across the board (Operating Systems, Browsers, Applications, National Security, etc . . . ) not just to WordPress Plugins and themes. Way too many folks today are just making themselves far too important or grasping for any kind of influence especially when it isn’t justified.


  10. Jeff C

    Please…. with regards to business, companies, and organisations, there is no such thing as a ‘paid volunteer’… by definition.

    If a company is paying an employee for time that they spend working on a non-profit project, that is not volunteering… it is a form of charitable donation from that company to the non-profit benefiting from the work.

    I would even suppose there will be some tax deductibles involved.


  11. Ajay


    I can see your argument on plugin author responsibility particularly when it comes to security issues, but I’m not clear if we have the full story behind why Michael felt that way.

    I’ve been on the receiving end of a security issue in one of my plugins and I had to pull a feature because of compatibility issues rather than because of security. I wasn’t treated in a condescending manner, to be clear.
    But, it wasn’t ideal as I had many users complaining about a feature that actually speeded things up!
    Now, I’m developing it as an add-on I’ll host on GitHub and my website and try to deploy updates via Software Licensing which isn’t ideal given I need to actually buy the plugin.

    Then again, I chose to continue to support the plugin on WP.org and felt it important that users get the updates straight through there.

    I’d like to believe that Michael would eventually be back in the directory when he finds the time to make a proper update.


  12. Roy

    Hard to keep up with mdsimpson (as of 2/20/17)
    Contact Form 7 DB v Version 2.10.30 mdsimpson released this 26 days ago

    v 2.10.31 GitHub Update Support mdsimpson released this 13 days ago. Added support for GitHub updater. Install that plugin as well so that you can update CFDB directly from GitHub or from WP.


  13. Jez

    The thing that bugs me is that I have some simple plugins that “just work”. Unless something fundamental changes in WP they will always work.

    So a couple of times now I’ve gone to install my own plugin and it’s gone simply because I’ve had no reason to update it for two years.

    I’d hate to think people are removing the plugin thinking it is somehow defective. I guess I just need to get better at making a minor tweak to my readme files!


  14. Jeff

    What Simpson did is irresponsible. How many sites are out there with the compromised version of the plugin that will NEVER get updated because he decided to take his ball and go home?

    Once your plugin is out there you have a responsibility. That responsibility is that your plugin does no harm, and if it does you fix it ASAP. Storming off in a huff because someone hurt your feelings just screws your users. I USED to use this plugin on all my clients’ sites with CF7 installed, but will be looking for alternatives.


    • mark k.

      Lol the entitlement problem is strong with you. If you didn’t pay for a service you are for sure not entitled to anything. With 400k users, if each of them had paid 25 cents a year I have a feeling that Simpson would have been much more patient with whatever were the difficulties he had with the process of updating his plugin.


      • Jeff

        If money is a motivator, charge for the product.

        I don’t see how this is an “entitlement” problem. Simpson left thousands of users hanging out to dry and AFAIK didn’t even make any attempt to notify them that a) they’re at risk and b) what to do next.

        If that’s an unreasonable expectation of plugin developers then WordPress as a whole has a big problem.


  15. Maureen

    Has anyone had any luck downloading Contact DB Form 2.10.30? If so, how can I get the file?

