When we wrote about why plugins sometimes disappear from the WordPress plugin directory, it generated a healthy discussion in the comments. One of the topics of discussion brought up is whether or not users should be notified when a plugin disappears and if so, how?
Currently, when a plugin is hidden on the directory, users are not notified. If it’s removed due to a security vulnerability and the author chooses not to fix it or move the plugin somewhere else such as GitHub, users are left in the dark.
Donna Cavalier shared a recent example of why users should be notified. Contact Form DB is a popular plugin that saves contact form submissions from many popular Contact Forms plugins to the database. As of October 30th, 2016, it was actively installed on more than 400K sites.
Approximately one month ago, the plugin was hidden due to a security vulnerability. Instead of releasing a patch, Michael Simpson, creator of Contact Form DB, moved the plugin to GitHub and subsequently released a new version that patched the vulnerability. Simpson says the person on the plugin review team that he spoke with was condescending, unprofessional, and rubbed him the wrong way.
“I’m happy to address any issues and meet any standards, but I’m at the limit of my patience,” Simpson said.
“I try to be a good citizen and give back to the community. I’ve put in countless hours for close to seven years now. When I’m treated like this, it seems WordPress doesn’t value me or my contribution to its community.
“Anyway, I put the code on GitHub and I will continue to support it. But at this point I’m not sure I want to deal with people like this to re-list the plugin on this site. I don’t need the frustration.”
If you use Contact Form DB, please update to 2.10.30 as soon as possible as it contains the aforementioned security fix.
It’s impossible for Contact Form DB users to automatically install updates from GitHub without installing an updater plugin. This leaves thousands of sites at risk.
How to Know When Installed Plugins Are No Longer in the Directory
In the comments of our article, Tavern reader Central Geek shared links to a couple of plugins that provide useful information, such as whether a plugin has been abandoned, along with better plugin compatibility information.
One of the plugins he mentions is called No Longer in Directory, developed by White Fir Design. The plugin adds a page to the WordPress backend that informs users if any of the installed plugins are no longer available in the plugin directory. It also separately lists installed plugins that haven’t been updated in two years or more.
The check is performed using the plugin’s folder name. The author notes that this could cause plugins that have never been in the plugin directory to be flagged if they use the same folder name as a plugin that was in the directory in the past. If you encounter this situation, you’re encouraged to create a new thread on the plugin’s support forum.
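The two checks described above, written out as an added example (not code from the No Longer in Directory plugin or from WordPress.org): an installed folder name that matches a formerly listed slug is reported as removed, a listed plugin not updated in two years or more is reported as stale, and the false-positive caveat travels with the finding. The directory records and slugs below are constructed sample data.

```python
"""Audit installed WordPress plugin folder names against directory data."""
from dataclasses import dataclass
from datetime import date, timedelta

STALE_AFTER = timedelta(days=2 * 365)  # "two years or more" rule

# Constructed sample data, not real directory records: slugs still listed
# (with the last update date the directory reports) and slugs that were
# listed once but have since been removed or hidden.
CURRENTLY_LISTED = {
    "akismet": date(2016, 10, 12),
    "old-widget": date(2013, 6, 1),
}
FORMERLY_LISTED = {"sample-removed-plugin", "old-gallery"}


@dataclass
class Finding:
    slug: str
    status: str  # "removed", "stale", "unknown" or "ok"
    note: str


def audit_plugin(slug, today, listed=CURRENTLY_LISTED, removed=FORMERLY_LISTED):
    """Classify one installed plugin by folder name only."""
    if slug in removed:
        # Name-based match: a plugin never installed from the directory but
        # reusing this slug lands here too, so the note carries the caveat.
        return Finding(slug, "removed",
                       "no longer in the directory; verify manually if this "
                       "plugin was never installed from the directory")
    if slug in listed:
        last = listed[slug]
        if today - last >= STALE_AFTER:
            return Finding(slug, "stale", f"last updated {last.isoformat()}")
        return Finding(slug, "ok", "")
    # Neither listed nor formerly listed: commercial or private plugin.
    return Finding(slug, "unknown", "not present in directory data")


def audit_plugins(installed_folders, today):
    """Return one finding per installed folder, most urgent status first."""
    order = {"removed": 0, "stale": 1, "unknown": 2, "ok": 3}
    findings = [audit_plugin(slug, today) for slug in installed_folders]
    return sorted(findings, key=lambda f: (order[f.status], f.slug))


if __name__ == "__main__":
    folders = ["akismet", "old-widget", "sample-removed-plugin", "my-private-plugin"]
    for f in audit_plugins(folders, date(2016, 11, 1)):
        print(f"{f.status:8} {f.slug}  {f.note}")
```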
So far, No Longer in Directory is actively installed on more than 1K sites. Out of a total of six reviews, its average rating is 4.8 out of 5 stars. I tested the plugin with WordPress 4.8 alpha and didn’t encounter any issues.
If this is a feature you’d like to see implemented in WordPress, consider voting for it. So far, the idea has 43 votes with a five-star average rating. Mika Epstein, Plugin Directory Representative, responded to the idea four years ago noting that it was being worked on.
As Epstein mentioned in our previous article, explaining WHY a plugin has been closed is complex.
“Obviously the last thing we want are people getting hacked, but it presents us with a few options and they all have flaws,” she said.
“We’ve not been able to determine a way to tell people ‘This plugin is gone, don’t use it’ and ‘This plugin is gone, but use it if you want.’ without putting users at risk.”
If a Plugin Is Permanently Removed From the Directory, Users Should Be Notified
I believe users should be informed if a plugin is permanently removed from the directory. It doesn’t make sense to notify users if it’s temporarily hidden due to violating a guideline or a security issue. Plus, between upgrade and admin notices, users are receiving enough notifications as it is.
I’m unsure if the notification should be an admin notice, as we’ve already documented how plugin authors are using them to advertise. Users are increasingly getting annoyed by them and their usefulness is in decline.
There’s also the question as to who is responsible for informing users. This responsibility should fall squarely on the plugin author. If I were a plugin author who was not interested in someone adopting my plugin and wanted it removed from the directory, I’d do so by pushing out one last update.
I’d explain in the plugin’s description and changelog that support and updates would no longer occur and that users should seek alternatives. I might even suggest a few that come to mind. Then, after about a month, I’d submit a request to the plugin review team to permanently remove it.
This would give users a heads up and plenty of time to seek out an alternative. The Post Template plugin is a good example of this idea in action. Here is the notice it displayed on all of its settings pages before it disappeared.
Since version 4.0.0, the plugin has been released under a commercial license. New features such as addition of custom fields to the templates have been added. Furthermore, this version is discontinued, which means that no further bug fixes, new features and compatibility fixes for new WordPress versions will be implemented. If you want to buy the latest version of Post Template, please visit the plugin web page.
By notifying users ahead of time, the responsibility shifts to the user to find an alternative.
An Unfortunate Situation for Users of Contact Form DB
While users sympathized with Simpson over his decision, I think it’s partly irresponsible. If a plugin has a security vulnerability, patching it and making it available as soon as possible should take precedence over how one feels about a situation.
Instead of putting aside differences and pushing out an update to patch a security vulnerability, Simpson chose to move the plugin and the patched version to GitHub. The decision not to work with the plugin review team has put thousands of sites at risk with no easy way for users to update.
Hopefully, Simpson will work with the team to get a patched version of Contact Form DB back onto the directory as soon as possible. Until then, if you use Contact Form DB, please update to 2.10.30 manually as it patches the security vulnerability.