What to do when a plugin is removed from WordPress.org
On a few occasions recently, high-profile plugins with thousands of installs have been removed from the WordPress.org repository. Sometimes this is due to a security vulnerability. Often though, the plugin just disappears with no warning and the user is left none the wiser.
Most of us know about the two year warning for plugins that haven’t been updated by their authors. We can either prompt the plugin developer to release an update or prepare to find a replacement. But a plugin vanishing suddenly can catch us unawares.
Why do plugins disappear?
Some of the reasons plugins disappear from WordPress.org are outlined by moderator Mika Epstein:
- The plugin has broken one or more of the WordPress Plugin Guidelines. WordPress developer and core contributor Mark Jaquith has a longer list of 11 ways to get on the plugin review team’s naughty list.
- The plugin author has requested deletion of the plugin.
- The plugin has a security vulnerability that makes it unsafe to use.
- Licensing issues. All plugins should be compatible with the GNU General Public License v2 or later.
Plugins can go bad if they’re not actively maintained and kept up to date with the latest coding standards. WordPress.org is pushing for adoption of PHP 7.0 or greater.
Sometimes an established plugin is sold by a developer to someone less scrupulous who inserts malicious code into it.
How do you report an issue with a plugin?
There are two recommended channels:
- Email [email protected]
- Join the WordPress.org Slack and leave a message in the #pluginreview channel.
The plugin review team will investigate and if necessary, remove the plugin while the issue is fixed.
If the issue isn’t resolved, the plugin can be banned completely from WordPress.org.
How do plugin users find out about a plugin’s removal?
This is the tricky part! While it is easy to tell when a plugin needs an update in the WordPress Dashboard, there is no similar mechanism for a removed plugin.
One starting point is to check the links in the Plugins section of the WordPress admin. Unfortunately, each plugin must be checked in turn.
A View details link will show the details for that plugin in a popup. This usually applies to free plugins distributed through WordPress.org.
A current, actively supported plugin will show something like this:
A View plugin site link will take you to that plugin’s website. This type of link usually means that the plugin is a commercial plugin, but it may take you to the relevant WordPress.org plugin page.
Recently WordPress.org have started changing the nature of plugin pages where the plugin no longer exists or has been removed.
This came about through the following Trac ticket Closed plugins should still have a public page.
User tellyworth raised the ticket in March 2017 as a feature to help user experience:
Currently, closed/disabled plugins show a 404 error page for regular users.
It would be better to have at least a minimal public page for historical context. Perhaps with download links etc disabled.
Now when you visit a removed plugin’s WordPress.org page you should see a “This plugin has been closed and is no longer available for download.” message. You’ll also notice that the plugin’s Download button is absent!
Checking on the 24liveblog plugin from my Dashboard led me to such a page:
Though this system is better, it’s still not perfect.
It’s not clear why this plugin was removed. (One possibility is privacy concerns about 24liveblog, highlighted in 2014.)
Also, a search on the plugin repository for 24liveblog still returns a “page not found”:
I have also seen the following when accessing a dead plugin page.
This happened when following the View plugin details for the Display Widgets plugin.
This isn’t terribly informative, and the link to the support forums is broken. This should make you immediately suspicious!
A search on WordPress.org Plugins for Display Widgets yields the following – a listing of similar plugins.
Only a Google search sheds more light on the situation:
What other sources notify you about removed plugins?
If a plugin has been removed due to a security issue it may be reported online.
WP Tavern has highlighted a few instances of plugin removal in 2017:
The removal of this plugin – with 100,000 installs – sparked some controversy. Author Scott Allen disagreed with his plugin’s removal from WordPress.org following an altercation with another plugin author. The plugin is still available from its developer, Red Sand Marketing.
Over 100,000 sites used Postman SMTP. It was removed after a vulnerability was found by a security researcher. It seems that the plugin wasn’t being maintained. The article suggests an alternative plugin to use, Post SMTP Mailer/Email Log, which was forked from the original plugin.
Display Widgets was installed on over 200,000 sites. The plugin’s problems began after it was sold by the company which developed it, Strategy11. After it was found to publish spam content, the plugin review team removed it. They later decided to keep a clean version of the plugin which was safe (version 2.7). Anyone with an older version may update to this version but no new installs are allowed. WP Tavern’s Sarah Gooding recommends a few other widget configuration plugins including WPMU Dev’s Custom Sidebars.
Simply run a scan using Wordfence. If any issues are found, click on them and you’ll see the alert.
What should you do when a plugin you use has been removed?
First, don’t panic.
Google the plugin name and see if you can find a reason for its removal.
Does it contain a security vulnerability? If so, you should strongly consider removing it in order to protect your site from being compromised.
If it’s not security-related, there may be no need to remove the plugin from your site. Weigh up how essential the plugin is for your site’s operation. Could you live without it? Or could you find another plugin that does a similar job?
Replacing a removed plugin with an alternative
If you’re not comfortable with the idea of continuing to use a removed plugin, you may want to find a similar plugin to replace it.
What issues might you run replacing a plugin?
- You use a theme that is dependent on a particular plugin.
- The plugin stores data that you don’t want to lose.
- New plugins conflict with your existing plugins.
The best way to test out alternatives is to set up a staging site. With staging enabled, if a plugin you test out as a replacement doesn’t work as expected, you won’t affect the operation of your live site.
You might be lucky enough to have a managed WordPress host that has staging enabled. Otherwise, if you use Multisite, you can create a staging site with the Cloner plugin. Or you can follow Rachel McCollin’s tutorial on setting up staging on shared hosting.
Finding and testing a replacement plugin
One instance where I wanted to find an alternative plugin was with Display Widgets. The School theme is dependent on this plugin. While I had a clean version of Display Widgets, I wanted to find a substitute.
Using this tool I was able to retain the conditional widget display.
For example, in the Header widget area of the theme there is a Revolution Slider, which should only show on the home page.
In Display Widgets the key options were showing the widget on the front page only and applying a custom class.
When I migrated to Widget Options, the widget settings were very similar.
I didn’t see any differences in the widget display on the front end. The only issue was the nag notice from the theme reminding me to turn on Display Widgets. I was happy to dismiss this and delete the plugin!
It’s not always possible for a plugin change to be as smooth as this. When looking at new plugins, follow the tips in Suzanne Scacca’s article on fake WordPress plugins. They will help you pick plugins which are coded by reliable developers who won’t go AWOL!
Most WordPress users don’t think of auditing their plugins periodically. Sites typically get built, plugins are added and people just hope for the best in the long run.
It’s smart to review your plugins periodically (say every six months or yearly) and weed out any which aren’t updated or doing their job anymore.
Keep up to date with the latest WordPress news sources – WP Tavern can now be reached through the Dashboard – and watch for stories of removed plugins.