Feature #10380

Remove blacklisted plugins

Added by Boone Gorges over 3 years ago. Updated 26 days ago.

In Progress
Category name: WordPress (misc)
I'd like to do a review over the next few releases of blacklisted plugins. These are plugins that are unavailable on Dashboard > Plugins, but may still be running on existing sites. For those that are running only on a small handful of sites, it may be worth removing the plugin from the codebase altogether. This data will take some time to collect.

Scott, I'm copying you in case I have questions on any of them.

deprecated-plugin-report.php (3.06 KB) - Boone Gorges, 2018-09-27 11:46 AM

Related issues

Related to CUNY Academic Commons - Support #10344: Twitter Plugins that are outdated (Resolved, 2018-09-18)

Related to CUNY Academic Commons - Support #10345: Remove "Sociable" Plugin (Resolved, 2018-09-18)

Related to CUNY Academic Commons - Support #10348: Remove Outdated Plugins (Resolved, 2018-09-18)

Related to CUNY Academic Commons - Bug #10564: PHP 7.2 Incompatibility Problems (Resolved, 2018-10-19)


#6 Updated by Boone Gorges over 3 years ago

I've started the process of reviewing these. It takes a long time. Here's an overview of what's been done so far, with recommendations on next steps.

1. I reorganized our "disabled_plugins" blacklist into two sections, one that contains a list of plugins that are disabled for regular users because they're networkwide or main-site-only utilities (such as Social Paper), and those that are disabled because they're broken, deprecated, etc. See for the list.

2. I ran a script that crawls through Commons sites (not all of them, but a representative sample) to see which of the disabled plugins are active. I've attached the script - it's a bit of a mess, but shows you what I'm doing. This gave me an immediate sense of the plugins that are (or were) widely used on Commons sites, which IMO are the ones that should be addressed first.

3. I started reviewing these plugins, considering the following:
a. Why was the plugin disabled? Deprecated in favor of another; security issue; performance issue; doesn't fully work anymore; doesn't work at all; etc
b. What are the consequences of removing the plugin? Will existing content cease to work?

Based on this, I've got recommendations for the following subset of the disabled plugins. Scott and Ray, could you each take a look at my recommendations and see if they make sense? Obviously, I'm interested in Ray's technical opinion, and Scott, I'd like any thoughts you have regarding the way the plugin's actually used.

REMOVE FROM CODEBASE - not intended for end users, and broken. Will not affect anyone on the site.

LEAVE - behavior not easily predictable on Multisite, but used on many sites, and hasn't caused active problems. See

LEAVE - Causes performance issues (database bloat), but is a large piece of functionality for sites that use it actively

LEAVE for existing sites - Deprecated in, but as far as I know, continues to work as intended

'flickr-rss/flickrrss.php', // #10348
LEAVE Still works for existing users, so leave.

LEAVE - plugin actually works fine as long as you're using HTTPS urls for the embedded map.

LEAVE. See #7100. May be working for existing sites.

REMOVE FROM CODEBASE - Accessing the settings page causes timeout. Uses deprecated APIs for third-party services, so doesn't work. Removing shouldn't break anything not already broken.

'tantan-spam/plugin.php', // #10348
REMOVE FROM CODEBASE - Active on nearly every old site on the Commons - might once have been network activated - but superseded by our networkwide Akismet config. No front-end UI, so no danger of breaking things by removing.

'tweetable/tweetable.php', // #10344
REMOVE FROM CODEBASE - Tweetable uses deprecated Twitter API so is broken wherever currently in use

'twitter-tools/twitter-tools.php', // #10344
REMOVE FROM CODEBASE - Depends on Social plugin

'wordtube/wordtube.php', // #10348
REMOVE FROM CODEBASE - Can't be activated. Causes fatals.

REMOVE FROM CODEBASE - Broken due to HTTPS issues and other browser security stuff (iframe policies). Existing content created by this plugin doesn't work anyway.

Leave for existing sites.

If others are in agreement with the above, I will do the following:
- Write a script that disables the plugin on all sites where it's currently running (not strictly necessary, but good practice)
- Remove from the codebase for the 1.13.11 release.
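
The per-site survey described in step 2 of the comment above, sketched as an added example (this is not the attached deprecated-plugin-report.php or any code from the ticket). It assumes WP-CLI on the multisite install; the function names, the `HANDFUL` cutoff and the sample URLs are hypothetical, and the plugin names are taken from the deactivate list later in this ticket.

```bash
#!/usr/bin/env bash
# Added example (not the attached deprecated-plugin-report.php).
# Plugin names come from the ticket's deactivate list; HANDFUL is an assumed cutoff.
DISABLED="bp-system-report social tantan-spam tweetable twitter-tools wordtube wpng-calendar pressforward"
HANDFUL=2

# Print "site_url<TAB>plugin" for every active plugin on site IDs $1..$2.
# Needs WP-CLI on the multisite install; run it in batches on a large network.
collect_active() {
    for url in $(wp site list --field=url --site__in="$(seq -s, "$1" "$2")"); do
        wp --url="$url" plugin list --status=active --field=name |
            awk -v u="$url" '{ print u "\t" $0 }'
    done
}

# Read "site<TAB>plugin" lines on stdin and print "count plugin verdict" for
# each disabled plugin, most widely active first. A site is counted once per plugin.
tally_disabled() {
    awk -F'\t' -v list="$DISABLED" -v max="$HANDFUL" '
        BEGIN { n = split(list, names, " "); for (i = 1; i <= n; i++) count[names[i]] = 0 }
        ($2 in count) && !seen[$1 SUBSEP $2]++ { count[$2]++ }
        END {
            for (p in count) {
                c = count[p]
                v = (c == 0) ? "unused" : (c <= max ? "handful" : "widespread")
                printf "%d %s %s\n", c, p, v
            }
        }' | LC_ALL=C sort -k1,1nr -k2,2
}

# Constructed sample input (not real Commons data); the last line is a duplicate.
sample_report() {
    printf '%s\t%s\n' \
        https://a.example.org/ tantan-spam \
        https://a.example.org/ akismet \
        https://b.example.org/ tantan-spam \
        https://b.example.org/ tweetable \
        https://c.example.org/ tantan-spam \
        https://c.example.org/ tantan-spam | tally_disabled
}

sample_report   # live use: collect_active 1 100 | tally_disabled
```

Plugins reported as "unused" or "handful" are the ones where removal affects few or no sites; "widespread" ones need the per-plugin review the comment describes before anything is pulled.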

#7 Updated by Matt Gold over 3 years ago

Hi Boone -- I just want to acknowledge that you are the bomb and we are so lucky to have you. Thank you.

#8 Updated by Boone Gorges over 3 years ago

  • Target version changed from 1.13.11 to 1.14

I'm in the process of running this process for 1.13.11. For the record, the deactivate script I'm using is:


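```bash
# IDs of the sites in this batch
site_ids=($(seq 1 1 100))

# Join the remaining arguments, using the first argument as the separator
function join_by { local IFS="$1"; shift; echo "$*"; }

# Comma-separated ID list for --site__in
site_ids_sql=$(join_by , "${site_ids[@]}")

sites=$(wp site list --field=url --format=csv --site__in="$site_ids_sql")
plugins="bp-system-report social tantan-spam tweetable twitter-tools wordtube wpng-calendar pressforward"
for site_url in $sites; do
    echo "$site_url"
    # $plugins is left unquoted so each plugin name is passed as its own argument
    wp --url="$site_url" plugin deactivate $plugins
done
```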

I have to break the process up into batches because otherwise it'll never run on our large network. It'll take a few hours to finish this way. I'm going to hold off on the 1.13.11 release, which removes the plugins from the codebase, until the process is complete.

Here are the changesets where plugins are pulled from the codebase:

In I removed these plugins from our `disabled_plugins` list, and in I reorganized the `disabled_plugins` list to show which had been vetted.

I'm moving this ticket to the 1.14 milestone so that we can handle a handful of plugins during each release.

#9 Updated by Boone Gorges over 3 years ago

  • Target version changed from 1.14 to 1.15

#10 Updated by Boone Gorges over 3 years ago

  • Related to Bug #10564: PHP 7.2 Incompatibility Problems added

#11 Updated by Boone Gorges over 3 years ago

Update on some more plugins:

- wordpress-mobile-edition is totally non-functional and has been removed
- garees-twitter-stream still works (not sure how) and so will stay for now
- the bdprss plugins appear to be totally non-functional so I've removed them

#12 Updated by Boone Gorges about 3 years ago

  • Target version changed from 1.15 to 1.16

#13 Updated by Boone Gorges over 2 years ago

  • Target version changed from 1.16 to 1.17.0

This work is ongoing.

#14 Updated by Boone Gorges almost 2 years ago

  • Target version changed from 1.17.0 to 1.18.0

#15 Updated by Boone Gorges over 1 year ago

  • Target version changed from 1.18.0 to 1.19.0

#16 Updated by Boone Gorges 6 months ago

  • Target version changed from 1.19.0 to 2.0.0

#17 Updated by Boone Gorges 26 days ago

  • Target version changed from 2.0.0 to Future release
