Feature #10380

Remove blacklisted plugins

Added by Boone Gorges 9 months ago. Updated about 2 months ago.

Status: In Progress
Priority name: Normal
Assignee: -
Category name: WordPress (misc)
Target version:
Start date: 2018-09-25
Due date:
% Done: 0%
Estimated time:

Description

I'd like to do a review over the next few releases of blacklisted plugins. These are plugins that are unavailable on Dashboard > Plugins, but may still be running on existing sites. For those that are running only on a small handful of sites, it may be worth removing the plugin from the codebase altogether. This data will take some time to collect.

Scott, I'm copying you in case I have questions on any of them.

deprecated-plugin-report.php (3.06 KB) Boone Gorges, 2018-09-27 11:46 AM

Related issues

Related to CUNY Academic Commons - Support #10344: Twitter Plugins that are outdated, Resolved, 2018-09-18

Related to CUNY Academic Commons - Support #10345: Remove "Sociable" Plugin, Resolved, 2018-09-18

Related to CUNY Academic Commons - Support #10348: Remove Outdated Plugins, Resolved, 2018-09-18

Related to CUNY Academic Commons - Bug #10564: PHP 7.2 Incompatibility Problems, Resolved, 2018-10-19

History

#1 Updated by Boone Gorges 9 months ago

#4 Updated by Boone Gorges 9 months ago

#5 Updated by Boone Gorges 9 months ago

#6 Updated by Boone Gorges 9 months ago

I've started the process of reviewing these. It takes a long time. Here's an overview of what's been done so far, with recommendations on next steps.

1. I reorganized our "disabled_plugins" blacklist into two sections, one that contains a list of plugins that are disabled for regular users because they're networkwide or main-site-only utilities (such as Social Paper), and those that are disabled because they're broken, deprecated, etc. https://github.com/cuny-academic-commons/cac/commit/d12c75fd7310b440f36317ce7d22cf620df3d9e8 See https://github.com/cuny-academic-commons/cac/blob/1.13.x/wp-content/mu-plugins/cac-functions.php#L618 for the list.

2. I ran a script that crawls through Commons sites (not all of them, but a representative sample) to see which of the disabled plugins are active. I've attached the script - it's a bit of a mess, but shows you what I'm doing. This gave me an immediate sense of the plugins that are (or were) widely used on Commons sites, which IMO are the ones that should be addressed first.

3. I started reviewing these plugins, considering the following:
a. Why was the plugin disabled? Deprecated in favor of another; security issue; performance issue; doesn't fully work anymore; doesn't work at all; etc
b. What are the consequences of removing the plugin? Will existing content cease to work?

Based on this, I've got recommendations for the following subset of the disabled plugins. Scott and Ray, could you each take a look at my recommendations and see if they make sense? Obviously, I'm interested in Ray's technical opinion, and Scott, I'd like any thoughts you have regarding the way the plugin's actually used.

'bp-system-report/bp-system-report.php',
REMOVE FROM CODEBASE - not intended for end users, and broken. Will not affect anyone on the site.

'email-users/email-users.php',
LEAVE - behavior not easily predictable on Multisite, but used on many sites, and hasn't caused active problems. See https://redmine.gc.cuny.edu/issues/9289

'firestats/firestats-wordpress.php',
LEAVE - Causes performance issues (database bloat), but is a large piece of functionality for sites that use it actively

'fd-footnotes/fdfootnotes.php',
LEAVE for existing sites - Deprecated in https://redmine.gc.cuny.edu/issues/8116, but as far as I know, continues to work as intended

'flickr-rss/flickrrss.php', // #10348
LEAVE Still works for existing users, so leave.

'google-maps-embed/cets_EmbedGmaps.php',
LEAVE - plugin actually works fine as long as you're using HTTPS urls for the embedded map.

'share-this/sharethis.php',
LEAVE. See #7100. May be working for existing sites.

'social/social.php',
REMOVE FROM CODEBASE - Accessing the settings page causes timeout. Uses deprecated APIs for third-party services, so doesn't work. Removing shouldn't break anything not already broken.

'tantan-spam/plugin.php', // #10348
REMOVE FROM CODEBASE - Active on nearly every old site on the Commons - might once have been network activated - but superseded by our networkwide Akismet config. No front-end UI, so no danger of breaking things by removing.

'tweetable/tweetable.php', // #10344
REMOVE FROM CODEBASE - Tweetable uses deprecated Twitter API so is broken wherever currently in use

'twitter-tools/twitter-tools.php', // #10344
REMOVE FROM CODEBASE - Depends on Social plugin

'wordtube/wordtube.php', // #10348
REMOVE FROM CODEBASE - Can't be activated. Causes fatals.

'wpng-calendar/wpng-calendar.php',
REMOVE FROM CODEBASE - Broken due to HTTPS issues and other browser security stuff (iframe policies). Existing content created by this plugin doesn't work anyway.

'wysija-newsletters/index.php',
Leave for existing sites.

If others are in agreement with the above, I will do the following:
- Write a script that disables the plugin on all sites where it's currently running (not strictly necessary, but good practice)
- Remove from the codebase for the 1.13.11 release.

#7 Updated by Matt Gold 9 months ago

Hi Boone -- I just want to acknowledge that you are the bomb and we are so lucky to have you. Thank you.

#8 Updated by Boone Gorges 8 months ago

  • Target version changed from 1.13.11 to 1.14

I'm in the process of running this process for 1.13.11. For the record, the deactivate script I'm using is:

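```bash
#!/bin/bash

# Batch of site IDs to process in this run (change the range for each batch).
site_ids=($(seq 1 1 100))

# Join the remaining arguments, using the first argument as the separator.
function join_by { local IFS="$1"; shift; echo "$*"; }

# Comma-separated ID list for --site__in.
site_ids_sql=$(join_by , "${site_ids[@]}")

sites=$(wp site list --field=url --format=csv --site__in="$site_ids_sql")
plugins="bp-system-report social tantan-spam tweetable twitter-tools wordtube wpng-calendar pressforward"
for site_url in $sites; do
    echo "$site_url"
    # $plugins is left unquoted on purpose so each slug is passed as its own argument.
    wp --url="$site_url" plugin deactivate $plugins
done
```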

I have to break the process up into batches because otherwise it'll never run on our large network. It'll take a few hours to finish this way. I'm going to hold off on the 1.13.11 release, which removes the plugins from the codebase, until the process is complete.

Here are the changesets where plugins are pulled from the codebase:
social: https://github.com/cuny-academic-commons/cac/commit/f724ee50f55934778c854ce49ad0ea54374c9db5
tantan-spam: https://github.com/cuny-academic-commons/cac/commit/121b7c6ec79b19fff79bd4325ad4197c15472dae
tweetable: https://github.com/cuny-academic-commons/cac/commit/52b1a607ac6e1de7795105f5c070c9b3a3bec1c9
twitter-tools: https://github.com/cuny-academic-commons/cac/commit/c9b684127854c1ac96744a955ee90f47271157f0
wordtube: https://github.com/cuny-academic-commons/cac/commit/e42be1f9abf8fdfb890cb097211c8fd98c183f2f
wpng-calendar: https://github.com/cuny-academic-commons/cac/commit/f5dc28eabe5e81b996eb518ba49061061de2c385

In https://github.com/cuny-academic-commons/cac/commit/02a5b930e2d2b27179610d2db575ed40af123c8a I removed these plugins from our `disabled_plugins` list, and in https://github.com/cuny-academic-commons/cac/commit/9dc234fa27d0fdbb8878dbe4a60eb7ff07e5979f I reorganized the `disabled_plugins` list to show which had been vetted.

I'm moving this ticket to the 1.14 milestone so that we can handle a handful of plugins during each release.
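A pre-removal check for the deactivate-then-remove process described in this comment, as an added example (not the author's script and not part of the Commons codebase): it tallies how many sites still have each plugin on the removal list active, so that pulling the code can be gated on a count of zero. The function names, the tab-separated input format and the sample data are assumptions; the plugin list is copied from the deactivate script above.

```bash
#!/bin/bash
# Added example: gate codebase removal on "no site still has the plugin active".
# Assumed input: one "site_url<TAB>plugin_slug" line per active plugin, built per
# site from e.g. `wp --url="$url" plugin list --status=active --field=name`.

# Same slugs as the deactivate script in the comment above.
REMOVAL_LIST="bp-system-report social tantan-spam tweetable twitter-tools wordtube wpng-calendar pressforward"

# Read site/plugin pairs on stdin; print "slug site_count" for every plugin on
# REMOVAL_LIST that is still active somewhere. Duplicate pairs are counted once.
still_active_report() {
    awk -F'\t' -v list="$REMOVAL_LIST" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) wanted[a[i]] = 1 }
        ($2 in wanted) && !seen[$1 FS $2]++ { count[$2]++ }
        END { for (p in count) print p, count[p] }
    ' | sort
}

# Exit status 0 only when nothing on the removal list is active on any site.
safe_to_remove() {
    [ -z "$(still_active_report)" ]
}

# Constructed sample data, not taken from the Commons network.
sample_active() {
    printf '%s\t%s\n' \
        "https://example.org/site-a" "akismet" \
        "https://example.org/site-a" "tantan-spam" \
        "https://example.org/site-b" "tantan-spam" \
        "https://example.org/site-b" "tweetable" \
        "https://example.org/site-b" "tweetable" \
        "https://example.org/site-c" "email-users"
}

# Demo run on the constructed data.
sample_active | still_active_report
```

On a multisite install, network-activated plugins are reported with status `active-network` rather than `active`, so include both when building the input.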

#9 Updated by Boone Gorges 7 months ago

  • Target version changed from 1.14 to 1.15

#10 Updated by Boone Gorges 7 months ago

  • Related to Bug #10564: PHP 7.2 Incompatibility Problems added

#11 Updated by Boone Gorges 6 months ago

Update on some more plugins:

- wordpress-mobile-edition is totally non-functional and has been removed https://github.com/cuny-academic-commons/cac/commit/763af2b20dadde175625b6a943a00528d2b8e91b
- garees-twitter-stream still works (not sure how) and so will stay for now
- the bdprss plugins appear to be totally non-functional so I've removed them https://github.com/cuny-academic-commons/cac/commit/b15145a82d441c11ef60a8a9ad83acfb489c9a7b

#12 Updated by Boone Gorges about 2 months ago

  • Target version changed from 1.15 to 1.16
