Support #23213
closedWPForms?
0%
Description
From Keeping:
I am working on the Newmark Wikimedian-in-Residence project for CUNY, and we have an Academic Commons site for the project.I created a form using the WPForms plugin. It was working fine, but it now looks like it disappeared.
The form was on this page:
Personal Wiki Support – Getting Started – CUNY Newmark Wikimedian-in-Residence
Should I be using a different plugin for forms? I no longer see WPForms as a plugin option, but it seems like it was replaced by one called “Gravity Forms.”
Updated by Marilyn Weber 4 months ago
Here's the URL - https://wircuny.commons.gc.cuny.edu/getting-stared/
Updated by Raymond Hoh 4 months ago
- Status changed from New to Reporter Feedback
I checked the WordPress page in question and it references a <!-- wp:wpforms/form-selector --> block, which is part of the WPForms plugin. I looked through our codebase and git history and it doesn't look like we ever installed WPForms on the Commons.
Can you ask the user if they were testing WPForms on a local instance of WordPress? If so, perhaps the user copy and pasted their local copy of their post to their Commons site?
We do have several form plugins on the Commons: Gravity Forms, Ninja Forms and Contact Form 7. If the user requires help with using these form plugins, let us know.
Updated by Marilyn Weber 4 months ago
Just an FYI, the user just replied
"FYI: I did find WPForms as an option on AC, and it was live for a time on our site. But then it disappeared. I believe it was public - other colleagues tested, etc. In any case, it sounds like Gravity Forms is a better bet, so I’ll try that one instead."
Updated by Raymond Hoh 4 months ago
Boone, can you double-check and see if the WPForms plugin was ever installed on the Commons? I'm quite sure it wasn't, but I might be overlooking something.
Updated by Boone Gorges 4 months ago
I looked through the git history in a few different ways and I also didn't see anything.
Updated by Raymond Hoh 4 months ago
Looks like the WPForms plugin was installed by either the basic or zerif-lite themes.
I also see two plugins not in our git history that are on production right now:- kirki - date modified is August 15th. Looks like this one was installed via the Airi theme's Customizer:
access.log.2025_08_15.87:"146.111.30.210 - - [[15/Aug/2025:20:56:06 +0000]] "GET /wp-admin/update.php?_wpnonce=98b5f793a9&action=install-plugin&plugin=kirki HTTP/2" 200 15319 "https://creatures2.commons.gc.cuny.edu/wp-admin/customize.php?theme=airi&return=https%3A%2F%2Fcreatures2.commons.gc.cuny.edu%2Fwp-admin%2Fthemes.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/139.0.0.0 Safari/537.36" "creatures2.commons.gc.cuny.edu""
- one-time-login - date modified is January 17th. Cannot find a reference to this one in our codebase or in the access logs.
When we were still hosted at the GC, we locked down the filesystem to prevent unintended plugin installs, but it looks like Reclaim's set up allows for these types of plugin installs. Do we want to allow themes to install plugins?
Updated by Boone Gorges 4 months ago
Aha, that's it. Once or twice I have noticed these rogue plugins during a deployment, and I've deleted them.
I would prefer not to allow themes to install plugins. We could potentially set this up using restrictive file permissions, but perhaps there's also a way to do this using WP itself? Ray, can you think of a way we could short-circuit it?
Updated by Raymond Hoh 4 months ago
Here's an easy way to short-circuit installing plugins:
/**
* Do not allow installing any content if not using WP-CLI.
*/
add_filter(
'upgrader_pre_download',
function( $retval ) {
if ( defined( 'WP_CLI' ) ) {
return $retval;
}
return new WP_Error( 'no_install', 'Installing plugins is not allowed on the Commons. If you need a specific plugin, please <a href="mailto:commonshelpsite@gmail.com">contact our help desk</a> and make a request.' );
},
99
);
I've added an error message for installation screens that support displaying a message. Let me know if the message needs to be tweaked.
Updated by Raymond Hoh 3 months ago
- Category name set to WordPress Plugins
- Status changed from Reporter Feedback to Staged for Production Release
- Target version set to 2.5.15
Thanks Boone. I've added the plugin short-circuit in https://github.com/cuny-academic-commons/cac/commit/e795befcf65bbcef4a2746d8aacda31e15a58f21.
I've also removed the kirki and one-time-login plugins from production.
Updated by Boone Gorges 3 months ago
- Status changed from Staged for Production Release to Resolved