[wp-trac] [WordPress Trac] #51836: Show when updates are disabled vs not available

Fri Nov 20 17:05:39 UTC 2020

#51836: Show when updates are disabled vs not available
-----------------------------+-----------------------------
 Reporter:  paulschreiber    |      Owner:  (none)
     Type:  enhancement      |     Status:  new
 Priority:  normal           |  Milestone:  Awaiting Review
Component:  Upgrade/Install  |    Version:
 Severity:  normal           |   Keywords:
  Focuses:                   |
-----------------------------+-----------------------------
 It would be helpful to show when updates are ''disabled'' vs ''not
 available''.

 Context:
 Yesterday, I was fixing a site and noticed some plugins weren't updating.
 No updates showed as available in the GUI, and the CLI showed "Plugin
 already updated":

 {{{
 $ wp plugin update ultimate-member
 Success: Plugin already updated.
 }}}

 I had to remove and reinstall to get it working;

 {{{
 $ wp plugin uninstall ultimate-member
 Uninstalled and deleted 'ultimate-member' plugin.
 Success: Uninstalled 1 of 1 plugins.

 $ wp plugin install ultimate-member
 Installing Ultimate Member – User Profile, User Registration, Login &
 Membership Plugin (2.1.12)
 Downloading installation package from
 https://downloads.wordpress.org/plugin/ultimate-member.2.1.12.zip...
 Using cached file '/home/u331-eccke9yc2pw5/.wp-cli/cache/plugin/ultimate-
 member-2.1.12.zip'...
 Unpacking the package...
 Installing the plugin...
 Plugin installed successfully.
 Success: Installed 1 of 1 plugins.
 }}}

 In this case, someone had disabled updates with a filter (eek!):
 {{{#!php
 <?php
 // disables auto plugin updates
 add_filter( 'auto_update_plugin', '__return_false' );

 // hide update notifications
 function remove_core_updates(){
 global $wp_version;return(object) array('last_checked'=>
 time(),'version_checked'=> $wp_version,);
 }
 add_filter('pre_site_transient_update_core','remove_core_updates'); //hide
 updates for WordPress itself
 add_filter('pre_site_transient_update_plugins','remove_core_updates');
 //hide updates for all plugins
 add_filter('pre_site_transient_update_themes','remove_core_updates');
 //hide updates for all themes*/
 ?>
 }}}

 As a result of updates being disabled, security updates were not installed
 and the site was hacked.

 It would be very helpful for both the GUI and CLI to show "updates
 disabled" instead of "already updated"/"no updates available."

 I believe we'd need core/API change here first, and then CLI could adopt
 that.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/51836>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform