[wp-testers] Plugin deactivation blocked

Dion Hulse (dd32) wordpress at dd32.id.au
Tue Mar 23 08:39:42 UTC 2010


Unfortunately, plugins need to be written correctly to allow their
deactivation under all circumstances.

It's possible for a plugin to prevent its own deactivation by filtering the
active_plugins option, or re-enabling itself upon the deactivation hook
being run.

It's technically impossible to prevent this. Removing the ability for
plugins to detect impending activation doesn't allow for good citizens to
clean up behind them, or set things straight before the deactivation
occurs (i.e. flushing rewrite rules to restore originals, or set default
options, etc.) - That's different from the Uninstall hook of course.

On that, it should also be noted that even deactivated plugins can opt to
have PHP code executed upon their deletion.

Ultimately, if you want to run a plugin on your blog, you -need- to trust
both the plugin and the original writer. Plugins can do anything they
want, ANYTHING they want.

The only possible way to remove an untrusted plugin is to delete the files
directly.

Dion Hulse / dd32
Contact:
  e: contact at dd32.id.au
  Web: http://dd32.id.au/

On Mon, 22 Mar 2010 22:38:53 +1200, scribu <scribu at gmail.com> wrote:

> On Mon, Mar 22, 2010 at 5:21 AM, Stephen Rider
> <wp-hackers at striderweb.com> wrote:
>
>> I know this is not the forum for plugin bugs, but what bothers me the
>> most here is that an apparent bug in a plugin has **prevented** the
>> deactivation of the plugin.  It simply should not be possible for a
>> plugin to prevent its own deactivation.
>>
>
>
> I agree. The uninstallation procedure should be run in a sandbox, the
> same as for plugin activation.
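
A defender-side sketch for the three behaviours described in the message above (hooking the active_plugins option, re-enabling from the deactivation hook, running code on deletion), added here as an example and not part of the original thread: a static scan of plugin PHP files before they are trusted. The function names, finding labels and sample fragments are constructed for illustration; the WordPress hook and function names matched are real ones.

```python
import re
import sys
from pathlib import Path

# Static heuristics for the three behaviours named in the post. Hook names
# built at runtime or obfuscated code will not match, so a clean result is
# not proof that a plugin is safe.
CHECKS = {
    "hooks-active_plugins-option": [re.compile(
        r"""add_(?:filter|action)\s*\(\s*['"](?:pre_)?(?:update_)?option_active_plugins['"]""")],
    # Both patterns must appear in the same file for this finding.
    "may-reactivate-on-deactivation": [
        re.compile(r"register_deactivation_hook\s*\("),
        re.compile(r"""(?<!\w)activate_plugins?\s*\(|(?<!\w)update_option\s*\(\s*['"]active_plugins['"]"""),
    ],
    "runs-code-on-delete": [re.compile(r"register_uninstall_hook\s*\(")],
}

def scan_source(php):
    """Return the sorted finding labels whose patterns all match this PHP source."""
    return sorted(label for label, patterns in CHECKS.items()
                  if all(p.search(php) for p in patterns))

def scan_plugin_dir(root):
    """Map each flagged PHP file under root (relative path) to its findings."""
    root, report = Path(root), {}
    for path in sorted(root.rglob("*.php")):
        findings = scan_source(path.read_text(errors="replace"))
        # WordPress runs a plugin's top-level uninstall.php when it is deleted.
        if path.name == "uninstall.php" and "runs-code-on-delete" not in findings:
            findings.append("runs-code-on-delete")
        if findings:
            report[str(path.relative_to(root))] = sorted(findings)
    return report

# Constructed sample fragments (not taken from any real plugin).
SAMPLE_HOOKED = "<?php add_filter( 'pre_update_option_active_plugins', 'example_cb' );"
SAMPLE_REACTIVATES = ("<?php register_deactivation_hook( __FILE__, 'example_off' );\n"
                      "/* ... */ activate_plugin( $example_file );")
SAMPLE_GOOD_CITIZEN = ("<?php register_deactivation_hook( __FILE__, 'example_cleanup' );\n"
                       "function example_cleanup() { flush_rewrite_rules(); }")

if __name__ == "__main__":
    if len(sys.argv) > 1:  # e.g. the path to wp-content/plugins
        for name, findings in scan_plugin_dir(sys.argv[1]).items():
            print(name, ", ".join(findings))
    else:
        for sample in (SAMPLE_HOOKED, SAMPLE_REACTIVATES, SAMPLE_GOOD_CITIZEN):
            print(scan_source(sample))
```

A finding is a prompt to read the flagged file, not a verdict: legitimate plugins also register uninstall hooks, and the good-citizen deactivation cleanup the message mentions produces no finding.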

