The Plugins panel for WordPress applications is located in the VIP Dashboard. The panel displays a list of plugins that are located in the /plugins directory of an environment’s wpcomvip GitHub repository branch and scanned by Codebase Manager. Codebase Manager is an automated security scanner watching for new plugin vulnerabilities that are published to WPScan.
Plugins are listed in alphabetical order by name. Depending on availability, information about each plugin will also include:
- NAME: The name of the plugin, and a relative path to the plugin’s directory in the environment’s GitHub repository branch.
- VERSION: The version of the plugin located in the environment’s GitHub repository branch. If a more recent version of the plugin is identified and available, that version will also be displayed with the label “Available”.
- SECURITY ISSUES: When applicable, linked notices stating the severity level of a known vulnerability will display for the version of the scanned plugin. The notice will link to the WPScan site where more details specific to the reported vulnerability can be reviewed.
- ACTION: If a more recent version of a scanned plugin is available and able to be automatically provided by Codebase Manager, a selectable button will be displayed that allows a user to:
- Create pull request: Create a pull request in the branch of the wpcomvip repository where the plugin is located that will update the plugin to the most recent available version.
- View pull request: View an already created pull request that is not yet merged. Only users with existing access to the application’s GitHub repository will have permission to view the pull request.
- Typically, only plugins that can be downloaded from the WordPress.org Plugin Directory can be scanned. In some cases it is possible for a plugin downloaded from a source other than the WordPress.org Plugin Directory to be scanned if the plugin has a valid license activated.
- Only plugins with a valid WordPress plugin slug are eligible for an option to create a pull request. For a plugin downloaded from a source other than the WordPress.org Plugin Directory, the slug might only be detectable if the plugin is activated, and might also require a valid license to be activated.
- Pull requests created from within the Plugins panel for plugins managed by composer will only be successful if the plugin is resourced from the
- After merging a pull request that updates the version of a plugin, the plugin’s version and related security warnings might not update on the Plugins panel for up to 15 minutes.
To access the Plugins panel:
- Navigate to the VIP Dashboard for an application.
- The Plugins panel is environment-specific (e.g., Production, Develop). Select an environment from the dropdown located at the upper left of the VIP Dashboard application view.
- Select “Codebase” from the sidebar navigation at the left of the screen.
- Select “Plugins“ from the “Codebase” panel.
By default, all plugins located within the /plugins directory of an environment’s wpcomvip repository branch that have been scanned by Codebase Manager are displayed in the Plugins panel. The list can be filtered by:
- Update Available: Only display plugins for which an updated version is available.
- Security Issues: Only display plugins for which a vulnerability has been identified.