Types Got Removed from WordPress.org

   Amir

April 2, 2013

On Sunday, the Types plugin got removed from wordpress.org. It wasn’t intentional and certainly not expected, but we’re moving forward.

WordPress.org uses a security scanner to detect potential security holes in themes and plugins. I think that this is awesome and a very reassuring feature of the repository.

They must have upgraded it on Sunday, because it reported a new security issue in Types, which existed from day 1. Essentially, a site admin (and site admins only) could cleverly craft DFd873$M (hidden for obvious reasons) which would cause 7FHeN$#@%N^w to their own sites.

Right. So anything that happens via the GUI is a bad thing and needs to be rectified.

Just between us, if a site admin so much desires, there are far easier ways to damage your own site. We treat security reports very urgently and we don’t care if it’s a tiny issue like the one just reported, or a major issue, which we haven’t ever had (because we get our own security reviewed from an external source).

We respect the wordpress.org plugins repository and highly appreciate their efforts to provide a safe and secure environment for people to get extensions for WordPress. However, we feel that we’re a bit beyond this. Types is not a one-man project, being developed in our spare time. It’s a commercial piece of software, with 2 full-time developers, support, testing, QA and everything else needed. It’s also part of Toolset, which overall has a team of over 10 people right now.

Types is available for download from the Types page on our site. It might appear again on wordpress.org, but this is entirely out of our control.

BTW, we are aware of an issue with automatic plugin updates from our repository. We’re working double time to fix this.

 

Comments 11 Responses

  1. Well, Types plugin is available on the WordPress plugin repository today: I’ve found it in the recently updated plugins.

  2. Yeah, it’s back again with an incremental increase in version number.
    Changelog says “Fix security exploit”. So, did you actually “fix” something?

    Glad it’s back anyway.

    • Yes, we fixed it. Now ADMINS cannot hack their own site from within Types admin screen. WordPress itself gets a number of security updates every minor release. By this standard, they should have taken down wordpress.org whenever someone reports a security bug, without it being reviewed. Very practical method…

  3. @Amir Why can’t Views demo downloader install on may websites saying The plugin does not have a valid header?

    • Usually when this happens, it means that the plugin has not been downloaded fully. Try downloading again?

      • Even when I used the recommended plugin Installer?

        This was installed directly from your repository inside my wp dashboard.

    • As far as we’ve seen, Types works fine with Thesis. What sort of problems have you seen? Can I read about them anywhere?

  4. I have an extra field in my User Profiles called Additional Capabilities, with Member as that capability. I haven’t been able to track down the source of this field aside from a support ticket on WordPress which points to it being owned by Types plugin. Can you confirm this and perhaps let me know how I might remove this? I believe I installed Types at one time and then removed it due to writing the necessary code myself. I tried reinstalling it and then deleting, but, the field remains in the User Profile~

    • Doesn’t sound like something that Types would add. You can test by creating a new blank site and checking if that field is there when you add Types. In any case, once Types is not activated, anything that it added to the GUI before will vanish.