Thank you for using our plugin @elliotvs
As an administrator you should know of all file changes that happen on your site, even those done through plugin changes (install, delete, update). Not all plugin changes are legit.
The difference here, though, is that the changes through a plugin install/update/delete are grouped together. The plugin tags the file changes, advising you that the reported changes were due to a plugin install/update/deletion.
We do this so:
1) You still have the option to review the file changes (not all changes are legit).
2) It does not alarm the user with a false alarm. Many users are not technical, and they do not correlate 30 file changes with a plugin update. So the plugin makes it very clear.
Administrators, especially on big websites, are not always involved in the day-to-day running of the websites. So from the security and management point of view, these emails are still very important, as long as the information is clearly presented.
Hope that helps. Should you require any further information, please do not hesitate to ask.
Thanks for the reply.
What I was hoping for is for the “plugin/theme/core updates” that are downloaded from the WordPress repository to be completely ignored (including new files, file changes) created by these updates. Since I was considering using this plugin on lots of client sites, which have plugin updates every week, I’d end up getting spammed with emails for every site, every week, when they are updated.
So essentially, I was hoping that we’d only get notifications if there are changes to the code outside of the regular “official plugin updates” (meaning it’s more likely to be something suspicious and should be looked into).
Hope this makes sense. Any chance this would be possible?
Much appreciated!
Hello @elliotvs
That is not a good system to have in place, especially from the security point of view. I.e. what if a customer’s website is hacked, and the attacker installs a plugin to create temp users from the repo?
That is a legit plugin from a legit source, but a malicious intent. What could be somehow good, is to add an option so the plugin does not send emails on plugin updates only. Would that work for you?
With such an option you’ll still know if someone installs a new plugin, deletes an existing one but you do not get notified when already installed plugins are updated.
Thoughts?
Hi @robertabela
Thanks for the response. Completely understand, yes what I meant was just the “updates”, not actually downloading/installing any new plugins.
> What could be somehow good, is to add an option so the plugin does not send emails on plugin updates only. Would that work for you?

Yes, this sounds like it would be a great solution, so we don’t get notified for all the plugin updates, but still get notified for new installs, uninstalls, and other unusual file changes.
I guess it would be handy to disable emails for core “updates” too, if possible, though they obviously don’t happen as often.
Cheers!
Thanks for the feedback @elliotvs
This is not an easy feature to come up with because it is very difficult to tell expected and legit file changes from non-legit and malicious ones.
However, we will certainly look more into this. Please understand that we cannot promise you anything at this time.