• Joseph G

    (@evolutionaryit)


    Hey WP Community,

    I think the current Plugin and Theme pages should have a column that directly lists the last date a plugin or theme was updated and some measure of its status (maintained or not). This would help users see directly in this WordPress dash that a plugin or theme may be un-maintained/abandoned and riddled with vulnerabilities, 0-days and other crud we as a community do not want.

    This would really help users know that they are potentially running vulnerable code and improve the security stance of WordPress. As of now, users have to click and go to the WordPress site to get this info and most often they NEVER do.

    Thanks,
    J

Viewing 4 replies - 1 through 4 (of 4 total)
  • Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    Just to chime in here:

    This would really help users know that they are potentially running vulnerable code and improve the security stance of WordPress.

    Nope, it wouldn’t.

    The idea that old code is vulnerable and/or insecure is wrong. Old code is not insecure. Insecure code is insecure regardless of its age, and that has nothing to do with the time it’s been in the repo.

    Thread Starter Joseph G

    (@evolutionaryit)

    Jan,

    I agree on one level. While it is true that the age of code doesn’t necessarily mean it is vulnerable, more often than not it IS. Ever heard of Timthumb? If a plugin or theme uses an older version of timthumb and doesn’t update its plugin/theme, it leaves users vulnerable. Statistically, this article shows abandoned plugins to be a huge point of entry: https://www.wordfence.com/blog/2016/03/attackers-gain-access-wordpress-sites/ Fact is, vulnerabilities are coming up all the time, and just because code was secure one day doesn’t mean someone will not find a way in later.

    Additionally, old/unmaintained plugins will eventually not work, and this is bad for the community. E.g. PHP 7. Much is changing, and if people are using unmaintained plugins they are SOL. What I’m suggesting would help people know they are in fact using something that they might want to replace.

    Unmaintained code is a risk on several levels.

    Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    I agree on one level. While it is true that the age of code doesn’t necessarily mean it is vulnerable, more often than not it IS. Ever heard of Timthumb? If a plugin or theme uses an older version of timthumb and doesn’t update its plugin/theme, it leaves users vulnerable.

    Yes, I think I’m familiar with the concept of application security. The premise is still wrong though. You can’t take a specific attack vector like timthumb and paint old code with that brush.

    but more often than not it IS.

    That really is not and never has been the case.

    Additionally old/unmaintained plugins will eventually not work and this is bad for the community.

    Now, that is something I can agree with, with the provision that you remove the “security” aspect from it. It’s also why the plugin search won’t display plugins that have not been touched in 2 years.

    That doesn’t mean the code or version has to be updated, it just means the author has to certify that their code works with current versions of WordPress.

    Andrew Nevins

    (@anevins)

    WCLDN 2018 Contributor | Volunteer support

    Fact is, vulnerabilities are coming up all the time and just because code was secure one day doesn’t mean someone will not find a way to in the future.

    By the way, you can apply this point with code that has been released on any date. That would make the last updated date information redundant for a security stance. If you want to highlight this point then better information would be to warn people that any plugin, theme or snippet of code that they download could become vulnerable at any time.
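    For readers who want to see what the original poster's proposed "last updated" column would look like in practice, here is an added example that is not part of this thread and not code from WordPress core or any of the participants. It is a small drop-in plugin that adds a column to Plugins > Installed Plugins, fetches each plugin's `last_updated` value from the wordpress.org plugin information API, caches it in a transient for a day (the API call is a remote HTTP request), and flags anything older than the two-year cutoff Jan mentions for the plugin search. The `luc_` function and transient prefixes, the column key and the colour of the flag are my own choices; plugins that are not hosted on wordpress.org (the API returns a `WP_Error` for them) are shown as "n/a" rather than flagged.

```php
<?php
/**
 * Plugin Name: Last Updated Column (hypothetical example, not core code)
 * Description: Adds a "Last updated" column to the installed-plugins table and
 *              flags plugins not updated on wordpress.org in over two years.
 */

// Look up (and cache) the wordpress.org "last updated" value for one plugin.
// Returns '' for plugins the directory does not know about.
function luc_last_updated( $plugin_file ) {
    // "akismet/akismet.php" -> "akismet"; single-file plugins use the basename.
    $slug = dirname( $plugin_file );
    if ( '.' === $slug ) {
        $slug = basename( $plugin_file, '.php' );
    }

    // Cache per slug for a day: never hit the remote API on every page load.
    $key    = 'luc_' . md5( $slug );          // hypothetical transient key
    $cached = get_transient( $key );
    if ( false !== $cached ) {
        return $cached;
    }

    require_once ABSPATH . 'wp-admin/includes/plugin-install.php';
    $info = plugins_api( 'plugin_information', array(
        'slug'   => $slug,
        'fields' => array( 'last_updated' => true, 'sections' => false ),
    ) );

    // Premium or custom plugins are not in the directory: WP_Error, no date.
    $value = ( is_wp_error( $info ) || empty( $info->last_updated ) )
        ? ''
        : $info->last_updated;               // e.g. "2016-03-15 3:21pm GMT"

    set_transient( $key, $value, DAY_IN_SECONDS );
    return $value;
}

// Add the column header to the plugins list table.
add_filter( 'manage_plugins_columns', function ( $columns ) {
    $columns['luc_last_updated'] = 'Last updated';
    return $columns;
} );

// Render one cell; WordPress passes ($column_name, $plugin_file, $plugin_data).
add_action( 'manage_plugins_custom_column', function ( $column, $plugin_file ) {
    if ( 'luc_last_updated' !== $column ) {
        return;
    }

    $last = luc_last_updated( $plugin_file );
    if ( '' === $last ) {
        echo 'n/a (not on wordpress.org)';
        return;
    }

    $ts = strtotime( $last );
    echo esc_html( date_i18n( get_option( 'date_format' ), $ts ) );

    // Same two-year threshold the wordpress.org plugin search uses to hide
    // stale plugins; this flags staleness, not a known vulnerability.
    if ( $ts < time() - 2 * YEAR_IN_SECONDS ) {
        echo ' <strong style="color:#a00">(over 2 years)</strong>';
    }
}, 10, 2 );
```

    Drop the file into `wp-content/plugins/` and activate it; the first load of the Plugins screen makes one API request per installed plugin, after which the cached values are used. As the replies above point out, the date only tells you when the directory listing was last touched; it says nothing on its own about whether the code is vulnerable, so the flag is best read as "check whether this is still maintained", not as a security verdict.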

  • The topic ‘Plugins/Themes should show last updated date column to reduce # of abandoned/vul’ is closed to new replies.