Non-Trusted Plugin is automatically updating somehow

CodeGeek · March 7, 2024, 8:42pm

We have a client site that uses MetaSlider and the MetaSlider Pro plugin. A couple of times now the Pro plugin features have broken because the Pro plugin is being updated, but the standard plugin is not. Reviewing server logs, I’ve found that it’s being updated via our MainWP site (the remote IP address matches our MainWP server). However when I review the plugin settings for MetaSlider Pro, the plugin is not listed as “Trusted”. This plugin is not configured to updated automatically via the WordPress core feature, in fact, there is no option for this specific plugin to enable or disable automatic updates in the WP > Plugins admin screen.

Is anyone else seeing something similar? Should I try removing the site from MainWP and re-adding it to possibly remove some stale data in case at some point in the past these plugins were configured to automatically update via MainWP? It’s odd that it’s only been noticed as an issue recently considering we’ve had this site connected to MainWP for 4+ years.

bojan · March 8, 2024, 12:24pm

Hey @CodeGeek

Welcome to the MainWP community.

As you said, if the plugin is not marked as Trusted, then the MainWP Dashboard should not automatically update it.
We didn’t have other reports about this.

Can you please share these server logs with us? Feel free to redact sensitive information.

CodeGeek · March 8, 2024, 3:52pm

Hi Bojan, thanks for the quick response. Here’s what I’ve discovered.

After updating the standard (free) version of MetaSlider and revisiting the WP > Plugins admin page, I found a checkbox below the MetaSlider Pro entry.
The checkbox said “You are connected to receive updates for MetaSlider Pro (login: [email protected]):” : There is also a blue “Disconnect” button, and another line of text that says “Automatically update as soon as an update becomes available (N.B. other plugins can over-ride this setting).”

So that is how the plugin was updating automatically. But it was still unclear to me what was providing this functionality, so I searched Google for “Automatically update as soon as an update becomes available (N.B. other plugins can over-ride this setting)” and found this.

Then searching the files of the MetaSlider Pro plugin I found many references to “Simba Plugin Manager”, so I expect they are the ones providing the automatic update option in this case.

And just for reference, here is the server log entry that pointed to our MainWP server IP address. Do you agree it looks like MainWP performed this update? Or is it more likely the case that this is just noting that MainWP was informed of the update?

{
  "installName": "alderdoors",
  "environment": "PROD",
  "type": "error",
  "date": "2024-03-06T07:52:59.254Z",
  "severity": null,
  "client": null,
  "message": "auditor:event=upgrader_process_complete_plugin {\"plugin\":\"ml-slider-pro/ml-slider-pro.php\",\"type\":\"plugin\",\"action\":\"update\",\"temp_backup\":{\"slug\":\"ml-slider-pro\",\"src\":\"/nas/content/live/alderdoors/wp-content/plugins\",\"dir\":\"plugins\"},\"blog_id\":1,\"event\":\"upgrader_process_complete_plugin\",\"current_user_id\":0,\"remote_addr\":\"94.23.63.224\"}",
  "uuid": "ae9619f6-5eb0-4465-afd3-034b5de3664d"
}

bojan · March 8, 2024, 6:42pm

Hey @CodeGeek

That’s an excellent investigation, and thank you for updating us.

It would appear that MainWP was simply noting the update and it wasn’t responsible for it.

The auto-update functionality of MainWP is a layer that is independent of any other auto-update mechanisms, such as the one included in this plugin.

However, MainWP could still be of use in this scenario.

Should you find a suitable code snippet that would be effective in preventing automatic updates of this plugin, you would be able to deploy that code snippet to all desired sites using our Code Snippets extension.

system · April 7, 2024, 6:42pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.