Question

What is a plugin lifetime within a deployed instance of WordPress?

Namely:

  • do plugins modify existing files or do they only use defined extension points within WordPress?
  • are plugins allowed to modify database schema (e.g. add new columns)?
  • how does WordPress make sure that plugin uninstall always leaves WP in original state? (Does it?)

Solution

Short answer:

  • Plugins do not modify existing files; they hook into WordPress via an exposed API.
  • Plugins can modify database schema.
  • Plugins don't have to uninstall cleanly.

Plugin Hooks

Plugins hook into WordPress at specific points exposed by the WordPress core.

http://codex.wordpress.org/Plugin_API

As an example, the function get_option() reads a site option from the database. Before any real action is taken inside this function, WordPress calls apply_filters( 'pre_option_' . $option, false ). Given an option foobar, a plugin could override this option's true value with the following code:

function override_foobar( $unused ) {
    return 'My custom value.';
}
add_filter( 'pre_option_foobar', 'override_foobar' ); // add_filter(hook, function)

See also http://adambrown.info/p/wp_hooks/.

Plugins modifying the database

Plugins have the ability to modify the database, assuming the WordPress database user still has that permission. Some of the more complex plugins add their own tables. It's possible that a plugin could modify core tables, and hopefully they would do this responsibly and in a way that doesn't break things if the plugin is removed.

This has to be examined on a plugin-by-plugin basis.

Uninstalling plugins

The deactivate_plugins() function calls the action do_action( 'deactivate_' . trim( $plugin ) ). A plugin should hook to this action if specific things need to happen when the plugin is deactivated. In my experience few plugins do a lot of deactivation cleanup, i.e. putting their settings in cold storage in case they are activated again.
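
The lifecycle described in the answer above, as an added example that is not part of the original answer and not taken from any real plugin: a single-file plugin that changes the schema on activation, keeps its data on deactivation, and removes everything on uninstall. Every `lcdemo` name (table, option, cron hook, functions) is hypothetical.

```php
<?php
/**
 * Plugin Name: Lifecycle Demo (hypothetical example plugin)
 */
// All "lcdemo" names (table, option, cron hook, functions) are made up for illustration.

defined( 'ABSPATH' ) || exit; // Refuse direct requests to this file.

function lcdemo_table() {
    global $wpdb;
    return $wpdb->prefix . 'lcdemo_events'; // Own table; core tables stay untouched.
}

// Activation: a schema change and a new option, both made through core APIs.
function lcdemo_activate() {
    global $wpdb;
    require_once ABSPATH . 'wp-admin/includes/upgrade.php'; // Provides dbDelta().
    $table   = lcdemo_table();
    $charset = $wpdb->get_charset_collate();
    dbDelta(
        "CREATE TABLE $table (
            id bigint(20) unsigned NOT NULL AUTO_INCREMENT,
            message text NOT NULL,
            created datetime NOT NULL,
            PRIMARY KEY  (id)
        ) $charset;"
    );
    add_option( 'lcdemo_settings', array( 'enabled' => true ) );
}
register_activation_hook( __FILE__, 'lcdemo_activate' );

// Deactivation: attaches to the 'deactivate_<plugin file>' action.
// Stop background work, but keep the data in case of a later reactivation.
function lcdemo_deactivate() {
    wp_clear_scheduled_hook( 'lcdemo_cron' );
}
register_deactivation_hook( __FILE__, 'lcdemo_deactivate' );

// Uninstall (plugin deleted from the admin screen): undo what activation did.
// The callback must be a named function or static method. WordPress does not
// verify that it restores the original state; that is up to the plugin author.
function lcdemo_uninstall() {
    global $wpdb;
    $wpdb->query( 'DROP TABLE IF EXISTS ' . lcdemo_table() );
    delete_option( 'lcdemo_settings' );
}
register_uninstall_hook( __FILE__, 'lcdemo_uninstall' );
```

When reviewing a third-party plugin, these three registration calls (or an `uninstall.php` file in the plugin directory) are the places to look to see what it creates and whether it removes it again.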

OTHER TIPS

Plugins in WordPress do what the code says. To answer your questions specifically,

  1. They shouldn't, but there's nothing stopping them from modifying core files.
  2. They are allowed to fully interface with the database in any way that WordPress itself can.
  3. WordPress doesn't make sure that a plugin uninstall doesn't destroy the whole installation. If a plugin author set the uninstall function to delete everything, it would do it.

So this leaves the question, what can be done if a plugin author betrays your trust and does something malicious to your site? Having regular backups of your wp-content directory as well as your whole database is the best way to ensure you will be able to recover in the event that something happens to your site (e.g. data loss, hack attack, bad plugin, etc.).

Straight answer: NO

Plugins can do whatever you can do with PHP code.

Licensed under: CC-BY-SA with attribution
Not affiliated with wordpress.stackexchange