Are plugins safe?


I'm new to Elgg and am a novice at coding. 

How do I know that the plugins I install won't access personal profile information from the Elgg database and other places and send it to the plugin developer or other parties for whatever use?

Are there any key things that I should look out for before installing a plugin on a live site?



  • If we receive word that a plugin is malicious, we remove it from the repository (have only had to do that once that I can recall).

    There has also been a case of a plugin that phoned home to the developers to report Elgg version and that kind of thing to help the developer track usage. Developers should make that an opt-in process and it should be mentioned in the description.

    That said, the quality of plugins in the repository varies. You can usually tell by the comments and the number of downloads what the good plugins are. Also find the better developers and check out all their plugins.
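One concrete check for the "phone home" case described above, added here as an example and not code from the thread or from the Elgg project: a small static triage script that walks a plugin's PHP files and flags the generic outbound-network primitives (curl, sockets, HTTP stream wrappers, mail) alongside reads of site or user data, then marks a file as a phone-home candidate when both appear together. The two embedded plugin sources are constructed for the demo; the Elgg function names in SENSITIVE_PATTERNS (get_version, elgg_get_site_url, elgg_get_logged_in_user_entity, get_user) are assumptions about the 1.8-era API and can be extended to match the release you run.

```python
"""Static triage of a third-party Elgg plugin for phone-home primitives.

Added example (not Elgg project code). Usage: python triage.py mod/someplugin
Findings are leads for manual review, not a verdict.
"""
import re
import sys
from pathlib import Path

# Generic PHP ways to reach the network. Any of these in a plugin deserves a look.
NETWORK_PATTERNS = {
    "curl": re.compile(r"\bcurl_(init|exec|setopt)\s*\("),
    "sockets": re.compile(r"\b(fsockopen|stream_socket_client|socket_connect)\s*\("),
    "http-wrapper": re.compile(r"\b(file_get_contents|fopen|simplexml_load_file|copy)\s*\(\s*['\"]https?://"),
    "mail": re.compile(r"\bmail\s*\("),
    "obfuscation": re.compile(r"\b(eval|create_function)\s*\(|\bbase64_decode\s*\("),
}

# Data a usage tracker or exfiltrator would collect. Elgg function names here
# are assumptions about the 1.8-era API; adjust for your release.
SENSITIVE_PATTERNS = {
    "elgg-version": re.compile(r"\b(get_version|elgg_get_version)\s*\("),
    "site-url": re.compile(r"\belgg_get_site_url\s*\("),
    "user-data": re.compile(r"\bget_user\s*\(|\belgg_get_logged_in_user_entity\s*\("
                            r"|->email\b|->password\b|->salt\b"),
}
URL_RE = re.compile(r"https?://[^\s'\"<>)]+")


def scan_source(text, filename="<inline>"):
    """Return (filename, line_no, category, snippet) for every suspicious line."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if stripped.startswith(("//", "#", "*", "/*")):
            continue  # crude comment skip; keeps doc blocks out of the report
        for cat, pat in NETWORK_PATTERNS.items():
            if pat.search(line):
                findings.append((filename, line_no, "net:" + cat, stripped))
        for cat, pat in SENSITIVE_PATTERNS.items():
            if pat.search(line):
                findings.append((filename, line_no, "data:" + cat, stripped))
        for m in URL_RE.finditer(line):
            findings.append((filename, line_no, "url", m.group(0)))
    return findings


def risk_summary(findings):
    """Per file: True when a network primitive sits next to site/user data or a URL."""
    by_file = {}
    for fname, _, cat, _ in findings:
        kind = "url" if cat == "url" else cat.split(":")[0]
        by_file.setdefault(fname, set()).add(kind)
    return {f: ("net" in kinds and ("data" in kinds or "url" in kinds))
            for f, kinds in by_file.items()}


def scan_plugin(root):
    """Scan every .php file under a plugin directory (e.g. mod/someplugin)."""
    findings = []
    for path in sorted(Path(root).rglob("*.php")):
        findings.extend(scan_source(path.read_text(errors="replace"), str(path)))
    return findings


# Constructed sample: a "usage tracker" that reports version and site URL home.
SAMPLE_TRACKER = r'''<?php
function tracker_init() {
    $payload = http_build_query(array(
        'version' => get_version(),
        'site' => elgg_get_site_url(),
    ));
    $ch = curl_init('http://tracker.example/ping');
    curl_setopt($ch, CURLOPT_POSTFIELDS, $payload);
    curl_exec($ch);
}
'''

# Constructed sample: reads the logged-in user but never touches the network.
SAMPLE_CLEAN = r'''<?php
function greeter_init() {
    $user = elgg_get_logged_in_user_entity();
    register_plugin_hook('view', 'page/elements/topbar', 'greeter_topbar');
}
'''

if __name__ == "__main__":
    if len(sys.argv) > 1:
        found = scan_plugin(sys.argv[1])
    else:
        found = (scan_source(SAMPLE_TRACKER, "tracker/start.php")
                 + scan_source(SAMPLE_CLEAN, "greeter/start.php"))
    for fname, line_no, cat, snippet in found:
        print(f"{fname}:{line_no}: [{cat}] {snippet}")
    for fname, risky in risk_summary(found).items():
        print(f"{fname}: {'PHONE-HOME CANDIDATE' if risky else 'no net+data pairing'}")
```

A clean result means "nothing obvious", not "safe": function names built from string concatenation, variable functions, or payloads assembled in one file and sent from another will slip past a line-by-line grep, so pair this with reading any file that gets a hit and checking the plugin's manifest and description for the opt-in notice a tracker ought to have.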

  • Hello Cash,

    Thank you for the reassurance. It's good to know the community looks after its neighbours.

    Hopefully, I'll be able to learn about building plugins and put something back into the community.


    All the best,


  • I'm also new to Elgg and for what it is worth, as far as I can see you take your chances with the plugins. There *really* needs to be some sort of administration done on those things. E.g. developer does not respond to questions or user problems, then ditch it. Developer has abandoned it? Ditch it or archive it. Developer is aware of a problem and lazily posts a patch text in reply rather than correct the actual downloadable release? Ditch it. It won't work past a certain release? Archive it. If it will not work straight out of the box (user installation problems aside), put it in a class of its own, e.g. "buggy", or ditch it. Someone needs to do some QC on these things, because newcomers like myself are wasting a vast amount of time trying to figure out what will work and what won't, and hand patching stuff that should have been fixed a year or more ago could easily turn people off...

  • @dml, you have to realize people have lives too. And keep in mind that this is an open source community, meaning free to use and modify to your needs. The majority of the developers here are making plugins for free; if you want to have a plugin to fit your needs, then hire a developer. The Elgg core team are using whatever free time they have to work on new releases of Elgg and plugins for us to use. Just be grateful, bud.

  • @dml - There is no doubt that there are things that can be improved about the repository (better sorting by Elgg version for example). We're never going to have the core developers review each plugin for quality. That has to be crowdsourced meaning it is important that you click the recommend button on plugins that work well for you and if something doesn't work, put a comment on there saying as much.

  • How about a 'not-recommend' button? ;-)

  • @cim - I take your point but just because something is "open sores" (coz it's always raw and bleeding and will never actually heal) does not mean the coder should not show pride in their work. So shoot me - I'm just an old school programmer who was taught to keep it mean and lean and if we dared release code for use with a bug in it we got our fingers broken lol.  The golden rule was and still should be; "You make it, you break it and when you can't break it any more, you send it on". Why the hurry to publish?

    @cash - actually, listing by version would be nice. Perhaps if a plugin released for version X is still found to work for version Y it can be bumped up. I'm not sure what the rules are with regard to old or abandoned plugins (at what point is it considered abandoned? If the author is still on the forum does that negate "abandonment"? If I find one that I can fix, do I have the right to repost it as fixed if the author shows no interest in fixing it him/herself?). There are only 1100 plugins to check. It's not like over at Joomla where there are 10,000 :p

    All that aside..I'm enjoying elgg. Just so's ya know...

  • @dml, I agree with you on the first point. However, the debugging process isn't easy, especially after you've worked on the code for 50+ hours. One of the reasons you publish the code somewhat raw is to get a better insight on what bugs you are looking at. Especially now with an insulting number of various Elgg versions existing simultaneously. You can find anything from 1.3 to 1.8...