Why does this use SQL queries instead of WP functions?

  • Resolved ryvix

    (@rrhode)


    6 years, 6 months ago

    Hi there,

    I’m just curious why this plugin uses SQL queries to remove users rather than built in WP functions. Is there a specific reason for this?

    If it used the wp_delete_user function it would also cleanup and remove other data from the user as well as delete it from other plugins as well in most cases.

    You can see the code for that function here. It will delete posts, comments, links, and also due to the actions it should delete any other plugin accounts such as forums accounts, WooCommerce account, etc. which hook into them. The delete_user action before a user is deleted and the deleted_user action after it’s deleted so that other plugins can hook into it and delete their data associated with the user being deleted.

    What would be really cool is if it also could somehow lookup the username and email on a spam lookup database such as Stop Forum Spam and remove existing users known to be spammers.

Viewing 2 replies - 1 through 2 (of 2 total)
  • Plugin Author joelhardi

    (@joelhardi)

    6 years, 6 months ago

    Yes, thanks for the question. When I originally wrote the plugin, the WordPress database code was extremely primitive. For example, it didn’t use transactions with COMMIT and ROLLBACK to ensure consistency of the database.

    As far as I know that’s still more or less the case. I stopped contributing to WordPress core years ago.

    The code you linked to doesn’t appear to be ACID at all. For example it looks like it imperatively deletes posts, then links. What happens to the posts if the call to wp_delete_link fails? What happens to the rest of the program state? Keep in mind it was only recently that WordPress core stopped using the ancient PHP mysql interface. When PHP5 came out in 2004!

    Anyway … the purpose of this plugin is maintenance, not security or abuse prevention. It’s for removing/pruning orphaned or unused accounts. It doesn’t remove users who have associated posts/comments/links.

    Your idea sounds interesting, however that’s really a policy question (should I permit a user on my site if they’re on some blacklist?) that’s beyond the scope of this plugin. There are a lot of potential side effects and other security implications that would occur if a site owner decided to allow a third-party (the blacklist operator) to effectively delete users on their site — really, across a network of websites. RBLs had their day 15 years ago but nowadays there are better techniques to prevent abuse. Not something I’m personally interested in pursuing at this time but I wish you luck if you do.

    Thread Starter ryvix

    (@rrhode)

    6 years, 6 months ago

    Ahh, that makes sense. Great points and thank you for your detailed explanation!

    Do you develop for something else now? Do you still use WP for websites or is there something you prefer that’s better?

    I actually did end up writing a little plugin to do that. It doesn’t continually remove users or try to prevent them it just runs the process once to remove existing users so they don’t have accounts on the site anymore. Seems to work well. I think it’s particularly useful if there were a whole lot of user accounts created by spammers for some reason and it’s better than trying to manually weed them out.

Viewing 2 replies - 1 through 2 (of 2 total)
  • The topic ‘Why does this use SQL queries instead of WP functions?’ is closed to new replies.