Add check for external links in WordPress admin menu #1184

@davidperezgar

Description

Some plugins are adding external links directly to the main WordPress admin menu using add_menu_page() with external URLs (starting with http:// or https://). This practice disrupts the expected user experience and navigation patterns within the WordPress admin dashboard.

Why this matters

User Experience Issues:

  • Users expect menu items in the WordPress admin to navigate to pages within their WordPress installation, not to external websites
  • Taking users out of their WordPress environment without clear indication breaks user trust
  • Creates a jarring experience that violates WordPress admin UX patterns
  • Can be perceived as hijacking the admin interface

Related Guideline:
This relates to WordPress.org Plugin Directory Guideline #11: Plugins may not "hijack" the admin experience.

Examples of problematic code

// ❌ Adding external link to main menu
add_menu_page(
    'External Resource',
    'External Resource',
    'manage_options',
    'https://example.com/external-page',  // External URL
    '',
    'dashicons-admin-site',
    30
);

// ❌ Using other menu functions with external URLs
add_options_page( 'Settings', 'Settings', 'manage_options', 'https://example.com/settings' );
add_management_page( 'Tools', 'Tools', 'manage_options', 'https://example.com/tools' );

Proposed solution

Add a new check that detects when plugins use external URLs in WordPress admin menu functions.

Functions to check:

  • add_menu_page()
  • add_options_page()
  • add_management_page()
  • add_theme_page()
  • add_plugins_page()
  • add_users_page()
  • add_dashboard_page()
  • add_posts_page()
  • add_media_page()
  • add_links_page()
  • add_pages_page()
  • add_comments_page()

The 'add_submenu_page()' function will be permitted, as it can provide links to support pages or other pages of interest to users.

Detection logic:

Check if the 4th parameter (menu slug) starts with:

  • http://
  • https://
  • // (protocol-relative URLs)

Recommended alternatives for developers:

  1. Create an admin page within WordPress that contains external links with clear descriptions
  2. Add external links within the plugin's settings page or help section
  3. Use dashboard widgets or admin notices to communicate external resources

Check details

  • Check type: Static check
  • Severity: Error (blocking for directory submission)
  • Category: Plugin repo
  • Implementation: Could extend Abstract_File_Check or use a PHPCodeSniffer sniff

Additional considerations

  1. Should we also check for JavaScript-based redirects that might achieve the same goal?
  2. Are there any legitimate use cases we should allow (e.g., OAuth flows)? If so, how do we distinguish them?
  3. Should this also detect target="_blank" attributes on menu links that might lead to confusion?
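
The detection logic above as a token-based scan, added here as an example; it is not part of the original issue or of the Plugin Check code base. The names `find_external_menu_slugs()` and `MENU_FUNCTIONS` and the sample source are assumptions of this example, and only a slug written as a single string literal is evaluated.

```php
<?php
// Added example, not Plugin Check code. add_submenu_page() is left out: the issue permits it.
const MENU_FUNCTIONS = ['add_menu_page', 'add_options_page', 'add_management_page',
    'add_theme_page', 'add_plugins_page', 'add_users_page', 'add_dashboard_page',
    'add_posts_page', 'add_media_page', 'add_links_page', 'add_pages_page', 'add_comments_page'];
function find_external_menu_slugs(string $source): array
{
    // Drop whitespace and comments so call arguments can be walked token by token.
    $tokens = array_values(array_filter(token_get_all($source), fn($t) =>
        !is_array($t) || !in_array($t[0], [T_WHITESPACE, T_COMMENT, T_DOC_COMMENT], true)));
    $findings = [];
    for ($i = 1, $n = count($tokens); $i < $n - 1; $i++) {
        $name = is_array($tokens[$i]) ? strtolower(ltrim($tokens[$i][1], '\\')) : '';
        $prev = is_array($tokens[$i - 1]) ? $tokens[$i - 1][0] : null;
        if (!in_array($name, MENU_FUNCTIONS, true) || $tokens[$i + 1] !== '('
            || in_array($prev, [T_FUNCTION, T_OBJECT_OPERATOR, T_DOUBLE_COLON], true)) {
            continue; // not a plain call to one of the listed functions
        }
        // Split the call into top-level arguments; nested (...) and [...] stay inside one argument.
        for ($j = $i + 1, $args = [[]], $depth = 0; $j < $n; $j++) {
            $tok = $tokens[$j];
            if ($tok === '(' || $tok === '[') {
                if ($depth++ === 0) continue;   // opening parenthesis of the call itself
            } elseif ($tok === ')' || $tok === ']') {
                if (--$depth === 0) break;      // closing parenthesis of the call
            } elseif ($tok === ',' && $depth === 1) {
                $args[] = [];
                continue;
            }
            $args[count($args) - 1][] = $tok;
        }
        // 4th parameter = menu slug. Variables and concatenations cannot be judged statically.
        $slug = $args[3] ?? [];
        $url = (count($slug) === 1 && is_array($slug[0]) && $slug[0][0] === T_CONSTANT_ENCAPSED_STRING)
            ? substr($slug[0][1], 1, -1) : '';
        if (preg_match('#^(?:https?:)?//#', $url)) { // http://, https:// or protocol-relative //
            $findings[] = ['function' => $name, 'line' => $tokens[$i][2], 'slug' => $url];
        }
    }
    return $findings;
}
// Constructed sample plugin source: two violations, one local slug, one permitted submenu link.
$sample = "<?php\n"
    . "add_menu_page( 'Ext', 'Ext', 'manage_options', 'https://example.com/external-page' );\n"
    . "add_options_page( 'S', 'S', 'manage_options', '//example.com/settings' );\n"
    . "add_menu_page( 'Local', 'Local', 'manage_options', 'my-plugin', 'render_cb' );\n"
    . "add_submenu_page( 'my-plugin', 'Docs', 'Docs', 'read', 'https://example.com/docs' );\n";
foreach (find_external_menu_slugs($sample) as $f) {
    printf("line %d: %s() uses an external URL as menu slug: %s\n", $f['line'], $f['function'], $f['slug']);
}
```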

Labels

  • Checks: Audit/test of the particular part of the plugin
  • Good First Issue: Issue particularly suitable to be worked on by new contributors
  • [Team] Plugins: Issues owned by Plugins Team
  • [Type] Enhancement: A suggestion for improvement of an existing feature
