Skip to content

Releases: TGMPA/TGM-Plugin-Activation


19 May 15:53
Choose a tag to compare


15 May 11:21
Choose a tag to compare

Since mid-February we offer a "Custom TGMPA Generator". From now on, that is the preferred way for downloading your copy of TGMPA for use in a theme or plugin.
If you download TGMPA using the Custom TGMPA Generator and indicate that it is for a theme which will be published on, you will receive a copy which will pass the Theme Check review.

You can find the Custom TGMPA Generator on the download page of the website. For more information, read the related blog post.

  • Bug fixes:
    • Fixed minor/low-impact security vulnerability. Thanks Mohamed A. Baset for reporting. If you find a security vulnerability, please disclose responsibly! #487, #505
    • Fixed a bug where action links on the WP native plugins page would not be properly filtered. #458, #459
    • Fixed a bug where TGMPA when included within a plugin would be recognized as the plugin instead of the real plugin. Thanks weavertheme and Mika Epstein for reporting. #499, #500, #558
    • Fixed an install error when trying to bulk-install an already installed plugin. Thanks Ahmad Awais for reporting. #496, #504
    • Fixed an update error when trying to bulk-update a plugin which is not installed. Thanks Gary Jones for reporting. #442, #508
    • Fixed admin notices display class. Props Ninos Ego and Primoz Cigler. #478, #495, #509
    • Fixed an issue resulting in notices about installed/updated plugins on the bulk install/update pages being displayed at the top of the page instead of inline. #510, #511
  • Enhancements:
    • The full admin notice is now only displayed to users who can install/update/activate plugins. A limited "Contact the site admin." notice is shown to select users if it pertains to required plugins. The selection of which users get to see this last message is based on the publish_posts (=Author) capability. This capability is however filterable using the new tgmpa_show_admin_notice_capability filter. Thanks Stanislav Khromov, Gary Jones, Mickey Kay, Ollie Treend for suggesting. #190, #414, #489, #507
    • The example file now shows examples of different ways for including TGMPA based on the context in which you are using it. Props Emil Uzelac for the suggestion. #469, #503
    • Force deactivated plugins will now show in the 'recently active' plugins list. #577
  • I18N improvements:
    • Improved some text strings and translator messages. Props Rami. #516

    • Added translator messages for all strings with variable replacement.#563

    • Added load_textdomain() calls. #521

    • Added translations for Brazilian Portuguese, Croatian, Czech, Dutch, French, German, Russian and Swedish #450, #574, #570, #465, #524, #528, #543, #561 with grateful thanks to Elvis Henrique Pereira, Denis Žoljom, Karolína Vyskočilová, geoclaps, Hedi Chaibi, Marciel Bartzik, Vladislav Burlak and Lewis Porter.
      Additionally translations for Australian English, Canadian English, British English, Esperanto, Spanish, Hebrew, Italian, Romanian and Serbian were added based on existing translations available in GlotPress. #564

      Altogether, this means that for the first version of TGMPA which ships with translation files, we're covering 17 locales, which is awesome!
      More translations are of course welcome, so please send the .po file(s) in as a pull request.

      Please note: If you download TGMPA using the custom generator and indicate it's for a theme to be hosted on, you will receive a version without the load_textdomain() calls or the translation files.
      Theme check rules dictate that you should only use one textdomain in your theme and the localization calls will be adjusted to use your theme's textdomain.
      As most TGMPA strings have a lot of translations available in GlotPress already, this should not cause any real issues.

  • Housekeeping:
    • Various other minor improvements and keeping things in line with WP core. #512, #513, #514, #532 - thanks Utkarsh Patel, #562, #571
    • Updated the included example plugin to comply to the latest standards. #557
    • Regenerated .pot file.


16 Jul 09:10
Choose a tag to compare
  • Hot Fix: fixes potential Fatal error: Call to protected TGM_Plugin_Activation::__construct() error and other compatibility issues when both TGMPA 2.5+ as well as TGMPA 2.3.6- would be loaded by different themes and plugins.

Take note: We do NOT support 2.3.6 anymore and highly discourage its use. Any themes and plugins still using TGMPA 2.3.6 or less should upgrade as soon as possible. All the same, the end-user should not be confronted with white screens because of it, so this hot fix should prevent just that.


14 Jul 14:20
Choose a tag to compare

Fixes potential Fatal error: Call to undefined method TGM_Utils::validate_bool() errors caused by a conflict with the Soliloquy plugin.


03 Jul 21:12
Choose a tag to compare

This is a major update which brings some interesting new features and fixes tons of bugs. This version of TGMPA is brought to you by Thomas Griffin with graceful thanks to Gary Jones and our new core-team member Juliette Reinders Folmer for the majority of the changes.

With this release the TGMPA library has moved to its own organisation on GitHub. From now on you can find it at TGMPA/TGM-Plugin-Activation.

The website has also been given some love. You can now find detailed information about the configuration options, FAQs and more at:

TGMPA will start providing localized text strings soon. If you already have translations of our standard strings available, please help us make TGMPA even better by giving us access to these translations or by sending in a pull-request with .po file(s) with the translations. A .pot file to get you started is now available in the GitHub repository.

  • Enhancement: Full support for update work-flow.

    • Updating of the registered plugins can now be done from the TGMPA screen, both on individual plugins as well as in bulk - this will take into account WP repo updates as well as updates for plugins which are bundled or come from external sources where a minimum version is set which is higher than the current version.
    • Users will be notified of available updates via the admin notice.
    • The TGMPA admin page now has four views: all, to install, update available and to activate.
    • The TGMPA admin page now has - on selected views - an extra column showing relevant plugin version information.
    • The TGMPA admin page status column will show both install/activate as well as update status (cumulative).
    • If a plugin requires a certain minimum version of a plugin and the currently installed version does not comply, activation will be blocked until the user has upgraded the plugin. If the plugin is already active, it will not be deactivated however.
      • If the required plugin version itself requires a higher WP version than the currently installed WP, upgrade to that version of the plugin will be blocked - this is of course provided TGMPA has access to that information -.
    • The plugin action links on the WP native plugins page will reflect this too - including disabling deactivation if force_activation is true for a plugin.

    #381, #192, #197 Props Zauan/Hogash Studio, Christian, Franklin Gitonga, Jason Xie, swiderski for their preliminary work on this which inspired this full-fledged implementation.

  • Enhancement: Better support for GitHub hosted plugins.

    Previously using standard GitHub packaged zips as download source would not work as, even though the plugin would be installed, it would not be recognized as such by TGMPA because of the non-standard directory name which would be created for the plugin, i.e. my-plugin-master instead of my-plugin. A work-around for this has been implemented and you can now use GitHub-packaged master branch or release zips to install plugins. Have a look at the example.php file for a working example.

    One caveat: this presumes that the plugin is based in the root of the GitHub repo and not in a /src or other subdirectory.

    #327, #280, #283 Thanks Dan Fisher and Luis Martins for reporting/requesting this enhancement.

  • Enhancement: New optional plugin parameter is_callable.

    Some plugins may have a free and a premium version using different slugs. Using the is_callable plugin parameter allows for the premium version to be recognized, even though the slug is set to the free version slug. Have a look at the example.php file for a working example.

    For more information on what is considered a callable, please refer to the Codex on callbacks.

    #205 Props Zack Katz.

  • Admin Page improvements:

    • Plugins downloaded from an arbitrary external source are now labelled "External Source". Previously they were labelled "Private Repository" which could be confusing as the download URL did not have to point to a repository, let alone be private. #372
    • Leverage the CSS styling of the Core standard WP_List_Table #227. Props Shiva Poudel.
    • Allow for moving the Admin Page to a different place in the menu. This is mainly to accommodate plugins using TGMPA as it is terribly illogical for the TGMPA page to be under the "Appearance" menu in that case. This has been now been implemented in a way that Theme Check will not choke on it. #310
  • Admin notices improvements:

    • For installs with both plugin(s) as well as theme(s) using TGMPA, notices will now be dismissable for each separately. This prevents a situation where a theme would have TGMPA included, the user has dismissed the notice about it, a plugin with TGMPA gets installed and the notice about it requiring certain other plugins is never shown. #174 Thanks Chris Howard for reporting.
    • Fixed: The reset of dismissed notices on switch_theme was only applied for the current user, not for all users. #246
    • Fixed: Admin notices would show twice under certain circumstances. #249, #237 Thanks manake for reporting.
  • Bulk Installer:

    • Fixed: If a bulk install was initiated using the bottom "Bulk Actions" dropdown, the install page would display an outdated TGMPA plugin table at the bottom of the page after the bulk installation was finished. #319
  • Theme Check compatibility:

  • Miscellaneous fixes:

    • Leaner loading: TGMPA actions will now only be hooked in and run on the back-end (is_admin() returns true). #357 Also most TGMPA actions will now only be hooked in if there's actually something to do for TGMPA. #381
    • Fixed: "Undefined index: skin_update_failed_error" #260, #240 Thanks Parhum Khoshbakht and Sandeep for reporting.
    • Made admin URLs environment aware by using self_admin_url() instead of admin_url() or network_admin_url(). #255, #171
    • Fixed: the Adminbar would be loaded twice causing conflicts (with other plugins). #208 Props John Blackbourn.
    • All TGMPA generated pages will now show the version number on the page to assist in debugging. #399, #402
  • I18N improvements:

    • Make configurable message texts singular/plural context aware. #173 Props Yakir Sitbon.
    • Language strings which are being overridden should use the including plugin/theme language domain. #217 Props Christian Foellmann.
    • Language strings are loaded a bit later now to ensure that the translations are loaded beforehand. #176, #177 Props Yakir Sitbon.
  • New action and filter hooks for TGMPA:

    • tgmpa_load - filter can be used to overrule whether TGMPA should load. Defaults to loading only when on the WP back-end when not DOING_AJAX. Typical use: add_filter( 'tgmpa_load', '__return_true' );.
    • tgmpa_admin_menu_args - filter can be used to filter the arguments passed to the function call adding the TG...


27 Apr 14:40
Choose a tag to compare
  • Fixed: Bundled/pre-packaged plugins would no longer install when using the Bulk installer. This was a regression introduced in v2.4.1. #321, #316 Props @jrfnl. Thanks @tanshcreative for reporting.
  • Fixed: Bulk installer did not honour a potentially set default_path for local prep-packaged plugins. #203, #332 Props @jrfnl. Thanks @pavot and @djcowan for reporting.
  • Removed call to screen_icon() function which was deprecated in WP 3.8. #244, #224, #234. Props @NateWr. Thanks @hamdan-mahran and @InsertCart for reporting.
  • Fixed: "PHP Fatal error: Class 'TGM_Bulk_Installer' not found" #185 Thanks @ctalkington for reporting.


23 Apr 07:28
Choose a tag to compare

Security release to improve escaping for URLs and attributes. explains how plugins were susceptible to potential XSS attacks. The announcement regards add_query_arg() and remove_query_arg() when the optional second argument is not given, resulting in a default of $_SERVER['REQUEST_URI'].

TGMPA used the second argument for most instances, most often with an admin URL. While the admin URL functions are filterable, taking advantage of the lack of escaping means being able to apply a filter (by editing a theme or plugin) to form a malicious URL, and not just sending a crafted GET request.

We did have at least one instance where the second arg was not provided, and the resulting URL was not being escaped. This has been fixed in 2.4.1.

2.4.0 (2014-03-17)

24 Aug 14:14
Choose a tag to compare
  • All textdomain strings now made to tgmpa and remove all notices dealing with textdomain and translation issues.
  • The _get_plugin_basename_from_slug method now checks for exact slug matches to prevent issues with plugins that start with the same slug.
  • Commenting style now adjusted so it is easier to comment large chunks of code if necessary.
  • Plugins from an external source now properly say Private Repository in the list table output.
  • add_submenu_page has been changed to add_theme_page for better theme check compatibility.
  • Removed the use for parent_menu_slug and parent_menu_url for $config options (see above).
  • Nag messages can now be forced on via a new dismissable config property. When set to false, nag cannot be dismissed.
  • New config dismiss_msg used in conjunction with dismissable. If dismissable is false, then if dismiss_msg is not empty, it will be output at the top of the nag message.
  • Better contextual message for activating plugins - changed to "Activate installed plugin(s)" to "Begin activating plugin(s)".
  • Added cache flushing on theme switch to prevent stale entries from remaining in the list table if coming back to a theme with TGMPA.
  • TGMPA is now a singleton to prevent extra settings overrides.
  • Fixed bug with duplicating plugins if multiple themes/plugins that used TGMPA were active at the same time.
  • Added contextual message updates depending on WordPress version.
  • Better nag message handling. If the nag has been dimissed, don't even attempt to build message (performance enhancement).
  • Ensure class can only be instantiated once (instantion moved inside the class_exists check for TGMPA).
  • Change instances of admin_url to network_admin_url to add better support for MultiSite (falls back gracefully for non-MultiSite installs).
  • Updated much of the code to match WP Coding Standards (braces, yoda conditionals, etc.).
  • Myriads of other bug fixes and enhancements

2.3.6 (2012-04-23)

24 Aug 14:13
Choose a tag to compare
  • Fixed API error when clicking on the plugin install row action link for an externally hosted plugin

2.3.5 (2012-04-16)

24 Aug 14:13
Choose a tag to compare
  • Fixed nag message not working when nag_type string was not set (props @jeffsebring)