Currently plugin enable, disable, and logout are simple logic coded in the controllers. A better practise would be to have these as API methods that the UI would call with a token_auth. Also, add a salt in the visit generator URL. Also check the dashboard layout update.
(In ) Fixes #1147 I chose to add the token in the URL rather than exporting this logic in the API, this makes more sense now