Please don’t ‘test’ submitting other people’s plugins.

tl;dr: Never test vulnerabilities on someone else’s live site without their permission.

By now, a lot of you have read the post about the so-called “WordPress Plugin Confusion” whereby a pluginPlugin A plugin is a piece of software containing a group of functions that can be added to a WordPress website. They can extend functionality or add new features to your WordPress websites. WordPress plugins are written in the PHP programming language and integrate seamlessly with WordPress. These can be free in the WordPress.org Plugin Directory https://wordpress.org/plugins/ or can be cost-based plugin from a third-party hosted on WordPress.orgWordPress.org The community site where WordPress code is created and shared by the users. This is where you can download the source code for WordPress core, plugins and themes as well as the central location for community conversations and organization. https://wordpress.org/ can ‘override’ a plugin not hosted here, by using the same name/permalink. Someone even made a CVE for it.

Please stop ‘testing’ this vulnerability with us.

This is not a new issue by any means. Heck, this has been something people report on now and then for years. In the past, the plugin team coordinated a release of a plugin to intentionally do that and protect users from a significantly dangerous plugin. We’ve locked out permalinks to prevent abuse and so on.

Sadly, the post conflated a couple of issues, which have to do with social engineering and a misunderstanding of why we have those permalink-checks for trademarks. Also it’s entirely incorrect with this one claim:

and the whole approval process is automated

This could not be further from the truth. All new plugins submitted go through human review. When you submit a plugin, somebody reads your plugin code, your submitted slug and name, checks on the history of the plugin, checks that the developer isn’t a returned banned user, etc. The process is by no means “automated” and while it has some automated pre-flight checks, they’re really there to weed out things that would end with a pended review, to make the process faster for everyone. While we have some tools we run, they don’t actually approve or reject anything, they’re just fancy code-sniffers, customized to look for specific patterns or known bad behavior, outside of the overall quality like PHPCSPHP Code Sniffer PHP Code Sniffer, a popular tool for analyzing code quality. The WordPress Coding Standards rely on PHPCS. (you are using that, right?). Submitting things to test out what you think is an “automated” system is wasting the time of our volunteers and reviewers.

See, that trademark ‘blockBlock Block is the abstract term used to describe units of markup that, composed together, form the content or layout of a webpage using the WordPress editor. The idea combines concepts of what in the past may have achieved with shortcodes, custom HTML, and embed discovery into a single consistent API and user experience.’ isn’t actually there to protect trademarks for the owners. We have them to make our life easier and to protect you, the developers, from making some pretty common mistakes. Just for an example, we block ‘akismet’ not because we were asked to by Automattic, but because over 50 people a year tried to submit a copy of Akismet instead of uploading it to their own site.

As the post (properly) notes, you can’t submit a plugin with a permalink that’s already in use, be it on WordPress.org or if it has a notable user-base outside of WordPress.org. Even if a name gets by those checks, the review team can see if the permalink is being used and by (roughly) how many people. That’s a large part of why we have humans checking these things. A human can look at an email and a plugin and check for proper ownership.

By the way, as a number of people have complained about, this is why we require official plugins to be owned by demonstrably official accounts (like with an email address that uses the right domain, and so on). It’s not just to prevent trademark abuse, it’s to ensure that kind of thing is less likely to happen.

Now. Do you need to test this? No. All you’re doing is making things more stressful and more likely to be missed, which doesn’t solve a problem. Do you need to add your trademark to the blocked list? Again, no. Unless it’s being actively abused, or there’s a high-risk situation that it might be, it’s just adding more work for a low (to negligible) risk in the first place.

How DO you protect your own, non-org hosted plugins, from this?

Use the UPDATE URI flag.

We check for it on .org, and won’t allow you in with it (since… why?) but for plugins we don’t host, well that’s literally why it exists 🙂 Use it. Love it. But please, remember the first step in ethical hacking is never trying out a vulnerability on someone else’s site without their permission.

#reminder, #security, #trademarks

Reminder: Trademarked Logos Cannot Be Used In Banners/Icons

tl;dr: Using someone else’s trademarked logo in your pluginPlugin A plugin is a piece of software containing a group of functions that can be added to a WordPress website. They can extend functionality or add new features to your WordPress websites. WordPress plugins are written in the PHP programming language and integrate seamlessly with WordPress. These can be free in the WordPress.org Plugin Directory https://wordpress.org/plugins/ or can be cost-based plugin from a third-party icons or banners is a trademark violation, and they have the right to have us remove your plugin at any time.

We’ve posted about this before, and it’s apparently time for a reminder. Logos for brands are generally trademarked. Those logos cannot be used in your plugins banners or icons unless you have their express permission.

Trademark infringement is the unauthorized use of someone else’s registered trademark. This means you are using their logos without permission. When we talk about misuse, it’s more clear to think about it in terms of physical products. Lets say you make electronic gizmos and they happen to work with MacOS. If you put Apple’s logo on your products, you would be infringing on their trademark. Basically you’re misrepresenting yourself in a way that implies or suggests that the trademark owner approves of your work when this is not true.

If you got an email from us (either a warning or a closure notice) about this sort of matter, please address it promptly. Check your banners and icons, and your display names, to make sure you aren’t in violation. Remove all trademarked logos from your plugin banners and icons (yes, even social media ones), and make sure it’s clear that your plugin is not an official plugin (unless it is, and then you don’t have to worry).

Some quick questions:

Why do trademark owners care?

Trademark owners who do not protect their trademark usage end up being unable to enforce it legally later on. So it’s in their best interests to monitor the use and prevent misuse. Also, customers often get confused about the origin of the plugins, and will complain to the wrong people if there’s an issue. Finally, you are essentially profiting from the goodwill that the trademark owner has generated.

Who actually complains to [company] about a 3rd party plugin!?

A lot of people, actually. A high number of people complain to companies and the companies come back to us and say we’re encouraging the behavior which causes confusion with users and a loss of trust in the trademark owners. After all, if your unofficial plugin breaks someone’s site, and they blame the trademark owner? Well that wasn’t fair at all.

Why are other people getting away with it?

They aren’t. They’re just living on borrowed time, as the saying goes.

We have getting close to 100k plugins. They are all monitored by humans (not automated for this one yet) and a human has to check if you had permission or not, if you’ve been warned or not, if your plugin merits a grace period or not, and if the trademark owner has officially demanded we close your plugin immediately. Plus a large number of people argue about this, which eats up time. We do things in batches to try and stay sane.

Also … we strongly recommend you never use that excuse. It makes you sound like ‘sour grapes’ or childish to argue that someone else didn’t get caught yet, so you should be allowed to keep breaking the rules. That just makes this process take longer for everyone.

I reported someone, but you didn’t do anything! Why not?

Unless it’s your trademark, we generally don’t do anything right away because, again, we have close to 100,000 plugins. The number of violations is high, and in order not to ‘play favorites’ we do them in the order we’ve got them. We don’t bump people higher (or lower) on the list just because someone complained or is our friend. That would be terribly unfair!

If it was your trademark, we probably did bump them to the top of the list. We do try to get the developers to fix things before we close (especially for larger plugins that would have a massive negative impact on the community), but this isn’t always possible.

Isn’t it fair-use to use social media logos for related plugins?

No. Besides the fact that ‘fair use’ doesn’t apply to trademarks, it’s a matter of how you’re using it. Social media companies usually give permission to use their logos on your website as a direct link to your presence on their ecosystem. So a bird links you to Twitter. However. That is not the same as using a logo for advertising which is what many of them consider banners and icons to be. Their argument is that WordPress.orgWordPress.org The community site where WordPress code is created and shared by the users. This is where you can download the source code for WordPress core, plugins and themes as well as the central location for community conversations and organization. https://wordpress.org/ is not your site. We’ve argued about this, but some companies have slapped us with legal threats so there we are.

What about screenshots?

Some trademark owners demand we prevent that too, some don’t. I wish we had a clearer answer here, but just to grab an example, there is a certain social media company who doesn’t want to see you use the logos in screenshots. Meanwhile, there are other credit card companies who don’t mind. Keeping track of those is incredibly hard! We recommend you not use them in screenshots.

What if I redraw my own version of the logos?

Then you’re probably going to get a legal demand from the owner to stop because you broke their usage guidelines for the logo. We should note here, when you intentionally try to get around trademark law, you are effectively confessing guilt. You know what you’re supposed to be doing and you’re actively trying to get away with something? The trademark lawyers will be able to take you down in seconds.

How can I promote my plugin’s associations without violating?

First and foremost, the directory isn’t for promoting anything, it’s for listing. If you’re doing all this to basically be a big “Click Here!” method, you’re going about it the wrong way.

Now if you’re really asking “How can I improve my usage by getting people to click on my plugin?” then you start by making a great banner that is memorable.

Stop treating a banner or an icon as a billboard. You don’t need to show off what your plugin can do, you need to be memorable and noticeable. The best banners are the ones that stick in people’s minds, and the odds are not a single person remembers “Oh you’re the one with the logos in this order…”

But no, you don’t need all the examples of the possible social media uses on your plugin banner.

What about Display Names?

In general, you can use “For [Trademark]” in your display name. There are some vendors who are particular and won’t even let you do that. We do our best to try and warn you ahead of time, but sometimes vendors change things on us without notification. Most are pretty cool about working out a plan so we don’t have to close plugins, some are not. I wish I had a better answer there.

#guidelines, #trademarks

Trademark Enforcement

Many of you have received an email from us regarding pluginPlugin A plugin is a piece of software containing a group of functions that can be added to a WordPress website. They can extend functionality or add new features to your WordPress websites. WordPress plugins are written in the PHP programming language and integrate seamlessly with WordPress. These can be free in the WordPress.org Plugin Directory https://wordpress.org/plugins/ or can be cost-based plugin from a third-party closures for trademark violations. These emails were absolutely not made in error.

Due to recent demands by trademark owners, we will now be more strictly enforcing trademark abuse when it comes to plugins. While it should be sufficient to tell you “Don’t abuse someone’s trademarks.” the reality is that those things are complex and confusing.

We will have altered our system to prevent the submission of those plugins that violate trademarks. This is not something we do lightly, however we have been compelled to close a great many plugins recently. It’s more efficient to prevent potential abuse than to clean it up after the fact.

How Trademarks Apply

Trademarks apply to the following aspects of your plugin:

  • The Slug – Your plugin slug may not begin with someone else’s trademarked (or commonly recognized) term
  • The URLURL A specific web address of a website or web page on the Internet, such as a website’s URL www.wordpress.org – You may not use someone’s trademark in your domain name
  • The Display Name – You may not begin the display name with someone else’s trademarked (or commonly recognized) term and, in many cases, you may not use the name AT ALL.
  • All Images – You may not use trademarked logos/images in your banner, screenshots, logos, etc

We do our best to take care of the first one – the slug – when you submit your plugin. Plugins approved pre 2015 with trademarks in the URL are ‘grandfathered’ in and permitted to remain. All plugins approved after 2015 are required to meet this restriction. All plugins, no matter when they were approved, must comply with trademark usage in display names and images.

We also keep our eye on similar names. There’s a concept known as brand confusion, so naming your company or plugin similar to another company (like Facerange, say) you can still be legally compelled to change the name. This is why, for example, you cannot use ‘pagespeed’ in your URL for a site optimization tool, even though Google’s only trademark is on ‘page speed’ (two words). The name is similar enough that we have been required to close plugins.

Additional Restrictions

In addition to the above, many brands have an above-and-beyond requirement. You must also avoid representing the brand in a way that:

  • Makes the brand the most distinctive or prominent feature
  • Implies partnership, sponsorship or endorsement
  • Puts the brand in a negative context as part of a script or storyline

Also many have statements like this when regarding applications specifically:

  • Don’t modify, abbreviate or translate the brand name to a different language or by using non-English characters, or use any logos to replace it.
  • Don’t combine shortened versions of the brand with your own brand.
  • Don’t use our ‘wordmark’

This is where it all gets crazy weird. But an example would be the brand Facerange. With the above restrictions, naming your plugin (which is an application) “WordRange” or “FacePress” and having it be a plugin to work with Facerange would be a violation of their terms.

It all comes back to making it painfully clear that you and your work have NO relationship to their products. Some allow you to use their product name wherever you want, and some won’t permit it at all. When in doubt, the best course of action is to assume you don’t have permission and not to use it.

Quick FAQ

Can I use ‘for BRAND’ in my plugin display name?

Sometimes. It depends on the brand. We don’t have a complete list, which makes this very complex. It’s important to pay attention to the rules for brand usage and application uses. Some brands have separate rules. In general, if they’ve trademarked their wordmark then no, you cannot use it for an application. And yes, a plugin is an application.

What’s a wordmark?

That’s the name. So Facerange’s wordmark would be “FACERANGE.”

I have permission from PayBuddy to use their wordmark/logo, is that okay?

We’d rather you not use it on your PLUGIN pages. It’s impossible for us to verify, and many agreements with brand owners are rescinded. Brand your webpage all you want, but leave their official logos and word marks off your plugin.

A brand contacted me directly and asked me to change things. Is that a real demand?

More than likely they are. They’ll usually include links and directions and contact information. Use that and comply with them, because if you don’t, they’ll come to us.

What about existing violations?

We’re handling them in batches. You don’t need to report them to us.

But if you haven’t closed them, why are you closing my plugin?

Because there are thousands of plugins and we do them in small batches for sanity. Also brand owners sometimes give us a priority list, and you just happened to be higher than someone else.

Don’t they get an SEO boost?

No. Write a better readme that uses the brands properly and contextually, and you’ll be fine.

Someone’s infringing on MY brand, what do I do?

Contact them first. Ask them to stop (nicely please). Link them to your brand documentation. If they ignore you, email us the same. We’ll close the plugin until they fix it.

We recommend you BE CLEAR about what you require. Remember, most people aren’t familiar with trademark laws and their intricacies, so it’s very easy for them to get confused.

#guidelines, #trademarks

Reminder: Respecting Trademarks Includes Icons and Banners

This is a reminder that one of our guidelines is respecting trademarks and brands.

tl;dr

Using someone else’s trademarked logo in your pluginPlugin A plugin is a piece of software containing a group of functions that can be added to a WordPress website. They can extend functionality or add new features to your WordPress websites. WordPress plugins are written in the PHP programming language and integrate seamlessly with WordPress. These can be free in the WordPress.org Plugin Directory https://wordpress.org/plugins/ or can be cost-based plugin from a third-party logo or banner is a trademark violation, and they have the right to have us remove your plugin at any time.

Explanation

Normally trademark situations come up when you submit a plugin like Facerange Messenger, but you don’t happen to work for Facerange. We change your slug from facerange-messenger to messenger-for-facerange (or something to that effect) and ask you to rename the plugin to “Messenger for Facerange”. Another common instance is when we have to explain bobo-facerange-messenger.com is a violation of their trademark use, and you need to rename your domain.

As of late, companies have begun enforcing logo usage as well. Originally they were just picky about the icon or banner being only their logo, but now they’ve moved on to the use at all. What this means to you is simple: Don’t use someone else’s logo in your plugin’s icon or banner. Period.

If you don’t have the legal rights to use it, don’t. If you’re not sure if you do, assume you don’t. If you lose the legal right (like no longer being a part of PayFriend’s trusted developer program), you must immediately remove their logo from your plugin’s public facing pages.

FAQ

What happens if a company complains?

You will receive a warning via email that a complaint has been filed and you are to correct the icon and/or banner immediately.

How long do I have to comply?

0-days. Technically you’re already a violation. They don’t have to let us give you a chance to come correct, so we would appreciate it being done within 48 hours.

Do I have to push a new version of my code to do this?

Nope. Just fix the images in your assets folder.

Addendum by Otto: This includes screenshots. If you have somebody else’s logos in your plugin itself, or displayed on your service, then you might want to consider getting those removed as well.

What do I do if a company asks me to change my icon/banner?

Change it. Seriously, it’s not worth it. Make your own unique and distinct logo for your plugin. It’ll make you more memorable in the long run.

Do I have to change my display name as well?

Yes, you do. Remember: Don’t start your display name with someone else’s trademark/copyright/commonly known name. If it’s not your name, it’s not a good idea.

Isn’t this contrary to the GPLGPL GPL is an acronym for GNU Public License. It is the standard license WordPress uses for Open Source licensing https://wordpress.org/about/license/. The GPL is a ‘copyleft’ license https://www.gnu.org/licenses/copyleft.en.html. This means that derivative work can only be distributed under the same license terms. This is in distinction to permissive free software licenses, of which the BSD license and the MIT License are widely used examples. and open sourceOpen Source Open Source denotes software for which the original source code is made freely available and may be redistributed and modified. Open Source **must be** delivered via a licensing model, see GPL.?

No. Licences like GPLv2 are separate entities, and in fact the GNU supports the use of copyright in code. As for open source, it’s not above the law. Check out FOSSMarks for more information and as always, contact a lawyer with your legal questions.

Addendum by Otto: Also note that Trademark and Copyright are two entirely different things. There is no “licensing” for trademarked items. The GPL and any other license will not apply. Basically, if something is trademarked, then you need to get explicit permission to use it, in writing, or you just don’t use it.

I think it’s fair use. Will you let me keep the icon while I fight them?

Alas, no. We have to consider the directory as a whole and it’s over 60k plugins. The risk for us is too high, and we will side with the legal request.

Addendum by Otto: There is no concept of “fair use” in trademark law. Don’t use other people’s trademarks. Period.

What about existing plugins that you let violate trademarks in the slugs?

That’s because we do not have the technical ability to rename a slug without breaking it for all users. They’d be abandoned. And you can’t automatically migrate users from one plugin to another, so because of that limitation, most companies have permitted us to retain plugins that violate their trademark in the slug. Some have not, and we’ve been forced to close those plugins.

Since the logo and display name can be safely changed, it’s a different matter.

Someone else is violating too! Why didn’t you shut them down?

We email people in batches. You’re welcome to report fellow plugin devs who are violating the guideline, but the odds are we’ve already been in contact with them (or will be shortly). You’re not being singled out, we just have a lot of plugins to work through and we take breaks. Keep in mind, if it’s not YOUR trademark, we generally just warn.

Someone’s using my trademark in their icon/banner, how do I get them to stop?

Contact them first and point to this post (and the 17th guideline) and just ask them NICELY to please change it. If they blow you off or don’t respond in a reasonable time (like 2 weeks), you can email us at plugins@wordpress.org and we’ll follow up.

#guidelines #trademarks

The WordPress trademark and domain names

A friendly reminder to pluginPlugin A plugin is a piece of software containing a group of functions that can be added to a WordPress website. They can extend functionality or add new features to your WordPress websites. WordPress plugins are written in the PHP programming language and integrate seamlessly with WordPress. These can be free in the WordPress.org Plugin Directory https://wordpress.org/plugins/ or can be cost-based plugin from a third-party authors: Per the WordPress trademark policy, do not use “wordpress” in your domain name. We have been actively notifying developers that reference such domains in readme files or plugin headers. If you are violating the trademark, please update your plugins. Your next step should be to switch to another domain.

As our page on wordpress.org says, “We see this most frequently with spammy sites distributing plugins and themes with malware in them, which you probably don’t want to be associated with.”

#trademarks