The New Directory Is (Mostly) Live

Sorry about the post-facto notice, there were a lot of moving parts and we got some things out of order when communicating between the multiple teams.

Current Status

  • Pending plugins are imported
  • Approved (but not yet committed) plugins are being imported
  • Rejected plugins have not yet been imported (though they will be … all 23k of them)

Known Issues

Beside everything listed on Meta Trac, we are aware of the following issues:

  • Header images are pixelated
  • Plugin submissions are disabled

Plugin Submissions are Currently Closed

THERE ARE NO PLUGIN APPROVALS GOING ON AT THIS TIME

You can’t submit a new one for approval, and we won’t be approving anything until possibly tomorrow at the earliest.

I will post here (make/plugins) as soon as we reopen and start things moving along, but please don’t ask for a status update. If it’s not posted here, we don’t have one, and you’ll just make everything take longer.

Plugins Will No Longer Be Rejected After Seven Days

Before you panic, we’re not going to reject plugins after 7 days anymore. The queue will be handled differently so having old plugins with no replies is less of a problem. Also? We’ll be able to rename your plugin slug before approval, so that will take care of most things like `google-analytics-by-faro` 😁 and other obvious typos.

However. This means the onus is now even more on you to make sure you whitelist emails from `wordpress.org` in your email servers. A high volume of people never see the first email (the ‘please fix’) and only see the followup of 7-days, so now you won’t be getting that anymore.

#announcement

Clarification of Guideline 8 – Executable Code and Installs

Since Jetpack announced it installs themes, a number of people have asked if this is a violation of the 8th guideline:

The plugin may not send executable code via third-party systems.

And in specific, these two items:

  • Serving updates or otherwise installing plugins, themes, or add-ons from servers other than WordPress.org’s
  • Installing premium versions of the same plugin

The short answer is no, it’s not, and yes, you could do this too.

The longer answer involves understanding the intent of this guideline, which initially was to prevent nefarious developers from using your installs as a botnet. In addition, it’s used to disallow plugins that exist only to install products from other locations, without actually being of use themselves (ie. marketplace only plugins). Finally it’s there to prevent someone silly from making a plugin that installs a collection of ‘cool plugins’ they found from GitHub and want to make easier to install. Which actually did happen once.

Plugins are expected to do ‘something’ to your site. A plugin that exists only to check a license and install a product, while incredibly useful, is not something we currently allow as a standalone product. This is why we allow plugins to have the in-situ code for updates that is used by their add-on plugins. The plugin we host has to use WordPress.org to update itself.

In addition, we do permit valid services to perform actions of installations onto sites, and have for a very long time. ManageWP, for example, has had this ability for quite a while. It provides a valid service, letting you manage multiple sites from their dashboard, and yes, install and update plugins. Going back to the example of a plugin that hosts the update code for it’s addons, the ‘service’ is the license you bought for the add-on plugin.

The trick here, and this is what is about to sound like hair splitting, is that it’s not the plugin UI on your site that does the install. In order for Manage WP and Jetpack to work, you have to go to your panel on their sites and install the items. If you wanted to make, say, my.servicename.com and let people log in, authenticate their sites, and from that interface use a JSON API to trigger an install, you absolutely, 100%, totally can.

To hit the major talking points:

  • Is Jetpack allowed to do this? Yes.
  • Are you allowed to do this? Yes.
  • Can you have your plugin install things? No.
  • Can your service install things onto a connected site? Yes.
  • Are you allowed to have a marketplace plugin? Not at this time.

I know this is frustrating to a lot of people. The reason it never came up before is no one asked us, and it isn’t our place to run your business or invent all the cool things. The guidelines are guidelines, and not laws or rules, to allow people to interpret them, and you’re always welcome to ask us if something’s okay or not. Or warn us if you’re about to do something you think might get the masses up in a dander.

#guidelines

Beware Your Zips!

Its not you, it’s Google.

A lot of people have been mentioning that Gmail won’t send emails if they have zips. Other people have no problem. And reading the list of filetypes that are blocked, it took me a while to figure out what was going on. Not only does Gmail block bad attachments, they also check in your zips to see what files are there:

Certain file types (listed below), including their compressed form (like .gz or .bz2 files) or when found within archives (like .zip or .tgz files)

And guess what filetype Gmail just added on as a banned attachment? `.js` files. Explains perfectly why some of you had no problem and others have massive ones, right? Right.

My advice is, and has been for quite a while now, to use GitHub or Gitlab or Bitbucket or some sort of true development version control system. They all generate their own zips and you can just link us to them. Plus if it’s really complicated to explain what’s wrong, we can highlight the code for you.

I strongly recommend you NOT use free download sources like mega file and all those other ones, especially if they offer faster downloads for money. The majority come with scam popups, viruses, and x-rated ads. Of which I have seen enough. Dropbox is free and has public links. Plus you all have your own websites and can upload a zip there if needed.

#notice

Plugin Guideline Change

With the advent of the new directory being on the horizon, which allows us to easily hard-limit the number of plugin tags displayed, we have taken the time to change the guidelines.

While minor updates to the guidelines (with regard to spelling, grammar, etc) are common, major changes are rare and we are striving to be more transparent about them. Hence this post 🙂

Guideline 12 (readme links) clarified to cover spam and tags.

The guideline now reads as follows:

12. Public facing pages on WordPress.org (readmes) may not spam.

Public facing pages, including readmes and translation files, may not be used to spam. Spammy behavior includes (but is not limited to) unnecessary affiliate links, tags to competitors plugins, use of over 12 tags total, blackhat SEO, and keyword stuffing.

Links to directly required products, such as themes or other plugins required for the plugin’s use, are permitted within moderation. Similarly, related products may be used in tags but not competitors. If a plugin is a WooCommerce extension, it may use the tag ‘woocommerce.’ However if the plugin is an alternative to Akismet, it may not use that term as a tag. Repetitive use of a tag or specific term is considered to be keyword stuffing, and is not permitted.

Write your readmes for people, not bots.

In all cases, affiliate links must be disclosed and must directly link to the affiliate service, not a redirect or cloaked URL.

The previous version had the title of “… may not contain “sponsored” or “affiliate” links or third party advertisements” which was too specific and yet not direct enough as to what the intent was. We sincerely mean “Do not use your readme to spam.” Tag abuse, keyword stuffing, and blackhat SEO practices are all spamming.

While we still ask you to use no more than 12 tags, once we move to the new directory, we will simply not display the overage. You should clean that up now. The code is such that there will not be a way to grant exceptions. This is by intent. You don’t need 30 tags, folks.

Guideline 13 (formerly number of tags) now references using included libraries

Since we no longer needed a separate guideline for tags, we have completely changed this guideline to address an issue of security.

13. The plugin should make use of WordPress’ default libraries.

WordPress includes a number of useful libraries, such as jQuery, Atom Lib, SimplePie, PHPMailer, PHPass, and more. For security and stability reasons, plugins may not include those libraries in their own code, but instead must use the versions of those libraries packaged with WordPress.

For a list of all javascript libraries included in WordPress, please review Default Scripts Included and Registered by WordPress.

This issue has become incredibly important when you consider that roughly 90 plugins had to be contacted and closed regarding the use of PHPMailer. They had included the entire library and not kept it updated. I’m aware that we use a forked version of that specific library and I have raised core trac ticket #39714 to address this issue.

While we do not (yet) have a public page to list all 3rd party libraries, I’ve raised meta trac ticket #2431 to hopefully get this sanely documented.

#guidelines

Want to Close Your Plugins? Email!

Hi everyone, it’s winter at last, and there’s snow in the mountains! This is the perfect time to sit by the fire and look at your plugins and get rid of the ones you don’t want to be on the hook for any more.

Did you make a plugin for an event that happened a long time ago, like the 2008 Olympics? Did you make a featured plugin that got wrapped into core and you’re done?

Email plugins@wordpress.org with a link to the plugin and we’ll close it for you!

Doing this means you won’t get any new people complaining about how the plugin doesn’t work and disables itself in WP 4.3 and up (even though you documented it…). It’s less work for you and it’s okay to EoL plugins. We’ll close ’em for you and you’ll be done.

A lovely winter present for everyone.

(If you think the plugin has a use and life, but you don’t want to support it anymore, consider adding the tag ‘adopt me’ to your readme. Just update your readme file with that and maybe someone will come and offer a new home for your old plugin. Check out https://wordpress.org/plugins/tags/adopt-me to see the plugins out there looking for you!)

#reminder

[FIXED] Banners and Images Broken In the Old Directory?

There was a glitch the other day and anyone who updated in the hour or so window got goobered. We’re looking to see if we can automagically fix it but if you see your plugin looks sad and image-less, drop a link to it here and we’ll have someone hit it with a hammer for you.

Update! They found the 66(!!) affected plugins and are on the job!

Sorry about that 🙁 On the plus side, it works fine in the new directory!

#fixed #bug

Reminder: Make Sure Your Email Is Up To Date

I know the 4.7 ‘please test’ email went out a bit late (WordCamp US, blame Wapuu), but we did send it and just like last time, we’ve taken action the replies.

  • If you reply and ask for a plugin to be closed, we close it.
  • If your email auto-replies, we warn you once. If you were warned previously, we close your plugin(s).
  • If your email bounces we close your plugin or, if there are multiple developers involved, remove your account and notify them.

These actions are taken for security. If we have no way of getting in touch with you, or if your email is invalid, it puts your users at risk. Not to mention getting 2500 auto-replies is pretty frustrating.

Remember, it is a requirement that we be able to contact you. We don’t mind if the email is a group mail, but it should never auto-reply to anything from WordPress.org. Just whitelist us (and yes, you can do that with ZenDesk read this ticket for details) and make sure nothing from .org gets a bounce reply. This will also make our servers faster, which I know you’d like.

If you can’t do that, you’ll need to change your email to something else. Do to that, go to https://wordpress.org/support/users/YOURID/edit/ as the user in question and edit the email. Done.

On a happier note, less than 100 people had to be contacted this time around! It only took me 2 hours to sort it out, versus last time which was much higher. The majority of the issues came from new plugin developers, which is understandable, but a few of the long-standing devs had a rude awakening this morning, I’m sure.

Thank you everyone for understanding.

#notice #policy

WordCamp US/2016 Recap

First of all I suck for not getting everyone’s names. I’m lucky I remember mine…

This marks my first year as the rep of the Plugin Directory Team and we’ve made some phenomenal headway. We’ve re-written the detailed plugin guidelines to be more understandable and clear for everyone. We’ve actually written a handbook! We never had one before. And Team Apollo has been brilliant getting the new directory from a pipe dream to a beta test reality. Thank you everyone for getting us here.

At WordCamp US 2016 Contributor Day, we had over 20 people going over the brand new Handbook, which lead to the creation of the Glossary and a lot of edits! So a huge thank you to everyone who was here. I really appreciate it. We also had a few people reviewing plugins as practice for the first time. I look forward to their results. Good luck, folks!

Right now the new directory is in public beta. That means if you go check it out wordpress.org/plugins-wp/ you’ll see the brave new world for plugins, and we hope you can help us test things out. If you find bugs in search, please report them on Meta Trac #1692-meta.

The Plugin Developer Documentation has been updated to address the changes (mostly to your Plugin Assets) and the Handbook was written with this new interface in mind.

Which leads us to the eternal question… when will the directory open up to new reviewers?

I’ve said it before and I’ll say it again, the opening of the plugin team to new members will happen after the new directory is complete. This is just a technical necessity. The current system works but it has serious limitations that are just prohibitive to adding more people. That made writing a handbook for a process that doesn’t exist rather interesting. My goal is, once the directory is live, to iron out the how-to-review and then get some experienced developers in to review but not approve, to see if we can come up with a process closer to the Theme Review Team, but not fall to backlog.

This will take a lot of experimentation and patience.

Hang in there.

#contributor-day

#1692-meta

Just a quick note.. Due…

Just a quick note.. Due to the Thanksgiving Holidays followed up by the entire team being at WordCamp US in Philadelphia this weekend, plugin approvals and even emails to the team will be delayed. Don’t worry, we’ll deal with the backlog when we all return home to our comfort zones. 🙂

Reviewer Handbook

Sneaking this in just before WordCamp US, if you’ve seen the redesign of this make site, then you may have seen the link to the handbook.

This is a rough draft – it’s not perfect and it doesn’t cover all contingencies. However, yes, that is indeed our handbook. It’s built to the new directory, which we’re not fully using yet, and it has some information that may surprise you. For example, did you know we could see every IP address you’ve ever used to submit a plugin?

On Contributor Day, I’ll be asking victims– volunteers to help with it, to explain things more clearly, and to make this something that can be used to (eventually) include more reviewers.

Speaking of, before you ask for the status, here it is: Not yet.

Once the new directory is live, and once the existing reviewers have worked out the best flow, then we will bring in some existing developers to join us. But it’s not going to suddenly be a flood gate. We’re trying to avoid hitting a backlog as bad as the theme team has, and I’ve been closely watching how they handle reviews and trying to see what we can do to navigate that kind of a delay. Obviously ‘more reviewers!’ isn’t the only answer, and right now I feel that the right fix for plugins is a more streamlined system. I have a plan. I’m sure it won’t last the first day against the enemy (i.e. plugins).

See you all soon at WordCamp US!

#notice #handbook