Change to How Long Active Reviews Remain Open

tl;dr Starting in October, you will have THREE (3) months to complete your review before we reject it.

This will not affect most of you who actively read this site.

For a very long time, we’ve allowed plugins 6 months to finish a plugin review. That’s more than enough time for any reasonably attentive developer to make changes (especially considering the majority are ‘please sanitize/escape’).

In January 2021, we had 596 ‘pending’ reviews, which meant there were just under 600 plugins that had been reviewed and we were waiting on a reply/completion. We’re seeing over 800 in September.

That rise is out of step with the number of plugin submissions. In fact, if you look at our posts to Make/Updates, you can see we’re pretty stable around 140 plugins submitted a week, but the “pending; replied to” value is inching up.

Since the majority of those plugins that don’t reply or finish in 3 months aren’t going to any time soon, we’re changing our policy to try and be more sustainable and less work. From now on, you have THREE months to finish a review before we reject it.

What about existing plugins/reviews through September?

There’s no change to existing submissions. Which means the “Reject all reviews pending completion” logic works like this:

  • Sept 30 – 6 months (i.e. from March ’21)
  • Oct 31 – 6 months (i.e. from April ’21)
  • Nov 30 – 6 months (i.e. from May ’21)
  • Dec 31 – 6 months (i.e. from Jun ’21)
  • Jan 31 – 6 months (i.e. from Jul ’21) and 3 months (i.e. Oct ’21)
  • Feb 28 – 6 months (i.e. from Jul ’21) and 3 months (i.e. Nov ’21)
  • March 31 – 6 months (i.e. from Aug ’21) and 3 months (i.e. Dec ’21)
  • April 30 – 3 months and older (i.e. Jan ’22 and before)

Yes, it’s a little messier for us, but it’s the most fair we can be to existing reviewers. It would not be kind to pull the rug out from under them.

What happens if I take more than 3 months?

Just keep replying to the review! We’ll work through it with you and tell you to resubmit when the review is good. That also lets us fast track you since you’ve worked so hard!

Can’t I just resubmit right away?

You could, but we’d pend your review and ask you why you never finished the previous one, which means your whole review will take longer, and we’ll make a note on your account about not following directions.

What if I can’t reply because I deleted/lost the review?

We get it. Mistakes happen. We’ve all deleted the important email! Email us at plugins@wordpress.org from the account/address that submitted the plugin and we will re-send it for you.

Why did I get rejected if I never got a review?

There are two cases where this could happen:

  1. Your plugin was rejected right away. In those cases we email you with an explanation as to why, so please wait an hour. You should get a followup.
  2. Your email ate the review email. A number of services (including Gmail) can be configured in a way that might cause you to have a review misplaced through no one’s fault.

In both cases, reply to the rejection email and ask.

Is this automated?

Not yet, no, but I’d like it to be eventually.

Yes, this means every month end, someone goes through and selects all submissions from a time period and changes the status in bulk.

Why did you reject my plugin after you emailed and said it was approved?

Human error. Or internet greebles. Probably the first. We do our best, but sometimes a mouse didn’t click when we thought it did, or a human got distracted, and mistakes happen. Those are generally our mistakes, and we are sorry when that happens.

Please email us back and tell us. We’ll get you fast tracked and sorted.

I have another question not answered!

Have a shout in the comments.

#reviews, #timeline

Inaccurate Stats Have Been Corrected

It gives me no joy whatsoever to have to post this.

A little over 100 plugins recently were impacted by a stats gathering change. This means those plugins had their active install stats seemingly adjusted downward.

We understand this was painful for a number of developers and we held off on announcing this as we were still doing a bit of triage and making sure it was blocked. We are sorry about that confusion.

What happened?

Recently, it was pointed out that the active install counts of several plugins appeared to be inflated artificially. When we looked at the raw data, we found that this was correct for roughly 100+ plugins; fake update data was being sent to us.

This is not unusual, it’s happened before, although people are usually much more blatant about it, which is why it took a long time to notice it. In any case, we adjusted our stats mechanisms to ignore these, and so those 100+ plugins will have seen a drop of around ~8000 installs.

As the data was being faked before, this new count is more accurate. But it doesn’t change the old counts, and we can’t redo those counts as we don’t store that raw data for more than 2 days. 

@Otto42

Will this happen again?

Probably. This specific attack won’t, as the folks with server power on WordPress.org are outstanding. However about once every other year someone tries to do stuff like this. We usually catch on to them a little faster and block them. Now that we know about this one, we’ll add it to the list of things to monitor and block. But yes, people love munging with stats, they’ll certainly try it again.

Why didn’t you post right away?

We were asked not to while people were still working on stopping it, and then we didn’t want to while we were investigating the root cause. Basically we didn’t want to announce it until we had all the facts.

Can you tell us exactly what happened?

No, we cannot. We’ve learned that telling people exactly how we caught what they did, or even just what they did in details, leads to them doing it again in a slightly more clever way. Right now, they have no idea how we solved it, and that’s just fine.

How many users did I lose?

The Active Install count for affected plugins would be decreased by somewhere between 1 and 8 thousand. Depends on the plugin. And yes, we know that’s a galling number.

Were any of them valid users?

We can give you 100% assurance that no, they were not. The counts were inflated, so the number it shows now is much closer to the true active install count.

My plugin was impacted – am I in trouble?

No. If you were the culprit, your plugin would be already closed, your account banned, and you got a stern email from us about why you were banned for doing that, and you’re not welcome here anymore. If all of those aren’t true, we know you didn’t do it, and you have not a single thing to worry about.

Will a big drop in usage hurt my plugin popularity?

Not really, no. Please keep an eye on the big picture for a moment:

  • If you want stats to be useful then they have to be accurate, right? Well, we fixed that.
  • The majority of end users don’t look at the charts that actually show the massive drop, they just look at the full usage count. And no, they don’t remember what you had yesterday.
  • You can point people here to explain “Someone else was a right prat and messed up stats for a lot of us.”

In the long run, this will even out and no one will notice. If you’re worried about your popularity, make sure you have a good readme that explains why someone wants the plugin and how to use it. That will help you much more than numbers or charts.

Did this impact historical data?

You mean from last month? Yes. Sadly. It’s been going on a while, like for most of the year. We don’t keep old stats like that in a manner that allows us to clean this up, so that’s why it looks like you had a big drop. At best we could force edit everyone impacted and drop them by X amount going back to when we think this started, but that doesn’t really change much, it just moves the weird needle back so it looks like a month or whatever ago, you had a massive drop.

There’s also the fact that the climb was a slow creep. We know the end volume of fake usage only because we saw the drop like you did. We could guess at how much of each month’s growth was fake, but you run a higher risk of looking worse, like you were losing 100s of users a month for a year.

Finally … asking us to manually edit your stats is a pretty terrible precedent. We don’t do that. We should never do that.

Why don’t you keep old data?

Two reasons: Privacy and size. We delete tracking data for your privacy, but also because with millions of sites out there, it’s heckin’ huge! Like “What comes after Petabytes?” huge. (Answer: exabyte, now you know.)

Can you undo this?

According to what I’ve been told, no. By blocking the fake data source, the stats automatically adjusted. The only way anyone would possibly be able to revert it would be to restore the fake data. We feel that is a terrible suggestion, as that would be intentionally lying to your users.

Who did this?

We are not about to disclose that. It’s being handled, and we are not in the business of dog-shaming people, nor encouraging mob-mentality to attack them.

If I didn’t do it, why am I being punished?

You’re not. Your plugin stats changed when we blocked the cause for the inaccurate counts. No one on WordPress.org has manually adjusted numbers. Basically we said “data like this is invalid” and when the counter recounted, which happens every day, those plugins were impacted.

This isn’t fair!

It’s equitable. Everyone who had their stats incorrectly inflated was corrected when we removed the data source.

I have some suggestions and ideas about how to fix this, where can I post those?

I am so glad you asked! The best way is to join us to be part of the ongoing solutions! And the easiest way to do that would be to come on over to help the META team. See, plugin reviews is just plugin reviews. But Meta? They do the heavy lifting of making the WordPress.org experience better for everyone. And, perhaps not shockingly at all, it’s mostly PHP and JS. Yes, that’s right, WordPress.org runs on WordPress!

Meta has a meeting every other week in #meta on Slack. You can keep tabs on all meetings via https://make.wordpress.org/meetings/

Also if you have a fully formed idea, that you think is a good proposal, head over to https://meta.trac.wordpress.org/ and make a ticket. If you have detailed screenshots and example code, all the better.

#statistics

Trunk vs Tags? Which is Better? (Answer: Tags)

tl;dr – We strongly recommend you use tagged folders for your releases of your plugins. Future you will thank you.

While we have always advocated for people to use a tag folder with their plugins instead of trunk, it persists that a number of developers like using the “Stable Tag” of trunk. There are logical reasons for this. Having your stable tag be trunk feels like it’s one less thing to keep in mind when you update your plugin for a new release.

The problem with that setup is that you suddenly made it harder for everyone else to keep tabs on your plugin, to make sure they downloaded the correct version, and worst of all … you made it nearly impossible to roll back to a previous release. And with the advent of automated plugin updates, that last one is going to be damaging to you in the long run.

In fact, here’s what you’re making worse:

  • No easy way to download older versions to debug compatibility issues
  • Translators cannot work in ‘advance’ of a release, meaning as soon as you push your code, the translations are out of date until volunteers can work on it
  • You increase your risk of an accidental release
  • No way to allow people to download the ‘pre-release’ version from official WordPress.org sources
  • No ability to ‘roll back’ versions

So what’s the right way?

  1. Make sure the stable tag in your readme.txt is set to your stable version and matches the version in the main plugin file (those need to match)
  2. Put everything into your trunk folder on your local checkout (use svn add and so on as needed)
  3. Run svn cp trunk tags/1.2.3 — this will copy from trunk to the tag folder
  4. Run svn ci -m "Releasing new version" — this will push both trunk and tag

That’s it. You’re done. Now you can upload and edit trunk all you want, for a dev version, and as long as the readme points to the proper stable tag, your users won’t get any updates.

Okay, but what if you want to have a trunk version for testing? Do not edit the stable tag in the trunk readme! It’s that value that tells WordPress which version is ‘stable’ and if you’re working on 1.2.3, keep stable as 1.2.2 in trunk and no one will get the new code until you’re ready.
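
A check to run before svn ci for the tag workflow above, added here as an example (not code from the WordPress.org plugin team): it reads the Stable tag from trunk/readme.txt, then confirms that tags/<version> exists and that the main plugin file in that folder declares the same version. The file name example-plugin.php, the function names and the sample checkout are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: sanity check for a plugin SVN checkout before committing.
# Assumed layout: <checkout>/trunk and <checkout>/tags/<version>.

# Print the value of a "Name: value" header line (readme.txt or PHP plugin header).
header_value() {  # header_value <file> <header name>
    grep -i -m1 "^[[:space:]*]*$2:" "$1" 2>/dev/null | cut -d: -f2- | tr -d '\r' |
        sed 's/^[[:space:]]*//; s/[[:space:]]*$//'
}

# Return 0 when the stable tag points at a real tag folder whose plugin
# header agrees; 1 = stable tag missing or "trunk", 2 = tag folder missing,
# 3 = version in the tagged plugin file does not match.
check_release() {  # check_release <checkout dir> <main plugin file name>
    local root=$1 main=$2 stable tagged
    stable=$(header_value "$root/trunk/readme.txt" "Stable tag")
    if [ -z "$stable" ] || [ "$stable" = "trunk" ]; then
        echo "FAIL: Stable tag is '${stable:-missing}'; point it at a tags/ folder"
        return 1
    fi
    if [ ! -d "$root/tags/$stable" ]; then
        echo "FAIL: readme says stable is $stable but tags/$stable does not exist"
        return 2
    fi
    tagged=$(header_value "$root/tags/$stable/$main" "Version")
    if [ "$tagged" != "$stable" ]; then
        echo "FAIL: tags/$stable/$main declares Version '$tagged', expected $stable"
        return 3
    fi
    # Trunk may legitimately be ahead of the stable tag (development version).
    echo "OK: stable $stable is tagged; trunk is at $(header_value "$root/trunk/$main" "Version")"
}

# Constructed sample checkout: 1.2.2 is tagged and stable, trunk holds 1.2.3.
make_sample_checkout() {
    local root
    root=$(mktemp -d)
    mkdir -p "$root/trunk" "$root/tags/1.2.2"
    printf '=== Example Plugin ===\nStable tag: 1.2.2\n' > "$root/trunk/readme.txt"
    printf '<?php\n/**\n * Plugin Name: Example Plugin\n * Version: 1.2.3\n */\n' \
        > "$root/trunk/example-plugin.php"
    printf '<?php\n/**\n * Plugin Name: Example Plugin\n * Version: 1.2.2\n */\n' \
        > "$root/tags/1.2.2/example-plugin.php"
    cp "$root/trunk/readme.txt" "$root/tags/1.2.2/readme.txt"
    echo "$root"
}

demo=$(make_sample_checkout)
check_release "$demo" example-plugin.php
rm -rf "$demo"
```

Exit code 2 is the accidental-release case: the readme names a version that was never copied into tags/.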

#release, #svn, #tags

Reminder: Trademarked Logos Cannot Be Used In Banners/Icons

tl;dr: Using someone else’s trademarked logo in your plugin icons or banners is a trademark violation, and they have the right to have us remove your plugin at any time.

We’ve posted about this before, and it’s apparently time for a reminder. Logos for brands are generally trademarked. Those logos cannot be used in your plugin’s banners or icons unless you have their express permission.

Trademark infringement is the unauthorized use of someone else’s registered trademark. This means you are using their logos without permission. When we talk about misuse, it’s more clear to think about it in terms of physical products. Let’s say you make electronic gizmos and they happen to work with MacOS. If you put Apple’s logo on your products, you would be infringing on their trademark. Basically you’re misrepresenting yourself in a way that implies or suggests that the trademark owner approves of your work when this is not true.

If you got an email from us (either a warning or a closure notice) about this sort of matter, please address it promptly. Check your banners and icons, and your display names, to make sure you aren’t in violation. Remove all trademarked logos from your plugin banners and icons (yes, even social media ones), and make sure it’s clear that your plugin is not an official plugin (unless it is, and then you don’t have to worry).

Some quick questions:

Why do trademark owners care?

Trademark owners who do not protect their trademark usage end up being unable to enforce it legally later on. So it’s in their best interests to monitor the use and prevent misuse. Also, customers often get confused about the origin of the plugins, and will complain to the wrong people if there’s an issue. Finally, you are essentially profiting from the goodwill that the trademark owner has generated.

Who actually complains to [company] about a 3rd party plugin!?

A lot of people, actually. A high number of people complain to companies and the companies come back to us and say we’re encouraging the behavior which causes confusion with users and a loss of trust in the trademark owners. After all, if your unofficial plugin breaks someone’s site, and they blame the trademark owner? Well that wasn’t fair at all.

Why are other people getting away with it?

They aren’t. They’re just living on borrowed time, as the saying goes.

We’re getting close to 100k plugins. They are all monitored by humans (not automated for this one yet) and a human has to check if you had permission or not, if you’ve been warned or not, if your plugin merits a grace period or not, and if the trademark owner has officially demanded we close your plugin immediately. Plus a large number of people argue about this, which eats up time. We do things in batches to try and stay sane.

Also … we strongly recommend you never use that excuse. It makes you sound like ‘sour grapes’ or childish to argue that someone else didn’t get caught yet, so you should be allowed to keep breaking the rules. That just makes this process take longer for everyone.

I reported someone, but you didn’t do anything! Why not?

Unless it’s your trademark, we generally don’t do anything right away because, again, we have close to 100,000 plugins. The number of violations is high, and in order not to ‘play favorites’ we do them in the order we’ve got them. We don’t bump people higher (or lower) on the list just because someone complained or is our friend. That would be terribly unfair!

If it was your trademark, we probably did bump them to the top of the list. We do try to get the developers to fix things before we close (especially for larger plugins that would have a massive negative impact on the community), but this isn’t always possible.

Isn’t it fair-use to use social media logos for related plugins?

No. Besides the fact that ‘fair use’ doesn’t apply to trademarks, it’s a matter of how you’re using it. Social media companies usually give permission to use their logos on your website as a direct link to your presence on their ecosystem. So a bird links you to Twitter. However. That is not the same as using a logo for advertising which is what many of them consider banners and icons to be. Their argument is that WordPress.org is not your site. We’ve argued about this, but some companies have slapped us with legal threats so there we are.

What about screenshots?

Some trademark owners demand we prevent that too, some don’t. I wish we had a clearer answer here, but just to grab an example, there is a certain social media company who doesn’t want to see you use the logos in screenshots. Meanwhile, there are other credit card companies who don’t mind. Keeping track of those is incredibly hard! We recommend you not use them in screenshots.

What if I redraw my own version of the logos?

Then you’re probably going to get a legal demand from the owner to stop because you broke their usage guidelines for the logo. We should note here, when you intentionally try to get around trademark law, you are effectively confessing guilt. You know what you’re supposed to be doing and you’re actively trying to get away with something? The trademark lawyers will be able to take you down in seconds.

How can I promote my plugin’s associations without violating?

First and foremost, the directory isn’t for promoting anything, it’s for listing. If you’re doing all this to basically be a big “Click Here!” method, you’re going about it the wrong way.

Now if you’re really asking “How can I improve my usage by getting people to click on my plugin?” then you start by making a great banner that is memorable.

Stop treating a banner or an icon as a billboard. You don’t need to show off what your plugin can do, you need to be memorable and noticeable. The best banners are the ones that stick in people’s minds, and the odds are not a single person remembers “Oh you’re the one with the logos in this order…”

But no, you don’t need all the examples of the possible social media uses on your plugin banner.

What about Display Names?

In general, you can use “For [Trademark]” in your display name. There are some vendors who are particular and won’t even let you do that. We do our best to try and warn you ahead of time, but sometimes vendors change things on us without notification. Most are pretty cool about working out a plan so we don’t have to close plugins, some are not. I wish I had a better answer there.

#guidelines, #trademarks