Welcome to the official blog for the Plugins Team.
The team acts as gate-keepers and fresh eyes on newly submitted plugins, as well as reviewing any reported security or guideline violations.
As an important part of the internet, the WordPress community actively thinks about the security of the ecosystem. Community members, developers, specialized companies, and independent researchers all play a role in maintaining the security of the environment.
In the Plugins Team, we’re passionate not only about improving the tools we already work with, but also about making them public so the community can use them when developing and building plugins.
That’s why the Plugins Team, Performance Team, and Meta Team launched the Plugin Check plugin, a tool that runs checks on your plugin and generates a report so developers can apply proper security measures and improve the plugin overall.
On September 17th of 2024, we introduced automatic detection of issues for new plugins that fail to meet the minimum required checks. This feature provides developers with guidance on how to resolve these issues before the Plugins Team conducts a manual review.
This has helped improve the quality of plugin submissions before they even reach a human reviewer. Thanks to AI support during manual reviews using our Internal Scanner, plus the team’s effort to complete more reviews, the queue hasn’t grown despite receiving more than double the number of plugins compared to last year.
We are now running Plugin Check for ALL plugin updates, both new and already approved.
Since Monday, October 27th, thanks to the Meta team, we’ve implemented automatic detection on wordpress.org for issues related to security, compatibility and compliance.
Right now, this information is available internally for the team, who will evaluate it and send reports to authors as needed. During this phase, we will observe how Plugin Check (PCP) behaves during updates and we will improve it as we see fit.
Once we’ve evaluated the performance of PCP with plugin updates, the goal is to deliver via email a security report to authors right after they update their plugin. Our aim is to promote and maintain good development practices across the entire WordPress ecosystem.
To wrap up: this week marks a small but meaningful step forward in improving the security of plugins hosted on wordpress.org. We look forward to the community taking this opportunity to double-check their plugins when sending an update – or even before.
This post was written by David Perez and reviewed by Francisco Torres.