One At A Time

As of last week, plugin uploads are restricted to one at a time.

That means if you have a plugin in the queue, be it submitted for review, in review, or pending your reply, you may not submit a second plugin. You have to finish your first one (or ask us to reject it) before you can move on.

This is not for the same reason that Themes does it. To whit, you’re not restricted to keep the queue low (ours is usually only a 3 to 7 day backlog anyway). You’re all being restricted because people aren’t finishing reviews, and it’s become a drain on resources.

We have over 700 reviews waiting on the developer to get back to us.

Now some of those are cases where people lost the email, or missed it somehow. Other people get the email and don’t know what to do or decide it’s too much work to fix all the things. And worse, some people decided that they’d get the review and never use the directory. In order to prevent this sort of abuse, and the disrespect to everyone else who actually finishes a review and uses the hosting we provide, everyone’s being restricted.

This should not be onerous. We have a tiny backlog. To the point that some people get rather rude when they don’t get a reply in 36 hours. And yes, that’s exactly as annoying as you think it is.

One review at a time. One plugin at a time. Please give us at least 5 business days to reply to emails.

By the way. If you’ve submitted a plugin within the last 7 days and haven’t gotten a reply, check your spam because I promise, we ended Friday with an empty queue.

Concept: A Developer Dashboard

One of the ideas that came from WCEU was a centralized dashboard for plugin developers. A place they could go to see all their plugins, and the current status on these plugins. What follows is concept art of what that kind of dashboard may look like.

This is something I dreamed up in Nacin’s talk about the government. This idea has no code backing behind it.

So why am I posting it? I’d like to hear people’s thoughts on this. What do you think would work or won’t work? Too much automation or not enough? Do you actually already HAVE this code written and want to share? Here is a zip of the Balsamiq Mockup: WP-Developer-Dashboard.bmpr_.zip – You know the drill. Edits welcome!

Concept Art

Goals

  • Make a centralized location for developers to manage their plugins

That’s really it. Making this public means a question of moving the ‘advanced’ tab to this page, and would it be duplicating data unnecessarily? In a way, it would move the developer page here as well, leaving only that which is controlled by the readme left on the readme. But then again, jumping between urls could be a mess. I don’t know. That’s why it’s a concept.

Also it should be easier for a developer to contact the plugin team when they have issues. And yes, the communication would be public, unless a comment is flagged as ‘security.’ Again, no code at all exists to make this a reality.

What’s Missing

There’s no contact form for a closed plugin. There should be. But this is really just concept art and starting to get an idea of what may work.

There’s also a dearth of data on the main dashboard page. That could lift from plugins like WP Dev Dashboard or WP Developers Homepage to fill in data. That’s the same general concept of what we’d want on the Support page (which you’ll notice is also left missing).

Misc. Thoughts

One of the stated goals we have is to allow everyone to leave a review on a plugin, with regards to the reviews before approval. In doing so, those reviews and all discussions about a plugin would need to be public. This is not necessarily a bad thing, though it will lead to some developers thinking long and hard about how they address issues in public. My concerns are that people who continually make the same error or neglect to fix something will be publicly embarrassed, but also that a free-for-all with reviews would lead to developers not wanting to host code here due to public backlash.

However, it’s been pointed out to me that coddling developers as much as we do may be causing them more harm in the long run. We do spend an inordinate amount of time hand-holding people who don’t want to take the time to read and think through a debugging process. Certainly we don’t mind helping out people who are brand new, or who aren’t native English speakers. But they’re vastly the minority of people who act the goat in our emails. And generally, they’re very respectful and nice.

Right now, my gut feeling is that there should still be a private way to talk about security issues.

But behavioural ones? They can be handled in public. It may stop people from some of the name-calling.

Reminder: Research Before You Sell Out

Are you thinking of selling your plugin? Did someone offer you money to put a link to their sites in your readme or wp-admin settings page?

STOP. THINK. BE CAUTIOUS.

I’m sure most of you are aware of the recent bad behaviour that’s gone on with regards to unscrupulous people purchasing plugins and using them to leverage malware, spam, and backdoors. While we would never tell you that it’s wrong to sell the plugins (they’re yours after all), we do want to help you recognize the warning signs of a bad-faith purchase.

Above all, if anything in the process makes you nervous and feel like something is wrong, call the deal off. You can email us at plugins@wordpress.org and we can help vet the buyer for you.

But remember this: The primary reason people want to buy ‘popular’ plugins is to use it to spam.

Signs To Watch Out For

Here are some basic red-flags:

  • You get an unsolicited email that reads like a generic form
  • The offer includes different prices based on how many people use the plugin (i.e. $500 for every 1000 users)
  • The amount offered seems to be rather high ($50,000 USD for a plugin)
  • The offer comes from a company who claims to be purchasing a ‘suite’ or ‘collection’ of plugins
  • They want you to sign an NDA, and not talk about the purchase
  • They don’t offer to show you an improvement of the code right away
  • They have (or plan to have) a special domain and user account just for this plugin
  • They have a brand new (less than a year old) account on WordPress.org with no other plugins
  • They have no visible, active participation in the WordPress community (forums, plugins, themes, WordCamps, etc)

Do Your Homework

When people come to us asking to adopt plugins, we vet them. We look at the code first. If there’s no new version of the code, with fixes, we don’t even consider it. If the prospective buyer of your plugin can’t show you how they’ll update it, don’t do it. Period.

No matter what you must do the work to vet these people. Ask them serious questions. How do they plan to handle support and reviews? How familiar are they with the directory guidelines? Do they already know how to use SVN? How will they take care of your existing users?

Review their code. Sit down and look over every single line of code and make sure it’s safe and well written. If you see base64 and it’s not for images, tell them no. If you see them phoning home, tell them no. If you see them doing things in an insecure way, tell them no.

At the end of the day, what they do is going to reflect on YOU, and your reputation could suffer.

Many times, good developers find their names dragged through the mud when a plugin they own is purchased by people who do horrible things with their code. Make absolutely certain, beyond shadow of a doubt, that they understand what owning the plugin means, and that they must abide by all the plugin and forum guidelines.

Worst Case Scenario

If we find out you sold your plugin to someone who does evil with it, the odds are you won’t get that plugin back. Among other reasons, you sold it. To have you take someone’s money for the access, and then give it back to you, would be tantamount to theft. At the very least, it would be a bad-faith action on our part. Once you sell a plugin, accept the money, and your access is removed, that’s it. You’ve indicated you’re done with it, and we will enforce that.

This means if evil is done and we need to fix the plugin, we’ll roll it back to a safe version, remove everyone’s access, and disable the plugin permanently. That will it will push a final update, but no one new can install it. We feel that once a plugin has been sold and used like that, it’s near impossible to recover any reputation, and it’s better for the community to walk away.

Should You Sell Your Plugins?

The directory was never intended to be a sales marketplace, and it’s unlikely it will ever be one. If your deepest wish is to make a super popular plugin and sell it for gobs of money, this is probably not the place for you. Selling your plugin is a chancy business, and it’s hard to make money legitimately on a free plugin. After all, they can legally just fork it and make a new one.

You certainly can sell your plugins, but sell it smartly. At the end of the day, it may be better to retire a plugin than sell it or give it away to someone you’re not sure will do good.

#notice, #warning

Is your filter going to break the layout?

If you’re not clear about the difference between WordPress actions and filters, you may end up breaking the page layout of WordPress – maybe days, months, or even years after you’ve written and implemented a new filter hook.

The difference can be difficult for new developers to grasp – after all, hooking an action or filter runs your code, either way, right? Well, yes, it does, but filters can be executed several times, in different locations as the webpage is being built (header, body, footer, etc.), and even in the admin back-end. More importantly, filters do not send anything to the webpage! Filter hooks receive their data / text as an argument, and then “return” the modified (or original) data / text at the end. They do not use “echo”, “print”, “printf”, etc. – they should not send anything to the webpage. If you need to output something directly to the webpage, use an action – that’s what they’re for.

Continue reading

#action, #doingitwrong, #filter, #hook, #output

Minimum PHP Version Requirement

Not all plugins can work on PHP 5.2, like WordPress core currently does. Not all plugin developers want to support PHP 5.2, like core does. As a project, WordPress would like to move forward and encourage people to use more recent PHP versions.

As one of the first steps to reach that goal, plugin authors can now specify a minimum required PHP version for their plugin in readme.txt file with a new Requires PHP header:


=== Plugin Name ===
Contributors: (this should be a list of wordpress.org userid's)
Donate link: http://example.com/
Tags: comments, spam
Requires at least: 4.6
Tested up to: 4.8
Requires PHP: 5.6
Stable tag: 4.3
License: GPLv2 or later
License URI: https://www.gnu.org/licenses/gpl-2.0.html

Users will see this displayed in the plugin directory, like this:

Screenshot of the Requires PHP Version line on plugin page

As a next step, the WordPress core team is going look into showing users a notice that they cannot install a certain plugin or theme because their install does not meet the required criteria, with some user-oriented and host-specific instructions on how to switch their site to a newer PHP version.

If you have any feedback on the subject, please leave a comment or join the next PHP meeting in #core-php channel on Slack.

Plugin Support Reps

Some of the larger plugin shops have a support team to help out on the forums. It would be useful to be able to give those people a special “support rep” role on the forums so they could be recognized as such.

Support representatives can mark forum topics as resolved or sticky (same as plugin authors and contributors), but don’t have commit access to the plugin.

The UI for managing plugin support reps can be found in Advanced View on the plugin page, next to managing committers:

Screenshot of the UI for managing support reps

Once someone is added as a support rep, they will get a Plugin Support badge when replying to the plugin support topics or reviews:

Screenshot of Plugin Support badge on the forums

Hello everyone, some of you…

Hello everyone, some of you will have the following email in your inbox:

Your password on WordPress.org has been deactivated, and you need to reset it to log in again.

We recently discovered your login credentials in a list of compromised emails and passwords published by a group of security researchers. This list was not generated as the result of any exploit on WordPress.org, but rather someone gaining access to the email & password combination you also used on another service.

To reset your password and get access to your account, please follow these steps:
1. Go to login.wordpress.org
2. Click on the link “Lost your password?”
3. Enter your WordPress.org username:
4. Click the “Get New Password” button

It is very important that your password be unique. Using the same password on different web sites increases the risk of your account being hacked.

If you have any further questions or trouble resetting your password, please reply to this message to get help from our support team. We will never ask you to supply your account password via email.

At this point we don’t have a reason to believe any accounts have been compromised, but out of an abundance of caution passwords are proactively disabled just to make sure.

If you have any questions don’t hesitate to post them in the comments.

[EDIT]: Updated the list typo to now go in order.

[EDIT]: Comments are closed. Reply to the email folks.

Please do not submit frameworks

Note: We are aware that some frameworks are current in the repository. We are asking you not submit any NEW at this time.

This isn’t a new ‘rule.’ It’s not a secret one either. It’s not listed in the guidelines specifically because any attempt to lay down each and every reason a plugin shouldn’t be in the repository just ends in people rule-lawyering. Should we have to tell people “Don’t ask users to write to your plugin files”? No. That should be self-evident. A plugin gets replaced when it’s upgraded, so writing to plugin files means the changes get destroyed. And in many ways, that’s our problem here.

The issue is as follows: Having a framework as a plugin is a poor experience for the user. Not the developer. The user. The user understands “I have an add-on for WooCommerce, I probably need Woo.” They do not always understand “I have plugin Slider Joe. Why do I need Advanced Custom Fields?” In addition, by having a library as a plugin, the onus of version compatibility is now on the person least likely to understand it: the user.

The plugin repository is not, currently, a library or framework repository. It’s not meant like the NPM package manager, or even Composer as a way to define what a plugin ‘needs’ in the same ways for a developer to build a project. The plugin repository is, plain and simple, meant for plugins that users will find useful. Plugins that add functionality to WordPress in a directly inter-actable way.

We don’t allow people to add javascript or fonts on their own to the repository and, I suspect, most of you would nod and say “Well of course not. A font and javascript should be included in the plugin or theme!” We feel the same way about most full blown library and framework plugins too. The user doesn’t need to know or care about the libraries. They shouldn’t be expected to be responsible for it.

At this time, we are not accepting frameworks as we don’t feel frameworks, boilerplates, and libraries are appropriate for the Plugins Directory. We require that plugins be useful in and of themselves (even if only being a portal to an external service). And while there are many benefits to frameworks and libraries, without plugin dependency support in core or the directory, it becomes another level of hassle for users.

The parade of likely support issues:

  • Not recognizing the framework plugin, and thus deleting it (causing the plugin(s) to break)
  • Not recognizing the framework plugin and thinking they’ve been hacked
  • Debugging drama, when we tell them to disable all their plugins and they find its a library problem
  • Updating the framework plugin separately from the dependent plugins, possibly leading to breakage
  • Updating a dependent plugin without updating the framework, possibly leading to breakage
  • Plugins not keeping up with library changes to the point that they break
  • Different plugins requiring different versions of the framework

And bearing in mind that the framework and plugin developers are different people, that’s another level of coordination/compatibility issues. A developer is (in theory) clever enough to write their plugin in a way that it includes the version of the library they need in a way that will not break everyone else. Of course, you developers know that’s a goal and not an absolute.

Frameworks and libraries should be packaged with each plugin (hopefully in a way that doesn’t conflict with other plugins using the framework or libraries). At least until core supports plugin dependencies.

Making this messier is the fact that once a library is in the repository, you shouldn’t put it in your plugin anymore. Why not? Well what happens if they install a library as a plugin, while having the library inside a plugin already? Which one takes precedent? What happens when they’re out of sync and so on? See the goal up above that isn’t an absolute. It gets even messier.

A library is a library, and should be in the plugin, not separate.

Maybe one day we’ll have proper plugin dependencies, but we simply are not there yet.

#directory, #reminder, #repository

2017 Community Summit Notes

The Plugin team is small but mighty. We had a very productive summit and contributor day this year, pushing forward some of the changes we’ve been working on for a while. The following notes are the product of the sessions as well as some hallway chats over red wine, gin, and cheese.

Notes:

  • Security issues in the new directory have to be corrected before new users can be added
  • We intend to open reviews by everyone (yes, everyone) with a .org account
  • Plugin Closures will be documented and then reported on
  • Plugin Check code revisited – What can we catch as a ‘before a human reviews’
  • Similar but not identical plugins will continue to be accepted
  • We need to allow frameworks in, but we have to do so safely to protect developers from hate-reviews when someone deletes a required framework

To Do:

  • Design a ‘dashboard’ for people to check the status of their plugins (and themes)
  • Add more stats to the plugin page (or possibly move to the future dashboard…)
  • Replace SupportPress (our email client) with something that works (possibly Support Flow?)
  • Code out a way to publicly track why a plugin was closed (see Meta 2860 and 2627)
  • Determine if we want to backfill why 6500-ish plugins are currently closed (owwwww)
  • Determine the best way to track ‘dependancies’ (in lieu of 22316 ever getting traction …) so frameworks and add-on plugins can be clearly indicated and reduce errors
  • Incorporate theme review features such as a11y and i18n ready flags
  • Make sure the VVV repo for the meta environment is sufficient for more people to contribute (see Meta Env)
  • Hold ‘open office’ hours to discuss topics like developer tools, what stats are needed, frameworks etc

Most of that to-do is on me to at least get the tickets started, but if these are things you’re interested in, then I encourage you to come to the open office hours! I’m hoping to have the first in August, as I have July Vacations 🙂 Sorry, family first!

I’ll post more about what I plan to do with the open office hours soon, including topics and schedules.

#community-summit, #contributor-day

Reporting Plugin Issues

Note: I’ll be using Hello Dolly as my example ‘bad’ plugin for this post. It’s fine and not (to my knowledge) vulnerable.

There are a few reasons people report plugins but the main two are as follows:

  • Guideline violations
  • Security vulnerabilities

If you report a plugin, you can make everyone’s life easier if you do the following:

Verify that it’s still applicable

Before you do anything, check if the exploit is on the latest version of the code or not. If it’s not, we may not do anything about it, depending on how popular the plugin is.

Use a good subject line

“Plugin Vulnerability” is actually not good at all. “Plugin Vulnerability in Hello Dolly – 0 Day” is great.

Send it in plain text

SupportPress is a simple creature. It doesn’t like your fancy fonts and inline images. Attachments are fine, but we cannot read your ‘Replies in-line in red’ so just keep it simple.

Link to the plugin

https://wordpress.org/plugins/hello-dolly/

Yes, it’s that easy. Put the URL on it’s own line, no punctuation around it, for maximum compatibility. With over 35k plugins, and a lot with similar names, don’t assume, link.

If the plugin is not hosted on WordPress.org, I’m sorry, but there’s nothing we can do, so please don’t bother reporting it to us. We have no power there.

Explain the problem succinctly

Keep it simple.

“Hello Dolly has an XSS vulnerability” or “The Author of Hello Dolly is calling people names in the forums” or “Hello Dolly puts a link back to casino sites in your footer.”

Think of your intro like a tweet. Boil it down to the absolutely basic ‘this is what’s wrong.’

Keep the details clear

If someone’s acting up in the forums, link to the forum threads.

If you know that on line 53, the plugin has a vulnerability (or a link back to that casino site), then you can actually link right to that line: https://plugins.trac.wordpress.org/browser/hello-dolly/tags/1.6/hello.php#L53

We love that. If you don’t have that line, it’s okay. Tell us exactly what you see. “When I activate the plugin using theme X, I see a link to a casino site by my ‘powered by WordPress’ link.” Perfect. Now we know where to look when we test.

Show us how to exploit it

Don’t ask us ‘Can I send you an exploit?’ Just send us all the information. If the exploit’s already up online, like on Secunia, link us to it.

If you know exactly how to exploit it, tell us with a walk through. If the walkthrough involves a lot of weird code, you may want to consider using a PDF.

We’re going to take that information and, often, pass it on directly to the developers.

Tell us if you want them to have your contact info

We default to not passing it on, out of privacy, so “If the developer needs more help, I can be reached at…” is nice. Even “You can give the developer my information so they can credit me…”

We’re probably not going to follow up with you

We love the report, we review them, but we’re not going to loop you back in and tell you everything that’s going on for one very simple reason. We don’t have the time. If you told us to give the dev your contact info, then we did, but we don’t have any way to promise they will, and we don’t have the time to play middle management.

Emailing us over and over asking for status gets your emails deleted. It’s not personal, it’s seriously a time issue. We’re nothing more than gatekeepers, we are not a security company and we’re not equipped for keeping everyone up to date. We don’t have an administrative assistant to handle that. We work with the developer to fix the issue and we work with the .org team to see if we need to force update the plugin, and that takes a lot of time.

We don’t do bounties

This is a little interesting but basically we’re not going to pay you. A lot of people ask for ‘credit’ so they can ‘earn’ a bounty, and that’s cool, but we’re not going to report that for you. Generally if you say you want a bounty, we give your info to the plugin dev, though, so they do know you’re interested.

How do you report?

You can report plugins by emailing plugins@wordpress.org

That’s it 🙂 Thanks!

#repository, #security