Update: Turning the Tide

Currently there are 1,241 plugins awaiting review.

We are painstakingly aware of this. We check that number every day and realise how this delay is affecting plugin authors. We are sharing an update to let you know what we are doing, not just to fix the current situation, but also to prevent a similar scenario in the future.

New Team Members

We have three new people in the team: Gustavo Bordoni, Gagan Deep Singh & Rob Rawley (thank you!) and we are still reviewing submissions. The experience we have gained onboarding two rounds of new team members, added to the fact that we now have a system in place, means that it will be a lot easier to repeat this process in the future.

Since we have 40+ submissions at this point, we are planning to close the “Apply to join the team” form at the end of September. If you are planning to apply to join the team, please do so before Oct 1st. We would like to extend our gratitude to all those who have taken a step forward and volunteered to join the team.

Self-reviews

We have also started emailing plugin authors whose plugins are currently in the queue and asked them to self-check their plugins to ensure they meet basic security standards. We find ourselves correcting the same three or four errors on +95% of plugins and this is not a good use of our time. Once authors confirm that their plugins meet these basic requirements, we will proceed with the review.

We want to thank those of you who are receiving these emails for your collaboration, as it will allow us to tackle the current backlog a lot faster.

Plugin Check plugin

In the same vein, we have just released a Plugin Check plugin (PCP) to the WP.org as a regular plugin. This plugin will allow authors to self-review their plugins automatically and will provide them with feedback and links to fix common errors.

Once the PCP is merged with this other plugin that the Performance team has been working on, it will provide checks for a lot of other things. When this is completed, we will be in a better spot to take in feedback and make improvements.

In the short term, we are going to ask authors to test their plugins using the PCP before submitting them, but our goal is to integrate the plugin as part of the submission process and run automated checks.

The Plugin Check plugin has been released as a regular repo plugin. Running it will become a requirement soon, please take a look now.

Security Reports

We have made significant progress with the security reports backlog, and we are hoping to clear that queue in a matter of days. This will mean more hands available to focus on new plugin reviews and other tasks. We have also made some progress regarding the methods and formats in which researchers submit their reports which, in turn, reduces the amount of time required to process these reports.

Bailing Water Vs Fixing the Leak

If you indulge me to share a sailing metaphor: When your boat has a leak, it is more effective to prioritize fixing the source of the leak rather than solely focusing on bailing out water, even though to external observers, it might appear as if no progress is being made. Bailing water can provide temporary relief and may give the appearance of actively addressing the issue, but it is essentially a band-aid solution that requires continuous effort.

During the last 6 months, the Plugin review team has worked on documenting its processes, training new members and improving its tools. Now, thanks to your patience and support, the tide is about to turn.

#update

Tackling team challenges together

TLDR: New team reps selected; strategies for working through the plugin backlog; solid show of interest in joining the team.

The last few months since Mika announced she was stepping down from the team have been very exciting (and busy!) for all the new team members (@davidperez, @eherman24, @frantorres, @lukecarbis, @martatorre and @pacomarchante), and we wanted to share an update with you. 

The first couple of weeks were a bit nerve-wracking. We were daunted by the complexity of the task, the responsibility it entails, and the sheer volume of plugins that needed to be reviewed. But over time, we’ve become more comfortable with the processes and routines of plugin review.  We are very grateful we got all the support we needed from Mika, @otto42, @dd32, @zoonini, @mrfoxtalbot, and other contributors during this period. 

We’re also pleased to announce that after some discussion, Francisco Torres & Paco Marchante will be the new team reps. 

The challenges

When you start working on plugin reviews it suddenly strikes you how tremendously efficient Mika was at doing this. In the last year alone, she reviewed 5297 new plugins (that’s around 100 plugins per week). You have to take into account that most of the plugins the team receives require a back-and-forth of several emails before the plugin can be approved.

Fortunately, the team is quickly picking up its pace at reviewing plugins. At first, it would take us 2 hours to review each plugin, then 1 hour, and now we are down to 10-20 minutes for an initial review. It is important to remember that reviewing plugins is not just looking at the code, we also need to check for other things such as trademark violations and other guidelines regarding compliance.

Aside from plugin reviews, the team takes care of several other tasks: we review reports of guideline violations, reply to requests about closing or reassigning ownership of plugins, respond to questions in the #pluginreview Slack channel, work with the security team to address vulnerabilities, and send out (and monitor) pre-release emails to ensure all plugin authors are still reachable at their regular email address. We have spent a lot of time documenting and streamlining these tasks.

Solving these challenges

The first challenge we found during our onboarding was the fact that a lot of processes were not clearly documented. We asked A LOT of questions during this process and ensured that all the answers Mika shared with us were added to the team’s internal docs. This effort should make it a lot easier for new contributors to join the team down the road.

We have also improved our internal tools to catch the most common coding mistakes and have built our predefined responses into the output provided by this tool. We still review this content manually before sending out replies, but by merging the two tasks into one (reviewing the code and drafting the message) we have been able to cut down review time considerably.

Another thing we decided to do was speed up our first reviews. As it turns out, about half of all plugin authors don’t reply to the initial review email with feedback on what they need to fix. In order to tackle the backlog faster, we’re now spending less time on initial reviews. We begin checking issues that take us less time, and then as soon as we spot one or two issues with the plugin that would prevent it from being approved, we email the plugin author to ask them to fix the initial issues. If the author gets back to us with those first fixes, then we proceed with an in-depth review.

20+ Submissions

When the team was announced, an application form was created for those considering joining the team. We are excited to announce that we have received more than 20 submissions from generous contributors wanting to help. We are currently reviewing them and our goal is to expand the team in the near future.


To recap, we are making our best effort to reduce the current backlog by improving our tools and expanding the team. Our goal is to lower the waiting period significantly over the next few months. We sincerely want to thank you all for your patience and understanding during this transition period. 

#update

Plugin Review Team Update: The next phase begins

tl;dr My time on the Plugin Review team is ending. Meet the new members, and check out the application to join the team.

The time has come. As outlined in several other posts over the last few months (March, May), I’m stepping down from the Plugin Review team. It’s been a fun and wild ride for the last decade as the rep, and before that as someone who annoyed Otto until he made me learn how to properly review.

After several months of onboarding, I’m excited to welcome six new and enthusiastic team members: David Pérez, Evan Herman, Francisco Torres, Luke Carbis, Marta Torre, and Paco Marchante. These sponsored volunteers – a group of experienced WordPress developers from around the globe – are contributing over 50 hours a week to the project. 

Plugin Review across the WordPress project is a big task. We know we hit a pretty rough backlog, and even as the new team members start to catch up and shorten the queue, more folks are needed to help. If you have at least five hours a week to devote to the team and would like to join in the Plugin Review effort, you’re welcome to submit an application.

Given the nature of the work the team does, joining this team is a little different than some of the others: each new member will go through a vetting process by current team members before being selected. Some of the things the team is looking for are: a solid track record as a plugin developer; the ability to communicate clearly, kindly and constructively – both with other developers and users; interest in improving tools and processes; and excellent collaborative and conflict-management skills. 

If you think this describes you, check out the submission form.

Stay tuned for more team news soon, including the announcement of the new team rep.

@zoonini contributed to this post.

#onboarding, #update

Plugin Review Team Update

tl;dr An update on the team which is a lot of onboarding, making tools work for multiple people at once, and more documentation than you can shake a stick at.

As much of the WordPress community knows by now, I will be stepping down soon, after over a dozen years (wow) of being part of the Plugin Review Team, including ten years as team rep.

During this transitional period, the Plugin Review team has been working on onboarding new members – and at the same time, on documenting the onboarding process itself. 

New team members

Given the need for the new team members to get up and running relatively quickly, the plugin review team invited contributors who have experience with plugins and code to join the team, thanks to recommendations from many community members. These contributors were vetted for good standing in the WordPress project, confirmed that they had the required skill set to review plugins and would respect the required level of security and confidentiality needed, and agreed to help refine the onboarding process to the Plugin Review team. 

There are now five new plugin team members at various stages of the onboarding process. Since the team is still in transition, we wanted to give people a chance to finish their onboarding and decide if the Plugin Review team is a good fit for them. This will avoid putting volunteers in the spotlight before they commit to this important and challenging role. 

Once plugin team members are fully onboarded, their names will be shared in the Plugin Review handbook.  

Documentation and onboarding 

The current team, alongside new members, has been collaboratively reviewing all existing public and private plugin documentation, making sure everything is clear, filling in any gaps that exist, and adding information about undocumented tools and processes.

At the same time, the team compiled an onboarding checklist, which is being used to help new members get up and running. While the first new team members go through the onboarding process and start handling initial tasks – such as looking at the bounced emails queue and reviewing their first plugins – they will also help to improve  the onboarding checklist and process documentation. Their experience will be very valuable in paving the path for future team members, making it easier to expand the team and delegate tasks more efficiently.

Tooling 

In addition to training new members, documenting processes, and developing a sustainable onboarding plan, folks from the Meta team have been working on tooling enhancements to help make plugin reviews more efficient and “portable.” For example, the home-grown scanner script that’s been used by me until now is being converted to a flexible web-based version, which will be simpler to maintain for multiple reviewers.

Other enhancements include:

Next steps

The Plugin Review team is focused on making the onboarding process smooth, documenting its workflows, improving its collaboration tools, and helping new members get familiar with all the necessary tasks.

We hope that all these improvements in tools and workflows will make it easier to recruit more people and scale up the team. This should in turn reduce the time plugin authors need to wait to have their plugins reviewed and approved.

So, what’s next?

Once the team is ready, we’ll make another post to announce the new members, propose a plan for vetting and onboarding additional members in the future, and open applications to join the team.

Massive thanks to the following people, who helped write this post: @angelasjin, @mrfoxtalbot, @sereedmedia, and @zoonini.

#notice, #onboarding, #update

Advance Notice of Retirement

tl;dr: I will be stepping down from plugin reviews by 1 July, 2023.

I will be stepping down from plugin reviews this year. I have been a part of this team for over a decade (and the rep for the majority of the time) and recognize a departure like this can be confusing, and could cause people to jump to a whole lot of assumptions about the why.

This is a personal decision and has nothing to do with my passion for WordPress. It is a 100% personal, non-WordPress related, decision I made long ago (I told the team in July ’22). Suffice to say there is life ‘stuff’ going on and I cannot devote the time I once could to plugin reviews.

Many people have noticed and complained, with varying degrees of empathy, about the sudden uptick in delays with reviews (be they new plugins or security related). Those delays are directly related to that ‘stuff’ going on. I simply am not available as much as I was, and out of fairness to myself and the community, it’s time for me to retire from plugins.

We’re trying to figure out an onboarding doc, some demo plugins to help people test, getting people in a place where they can fill in the gaps. But this is not a fast process. We’ve actually never had real onboarding (I was thrown into the fire when I stepped in), and it’s going to be a challenge to get a team to the place where they have as much weird plugin knowledge and gotchas as I have from my 10 years of experience.

There will absolutely be a learning curve for the people who step in after me. Things will be missed, things will be confusing, and mistakes will happen. I ask everyone be kind and patient.

I understand it became a one-woman show and I apologize for not asking for help and stepping down sooner before it became a crisis. At that point, it was impossible to set up a flag for help without causing these kinds of delays. But things like this happen out of your control, even when you plan. None of us expected the world to spiral like it did in 2019/20.

What’s next for me and WordPress? Writing and managing my plugins, developing code, and being around for some questions. I won’t vanish in the night, but after a decade? I think it will be good for us all to have someone fresh in there.

Some quick answers:

  • I’m not sick or dying.
  • We don’t have an announcement of the new rep.
  • We are still working on onboarding and figuring that out.
  • We have reached out to people and they are actively being onboarded right now.

So again, I ask we all please be patient with all the changes coming. Once we sort out onboarding, we hope to be able to invite even more people, just like you, to the team!

#announcement, #team-reps

Use of Code Generators Must Remain GPL Compatible

tl;dr – If you use a tool to generate code (be that a website that generates settings pages, or something complex like an AI to build the whole plugin), remember that YOU are responsible for licensing.

All code hosted on WordPress.org has to be GPL Compatible. This is not in doubt. More and more people are using tools to build code for them, based on bare-bones input. With the advent of ChatGPT, this has become more popular.

To be clear here: There is no guideline AGAINST using generated code.

You’re welcome to use whatever tool you want to build plugins. That said, you are 100% responsible for that code if you chose to host it here. This is not a change to any guideline, merely a reminder that if you claim it’s your code, you are responsible for it.

But the important bit here is that it means if ChatGPT, for example, built your plugin, you have to verify that all the code used is GPL compatible. Just like you are expected to validate licenses on libraries and code-snippets, everything in your plugin has to be GPL compatible. Should we determine that your code is a copy of someone else’s or includes code from non-GPL plugins, your submission will be rejected and any live plugins will be closed.

Sadly this has already become a small issue, as people asked an AI to build a ‘scroll to top’ plugin and it literally copied code from another, existing, plugin hosted on WordPress.org. Actually five times. And they were all rejected since it was pretty obvious.

Now before someone asks, yes it’s fine to fork code. You have to credit them, however, and that’s something those AIs have been pretty bad at doing. Also remember that the AI can tell you how to submit a plugin and be wrong. And by wrong I mean totally, 100%, that was really some bad advice someone got wrong. Make sure you double check. Robots won’t take our jobs yet.

If you submit code, it’s your responsibility. Nothing’s changed.

#guidelines, #reminder

Twitter API Changes

tl;dr: Twitter will begin charging for API access, possibly as early as the 9th of February. If your plugin integrates with the API (be it v1.1 or v2), PLEASE make sure you look into the changes and how they might impact you!

Yesterday Twitter announced it will be charging for access to the API.

Estimated cost is ~$100/month, with a requirement of a valid ID, however there is no information yet as to how much traffic that entails. Since information is not going to be provided until next week (giving everyone a whopping max 3 days to figure this out), I wanted to make sure everyone was as notified as can be.

This will likely impact:

  • Auto-posting
  • Login with Twitter
  • Analytics
  • Management Tools
  • Scripted Interactions (auto-blocking etc)

Access to search is already a pay-only service.

If your plugin (or the related service) does any of those, you will have to investigate if this change impacts you. If you are impacted, you will need to update (or close) your plugin accordingly. I know a lot of free plugins will have some hard choices to make here.

For plugin users, if a plugin suddenly breaks on/around the 9th, please be generous and kind to the developers. They really got blindsided by this, and it’s a lot to sort out in a short amount of time.

#api, #twitter

Looking for your (intentionally) wrong plugins

tl;dr: Do you have demo plugins that are dangerous on purpose? We want to see them!

One of the behind-the-scenes steps going on right now is figuring out HOW to onboard and make sure people are good at looking through plugins, finding the security/guideline issues, and can explain what they are and why they’re bad. While most of the explanation we have covered in pre-defined replies, you should know why something is wrong 🙂

In order to do this, we need some intentionally busted plugins so people can get experience in looking for ‘wrong’ in a safe situation.

By ‘wrong’ I mean…

  • Plugins that don’t sanitize/escape
  • Shortcodes not checking for validity/security
  • SQL prepare() issues
  • Using script tags instead of wp_enqueue()
  • Using curl/file_remote_get instead of the HTTP API
  • Trademarks (Starting your plugin name with “Microsoft” for example)

This is an incomplete list. I doubt anyone can make a plugin with 100% of all the things we look for since that changes nearly every day as people come up with new and inventive ways to be dangerous. Of course if you can, I’d love to see that too!

While we certainly can use some submitted/closed plugins for this, it would be nice to have a set of “These are some busted plugins to practice on”

I know some of you are clever folks and have things like that for fun, and right now, we want to see them! Email them (either zip or link to your repo) to plugins@wordpress.org with the subject “Demo Plugin for Reviewers” (we make heavy use of email filtering, so that subject is important!).

#community-support
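
As an added illustration (not part of the original post, and not the team's own scanner), the sketch below runs a few line-based heuristics over a constructed, deliberately flawed demo plugin covering four of the listed categories. The rule names, the regexes, the `scan` and `check_line` functions and the sample plugin are all assumptions made for this example; the fix hints name real WordPress functions.

```python
import re

# Constructed sample: a deliberately flawed demo plugin written for this example.
SAMPLE_PLUGIN = r'''<?php
/* Plugin Name: Demo Busted Plugin (constructed for this example) */
function dbp_greeting() {
    echo '<p>Hello ' . $_GET['name'] . '</p>';
}
function dbp_lookup( $id ) {
    global $wpdb;
    return $wpdb->get_results( "SELECT * FROM {$wpdb->posts} WHERE ID = $id" );
}
function dbp_footer() {
    echo '<script src="https://example.com/widget.js"></script>';
}
function dbp_fetch() {
    $ch = curl_init( 'https://example.com/api' );
    return curl_exec( $ch );
}
function dbp_safe() {
    global $wpdb;
    echo '<p>' . esc_html( sanitize_text_field( wp_unslash( $_GET['name'] ) ) ) . '</p>';
    return $wpdb->get_results( $wpdb->prepare( "SELECT * FROM {$wpdb->posts} WHERE ID = %d", 5 ) );
}
'''

# Heuristic patterns (assumptions of this example, not an official rule set).
ECHO_SUPERGLOBAL = re.compile(r"\b(echo|print)\b.*\$_(GET|POST|REQUEST|COOKIE|SERVER)\b")
ESCAPER = re.compile(r"\b(esc_\w+|wp_kses\w*)\s*\(")
QUERY_CALL = re.compile(r"\$wpdb->(query|get_results|get_var|get_row|get_col)\s*\(")
TABLE_PROP = re.compile(r"\{\$wpdb->\w+\}")       # e.g. {$wpdb->posts}, a table name
INTERPOLATED = re.compile(r'"[^"]*\$\w+[^"]*"')   # variable inside a double-quoted string
SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)
CURL_INIT = re.compile(r"\bcurl_init\s*\(")

FIX_HINTS = {
    "unescaped-output": "escape on output, e.g. esc_html() or esc_attr()",
    "sql-no-prepare": "pass user-influenced values through $wpdb->prepare()",
    "raw-script-tag": "register and load scripts with wp_enqueue_script()",
    "direct-curl": "use the WordPress HTTP API, e.g. wp_remote_get()",
}


def check_line(line):
    """Return the rule ids that a single line of PHP source trips."""
    hits = []
    # Request data echoed with no escaping function anywhere on the line.
    if ECHO_SUPERGLOBAL.search(line) and not ESCAPER.search(line):
        hits.append("unescaped-output")
    # Query method called without prepare() while a variable (other than a
    # $wpdb table property) is interpolated into the SQL string.
    if QUERY_CALL.search(line) and "prepare(" not in line:
        if INTERPOLATED.search(TABLE_PROP.sub("", line)):
            hits.append("sql-no-prepare")
    if SCRIPT_TAG.search(line):
        hits.append("raw-script-tag")
    if CURL_INIT.search(line):
        hits.append("direct-curl")
    return hits


def scan(source):
    """Return a list of (line_number, rule_id) findings for PHP source text."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for rule in check_line(line):
            findings.append((lineno, rule))
    return findings


if __name__ == "__main__":
    for lineno, rule in scan(SAMPLE_PLUGIN):
        print(f"line {lineno}: {rule}: {FIX_HINTS[rule]}")
```

Line-based regexes like these miss multi-line statements and data that flows through intermediate variables, so a clean result only means none of these four patterns appeared on a single line.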

Plugins/themes categorization

After State of the Word, you may have noticed a couple new things for plugins and themes.

Community plugin display example
Commercial plugin display example

This is the start of a broader categorization of plugins and themes. The eventual goal of which is to help users to better find plugins or themes that fit their needs.

Categories

So we started looking at basic categories for plugins and themes, and how we would integrate that into wordpress.org.

One thing we noticed immediately was that there are a lot of commercial plugins and themes. They’re not the majority, but there are a lot of them that have a lot of users.

The other thing we noticed was there were a lot of community based plugins and themes, which are open source on Github or some other repository system.

In both cases, it became very clear that we didn’t have any easy way to link back to those systems. We have support forums for all of the plugins, but we often get questions about the commercial version of a plugin. Similarly, we don’t have any obvious way to link back to a github, for example, to provide users a way to contribute to that community.

So we introduced a new taxonomy to our systems, and now plugins and theme authors can opt into it, if they want.

How to opt-in

To opt in a plugin or theme, email plugins@wordpress.org, or themes@wordpress.org, and simply ask to opt into it. This is a manual process for now. In the future, we will be adding a method for plugins and themes to do it themselves.

Once your plugin or theme is added, you will get a new feature (on the advanced tab for plugins, or at the bottom of the listing page for themes). For both cases, it’s a simple URL entry.

Example of the commercial URL setting on plugin pages.

For commercial, this will show up as a support link. For community, this will show up as a contribute link.

More to come…

And, of course, this is in no way final. We plan to use this and other categories in the future to improve the overall directory system as a whole. In what ways, we don’t exactly know just yet. We value your input, and look forward to seeing what ideas the community has. 🙂

#plugins, #themes

Reminder about Final Notices

tl;dr? If you get a final notice from the plugin team, please take it seriously. That really is you reaching your final chance with us.

There has been some confusion about what a ‘final notice’ means with regards to plugins or what it means to be banned.

The Plugin Team does not capriciously ban anyone. Actually we hate banning people. It’s a lot of work, it’s frustrating, it comes with anger no matter how we do it, and people always get hurt, especially users. That’s why we’ve established a warning system and do our best to ensure all developers are aware of infractions and allowed to course-correct.

What is a final warning?

A final warning, like it sounds, is an email with rather stern content telling you that you’re on your very last chance.

The plugin directory emails out final warnings to developers/companies/groups who have either demonstrated a repeatable, constant habit of violating guidelines, or who have committed an incredibly egregious violation. Those emails contain a reminder (usually in the form of a list of all existing problems) and a notice that if the plugins team has to contact them for any reason other than security related, the developer/company will be banned and all plugins closed.

If you keep making the same mistakes, and you keep violating forum, plugin, theme, WordCamp, or any other official guideline of WordPress.org, we will no longer host your plugins here. You would have repeatedly proven that you aren’t able (or willing) to follow the guidelines, and we feel it’s unfair to put the burden of monitoring you on the volunteers, as well as subject your users to that kind of behavior.

What happens after a final warning?

In general, people are quite responsive to those emails. They recognize the issue, modify their behavior, and it doesn’t come up ever again.

The warnings are a wake-up call as to the risks involved, as well as our expectations, and while they can scare people, it’s somewhat of a needed scare. By the time someone gets to that point, we have usually sent multiple warnings about various issues (be they fake reviews, asking for admin access, spamming users, or sharing developer accounts) prior to the final-notice, in the hopes that people will change their behavior before we have to get to the final notice.

Sadly, there are always people who don’t take those emails seriously, or think that if enough time has passed, the finality has faded and it’s okay to make the same mistakes and we will forget about it and forgive everything.

Why do people get banned after a final warning?

Given the size and scale of WordPress, it’s impractical to have to keep reminding people over and over that they actually do have to comply with the guidelines they agreed to, and it takes away time from frankly more important matters, like security.

Do people get warned first?

Most of the time, yes. The rare exception is if something is so terrible, we have to pull the plug right away. Usually that means someone snuck back in after being banned, or made a death threat.

But the majority of users get an email with the subject [WordPress.org Plugin Directory] Notice: (your plugin name) and that contains a warning of a specific behavior.

I got a warning about something. Is that a final warning?

Unless the email said “This is your final warning” then no.

We regularly warn people about issues, from trademark abuse to fake reviews. Those are just warnings. As long as they don’t repeat, we don’t have any issues. People make mistakes and it’s okay, as long as you learn from them and stop making them.

I’ve been mod-watched in the forums. Is that a warning?

No, not a plugin one. That just means the forum moderators are concerned about your actions and want to keep tabs on you. That could be anything from asking for admin access to swearing or jumping on other people’s topics all the time.

That said, if the forum team flags you like that, and you keep making the same mistakes, they may come to the plugin team for backup.

What kind of events cause a final warning?

Usually it’s not a single event, but a demonstrable pattern of violations. By that we mean the person(s) involved have broken many guidelines, over and over, for a sustained period of time.

Just for an example, let’s think about asking someone for admin access. That is prohibited in the forum guidelines for safety. Asking once is a mistake, and we know mistakes happen, so the person will get a warning from the forum mods. If they happen to ignore (or miss) the warning and do it again, their account gets put into a ‘moderated’ status, and all posts have to be approved by a moderator. That moderation flag is not a punishment. It’s there to make sure the mistakes stop, and to help protect the developer from harming themselves. After that, though, if it keeps happening, the plugin team is asked to step in and issue a warning.

But even so, our first warning is not a final notice! It’s a first warning.

From then on, if the person keeps violating the guideline, that is when they will get that dreaded ‘final warning’ from plugins.

Why did I get a final warning without previous notifications?

That means you did something really bad, but not quite ban-worthy yet.

Sometimes it happens when someone gets a warning (like ‘don’t ask for admin access’) and replies “I cannot be held responsible for what my staff does.” That gets a final warning right away and a reminder that you absolutely will be held responsible for the people who represent you and your product. If you cannot trust your people, don’t let them represent you.

Other times, it’s a mistake so large, and so fraught with danger or concern, we feel that the only proper recourse is to jump directly to the final notice. Those are incredibly rare, and I’ll explain a little more about that later in this post.

How do I avoid a final warning?

Besides ‘never violate the guidelines,’ the easiest way would be to acknowledge and rectify any issue that a moderator or plugin rep brings up. If someone tells you not to ask for admin access? Stop asking for admin access. If they tell you not to call users vulgar names? Stop calling people names.

Basically listen to the warnings, take them all seriously, learn from them, and change your behavior as needed.

We know that everyone makes mistakes, and we will forgive a lot. But at the same time, that kind of forgiveness requires you to make changes. If you apologize and just do it again, we’re not going to be able to trust you, and that’s how you end up with a final warning.

I keep getting warnings because of my support staff, what do I do?

If that happens, it means you’ve somehow failed to impart on your support staff the reality that they have to follow the guidelines too. They are your responsibility, and if you cannot ensure they follow the guidelines, we simply won’t allow them to use the forums at all anymore, and you will be told why.

As for how to fix it? You need to address the issue on your end. Why are your staff not aware they have to follow the guidelines? Why are they not listening to the warnings issued? Why are they continuing to have this kind of problem?

Make sure everyone who represents you (in the forums, on social media, wherever) knows that their actions reflect on your whole company, and they have to follow the guidelines too. After all, if your intern violates Twitter’s guidelines using the company account, it’s your company account that gets suspended.

Other people are making the same mistake I am! Why aren’t they getting banned/warned?

They probably are, actually.

We respect everyone’s privacy and we don’t blast anyone on socials, so all conversations are in confidence as much as can be. After all, if you make mistakes and change your ways, you wouldn’t want the whole world knowing how much you messed up, right? It would be terribly embarrassing! Instead, we treat you like an adult, take you to the side, and talk to you privately.

Most people actually listen to the first warnings. If a forum mod tells them to please stop doing a thing, they apologize and stop. The plugins team never gets involved, and honestly that’s the best way.

I made similar mistakes. Why did I never get warned?

Luck? Or maybe we saw you made it once, and never again.

Mistakes happen. Most mistakes, as long as they aren’t repeated, are recoverable. Don’t panic if you made one mistake. As long as you keep learning, adjust as needed, and don’t do it again, you’re going to be fine.

Why did I get a second final notice?

Most of the time, that means we changed the guidelines since the first one, and felt it would be inhumane to not warn you about them. We will do this even if your violations are unrelated to the changes to the guidelines.

The other time would be if we think you really did change enough since the last notice, but you’re running down another wrong path. Basically? We think you are capable of change based on your historical behavior, and we want to give you another chance.

Why did I get banned without a final warning?

Normally we warn but yes, in some specific cases, we won’t. They include, but are not limited to:

  • physical altercations at official WordPress events
  • banned users attempting to circumvent their ban
  • intentional security violations (ex. making a backdoor in your plugin on purpose)
  • cyberstalking/harassing anyone from wordpress.org
  • doxxing anyone
  • all plugins/themes are non-credited forks or wholesale copies
  • outright vulgarity/hostility/threats towards any member of the community

In those cases, we will always email and tell you exactly why you were banned.

The people who get those insta-bans are often ones who got a plugin review and replied with vulgarities or suggestions of sexual activities involving a cactus. Not a joke. It was in response to being told to not include their own jQuery, to boot. We do get that people have bad days, and we try to help them get back from it, but that kind of abuse is untenable. If you’re willing to talk to us like that, we shudder to think how you’d behave to users!

What can I do after I got banned after a final warning?

Honestly? Not a whole lot. It’s incredibly hard to make anyone trust you after you reached that point.

If you got the final warning and kept violating guidelines, then you just squandered your last chance. The whole reason you got that warning, and not an instant ban, was that we were trying really hard to get you to correct your behavior. When you don’t listen to those warnings, we believe you are who you act like, and we ban you.

Now of course there are always exceptions. They are incredibly rare, and come with a lot of provisions and caveats. If you really think you should be given a second final-chance, reply to the email and explain why. Just be aware that the odds are against you, since you have already demonstrated you cannot (or will not) follow guidelines.

Why don’t you publicly declare why someone was banned?

Historically because we don’t want to keep hurting them.

Angry people lash out, see, and while we’re ‘fine’ with taking it on the chin when people lash out at us because we don’t explain the details about a ban (except in very rare cases), if we made things public that mob would go after the banned dev.

See, if everyone knew that a person or even a company was banned after we argued with them every few months for three years about not asking people for admin access on the forums, or not tracking users in their plugins, they would have a very different view of the developers.

If everyone knew a company was banned for telling the plugin team they could perform sexual acts on their parents (wish I was joking), then what? Making that public in a place where they cannot refute means they have no ability to make amends. And yes, sometimes people do come back and apologize sincerely for that behavior.

We don’t disclose because of a kindness, and a desire not to destroy someone’s reputation (or livelihood). Perhaps we’re now at the point where that policy needs to change, in order to minimize the false narratives running around, but I’m really divided about that one, personally.

Someone says they were banned. Should I stop using their plugins?

I can’t answer that for you.

Personally, I would take their explanations with a grain of salt. Everyone (and this includes the Plugin Team) tends to tell a story to paint themselves in a better light. If someone is arguing they did no wrong and were banned, they’re probably leaving some information out. Then again, there are developers who tell people they messed up and got banned and deserved it.

Questions?

I know this is a lot to think about, and some of it sounds incredibly petty.

No one on the plugin team wants to close plugins, especially the well-known ones. It’s harmful to the community as well as the developers. At the same time, there is a practical limit as to how much the volunteers on WordPress.org are willing to put up with someone’s misbehavior. That’s why we have taken to formally warning people that they are on their last chance.

It’s our fervent hope that with the information in the final warning, people will correct their behavior and stop violating guidelines.

#final-notice, #reminder