Clarification of Guideline 8 – Executable Code and Installs

Since Jetpack announced it installs themes, a number of people have asked if this is a violation of the 8th guideline:

The plugin may not send executable code via third-party systems.

And in specific, these two items:

  • Serving updates or otherwise installing plugins, themes, or add-ons from servers other than WordPress.org’s
  • Installing premium versions of the same plugin

The short answer is no, it’s not, and yes, you could do this too.

The longer answer involves understanding the intent of this guideline, which initially was to prevent nefarious developers from using your installs as a botnet. In addition, it’s used to disallow plugins that exist only to install products from other locations, without actually being of use themselves (ie. marketplace only plugins). Finally it’s there to prevent someone silly from making a plugin that installs a collection of ‘cool plugins’ they found from GitHub and want to make easier to install. Which actually did happen once.

Plugins are expected to do ‘something’ to your site. A plugin that exists only to check a license and install a product, while incredibly useful, is not something we currently allow as a standalone product. This is why we allow plugins to have the in-situ code for updates that is used by their add-on plugins. The plugin we host has to use WordPress.org to update itself.

In addition, we do permit valid services to perform actions of installations onto sites, and have for a very long time. ManageWP, for example, has had this ability for quite a while. It provides a valid service, letting you manage multiple sites from their dashboard, and yes, install and update plugins. Going back to the example of a plugin that hosts the update code for it’s addons, the ‘service’ is the license you bought for the add-on plugin.

The trick here, and this is what is about to sound like hair splitting, is that it’s not the plugin UI on your site that does the install. In order for Manage WP and Jetpack to work, you have to go to your panel on their sites and install the items. If you wanted to make, say, my.servicename.com and let people log in, authenticate their sites, and from that interface use a JSON API to trigger an install, you absolutely, 100%, totally can.

To hit the major talking points:

  • Is Jetpack allowed to do this? Yes.
  • Are you allowed to do this? Yes.
  • Can you have your plugin install things? No.
  • Can your service install things onto a connected site? Yes.
  • Are you allowed to have a marketplace plugin? Not at this time.

I know this is frustrating to a lot of people. The reason it never came up before is no one asked us, and it isn’t our place to run your business or invent all the cool things. The guidelines are guidelines, and not laws or rules, to allow people to interpret them, and you’re always welcome to ask us if something’s okay or not. Or warn us if you’re about to do something you think might get the masses up in a dander.

#guidelines

Beware Your Zips!

Its not you, it’s Google.

A lot of people have been mentioning that Gmail won’t send emails if they have zips. Other people have no problem. And reading the list of filetypes that are blocked, it took me a while to figure out what was going on. Not only does Gmail block bad attachments, they also check in your zips to see what files are there:

Certain file types (listed below), including their compressed form (like .gz or .bz2 files) or when found within archives (like .zip or .tgz files)

And guess what filetype Gmail just added on as a banned attachment? `.js` files. Explains perfectly why some of you had no problem and others have massive ones, right? Right.

My advice is, and has been for quite a while now, to use GitHub or Gitlab or Bitbucket or some sort of true development version control system. They all generate their own zips and you can just link us to them. Plus if it’s really complicated to explain what’s wrong, we can highlight the code for you.

I strongly recommend you NOT use free download sources like mega file and all those other ones, especially if they offer faster downloads for money. The majority come with scam popups, viruses, and x-rated ads. Of which I have seen enough. Dropbox is free and has public links. Plus you all have your own websites and can upload a zip there if needed.

#notice

Plugin Guideline Change

With the advent of the new directory being on the horizon, which allows us to easily hard-limit the number of plugin tags displayed, we have taken the time to change the guidelines.

While minor updates to the guidelines (with regard to spelling, grammar, etc) are common, major changes are rare and we are striving to be more transparent about them. Hence this post 🙂

Guideline 12 (readme links) clarified to cover spam and tags.

The guideline now reads as follows:

12. Public facing pages on WordPress.org (readmes) may not spam.

Public facing pages, including readmes and translation files, may not be used to spam. Spammy behavior includes (but is not limited to) unnecessary affiliate links, tags to competitors plugins, use of over 12 tags total, blackhat SEO, and keyword stuffing.

Links to directly required products, such as themes or other plugins required for the plugin’s use, are permitted within moderation. Similarly, related products may be used in tags but not competitors. If a plugin is a WooCommerce extension, it may use the tag ‘woocommerce.’ However if the plugin is an alternative to Akismet, it may not use that term as a tag. Repetitive use of a tag or specific term is considered to be keyword stuffing, and is not permitted.

Write your readmes for people, not bots.

In all cases, affiliate links must be disclosed and must directly link to the affiliate service, not a redirect or cloaked URL.

The previous version had the title of “… may not contain “sponsored” or “affiliate” links or third party advertisements” which was too specific and yet not direct enough as to what the intent was. We sincerely mean “Do not use your readme to spam.” Tag abuse, keyword stuffing, and blackhat SEO practices are all spamming.

While we still ask you to use no more than 12 tags, once we move to the new directory, we will simply not display the overage. You should clean that up now. The code is such that there will not be a way to grant exceptions. This is by intent. You don’t need 30 tags, folks.

Guideline 13 (formerly number of tags) now references using included libraries

Since we no longer needed a separate guideline for tags, we have completely changed this guideline to address an issue of security.

13. The plugin should make use of WordPress’ default libraries.

WordPress includes a number of useful libraries, such as jQuery, Atom Lib, SimplePie, PHPMailer, PHPass, and more. For security and stability reasons, plugins may not include those libraries in their own code, but instead must use the versions of those libraries packaged with WordPress.

For a list of all javascript libraries included in WordPress, please review Default Scripts Included and Registered by WordPress.

This issue has become incredibly important when you consider that roughly 90 plugins had to be contacted and closed regarding the use of PHPMailer. They had included the entire library and not kept it updated. I’m aware that we use a forked version of that specific library and I have raised core trac ticket #39714 to address this issue.

While we do not (yet) have a public page to list all 3rd party libraries, I’ve raised meta trac ticket #2431 to hopefully get this sanely documented.

#guidelines

Want to Close Your Plugins? Email!

Hi everyone, it’s winter at last, and there’s snow in the mountains! This is the perfect time to sit by the fire and look at your plugins and get rid of the ones you don’t want to be on the hook for any more.

Did you make a plugin for an event that happened a long time ago, like the 2008 Olympics? Did you make a featured plugin that got wrapped into core and you’re done?

Email plugins@wordpress.org with a link to the plugin and we’ll close it for you!

Doing this means you won’t get any new people complaining about how the plugin doesn’t work and disables itself in WP 4.3 and up (even though you documented it…). It’s less work for you and it’s okay to EoL plugins. We’ll close ’em for you and you’ll be done.

A lovely winter present for everyone.

(If you think the plugin has a use and life, but you don’t want to support it anymore, consider adding the tag ‘adopt me’ to your readme. Just update your readme file with that and maybe someone will come and offer a new home for your old plugin. Check out https://wordpress.org/plugins/tags/adopt-me to see the plugins out there looking for you!)

#reminder

[FIXED] Banners and Images Broken In the Old Directory?

There was a glitch the other day and anyone who updated in the hour or so window got goobered. We’re looking to see if we can automagically fix it but if you see your plugin looks sad and image-less, drop a link to it here and we’ll have someone hit it with a hammer for you.

Update! They found the 66(!!) affected plugins and are on the job!

Sorry about that 🙁 On the plus side, it works fine in the new directory!

#fixed #bug

Reminder: Make Sure Your Email Is Up To Date

I know the 4.7 ‘please test’ email went out a bit late (WordCamp US, blame Wapuu), but we did send it and just like last time, we’ve taken action the replies.

  • If you reply and ask for a plugin to be closed, we close it.
  • If your email auto-replies, we warn you once. If you were warned previously, we close your plugin(s).
  • If your email bounces we close your plugin or, if there are multiple developers involved, remove your account and notify them.

These actions are taken for security. If we have no way of getting in touch with you, or if your email is invalid, it puts your users at risk. Not to mention getting 2500 auto-replies is pretty frustrating.

Remember, it is a requirement that we be able to contact you. We don’t mind if the email is a group mail, but it should never auto-reply to anything from WordPress.org. Just whitelist us (and yes, you can do that with ZenDesk read this ticket for details) and make sure nothing from .org gets a bounce reply. This will also make our servers faster, which I know you’d like.

If you can’t do that, you’ll need to change your email to something else. Do to that, go to https://wordpress.org/support/users/YOURID/edit/ as the user in question and edit the email. Done.

On a happier note, less than 100 people had to be contacted this time around! It only took me 2 hours to sort it out, versus last time which was much higher. The majority of the issues came from new plugin developers, which is understandable, but a few of the long-standing devs had a rude awakening this morning, I’m sure.

Thank you everyone for understanding.

#notice #policy

WordCamp US/2016 Recap

First of all I suck for not getting everyone’s names. I’m lucky I remember mine…

This marks my first year as the rep of the Plugin Directory Team and we’ve made some phenomenal headway. We’ve re-written the detailed plugin guidelines to be more understandable and clear for everyone. We’ve actually written a handbook! We never had one before. And Team Apollo has been brilliant getting the new directory from a pipe dream to a beta test reality. Thank you everyone for getting us here.

At WordCamp US 2016 Contributor Day, we had over 20 people going over the brand new Handbook, which lead to the creation of the Glossary and a lot of edits! So a huge thank you to everyone who was here. I really appreciate it. We also had a few people reviewing plugins as practice for the first time. I look forward to their results. Good luck, folks!

Right now the new directory is in public beta. That means if you go check it out wordpress.org/plugins-wp/ you’ll see the brave new world for plugins, and we hope you can help us test things out. If you find bugs in search, please report them on Meta Trac #1692-meta.

The Plugin Developer Documentation has been updated to address the changes (mostly to your Plugin Assets) and the Handbook was written with this new interface in mind.

Which leads us to the eternal question… when will the directory open up to new reviewers?

I’ve said it before and I’ll say it again, the opening of the plugin team to new members will happen after the new directory is complete. This is just a technical necessity. The current system works but it has serious limitations that are just prohibitive to adding more people. That made writing a handbook for a process that doesn’t exist rather interesting. My goal is, once the directory is live, to iron out the how-to-review and then get some experienced developers in to review but not approve, to see if we can come up with a process closer to the Theme Review Team, but not fall to backlog.

This will take a lot of experimentation and patience.

Hang in there.

#contributor-day

#1692-meta

Reviewer Handbook

Sneaking this in just before WordCamp US, if you’ve seen the redesign of this make site, then you may have seen the link to the handbook.

This is a rough draft – it’s not perfect and it doesn’t cover all contingencies. However, yes, that is indeed our handbook. It’s built to the new directory, which we’re not fully using yet, and it has some information that may surprise you. For example, did you know we could see every IP address you’ve ever used to submit a plugin?

On Contributor Day, I’ll be asking victims– volunteers to help with it, to explain things more clearly, and to make this something that can be used to (eventually) include more reviewers.

Speaking of, before you ask for the status, here it is: Not yet.

Once the new directory is live, and once the existing reviewers have worked out the best flow, then we will bring in some existing developers to join us. But it’s not going to suddenly be a flood gate. We’re trying to avoid hitting a backlog as bad as the theme team has, and I’ve been closely watching how they handle reviews and trying to see what we can do to navigate that kind of a delay. Obviously ‘more reviewers!’ isn’t the only answer, and right now I feel that the right fix for plugins is a more streamlined system. I have a plan. I’m sure it won’t last the first day against the enemy (i.e. plugins).

See you all soon at WordCamp US!

#notice #handbook

User Testing the Directory Revamp

Does the directory currently have a kind of ‘meh’ UX? Yes. Yes it does. We know it. We know search is chancy at best, and people (especially developers) get grumbly when they can’t find what they want.

Well. Here’s your chance to step up and help us fix it.

Plugin Directory User Testing – Round 1

The tl;dr here is @mapk had some tasks for he asked people to run through to try and report on. Using that information, we’ll figure out what has to be changed, what’s going to have to be lived with, and what can and cannot be improved.

But it won’t get better without YOUR help.

So if you care about the usability of the Plugin Directory, please help. Speak up and try the tests yourself. Figure out what’s broken and speak up on it. We need to know.

Revised Guidelines Are Live

We soft-launched them on the 20th, just to make sure we didn’t mess anything up. Those last few spelling and grammar edits are killer. However yes, the guidelines, reviewed and revised by the community are now the official Plugin Developer Guidelines.

While I can hope they’re easily understood by all, I know that’s a fond wish. I’m leaving the repository on Github open for the time being, in order to allow people who spot late breaking issues to report them. If you do spot problems, please open an issue on the GitHub Repo or email plugins@wordpress.org and let us know.

In addition to just rewriting the guidelines, we took the time to codify the expectations of developers and cost of not abiding by the guidelines, as well as a reminder that we do remove plugins for security issues. We are doing our best to be transparent of what we expect from you and, in return, what you can expect from us.

Finally, THANK YOU. Everyone who helped write this, edit it, and who was patient understanding I was chasing down people to get their sign-off on what might be construed as massive changes, I greatly appreciate the time you spent on this project. It’s a massive undertaking to re-write guidelines in the public eye, in a way that won’t pull the rug out from anyone. Our goal was to clarify, not totally change, but also to address the needs of an ever changing technology.

Our goal, as always, remains to provide a safe place for all WordPress users – from the non-technical to the developer – to download plugins that are consistent with the goals of the WordPress project.

Please take the time to read the Detailed Plugin Guidelines.

#guidelines