Directory Maintenance

Maintaining the directory can be a full-time job. To achieve this, we rely on multiple tools to constantly scan, review, and monitor check-ins. There are some filters on SVN that prevent dangerous code from being committed to the repositories; the rest of the work is done by scanning.

Removing Plugins

Plugins are removed for reasons other than security; however, that is the most recognized reason.

Any time a plugin is closed, the developers must be contacted, and the action must be logged on the private P2. If a daily post exists, add a comment with the plugin link and why it was closed. Otherwise, create a new one.

Immediate Closure

Plugins are closed immediately for the following situations:

  • Security issues
  • GPL violations
  • Flagrant abuse of other community members
  • Users being banned from the repository (all plugins are closed when this happens)
  • Intentionally disguising themselves to get around previous blocks/bans

Except in extreme cases, make sure the developer(s) has received at least one warning before closing plugins.

Reasons to warn first:

  • Sockpuppets (delete all suspect reviews first)
  • Self promotion in related plugin support threads or reviews
  • Tag abuse
  • README scamming
  • Frequent commits to game the ‘recently updated’ list

If a warning has been sent with no response, send a second warning or “FINAL WARNING” and explain that the behavior must stop. Provide them with a realistic due date. For example, if a plugin has been warned multiple times to stop making needless commits and tag abuse, allow them 4-5 business days to comply.

By Request

Verify the request came from either a developer with commit access or someone who works for the company. If so, reply with the Predefined email “Reply: Removal Request Completed”.

Otherwise, use “Reply: Removal Request – From email doesn’t match that of the plugin owner”.

Scanning the Repository

This requires a local copy of the entire plugin directory, which can be downloaded with the Plugin Directory Slurper. Alternatively, you can use the unofficial WordPress Directory Search.

You can use grep, ack, or ag to scan the plugins repository. grep is available by default on Linux and OS X, but isn’t as advanced as ack / ag. ag is a drop-in replacement for ack; it doesn’t have all of ack’s advanced features, but is 5-10x faster.


The following examples assume that you have a copy of all the plugins checked out into a folder called “plugins” and you wish to save your scans in a folder called “scans”.

Looking for global $tag in all PHP files

ack "global[^;]+\$tag" --php ./plugins/ > scans/global-tag.txt

Find everyone using HTTP in an enqueue

find ./plugins -type f -exec grep -H "wp_enqueue_\(style\|script\)\s*(.*[\"']http://" {} \; > scans/http-enq.txt

The \; after the {} terminates the -exec clause; on OS X, leaving it off produces the “no terminating…” error. -H makes grep print the file name with each match.

Find all instances of a specific file:

find ./plugins -type f -name "*datepicker-*.js" > scans/datepicker.txt

Parsing the output can be difficult, since the output often looks like this.

.plugins/appmaker-woocommerce-mobile-app-manager/lib/appmaker-wp/endpoints/appmaker/class-appmaker-wc-rest-backend-posts-controller.php:705: $date_data = rest_get_date_with_gmt( $request['date'] );

To make life less insane, there’s a summarize script.

./summarize-scan.php scans/rest_get_date_with_gmt.txt
5 matching plugins
Matches  Plugin                                    Active installs
=======  ======                                    ===============
4        rest-api                                  40,000+
4        wptoandroid                               30+
5        custom-contact-forms                      60,000+
2        appmaker-wp-mobile-app-manager            50+
4        appmaker-woocommerce-mobile-app-manager   200+

This will not clean up false positives, so before you assume that’s your answer, do review the raw output to make sure you don’t have incorrect data.
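
As an added example (not the directory team's summarize-scan.php, whose source is not shown on this page), the shell function below groups raw scan lines by plugin slug and counts matches that sit in PHP comments separately, so likely false positives can be reviewed by hand. The function names and the sample scan lines are constructed for illustration, and the active-installs lookup is left out so it runs offline.

```sh
#!/bin/sh
# Added example: per-plugin summary of an ack/grep scan of ./plugins.
# Input lines look like: ./plugins/<slug>/<path>:<line>:<matched code>
# Output columns (tab separated): code matches, comment-only matches, slug.

summarize_scan() {
    awk '
    {
        # Strip the leading "./plugins/" or "plugins/" prefix.
        path = $0
        sub(/^(\.\/)?plugins\//, "", path)
        if (path == $0) next              # not a scan line, skip it
        slug = path
        sub(/\/.*/, "", slug)             # first path component is the slug

        # Everything after "file:line:" is the matched source text.
        code = $0
        if (!sub(/^[^:]*:[0-9]+:[ \t]*/, "", code)) next

        # A match that starts with a PHP comment marker is a likely
        # false positive; count it apart from real code matches.
        if (code ~ /^(\/\/|#|\/\*|\*)/) comment[slug]++
        else hits[slug]++
        seen[slug] = 1
    }
    END {
        for (s in seen)
            printf "%d\t%d\t%s\n", hits[s] + 0, comment[s] + 0, s
    }' "$@" | sort -t "$(printf '\t')" -k1,1nr -k3,3
}

# Constructed sample of raw scan output (plugin names are made up).
sample_scan() {
    cat <<'EOF'
./plugins/example-slider/inc/assets.php:12:    wp_enqueue_script( 'sl', 'http://cdn.example.test/sl.js' );
./plugins/example-slider/inc/assets.php:19:    wp_enqueue_style( 'sl', 'http://cdn.example.test/sl.css' );
./plugins/example-slider/snippets.php:4:// wp_enqueue_script( 'old', 'http://cdn.example.test/old.js' );
./plugins/example-forms/forms.php:88:    wp_enqueue_script( 'f', "http://static.example.test/f.js" );
./plugins/example-gallery/gallery.php:7: * wp_enqueue_style( 'g', 'http://example.test/g.css' ) removed in 2.0
EOF
}

sample_scan | summarize_scan
```

Run it on a real scan with summarize_scan scans/http-enq.txt; a plugin whose matches are all in the second column still needs a look at the raw lines before it is ruled out.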

Tools and Resources
