b. Review Checklist

Reviewer Workflow

  • Verify the submitted name and subject matter are acceptable
  • Download the zip
  • Check all files for guideline violations
  • Ensure the readme is clear (only a requirement for services)
  • Test in a secure environment
  • Detail any issues found and email the developer from SupportPress
  • If no issues are found, approve the plugin

Required

All plugins and developers are required to comply with all Plugin Directory Guidelines as well as the Forum Guidelines and WordCamp Code of Conduct (when applicable).

  • 100% adherence to the Detailed Plugin Guidelines
  • Full support of the current version of WordPress and (if technically possible) one version back.
  • The plugin cannot be a 100% copy of another plugin. Forks are permitted; however, they must show improvements or changes to the original.
  • The plugin must be the developer’s own work. Submission of another person’s plugin is not permitted.
  • The plugin header image and logos must be family friendly and not be offensive.
  • “WordPress” must be spelled correctly: all one word, with both an uppercase W and P.

Licensing

  • Be 100% GPLv2 or later and/or 100% GPL-compatible licensed
  • Copyright and licenses must be explicitly declared using the license and license uri header slugs in the readme
  • Licenses of any resources included such as fonts or images must be declared in the plugin header
  • Code and design should be original or legally permitted for use
  • Forks must be appropriately credited; no copyright information may be removed

Readme

  • Information on how to configure the plugin is recommended
  • If 3rd party services are used, they must be disclosed
  • If registration to a service is required, a link to the service (and preferably their terms of use) must be included
  • If no support is provided, the readme must indicate such in clear terms

Code

  • No PHP or JS errors
  • No errors when run with WP_DEBUG set to true
  • Validation, sanitization, and escaping of all processed or saved data
  • Use of a unique prefix for everything the plugin defines in the public namespace (ex. options, functions, global variables, constants, post meta, etc.)
  • Valid readmes
  • No saving content locally to the plugin folder, as it is deleted on upgrades

Core Functionality and Features

  • Using WordPress functionality and features first
  • Using WordPress content directory functions to determine locations of folders and files
  • Avoiding hard coding to modify content (using function parameters, filters and action hooks where appropriate)
  • Avoiding duplication of existing WordPress core features (e.g. embedding YouTube)
  • Tags and descriptions matching what the plugin does and what it connects with
  • Requirement checks fail gracefully when not present

Documentation

  • Custom features, options or any limitations (for example menu restrictions) should be explained contextually and within the readme
  • Any remote calls (such as serviceware calling its own servers to process spam) must be disclosed in the readme
  • Any external requirements such as registration with a service must be documented in the readme and the settings page

Themes and other Plugins

  • Don’t include any themes. A theme can be required but not included or auto-installed
  • Don’t include other plugins wholesale. A plugin can be required but not included or auto-installed
  • Don’t do things in a plugin considered theme territory (exception: mobile plugins may include mobile themes)
  • Do not require other themes or plugins to be edited for use, as those changes would be erased on updates

Security and Privacy

  • Don’t phone home without informed user consent
  • Collection of user data must be “opt-in” only and have the relevant option set to disabled by default
  • Validate and sanitize untrusted data before processing (See: Data Validation)
  • Escape all data before output (See: Data Validation)
  • Do not use URL shorteners
  • Use prepare() and $wpdb for SQL calls

  • Upselling is permitted from plugin settings screen or a link on their entry on the plugin list page
  • Forward facing links (including credit links, powered by, and ads) must be optional and not active by default
  • Sponsored links are permitted within reason
  • Third Party Ads are not permitted due to tracking
  • Affiliate links should be avoided wherever possible, and unhidden when used — use the real link to the affiliate, not a custom shortened URL
  • UTM links to a developer’s site are allowed anywhere links are permitted

Stylesheets and Scripts

  • No hard coding of scripts or styles; use wp_enqueue_*
  • No analytics or tracking by third parties
  • No minification of scripts or files unless the original files are also provided
  • No minification of scripts that prevents them from being human readable (example: do not use p,a,c,k,e,r)
  • Use core-bundled scripts (example: jQuery)
  • Include all scripts and resources locally (exception: fonts are permitted to be remote loaded, services may also remote load on a case by case basis)

Subject Matter

The following plugin types are generally not permitted; however, exceptions can and will be made (for example, plugins that are a part of a featured project for core, such as the REST API):

  • Black or grey hat SEO (including plugins that auto post content and content spinners)
  • Plugins that claim to ‘help you earn thousands of dollars’ or make other improbable claims
  • Frameworks, boilerplates, and libraries plugins
  • Plugins that require themes or plugins to be edited for use
  • Marketplace or storefront only plugins
  • Plugins that reproduce core WordPress functions or features without perceivable improvements (example: a plugin that allows embedding YouTube videos)

Please note: All existing plugins in the directory are considered grandfathered in, and will not be deleted unless there are extreme circumstances.

  • Accessibility – Plugins should follow the Accessibility Handbook
  • Code should be written to support internationalization and automatic translations via translate.wordpress.org
  • Support of PHP 5.2.4 and up, or graceful failure if newer versions are required
  • Proper alerts and errors if any required plugin or theme is not installed and active

Serviceware Requirements

If a plugin connects to a service, the following additional requirements apply:

  • Data transmission is secure and sanitized
  • Readme description (and FAQ) detail usage and registration
  • Connectivity to the service is not performed via an iframe in the dashboard (APIs are recommended)

Not Permitted

The following items are not permitted in any new plugin. While we have existing plugins in violation, we handle them on a case-by-case basis.

  • Calling wp-load directly to gain access to core functions
  • Trademark and/or Copyright violations
  • Remote loading data when not absolutely necessary
  • Terms of Use violations for 3rd party services (such as Yahoo’s APIs and most finance related ones)
  • Tracking usage without explicit opt-in consent
  • Using PHP Shorttags (ex. <?=OPTION_NAME?> )
  • Non-GPLv2 (or later) compatible code
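
For the "Check all files for guideline violations" step, a first-pass scan can point a reviewer at lines that may break the Security and Privacy, Stylesheets and Scripts, and Not Permitted items above. This is an added example, not the review team's own tooling: the names scan_plugin, CHECKS and SAMPLE and every regular expression are assumptions made here, and the sample plugin is constructed.

```python
import re

# Heuristic checks, one per checklist item: (id, file suffixes, pattern).
# A hit marks a line for manual review; it is not proof of a violation.
CHECKS = [
    # "Calling wp-load directly to gain access to core functions"
    ("wp-load", (".php",),
     re.compile(r"\b(?:require|include)(?:_once)?\b[^;]*wp-load\.php")),
    # "Using PHP Shorttags": any "<?" not followed by "php" (or "xml")
    ("short-tag", (".php",), re.compile(r"<\?(?!php\b|xml\b)", re.I)),
    # "do not use p,a,c,k,e,r": the packer's usual unpacking prologue
    ("packer", (".js", ".php"), re.compile(r"eval\(function\(p,a,c,k,e,[dr]\)")),
    # "Use prepare() and $wpdb": a variable other than $wpdb itself
    # interpolated into a double-quoted query string (concatenation not covered)
    ("sql-no-prepare", (".php",),
     re.compile(r'\$wpdb->(?:query|get_\w+)\(\s*"[^"]*\$(?!wpdb->)')),
    # "Escape all data before output": request data echoed as-is
    ("unescaped-output", (".php",),
     re.compile(r"\becho\s+\$_(?:GET|POST|REQUEST|COOKIE)\b")),
]

def scan_plugin(files):
    """Return sorted (path, line_number, check_id) for files {path: text}."""
    findings = []
    for path, text in files.items():
        for number, line in enumerate(text.splitlines(), 1):
            for check_id, suffixes, pattern in CHECKS:
                if path.endswith(suffixes) and pattern.search(line):
                    findings.append((path, number, check_id))
    return sorted(findings)

# Constructed sample plugin (not from any real submission).
SAMPLE = {
    "example-plugin/example-plugin.php": """\
<?php
require_once( '../../../wp-load.php' );
global $wpdb;
$id = $_GET['id'];
$rows = $wpdb->get_results( "SELECT * FROM {$wpdb->prefix}ex WHERE id = $id" );
$ok = $wpdb->get_results( $wpdb->prepare( "SELECT * FROM {$wpdb->prefix}ex WHERE id = %d", $id ) );
echo $_GET['msg'];
?>
<p><?=EXAMPLE_OPTION?></p>
""",
    "example-plugin/example.js": "eval(function(p,a,c,k,e,d){return p}('0',1,1))\n",
}

if __name__ == "__main__":
    print(*scan_plugin(SAMPLE), sep="\n")
```

The prepared query on line 6 of the sample is not flagged, while the interpolated one on line 5 is; anything the patterns miss (string concatenation, indirect output) still needs the manual read the workflow calls for.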
