Review Checklist Edit

Reviewer Workflow

  • Verify the submitted name and subject matter are acceptable.
  • Download the ZIP.
  • Check all files for guideline violations.
  • Ensure the readme is clear (only a requirement for services).
  • Test in a secure environment.
  • Detail any issues found and email the developer from HelpScoutHelp Scout A 3rd party service we use to process emails for plugin reviews..
  • If no issues are found, approve the pluginPlugin A plugin is a piece of software containing a group of functions that can be added to a WordPress website. They can extend functionality or add new features to your WordPress websites. WordPress plugins are written in the PHP programming language and integrate seamlessly with WordPress. These can be free in the Plugin Directory or can be cost-based plugin from a third-party.

Top ↑


All plugins and developers are required to comply with all Plugin Directory Guidelines as well as the Forum Guidelines and WordCamp Code of Conducts (when applicable).

  • 100% adherence to the Detailed Plugin Guidelines.
  • Full support of the current version of WordPress.
  • The plugin cannot be a 100% copy of another plugin. Forks are permitted, however they must show significant improvements or changes to the original.
  • The plugin must be the developer’s own work. Submission of another person’s plugin is not permitted.
  • If included in the review, the plugin headerHeader The header of your site is typically the first thing people will experience. The masthead or header art located across the top of your page is part of the look and feel of your website. It can influence a visitor’s opinion about your content and you/ your organization’s brand. It may also look different on different screen sizes. image and logos must be family friendly and not be offensive.

Top ↑

Subject Matter

The following plugin types are generally not permitted however exceptions can and will be made (for example, plugins that are a part of a featured project for coreCore Core is the set of software required to run WordPress. The Core Development Team builds WordPress., such as the Rest APIREST API The REST API is an acronym for the RESTful Application Program Interface (API) that uses HTTP requests to GET, PUT, POST and DELETE data. It is how the front end of an application (think “phone app” or “website”) can communicate with the data store (think “database” or “file system”)

  • Black or grey hat SEO (including plugins that auto-post content and content spinners).
  • Plugins that state to ‘help you earn thousands of dollars’ or other improbable claims.
  • Frameworks, boilerplates, and libraries plugins.
  • Plugins that require themes or plugins to be edited for use.
  • Marketplace or storefront only plugins.
  • Plugins that reproduce core WordPress functions or features without perceivable improvements (for example, a plugin that allows embedding YouTube videos).
  • Plugins that allow users to paste in raw JS/CSSCSS CSS is an acronym for cascading style sheets. This is what controls the design or look and feel of a site./HTMLHTML HTML is an acronym for Hyper Text Markup Language. It is a markup language that is used in the development of web pages and websites./PHPPHP PHP (recursive acronym for PHP: Hypertext Preprocessor) is a widely-used open source general-purpose scripting language that is especially suited for web development and can be embedded into HTML. without sanitization or security.

Please note: All existing plugins in the directory are permitted to remain, and will not be deleted unless there are extreme circumstances.

Top ↑


  • Be 100% GPLv2 or later and/or 100% GPLGPL GPL is an acronym for GNU Public License. It is the standard license WordPress uses for Open Source licensing The GPL is a ‘copyleft’ license This means that derivative work can only be distributed under the same license terms. This is in distinction to permissive free software licenses, of which the BSD license and the MIT License are widely used examples.-compatible licensed.
  • Copyright and licenses must be explicitly declared using the license and License URI header slugs in the readme.
  • Licenses of any resources included such as fonts or images must be declared in the plugin header.
  • Code and design should be original or legally permitted for use.
  • Forks must be appropriately credited; no copyright information may be removed.

Top ↑


  • Information on how to configure the plugin is recommended.
  • If 3rd party services are used, the readme must
    • Clearly disclose as to what is used, when, and why.
    • Include links to the service’s terms of use and/or privacy policy.
  • If no support is provided, the readme must indicate such in clear terms.

Top ↑


  • No PHP or JS errors.
  • No errors when run with WP_DEBUG set to true.
  • Validation, sanitization, and escaping of all processed or saved data.
  • Use of a unique prefix for everything the plugin defines in the public namespace (options, functions, global variables, constants, post metaMeta Meta is a term that refers to the inside workings of a group. For us, this is the team that works on internal WordPress sites like WordCamp Central and Make WordPress., etc.).
  • Valid readme.
  • No saving content locally to the plugin folder, as it is deleted on upgrades.

Top ↑

Core Functionality and Features

  • Using WordPress functionality and features first.
  • Using WordPress content directory functions to determine locations of folders and files.
  • Avoiding hard coding to modify content (using function parameters, filters and action hooksHooks In WordPress theme and development, hooks are functions that can be applied to an action or a Filter in WordPress. Actions are functions performed when a certain event occurs in WordPress. Filters allow you to modify certain functions. Arguments used to hook both filters and actions look the same. where appropriate).
  • Avoiding duplication of existing WordPress core features (for example, embedding YouTube).
  • Tags and descriptions matching what the plugin does and what it connects with.
  • Requirement checks fail gracefully when not present.

Top ↑


  • Custom features, options or any limitations (for example, menu restrictions), should be explained contextually and within the readme.
  • Any remote calls (such as serviceware calling it’s own servers to process spam) must be disclosed in the readme.
  • Any external requirements such as registration with a service must be documented in the readme and the Settings page.

Top ↑

Themes and other Plugins

  • Don’t include any themes. A theme can be required but not included or auto-installed.
  • Don’t include other plugins wholesale. A plugin can be required but not included or auto-installed.
  • Don’t do things in a plugin considered theme territory (exception: mobile plugins may include mobile themes).
  • Do not require other themes or plugins be edited for use as those changes would be erased on updates.

Top ↑

Security and Privacy

  • Don’t phone homePhone home A plugin that “phones home” sends back tracking information to the plugin developer once it’s installed on a site. This may include IP addresses, usernames, or other data. without informed user consent.
  • Collection of user data must be “opt-in” only and have the relevant option set to disabled by default.
  • Validate and sanitize untrusted data before processing (See: Data Validation).
  • Escape all data before output (See: Data Validation).
  • Do not use URLURL A specific web address of a website or web page on the Internet, such as a website’s URL shorteners.
  • Use prepare() and $wpdb for SQL calls.

Top ↑

  • Upselling is permitted from plugin settings screen or a link on their entry on the plugin list page.
  • Forward facing links (including credit links, powered by, and ads) must be optional and not active by default.
  • Sponsored links are permitted within reason.
  • Third Party Ads are not permitted due to tracking.
  • Affiliate links should be avoided wherever possible, and unhidden when used — use the real link to the affiliate, not a custom shortened URL.
  • UTM links to a developer’s site are allowed anywhere links are permitted.

Top ↑

Stylesheets and Scripts

  • No hard coding of scripts or styles; use wp_enqueue_*().
  • No analytics or tracking by third parties.
  • No minification of scripts or files unless the original files are also provided.
  • No minification of scripts that prevents them from being human readable (for example, do not use p,a,c,k,e,r).
  • Use core-bundled scripts (for example: jQuery).
  • Include all scripts and resources locally (Exception: fonts are permitted to be remote loaded, services may also remote load on a case by case basis).

Top ↑

  • Plugins should follow the Accessibility Handbook.
  • Code should be written to support internationalization and automatic translations via
  • Support of PHP 7.0.0 and up, or graceful failure if newer versions are required.
  • Proper alerts and errors if any required plugin or theme is not installed and active.

Top ↑

Serviceware Requirements

If a plugin connects to a service, the following additional requirements apply:

  • Data transmission is secure and sanitized.
  • Readme description (and FAQ) detail usage and registration.
  • Connectivity to the service is not performed via an iframeiframe iFrame is an acronym for an inline frame. An iFrame is used inside a webpage to load another HTML document and render it. This HTML document may also contain JavaScript and/or CSS which is loaded at the time when iframe tag is parsed by the user’s browser. in the dashboard (APIs are recommended).

Top ↑

Not Permitted

The following items are not permitted in any new plugin. While we have existing plugins in violation, we handle them on a case-by-case basis.

  • Calling wp-load directly to gain access to core functions.
  • Trademark and/or Copyright violations. (There are certain exceptions for the owners of registered trademarks, some of which are listed here).
  • Remote loading data when not absolutely necessary.
  • Terms of Use violations for 3rd party services (such as Yahoo’s APIs and most finance related ones).
  • Tracking usage without explicit opt-in consent.
  • Using PHP Shorttags (for example, <?=OPTION_NAME?>).
  • Non-GPLv2 (or later) compatible code.

Last updated: