Welcome to the official blog for the Plugin Review Team.
The review team acts as gate-keepers and fresh eyes on newly submitted plugins, as well as reviewing any reported security or guideline violations.
We can be reached by email at plugins@wordpress.org, or via the #pluginreview channel on Slack.
We are currently adding new team members as invite only. Please stay tuned!
Users, security firms, and developers all send in security reports. Each one must be read, reviewed, and replied to without exception. The goal is to ensure accuracy in reporting and communicate clearly to the developers what must be corrected and why.
While all plugins in the WordPress.org Plugin Directory are required to be compatible with the GPLv2 or later, the same is not true of code hosted outside WordPress.org, which can lead to confusion when someone reports that a plugin hosted elsewhere is violating guidelines. If you are at all confused as to which plugin they mean, just ask for a link to the plugin page.
All reports must be checked by a human being to ensure they are valid. If someone reports a vulnerability it must be tested. If someone reports behavior in the forums, and you don’t have forum admin access to see what people have been doing, speak with a senior reviewer.
As of 2016, we no longer permit plugins to use someone else’s trademark/product name as their plugin slug, or the first term(s) of their plugin. The summary can be as simple as “If you don’t work for Burt’s Bees, you cannot use burts-bees-in-stock or burts-bees as your plugin slug.”
That said, all plugins submitted prior to 2015 are ‘grandfathered’ in, and we will not close them unless there is a pressing need to do so. All non-official plugins with names that no longer are approved should state in their name and/or description that they are not the official plugin.
Every attempt is made to ensure that only the authorized owner of a name can use it. If a mistake is made and it is critical enough, plugins may be closed.
Everyone who officially represents a plugin is required to abide by the guidelines. If someone working for a plugin’s company makes sock puppets, report it to the plugin owner with a stern warning. Their actions reflect on those of the developer, and if they are severe enough, the plugin will be removed. If, following a warning, a developer escalates the behavior, all their plugins will be closed. Abusing moderators and reviewers is not permitted.
In general, the review of a sockpuppet complaint will be to read the suspected posts and verify the proof from the forum administrator. Very rarely do the forum admins get those wrong; however, always double check in case you know that the developer asked people at a meetup to please review. Under no circumstances should you divulge exactly how the fake accounts were spotted. If the developer is insistent, please get a senior reviewer to help, but we do not disclose our methods as they would then be abused.
Rewarding users for leaving reviews is not permitted. Period. Developers cannot pay, offer discounts, or otherwise ‘give back’ to users who leave reviews. Any time a developer does this, all reviews from the time the offer was made until it was removed will be archived in the WordPress forums. They will not be restored, as there is no way for us to be sure whether they were innocent or not. The legal doctrine for this is “fruit of the poisonous tree.” By offering compensation, the developer has put all reviews made in that time period in jeopardy.
We currently use a standard reply to inform reporters that the email has been read by a human and will be followed up on. Always send this. If the email came into SupportPress (the ticket management interface for the plugin emails, restricted to plugin administrator access) without a reply address, try to find their email (and let them know we had an issue, and ask them to check their email client).
No matter what, whether the report is valid or not, you must reply to their email. They need to know humans are here, reading emails, and validating reports.
With few exceptions, plugins are closed immediately when a security issue is confirmed. We have no system to allow a plugin to be flagged as ‘update and fix issues in 7 days or it will be automatically closed.’ Furthermore, such a system would require a large amount of manual monitoring, and people would still be able to download the plugin. Therefore the plugin is closed and the onus is on the developer to fix the plugin.
The other reason we close plugins is to prevent new users from making themselves more at risk. This means we must weigh the reality of the usage of the plugin, the responsiveness of the developers, and the risk of the vulnerability before we close a plugin. If closing a plugin would cause more users to be at risk (and create FUD), do NOT close the plugin. If the plugin developer has notably argued and been reluctant to fix issues, DO close the plugin.
Examples of plugins that should not be closed without due consideration are: Jetpack, Akismet, NextGEN Gallery, Yoast SEO.
Those plugins have all proven, over years, that they are responsive to fixes. In addition, closing them would send up a signal that there’s a major security issue on tens of thousands of sites, putting the majority of WordPress sites at risk.
Please check with a Plugin Review Admin if you’re unsure. In general, most plugins will be closed.
Disabling a plugin allows it to still push updates while closed. Closed plugins push no updates. Most of the time, plugins should be CLOSED and not DISABLED. The use of DISABLED is for when a plugin is being retired, but information needs to be sent to existing users. It should be very rare, and reserved for things like Feature Plugins or extreme security related situations.
Email the developer through SupportPress. We have a standard reply for most guideline issues that explains why their plugin was closed and has sections for you to add in a link to the plugin and the description of the issue. If the submitted issue wasn’t clear, make it clear. Link the developer to places where they can learn more about the issues.