Make WordPress Plugins

Updates from January, 2016 Toggle Comment Threads | Keyboard Shortcuts

  • Ipstenu (Mika Epstein) 4:31 pm on January 11, 2016 Permalink |  

    [RESOLVED] Jan 11 – Issues committing to SVN 

    0100 UTC

    This problem should be fixed now. Let us know if you have any continuing issues. -Otto

    2339 UTC

    We’ve ruled out a couple things. The access table seems okay. But right now we don’t have an ETA πŸ™ I’m sorry.

    2141 UTC

    Just an update to let you know we’re still looking into it. You don’t need to tell us your plugin names. Pretty much everyone who was approved this weekend and on has this issue.

    1631 UTC

    We’re aware of this and looking into it. Please keep an eye on this post. We will update as soon as we have any information.

  • Ipstenu (Mika Epstein) 5:31 pm on June 5, 2015 Permalink |
    Tags: ,   

    ‘Policy’ on PHP Versions 

    The official stance of WordPress.org is that WordPress is supported on PHP 5.2.4 or greater.

    The official stance of the Plugin Team regarding what version of PHP your plugins can use is .. not that.

    We don’t have an official stance. We’ve never needed one. We do (often) test complex plugins on multiple versions of PHP (and sometimes HHVM) to make sure there’s proper degradation and support, but at the same time, we do not have an official requirement that you must support version X or Y.

    This is not an official requirement post.

    This is a reminder post.

    Use whatever version of PHP works best with the code you’re writing. If you’re using, for example, Amazon S3’s library, you must use PHP 5.3 and up because otherwise the libraries won’t work. From that standpoint, your plugin should require PHP 5.3 and up. That’s a decision prompted by circumstances outside of WordPress.

    For everyone who just wants to know what to do if your plugin must be on PHP 5.3 or 5.4, the answer is this:

    Make sure your plugin checks for any and all requirements on activation and, if they’re not found, it should gracefully fail and alert the user as to why.

    This includes things like required software (if your plugin is an add-on to WooCommerce, yes, check that WooCommerce is installed and active), but also PHP versions and (if needed) SQL versions. That’s your responsibility. We’re not going to force you to do it at this time, but understand that your plugin’s reviews and ratings will be directly impacted by how you handle those things.

    Fail gracefully. Degrade gently. Error politely. Consider your users. Remember: WordPress can be used on anything.

    This can be complicated or not, depending on your requirements. The main thing to think of here is that if you don’t support PHP 5.2, then your main plugin still needs to work in PHP 5.2.

    Practical Examples

    Let’s say you use a function that only works in PHP 5.3 and up. A simple function_exists check will do the job:

    if ( !function_exists( 'some_function' ) ) {
        add_action( 'admin_notices', create_function( '', "echo '<div class=\"error\"><p>".__('Plugin Name requires PHP 5.3 to function properly. Please upgrade PHP or deactivate Plugin Name.', 'plugin-name') ."</p></div>';" ) );

    Note the use of create_function here, because anonymous functions (aka closures) don’t work in PHP 5.2.

    The use of return prevents the rest of the plugin from executing here, preventing that function call later from causing a syntax error.

    Sometimes though, you need more complicated checks. Let’s say your plugin uses PHP namespaces. Those are not supported in PHP 5.2, and will cause a syntax error just from having them in the file, before any of your code runs.

    So, your main plugin file needs to not have namespaces and basically only be a shiv to load the rest of the plugin from another file if the requirements are met:

    if ( version_compare( PHP_VERSION, '5.3', '<' ) ) {
        add_action( 'admin_notices', create_function( '', "echo '<div class=\"error\"><p>".__('Plugin Name requires PHP 5.3 to function properly. Please upgrade PHP or deactivate Plugin Name.', 'plugin-name') ."</p></div>';" ) );
    } else {
        include 'rest-of-plugin.php';

    Here, the plugin does not load the files that can cause errors unless the requirements are met.

    Maybe you need to check against the WordPress version. Plugins load in the global context, so the $wp_version variable is available to you to check:

    if ( version_compare( $wp_version, '4.0', '<' ) ) {
        add_action( 'admin_notices', create_function( '', "echo '<div class=\"error\"><p>".__('Plugin Name requires WordPress 4.0 to function properly. Please upgrade WordPress or deactivate Plugin Name.', 'plugin-name') ."</p></div>';" ) );

    Although, if you’re requiring a specific WordPress version, then you’re more likely to be requiring a specific function instead, in which you should check for that specific function as in the first example.

    If you want to be complicated about it, you can indeed do so. Here’s code for a plugin which will deactivate itself if the PHP version requirement is not met:

    if ( version_compare( PHP_VERSION, '5.4', '<' ) ) {
        add_action( 'admin_notices', create_function( '', "
            echo '<div class=\"error\"><p>".__('Plugin Name requires PHP 5.4 to function properly. Please upgrade PHP. The Plugin has been auto-deactivated.', 'plugin-name') ."</p></div>'; 
            if ( isset( $_GET['activate'] ) ) 
                unset( $_GET['activate'] );
            " ) );
        add_action( 'admin_init', 'pluginname_deactivate_self' );
        function pluginname_deactivate_self() {
            deactivate_plugins( plugin_basename( __FILE__ ) );
    } else {
        include 'rest-of-plugin.php';

    The reason for the unset of $_GET[‘activate’] here is so that the normal plugin activation process will not show the normal activation message, showing the plugin’s message only.

    These are not the only ways to perform a check like this, however they should be enough to get you started. Remember: Make things obvious to your users what the problem is, so they can understand the situation and take action.

  • Ipstenu (Mika Epstein) 7:25 pm on February 27, 2015 Permalink |
    Tags: , ratings, , reviews   

    Ratings Rebuilt 

    Did your ratings suddenly change dramatically? Hopefully not, but if they did, it’s because the ratings for all plugins were recently reset and rebuilt earlier this week. All ratings now correspond exactly with existing, non-deleted, reviews.

    As Otto put it:

    Back when we launched the review system 2.5 years ago, we tied ratings to reviews. However, up until that point, we had existing ratings in the system. At the time, some argued that the ratings should be wiped and everybody start fresh. I argued for the opposite, that we should leave the existing ratings in place until such time as we had enough reviews in the system to build up a good body of ratings.

    That time has finally come. What you see now is the ratings that correspond to your reviews. The data comes directly from the reviews themselves, and is accurate. Any ratings previously left over from the pre-review world are no longer available.

    Additionally, the ratings now will accurately reflect the actions of the moderation team. If a review is deleted for whatever reason, then the associated rating for it will not be reflected in the results.

    Please keep in mind, this means that all of the people who thought making sockpuppets to spam the reviews with 5-stars on their own plugins (or 1-stars on their competitors) have had the biggest swings. It should go without saying that you should never leave multiple reviews on your own product (we’re pretty sure you like it πŸ˜‰ ) and you should never attempt to hide behind proxies and fake accounts to leave reviews. Be honest. It works out better.

    • Drew Jaynes 11:11 pm on February 27, 2015 Permalink | Log in to Reply

      Awesome! Thanks for the update @ipstenu πŸ™‚

    • jeangalea 3:27 am on February 28, 2015 Permalink | Log in to Reply

      These changes are very welcome, thanks! I also notice that there is now an estimate of the number of installs on the main page of every plugin, rather than the amount of times it has been downloaded. How is that figure being calculated? I’d like to know how accurate it is.

    • Varun Sridharan 8:07 am on February 28, 2015 Permalink | Log in to Reply

      Awesome!.. thanks for good update .. @ipstenu

    • WPSecureOps 11:40 am on February 28, 2015 Permalink | Log in to Reply

      Oops, we’ve some weird error on our plugin’s stats page:
      “Cannot read property ‘title’ of undefinedΓ—”

      Any ideas what can be causing that?

      • WPSecureOps 11:41 am on February 28, 2015 Permalink | Log in to Reply

        In case that this is helpful: Chrome Version 40.0.2214.111 (64-bit) (OSX)

      • Samuel Wood (Otto) 5:31 pm on February 28, 2015 Permalink | Log in to Reply

        This has nothing to do with the ratings, as the stats are a separate change still being worked on. However, the people in the know about that have been notified of the issue and will look at it soon. πŸ™‚

        • WPSecureOps 5:30 pm on March 1, 2015 Permalink | Log in to Reply

          At least, i’m happy that I was able to help to report another problem then πŸ™‚

          Good luck with the new stats, they look awesome, especially this new version specific bar!

    • Varun Sridharan 1:58 am on March 1, 2015 Permalink | Log in to Reply

      Can i please know how do you calculate `Active Installs: Less than 10`. because
      https://wordpress.org/plugins/wpsecureops-easy-firewall/ = is used by more that 10 live sites. but in that status its only less than 10 ??

      • Ipstenu (Mika Epstein) 2:23 am on March 1, 2015 Permalink | Log in to Reply

        That code isn’t complete yet, which Otto said in the post above. Obviously there’s an issue, since the graph isn’t even showing. Don’t spend your time worrying about this yet, we’ll post and explain it when it’s done.

        Now if you have a question about the RATINGS, please let us know. That’s done and that’s why we posted here πŸ™‚

      • WPSecureOps 5:33 pm on March 1, 2015 Permalink | Log in to Reply

        You are using our plugin on more than 10 live sites?!

        WOW! We are really happy to hear that !!!!

        If you have any feedback/suggestions/need of help or simply want to say “Hi!”, don’t hesitate to ping us at support@wpsecureops.com πŸ™‚

        PS: Sorry for going a bit off topic, but …. πŸ™‚

    • Joachim Jensen (Intox Studio) 5:09 pm on March 1, 2015 Permalink | Log in to Reply

      I wondered why the total number went down for Content Aware Sidebars, but the average rating didn’t change. This “cleanup” is appreciated very much!
      I’ve noticed a few plugins with very questionable reviews though, and those have not been removed? I won’t call out anyone, but I’ll be glad to give the info to @ipstenu so you can check it out?

    • Chad Butler 10:15 pm on March 2, 2015 Permalink | Log in to Reply

      Thanks for the update Mika. I am really glad to see this change implemented as it will improve the usefulness of the rating system.

    • Ajay 12:43 pm on March 6, 2015 Permalink | Log in to Reply

      Mika, this cleanup is definitely a good one. Helped improve ratings on most of my plugins. However, there remains one issue that might be worth considering. Some plugins have very few reviews. Shouldn’t there be a threshold post which you start displaying ratings? e.g. maybe 10 reviews/ratings?

  • Ipstenu (Mika Epstein) 5:31 pm on December 20, 2012 Permalink |
    Tags: ,   

    GPL and the Repository 

    All plugins hosted in the WordPress.org repository must be compatible with GPLv2 or later. That means all code that is on our servers, from images to CSS to JS to the PHP code, has to meet that requirement. This is an extra requirement than just the standard one of derivative code, but we strongly feel that proprietary content has no need to be in our repository. If your code needs to be split licensed, or you have to included proprietary code for any reason, we can’t host you on .org, but that has no bearing on how neat and cool your code might be.

    For a list of various licenses, and their compatibility with GPLv2 please read this: http://www.gnu.org/licenses/license-list.html – We know not all of you are lawyers, and thankfully that list makes it easy to check what licenses do and don’t mesh. If something doesn’t have a license, ask the author please, and don’t assume.

    The following code bases are popular (which is to say we see submissions with them pretty regularly), but at the time of this post, are not licensed GPL-compatible. None of this means you can’t or shouldn’t use this code on your sites or plugins, just that we can’t host it here if you do.

    If there are plugins you find using these (or any non-GPL-Compatible) code bases in their plugin, please email plugins AT wordpress.org and we’ll get in touch with the developer. If you’re the author of one of those code bases, please consider re-releasing your code under a GPLv2 Compatible license! We’d love to be able to host your work here.

    • Mike Schinkel 5:44 pm on December 20, 2012 Permalink | Log in to Reply

      Great points @ipstenu.

      It would be helpful if you could explicitly clarify something though. In some cases the required functionality is really only available via commercially licensed software; I’m working on just such a plugin right now. I assume that it’s acceptable to publish a GPLv2+ licensed plugin that requires the commercially licensed software as a library but that puts the onus on the user to acquire a copy of said commercially licensed software? Thanks in advance.


      • Ipstenu (Mika Epstein) 6:17 pm on December 20, 2012 Permalink | Log in to Reply

        Mike – That’s a real sticky situation, and we try to judge each one individually. If the entire purpose of the plugin requires you to download non GPL software, we probably won’t approve it. But if some additional functionality requires it (like Viper’s Video Quicktags says you have to download FLV if you want to use that), it’s okay.

        • Mike Schinkel 8:04 pm on December 20, 2012 Permalink | Log in to Reply

          Really? Not what I expected to hear.

          I have an Export Post Content to MS Word plugin I’m working on for a client and it requires PHPDOCX and I have been thinking it would be nice to package it up and put in the plugin repository for those who need MS Word export.

          P.S. Of course I guess I could limit the functionality significantly and bundle their LGPLversion but that’s take recoding work and I might not get to it anytime soon.

          • Ipstenu (Mika Epstein) 8:20 pm on December 20, 2012 Permalink | Log in to Reply

            I did say probably. It’s a lot of case-by-case, but we’re trying to avoid situations where you download plugins that outright don’t work, because you have to install other stuff. (Obvious exceptions would be bridge software, that connects WP to other apps.)

            • Jane Wells 1:27 pm on December 24, 2012 Permalink

              we’re trying to avoid situations where you download plugins that outright don’t work


            • pflammer 4:58 pm on June 23, 2015 Permalink

              Hi Mika, if I wanted to make a bridge plugin on WordPress that would download and install a database management system (it has non-GPL components, would not be hosted on wordpress.org, and does not directly interact with WordPress), then from your comment on bridge software, it sounds like this would be acceptible to host the installer on wordpress.org, as long as the installer was GPL. Is that correct or at least the general rule?

            • Ipstenu (Mika Epstein) 8:15 am on June 24, 2015 Permalink

              @pflammer – No, the plugin would not be permitted because it’s downloading non GPL code. The bridge connector is fine. The part where it downloads and installs is not. That’s not a bridge, that’s an installer.

            • pflammer 1:40 pm on June 24, 2015 Permalink

              @Ipstenu, I think I see. So bridge plugin would only be software that somehow links other apps to WordPress, but the user must install the other software independent of WordPress. Is that correct? Do you know of any example bridge plugins that are acceptible on WordPress.org? That might give me a better idea of what we might do. Thanks!

            • Ipstenu (Mika Epstein) 8:07 am on June 25, 2015 Permalink

              @pflammer I mean like https://wordpress.org/plugins/bridgedd/

              You can google for more examples, but basically it’s a plugin that allows single sign on between the two and/or data to be sent back and first. Pretty much any plugin that has an API to connect to other services is a type of bridge.

          • imranpak 1:50 pm on March 6, 2013 Permalink | Log in to Reply

            Hello Mike,

            Please share that plugin with me.



    • Charleston Software Associates 5:46 pm on December 20, 2012 Permalink | Log in to Reply

      jQuery Lightbox? There are a ton of plugins I’ve used for client sites that include that script.

      Does this mean if a plugin sources the script from another source, like Google Code for example, it still is not GPL compliant? For example, the files bundled with the plugin do not contain the actual jQuery Lightbox code but simply a for example?

      I don’t think any of my plugins are doing this but good to know what the nuances are. Especially since I’m planning a WordPress driven streaming radio plugin + companion client plugin and considered some of the very items you have on this list!

      • Charleston Software Associates 5:48 pm on December 20, 2012 Permalink | Log in to Reply

        Keep forgetting my code block on comments!

        • but simply use an a href = “..otherURL/jqlightbox.js” for example
      • Ipstenu (Mika Epstein) 6:19 pm on December 20, 2012 Permalink | Log in to Reply

        Read the URL we linked to. Says pretty clearly

        “This work is licensed under a Creative Commons Attribution-Share Alike 2.5 Brazil License.”

        That’s not compatible. However remember this rule is only to be hosted on .org. We’re not talking about using for clients, just in plugins we host for you πŸ™‚ Does that make sense?

        Edit: As long as the code ins’t included in the plugin we have on .org, it’s okay. We do discourage telling people to download it from external sources (see Mike’s comment above you), but we take them case-by-case.

        • Charleston Software Associates 7:11 pm on December 20, 2012 Permalink | Log in to Reply

          @Ipsentnu – Thanks Mika, I get it. I meant that I’m using plugins found on the .org directory that contain jQuery Lightbox scripts IN the trunk svn repo hosted on the .org site. Many of those (see related comments) are carrying along scripts that specifically cite licenses that are NOT GPLv2 compatible, like the jQuery Lightbox script you reference in the original post.

          Now that those client sites are deployed I’m not so interested in that SPECIFIC issue. However my media streaming system will require pieces that are not readily available in GPLv2 format. I guess, based on your response to Mike, that I’ll have to find a way to marginalize those pieces and keep them out of the repo.

          Is it OK to say “if you want to use feature X” you will need to download “Y”? In my case I’d need a creative way to get the FLV player installed for the client listener. Thinking out loud here… Maybe hooks + filters that look for a “ride along” plugin that simply extends the feature set with “FLV fallback for non-HTML5 browsers”.

          Sorry for all the posts. I’m working on a big project and was planning on using WordPress as a key piece for the backend & front-end UI elements. Fully understanding this is kind of important before development starts in earnest next month.

          • Lance
          • Ipstenu (Mika Epstein) 7:41 pm on December 20, 2012 Permalink | Log in to Reply

            The answer is ‘maybe.’

            If the entire use of your plugin hinges on non GPL code, then probably not. If it’s just an extra feature, then probably yes.

            And like I said, if you see plugins in the .org repo that are using those specific versions of the code (check the links, lots of people use the same names), then please email us πŸ™‚

      • Charleston Software Associates 6:53 pm on December 20, 2012 Permalink | Log in to Reply

        Lets try some examples just so I am really clear on this. I’d hate to put a lot of time into a plugin and have it not listed here after months of work because of a license conflict.

        This plugin (a fairly popular one) has a modified port of jQuery Lightbox:

        The modified port is itself questionable because it does not retain the original license but instead says “BSD license for details refer to license.txt” (license.txt is missing, BTW which is ANOTHER subtle but important point about software licenses, I’ll leave that discussion for later). The Gnu link provided makes it sound like Original BSD is NOT compatible with GPL only “Modified BSD” or “3-Clause BSD” is compatible.

        This can/will get confusing in a hurry. Maybe WordPress should host a list of known licenses that will not be accepted and post it somewhere near the plugin authors/submission page. The Gnu list is a great start but could be made easier to follow for non-legalish people like myself.

        • Lance
        • Samuel Wood (Otto) 7:11 pm on December 20, 2012 Permalink | Log in to Reply

          There is more than one project named “jQuery Lightbox”, because “Lightbox” itself was quite popular and spawned more than one imitator. Some of these imitators are compatible, some are not. The one you linked to is compatible. The one Mika linked to is not.

          Regarding “BSD”: nobody uses the “original BSD” license, pretty much ever. When somebody says “BSD-licensed”, it’s an almost 100% certain bet that they are referring to the modified BSD license. I have *never* seen a use of the original BSD license, ever.

          WordPress has no plans to make any sort of list of which licenses are acceptable or not, because we don’t have to. That list on gnu.org is fairly extensive and covers the vast majority of licenses out there. Any others we can evaluate on a case by case basis.

      • Charleston Software Associates 7:00 pm on December 20, 2012 Permalink | Log in to Reply

        Here is another one… as noted, this gets confusing in a hurry…


        This plugin clearly cites AGPL version 3.

        AGPL v3 *is* GPL compatible, but here is the catch, it is specifically NOT GPLv2 compatible, thus the entire plugin is considering “not GPLv2” compatible.

        Am I understanding this correctly?

        • Ipstenu (Mika Epstein) 7:45 pm on December 20, 2012 Permalink | Log in to Reply

          Do me a huge favor. Take a deep breath πŸ™‚ You sound like you’re panicking here, and there’s no need to. We’re not making cancer fighting tools here, just code. All this can be fixed and sorted out, if we all stay calm and take our time.

          AGPL is messy. We’ll have to look into that one closely. I don’t have an answer for you right now.

          And note: GPLv2 or later. GPLv3 is okay.

          Edit: Actually he can just upgrade to the MIT version of the code – https://github.com/balupton/jquery-lightbox – I’ll email him.

          • Charleston Software Associates 8:36 pm on December 20, 2012 Permalink | Log in to Reply

            Thanks Mika. Not panicked, just trying to get clarification with some examples for reference.

            Another company I worked with had plugin listings pulled from .org for non-compliance. Related premium add-on sales went from $250/day to $0 instantaneously. Before I put months of effort into my new project I want to make sure I do all I can to maintain a good relationship with .org.

            It is 100% clear now. There may be some gray area that will be evaluated on a case-by-case basis. In over-simplified terms, don’t use the directory as a “free advert” for non-GPLv2 stuff.

    • toscho 2:47 am on December 21, 2012 Permalink | Log in to Reply

      Please close the last link. πŸ™‚

    • Fabien 11:44 am on December 21, 2012 Permalink | Log in to Reply

      Many thanks to you for what you are doing for the free software community ! Long live the GPL !

    • takien 4:02 pm on February 8, 2013 Permalink | Log in to Reply

      Hello, I’m writing ClipArt plugin (submitted to .org and currently being reviewed).

      What plugin does:

      • Search clipart images from openclipart.org, (Images is licensed as Creative Common).
      • Save image into user’s WordPress, and insert into post if they wish.

      Will this cause a problem? While images are not hosted here (wordpress.org).

      Thank you.

      • Ipstenu (Mika Epstein) 7:56 pm on February 8, 2013 Permalink | Log in to Reply

        The images are different.

        We care if the code and images in the plugin itself are GPL compatible. If the stuff you install to your site later via image uploads isn’t, well that’s on you πŸ™‚ That should be fine. (FYI, we’re backlogged on reviews by a couple days)

    • chassett 5:47 pm on October 3, 2013 Permalink | Log in to Reply

      I read all of the existing comments, and want to outline another case and see if it is OK. I am writing a plug-in that will “iframe” content delivered from our web servers. The parent code that hosts the iframe will reside on wordpress.org and all of its code is GPL compatible. However, the iframe it serves up from our web servers contains Highchart charting software. The code served up in the iframe is not included in our plugin and is not hosted at wordpress.org. Is this OK? BTW, thanks for this thread, obviously very important.

      • Ipstenu (Mika Epstein) 8:33 pm on October 3, 2013 Permalink | Log in to Reply

        Yes and no, but it’s less an issue of the GPL and more one of the iframe. If you consider how YouTube is embedded, it’s in a frame, btu it’s called via an api, so there’s not exactly iframe IN the code to be abused (we don’t like iframes much for that reason)

        Please email plugins@wordpress.org if you need more information about that.

        In so far as GPL goes, you SHOULD be okay πŸ™‚

    • paoltaia 2:15 pm on April 17, 2014 Permalink | Log in to Reply

      Quick question, if I release a plugin on wordpress.org 100% GPL and sell extensions for this plugin on my website with a Split GPL (excluding css, js and images) are we infringing wordpress licence?
      If the answer is yes, will the main plugin be taken down from wordpress repository?

    • gioni 9:32 am on October 12, 2015 Permalink | Log in to Reply

      It would be helpful if you could explicitly clarify something about using assets from sites like Creativemarket or Photodune. Can I bundle assets, which I bought, with my plugin? They does not have GPL-like license: https://creativemarket.com/licenses/simple

      • Ipstenu (Mika Epstein) 4:09 pm on October 13, 2015 Permalink | Log in to Reply

        We can’t give you a one-answer-fits-all because there is no such thing. We can look at each case and try to help you understand if it can be used.

        Looking at the linked license, I would say the added restrictions about how you can’t sell products using their stuff makes it flat out NOT GPL.

        the item cannot be resold or redistributed on its own, or used in a product offered for sale where the item contributes to the core value of the product being sold.

        That would be putting an extra restriction on the usage, which is against the GPL, so no. Can’t use ’em.

        Now they did say this:

        Portions of some products may be covered by an open source software license such as the GPL (GNU General Public License). In these cases, any portions of the product not covered by an open source license will be covered by this license.

        Those portions you can use. But otherwise, unless it explicitly says it’s GPL, you cannot use their stuff in your plugins here.

compose new post
next post/next comment
previous post/previous comment
show/hide comments
go to top
go to login
show/hide help
shift + esc
Skip to toolbar