The Perils of Partnership

If you’ve ever received an email offering to partner with you or to join an affiliate network or to help you earn money for your plugin, it’s probably a scam.

In the last three months, we’ve seen a serious uptick in emails like “please join our affiliate network” or “I can help you earn money” or “increase your plugin’s SEO” sent to plugin developers. On review, every last one that looked iffy has turned out to be by a nefarious or malicious group of people, who want to either install backdoors into plugins or black hat SEO links.

These deals should sound too good to be true, and they are. They can irreparably harm you, your reputation, and your standing on WordPress.org. Our reaction, when we see it, is to remove the plugin and revoke all SVN access from the developers involved. We don’t always restore access, especially if we feel you may fall for such a scam again or your online behavior is inherently insecure.

I know some of you are reading this thinking “Who falls for stupid stuff like that!” and the reality is anyone. All it takes is one mistake, one moment where you’re not thinking all the way through, and you’ve shot yourself in the foot.

There are some simple tips you can take to protect yourself.

  • Never let anyone else use your SVN account. If you work with a team, everyone should use their own account. This will help you track changes too.
  • Look up the people. Check that they seem legit. Are they using wordpress in their domain name (which you know is not permitted)? Do they already have any plugins? Are they active in the community?
  • What other kinds of plugins do they own? If the plugins are all over the place, ask yourself: Why would they want MY plugin? Companies that make a grab for a lot of different plugins are often trying to find ones with a high user count in order to spam.
  • Preview the code. Never add anything you’re not 100% sure is safe. If the code that gets added has links that look like `http://api.wp' . '-example.com/api/upd' . 'ate` or `'ht'.'tp://wpcdn.example.com/api/update/` then it’s not trustworthy (those aren’t the real URLs).
  • Does the email look like a form letter? WordPress is such a small community that people generally reach out like human beings. If someone’s spam-blasting a form, it’s sketchy.
  • Check spelling and grammar. If it’s `Wordpress` with a lower case P, or `JetPack` with an uppercase one, it might just be an innocent mistake, but it might not. Businesses should care about these things. After all, you do.
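To go with the “Preview the code” tip above, here is an added example (not part of the original post and not the plugin team’s own scan routine) that flags URLs whose scheme or hostname only appears once adjacent PHP string literals are concatenated. The function name, the regexes and the sample PHP are constructed for illustration; it is a heuristic that assumes simple quoted literals with no escapes or interpolation.

```python
import re

# A simple single- or double-quoted PHP string literal (assumption: no escaped quotes).
_LITERAL = r"(?:'[^'\n]*'|\"[^\"\n]*\")"
# Two or more literals joined with PHP's "." concatenation operator.
_CONCAT = re.compile(rf"{_LITERAL}(?:\s*\.\s*{_LITERAL})+")
# http(s) URL; group 1 captures the hostname.
_URL = re.compile(r"https?://([A-Za-z0-9.-]+)[^\s'\"<>]*", re.I)


def find_split_urls(php_source):
    """Return [(line_no, url)] for URLs hidden by splitting them across literals.

    A URL is reported when its hostname is not visible in any single literal
    of the chain, which is the pattern described in the post.
    """
    findings = []
    for match in _CONCAT.finditer(php_source):
        pieces = [p[1:-1] for p in re.findall(_LITERAL, match.group(0))]
        joined = "".join(pieces)
        # Hostnames a reviewer could already read in one piece.
        visible_hosts = {
            u.group(1).lower() for p in pieces for u in _URL.finditer(p)
        }
        for url in _URL.finditer(joined):
            if url.group(1).lower() in visible_hosts:
                continue  # ordinary concatenation such as base URL + path
            line_no = php_source.count("\n", 0, match.start()) + 1
            findings.append((line_no, url.group(0)))
    return findings


# Constructed sample: two benign concatenations, then the two patterns from the post.
SAMPLE_PHP = r"""<?php
$docs = 'https://example.org/' . 'docs';
$greeting = 'Hello, ' . 'world';
$u = 'http://api.wp' . '-example.com/api/upd' . 'ate';
$c = 'ht'.'tp://wpcdn.example.com/api/update/';
wp_remote_get($u);
"""

if __name__ == "__main__":
    for line_no, url in find_split_urls(SAMPLE_PHP):
        print(f"line {line_no}: concatenation hides {url}")
```

A hit is a reason to read the surrounding code closely before committing it, not proof of malice on its own.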

Above all, if you see something, say something. If you get an email like that, forward it on to plugins@wordpress.org with as much information as possible. We would love to see some code samples, for example, as we can add it to our scan routines.

#reminder, #security

When emailing zips please make sure your email…

When emailing zips, please make sure your email client and email service provider allow this.

Increasingly, we have seen people testifying that they emailed us a file with a zip, but we never receive it. In doing some research, we’ve found that mail providers are now silent-killing large emails! While the settings can be overwritten, please keep this in mind when you email people your zips.

If you have the ability to check your mail logs, you may be rudely surprised. I know I was.

#email, #notice

Plugin Directory Chat on Oct 5th

I know, it got quiet. There were things.

Plugin directory chat on 2016-10-05

They’ll be picking back up next month though! Come with your thinking hats on. Can’t make it? Leave comments on the above post 😁

#plugin-directory, #reminder

Forums Status Update (Sept 12)

Subscriptions should be working again.

Feeds have _moved_ and I’m really sorry about that. Hopefully we’ll get an nginx redirect in there sooner rather than later but basically it’s this: https://wordpress.org/support/plugin/akismet/feed/

We’re using WordPress now, so any time you see a view you want to follow in RSS, slap `/feed/` on the end and it will probably work.

There’s also this URL: https://wordpress.org/support/plugin/akismet/active however, as you will notice, there is no ‘feed’ for it. Those are custom (non default WP) views and are all support threads with Closed and Resolved filtered out, then sorted by last reply. We’re working on feeds for those and the old plugin committer feeds. I want that back too. Right now, I suggest you use the per-plugin feed to get a list of your new bugs etc, and then subscribe to the post (or add it to favorites).

Sadly, ‘cost overruns’ have been the story of this migration. We had hoped to be done with everything by the 5th, but that proved a gross underestimate.

We know there are a lot of ‘smaller’ features everyone loves and have gotten used to making their lives easier that we’re now doing without. It sucks. Trust me here, the mods have ‘lost’ more tools than anyone else. This upgrade had to happen, though.

Also the reason I’m closing these posts to comments when I make them is I have no additional information to provide. Historically, if I leave them open people will post complaints and rants (which I can do nothing about save sympathize), bug reports (which we either already know about, or should have been posted elsewhere), or ‘thanks’ (which we all appreciate, but get spammy). And pinging me on Slack won’t get you any answers more than I’ve posted. This is what I know as I know it.

All I have for you now is a plea to be patient. This is a massive undertaking that for a long time was deemed impossible. But slowly, as we clean up the mess, things will get better and the pros of the move will reveal themselves. Like having Akismet actually catch spam for a change.

Please check Support Forums: Meta Trac before filing a bug report/complaint. And if you have suggestions for fixes, jump in and let us know! The bonus of being on bbPress now is that if there are plugins that can do what we need, we can actually use them!

Thanks.

#forums, #support

WP_Hook: Next Generation Actions and Filters

WordPress 4.7 will contain a significant re-architecture of how hooks work. Please read the post on make/core for the full details, and test your plugins!

WP_Hook: Next Generation Actions and Filters

#testing

Forums Status Update (Sept 7)

Happy 4.6.1 day.

  • Reviews are back.
  • Plugin authors and contributors are listed as authors and contributors
  • RSS feeds for individual plugin forums are working
  • Topic subscriptions should be working. Existing subs are still being imported.

The direct urls to your reviews will be https://wordpress.org/support/plugin/akismet/reviews/#new-post — I don’t know if that’s forever.

The amount of data being imported is causing everything to take longer than expected, in order to do this without crashing the servers. Which would be bad. That’s also why some posts are showing out of order. This is the biggest bbPress install ever, I suspect…

ETA on everything? We don’t know. It’s all taking longer than we hoped.

Akismet has also been acting a prat and spamming people so if that happens, swing by the #forums slack and ask if they can have a look for you 🙂 Please ask nicely and offer coffee.

Forum Update Status (Sept 5)

Summary: A great many things have been improved. Paramount was getting the data over (done!), syncing review stars with their new post IDs (done), and making the forums run faster (in progress).

Support Forums Upgrade Status (2016/09/05):

Please note: There was no way to actually test this properly before moving over, so while this is frustrating for everyone, the moderators have had to be quite aggressive in deleting repetitive reports of what’s broken. If you’ve found something that isn’t on the bugs and broken things list, please leave a reply there. Otherwise the answer is “As soon as we can get it done, it’ll be done.”

If you want to be super helpful, please make sure your fellow developers read the posts 🙂

#forums

Plugin Reviews Disabled (And More about the Support Forums)

Reviews will be broken until about September 5.

This is directly related to the support forum maintenance.

Per @jmdodd:

We’ll do our best to keep this window short, but for now the choice was between closing reviews for 4 days or closing all of the support forums for 24 to 48 hours.

The Meta team felt (and I personally agree) that it is far more important to have support forums than the reviews. And the support forums were unsustainable. So while this is a wrench in your plugins, it’s far far better than no forums at all for Labor Day Weekend.

Updated Sept 2 0233

From @otto42

Consider this an announcement: all plugin/theme connections to the forums are currently considered broken. We expected that. It will take a few days to restore this, and that’s considered acceptable losses, for now. We will be working to fix these issues over the next few days, and it will be corrected as we get to it. In other words, we are aware of the issues and working to fix them.

Updated Sept 2 1628

You may have noticed you can’t do some things in the forums anymore. This is known. Please read Forum Bugs and Broken Things before you complain. Here’s a list of what you’re probably trying to figure out. ALL of these are being worked on. Don’t fret. Enjoy your weekend.

  • Plugin authors can’t sticky
  • Plugin committer/author support views don’t work
  • Plugin authors can’t resolve threads
  • Pinned topics are unpinned in plugin forums
  • Plugin Authors aren’t labelled as Plugin Authors
  • Cannot subscribe to plugin forums

#forums, #reviews

Reviewing the Revamped Guidelines

Thank you everyone for being patient about this.

This summer was spent re-writing and editing and tweaking the guidelines. I ripped them down, sat and spelled out what they meant, then I rewrote them to be more clear. Then I got the plugin review team to review the changes. Then I had a group of people at WCNYC Contributor Day review them.

Finally, I moved it all to a GitHub repo and started to ask smaller groups to review it. Then we had a quick rebranding and that all brings us here.

I would like everyone in the community to read these proposed updates to the Plugin Directory Guidelines.

WordPress.org Plugin Guidelines

At the risk of sounding trite, pull requests and issues are welcome.

If you feel a guideline’s explanation is unclear, please create an issue or a pull request with what you feel should be changed and why. All grammar/spelling corrections are greatly welcome. We’re trying to write these for all levels of developers, as well as people who may not speak English proficiently. Using words like ‘obsequious’ should be avoided (nb: That’s mostly to me who uses those words regularly).

All feedback should be opened as issues in the tracker.

Let the games begin!

#directory, #guidelines

COMPLETED! Upcoming Maintenance Window for Plugins SVN

Hello plugin authors!

We will have a maintenance window for the plugins SVN repository from August 31, 20:30 UTC through September 01, 00:30 UTC (four hours total). During this time, plugin authors will not be able to commit to the SVN repository.

This post on the WordPress.org status page will be updated when the maintenance window is complete.

Edit: Maintenance has been completed, and the plugins SVN is available for commit once again.

#maintenance, #svn