I know the 4.7 ‘please test’ email went out a bit late (WordCamp US, blame Wapuu), but we did send it and just like last time, we’ve taken action the replies.
- If you reply and ask for a plugin to be closed, we close it.
- If your email auto-replies, we warn you once. If you were warned previously, we close your plugin(s).
- If your email bounces we close your plugin or, if there are multiple developers involved, remove your account and notify them.
These actions are taken for security. If we have no way of getting in touch with you, or if your email is invalid, it puts your users at risk. Not to mention getting 2500 auto-replies is pretty frustrating.
Remember, it is a requirement that we be able to contact you. We don’t mind if the email is a group mail, but it should never auto-reply to anything from WordPress.org. Just whitelist us (and yes, you can do that with ZenDesk read this ticket for details) and make sure nothing from .org gets a bounce reply. This will also make our servers faster, which I know you’d like.
If you can’t do that, you’ll need to change your email to something else. Do to that, go to
https://wordpress.org/support/users/YOURID/edit/ as the user in question and edit the email. Done.
On a happier note, less than 100 people had to be contacted this time around! It only took me 2 hours to sort it out, versus last time which was much higher. The majority of the issues came from new plugin developers, which is understandable, but a few of the long-standing devs had a rude awakening this morning, I’m sure.
Thank you everyone for understanding.
First of all I suck for not getting everyone’s names. I’m lucky I remember mine…
This marks my first year as the rep of the Plugin Directory Team and we’ve made some phenomenal headway. We’ve re-written the detailed plugin guidelines to be more understandable and clear for everyone. We’ve actually written a handbook! We never had one before. And Team Apollo has been brilliant getting the new directory from a pipe dream to a beta test reality. Thank you everyone for getting us here.
At WordCamp US 2016 Contributor Day, we had over 20 people going over the brand new Handbook, which lead to the creation of the Glossary and a lot of edits! So a huge thank you to everyone who was here. I really appreciate it. We also had a few people reviewing plugins as practice for the first time. I look forward to their results. Good luck, folks!
Right now the new directory is in public beta. That means if you go check it out wordpress.org/plugins-wp/ you’ll see the brave new world for plugins, and we hope you can help us test things out. If you find bugs in search, please report them on Meta Trac #1692-meta.
The Plugin Developer Documentation has been updated to address the changes (mostly to your Plugin Assets) and the Handbook was written with this new interface in mind.
Which leads us to the eternal question… when will the directory open up to new reviewers?
I’ve said it before and I’ll say it again, the opening of the plugin team to new members will happen after the new directory is complete. This is just a technical necessity. The current system works but it has serious limitations that are just prohibitive to adding more people. That made writing a handbook for a process that doesn’t exist rather interesting. My goal is, once the directory is live, to iron out the how-to-review and then get some experienced developers in to review but not approve, to see if we can come up with a process closer to the Theme Review Team, but not fall to backlog.
This will take a lot of experimentation and patience.
Hang in there.
Just a quick note.. Due to the Thanksgiving Holidays followed up by the entire team being at WordCamp US in Philadelphia this weekend, plugin approvals and even emails to the team will be delayed. Don’t worry, we’ll deal with the backlog when we all return home to our comfort zones. 🙂
Sneaking this in just before WordCamp US, if you’ve seen the redesign of this make site, then you may have seen the link to the handbook.
This is a rough draft – it’s not perfect and it doesn’t cover all contingencies. However, yes, that is indeed our handbook. It’s built to the new directory, which we’re not fully using yet, and it has some information that may surprise you. For example, did you know we could see every IP address you’ve ever used to submit a plugin?
On Contributor Day, I’ll be asking victims– volunteers to help with it, to explain things more clearly, and to make this something that can be used to (eventually) include more reviewers.
Speaking of, before you ask for the status, here it is: Not yet.
Once the new directory is live, and once the existing reviewers have worked out the best flow, then we will bring in some existing developers to join us. But it’s not going to suddenly be a flood gate. We’re trying to avoid hitting a backlog as bad as the theme team has, and I’ve been closely watching how they handle reviews and trying to see what we can do to navigate that kind of a delay. Obviously ‘more reviewers!’ isn’t the only answer, and right now I feel that the right fix for plugins is a more streamlined system. I have a plan. I’m sure it won’t last the first day against the enemy (i.e. plugins).
See you all soon at WordCamp US!
Does the directory currently have a kind of ‘meh’ UX? Yes. Yes it does. We know it. We know search is chancy at best, and people (especially developers) get grumbly when they can’t find what they want.
Well. Here’s your chance to step up and help us fix it.
Plugin Directory User Testing – Round 1
The tl;dr here is @mapk had some tasks for he asked people to run through to try and report on. Using that information, we’ll figure out what has to be changed, what’s going to have to be lived with, and what can and cannot be improved.
But it won’t get better without YOUR help.
So if you care about the usability of the Plugin Directory, please help. Speak up and try the tests yourself. Figure out what’s broken and speak up on it. We need to know.
We soft-launched them on the 20th, just to make sure we didn’t mess anything up. Those last few spelling and grammar edits are killer. However yes, the guidelines, reviewed and revised by the community are now the official Plugin Developer Guidelines.
While I can hope they’re easily understood by all, I know that’s a fond wish. I’m leaving the repository on Github open for the time being, in order to allow people who spot late breaking issues to report them. If you do spot problems, please open an issue on the GitHub Repo or email
firstname.lastname@example.org and let us know.
In addition to just rewriting the guidelines, we took the time to codify the expectations of developers and cost of not abiding by the guidelines, as well as a reminder that we do remove plugins for security issues. We are doing our best to be transparent of what we expect from you and, in return, what you can expect from us.
Finally, THANK YOU. Everyone who helped write this, edit it, and who was patient understanding I was chasing down people to get their sign-off on what might be construed as massive changes, I greatly appreciate the time you spent on this project. It’s a massive undertaking to re-write guidelines in the public eye, in a way that won’t pull the rug out from anyone. Our goal was to clarify, not totally change, but also to address the needs of an ever changing technology.
Our goal, as always, remains to provide a safe place for all WordPress users – from the non-technical to the developer – to download plugins that are consistent with the goals of the WordPress project.
Please take the time to read the Detailed Plugin Guidelines.
If you’ve ever received an email offering to partner with you or to join an affiliate network or to help you earn money for your plugin, it’s probably a scam.
In the last three months, we’ve seen a serious uptick in emails like “please join our affiliate network” or “I can help you earn money” or “increase your plugin’s SEO” sent to plugin developers. On review, every last one that looked iffy has turned out to be by a nefarious or malicious group of people, who want to either install backdoors into plugins or black hat SEO links.
These deals should sound too good to be true, and they are. They can irreparably harm you, your reputation, and your standing on WordPress.org. Our reaction, when we see it, is to remove the plugin and revoke all SVN access from the developers involved. We don’t always restore access, especially if we feel you may fall for such a scam again or your online behavior is inherently insecure.
I know some of you are reading this thinking “Who falls for stupid stuff like that!” and the reality is anyone. All it takes is one mistake, one moment where you’re not thinking all the way through, and you’ve shot yourself in the foot.
There are some simple tips you can take to protect yourself.
- Never let anyone else use your SVN account. If you work with a team, everyone should use their own account. This will help you track changes too.
- Look up the people. Check that they seem legit. Are they using
wordpress in their domain name (which you know is not permitted)? Do they already have any plugins? Are they active in the community?
- What other kinds of plugins do they own? If the plugins are all over the place, ask yourself: Why would they want MY plugin? Companies that make a grab for a lot of different plugins are often trying to find ones with a high user count in order to spam.
- Preview the code. Never add anything you’re not 100% sure is safe. If the code that gets added has links that look like
http://api.wp' . '-example.com/api/upd' . 'ate or
'ht'.'tp://wpcdn.example.com/api/update/ then it’s not trustworthy (those aren’t the real URLs).
- Does the email look like a form letter? WordPress is such a small community that people generally reach out like human beings. If someone’s spam-blasting a form, it’s sketchy.
- Check spelling and grammar. If it’s `Wordpress` with a lower case P, or `JetPack` with an uppercase one, it might just be an innocent mistake, but it might not. Businesses should care about these things. After all, you do.
Above all, if you see something, say something. If you get an email like that, forward it on to
email@example.com with as much information as possible. We would love to see some code samples, for example, as we can add it to our scan routines.
When emailing zips, please make sure your email client and email service provider allow this.
Increasingly, we have seen people testifying that they emailed us a file with a zip, but we never receive it. In doing some research, we’ve found that mail providers are now silent-killing large emails! While the settings can be overwritten, please keep this in mind when you email people your zips.
If you have the ability to check your mail logs, you may be rudely surprised. I know I was.
I know, it got quiet. There were things.
Plugin directory chat on 2016-10-05
They’ll be picking back up next month though! Come with your thinking hats on. Can’t make it? Leave comments on the above post 😁