What’s The Deal with Invalid Reviews?

tl;dr: Don’t make reviews for your own plugin(s) using other people’s accounts. We will remove them and warn you first, and if it keeps happening, your plugin will be closed.

A lot of reviews have been removed lately for being invalid in ways beyond a ‘normal’ sockpuppet.

We know this is messy and scary because any time we say ‘Do bad things, and your plugin(s) will be closed!’ is a terrifying prospect. We really do know that. We really don’t want to do it, which is why we warn people instead of just closing everyone who makes mistakes. Our goal is, and has always been, to make a place where users can download functional, safe, plugins that solve the problems faced by users.

At the same time, we know that developers want people to use their plugins, and one of the ways that happens is by being popular. And yes, one of the ways to become ‘popular’ is to get a lot of good reviews. Which is how we get here. Sometimes people leave reviews for their own plugins. Actually, a lot of the time.

We’re not talking about an individual developer using their developer account to leave a review on their own plugin. While that’s weird and pretty pointless in the long run, it’s not currently prohibited and we leave those alone unless you’ve been flagged for fake reviews in general. Instead we recommend you not review your own plugins since it doesn’t help you out. People generally assume you like your own plugin, so your users won’t learn anything from the review, and since you left it yourself, you won’t learn anything either, making it a net-loss.

The kind of review we’re talking about is when someone (or a group of someones) makes multiple accounts with which to leave reviews about plugins. And this is a global issue. Fake reviews are a huge problem not just on WordPress.org. Amazon in particular is filled with fake reviews, and they’re getting harder and harder to spot. It’s an ongoing battle to spot them before they get ‘too bad.’ We aren’t perfect, and that’s why the first time we see someone leaving fake reviews, we warn them. What happens after that is usually pretty telling.

One big thing to keep in mind, reviews are for two purposes:

  1. Your users can see how other people feel about your plugins (and how you handle bad reviews)
  2. You can see how people really feel about you and your work

Both of those things, when they’re positive, can help your plugin become more popular. And of course, if they’re negative, it can hurt you. Which is why people work so hard to earn and merit positive reviews.

What is a fake/invalid review?

A fake review is a review made by someone who is not your actual user.

Sounds simple, right? If you write a review for someone else about your own product and hide who you are, that’s fake. The most common reason this happens is that an intern or a marketer gets the bright idea to share customer stories on the WordPress.org review system. The problem? They’re posting for the customer, which is making a fake review.

Another common way to make fake reviews is to use sockpuppets.

What’s a sockpuppet?

A sock puppet or sockpuppet is an online identity used for purposes of deception. The term references the manipulation of a simple hand puppet made from a sock, and originally referred to a false identity assumed by someone to hide who they are and talk up themselves.

For example, if you make a second account and post a question about your plugin and then reply as your normal account? You’ve made a sockpuppet.

Sockpuppet accounts are very commonly used to leave positive reviews on plugins.

What’s an invalid review?

An invalid review is one that was made under duress or other promotional encouragement, or one that was made on behalf of a real person.

For example, if you offer a discount for your products if a user leaves a review, then you’ve actually just bribed them for a review, which makes it an invalid review. When people are compensated for a review, they generally leave better ones than they might if you just asked. Related to this, if you tell someone you won’t refund their money unless they leave a positive review, you’ve blackmailed them, and that too is invalid.

As another example, if someone leaves a great review for you via email or on your website, and you help them make a user account on WordPress.org (or make it for them) just to leave that review, you have invalidated their review. We have no way to be sure you didn’t alter the review, and your involvement could have altered the review content simply by being there.

Another kind of invalid review would be one made by someone with a personal, or professional, relationship to you. In other words, if you ask your parents or co-workers or people who share a co-working location to leave a review, you’ve inadvertently asked them to make invalid reviews. This is a little touchy, since sometimes they are your users. The issue here is that people who know you are more inclined to leave favorable reviews, but also they can tell you to your face (virtual or otherwise) how they feel. You don’t actually need their review, and they can be more honest by talking to you via your existing connections.

A counter to this is sometimes your friends do legitimately use your plugin and see the note “Please review!” in wp-admin and leave you a review. Those are totally fine and rarely raise red flags.

How do you know the review isn’t real?

More or less the same way people know when a term paper is plagiarized.

There are significant tells in most reviews that give away the actual author. We also take into account things like the age of the user (that is, how long ago did they create their account), what their other actions were, where they logged in from, what their digital footprint is, what their email is, etc etc. Then we compare that to all the other reviews made for that plugin and for other plugins and themes around the same time.

Or, as we tell people, we have a complex set of heuristics, as well as researchers who are experts with tracking down users.

Why can’t you provide details?

Two reasons which sum up as privacy and security.

First, the more we let on about exactly how we do this, the more people will learn about how to get around them. It’s like spam. The more spammers know about how they’re caught, the more they work to get around those limits.

Second, and this is more important, some of that information is private. Telling people exactly who did the bad thing, how we know, and sharing IPs and emails, is a privacy violation. It would run afoul of GDPR related laws, which by the way is also the case in some states in the US (like California).

I reported a review/account as fake, why did someone tell me it wasn’t?

Because it wasn’t.

The majority of reviews reported as ‘fake’ come from developers reporting a brand new user whose only post in the forums is a negative review on their product.

This does not mean the account is fake. It doesn’t even mean the review is invalid. It means someone was angry enough to make an account and leave a review. That’s a pretty painful thing to get, I know, but just because someone doesn’t like your work doesn’t mean they or their comment is invalid.

We use our tools to check on the account and will remove anything that we can prove is fake, but a lot of the time it’s really just angry users.

I heard you track VPN usage, is that true?

No, we don’t track VPN usage, but we do take its use into consideration.

There’s nothing wrong with using a VPN. I’m writing this post on one. What’s wrong is people using VPNs to get around things like bans or to hide their accounts. That’s why flagging the use of a VPN (and which specific VPN it is) is a part of our process, but it’s not the ultimate be-all and end-all of things.

Keep in mind, there are certain VPNs utilized heavily by malicious actors. Some specifically exist to be used to generate fake reviews. If your company is using a VPN, make sure it’s a legit one (not one of those free, fly by night, ones).

What happens if my plugin is flagged for fake reviews?

First of all, you’ll get a warning. In general this is how everyone finds out about being flagged. We will make a note in your plugin as well as on the accounts used.

In that warning email, you will be told why you got flagged, that we saw the reviews and they’ve been removed, and that all suspect accounts have been suspended. We have read-receipts on our emails, so we know if/when someone read it. That means if the situation persists and no one has read the email, we will close your plugins to force you to pay attention. If it keeps happening after that, you will find your plugins and account closed.

The email also explains that all we want is for the fake reviews to stop. Mistakes happen, please don’t do it again.

Why did some of my reviews vanish and I wasn’t warned?

That means either you noticed before you got the email or (more common) we figured out someone else was trying to frame you. We usually don’t tell you so as not to scare you. Removing invalid reviews is a regular occurrence for every single review-platform, and if we told you every time we removed a spam or fake review, you’d get real tired of it real fast.

Some valid reviews were removed, how do I get them back?

In most cases, you won’t.

We know that the reviews appear valid to you, but we can see things you cannot. Just for an example, a real user of yours wouldn’t use a VPN from Russia and a disposable email address to leave that glowing review which is identical to another review also left from Canada and a different VPN at the same time. Also some users think it’s a great idea to make fake accounts to promote you. We have no idea why they think that, but we will remove those and the user will be banned, so all their reviews become invalid.

There’s also a common trend where companies make reviews for people. They get a good testimonial and make a review using that. Sounds smart, but it’s still spamming.

What do I do if I get warned for fake reviews and I know I didn’t do it?

As horrible as this sounds… Are you sure? Double check. Do you work with anyone else? Do you share a co-working place with others? Do you and your company all use the same VPN? Did you ask a bunch of people at an in-person event to leave a review? Did your spouse tell you how cool your plugin was and leave a review? All those things can set up warning flags because they mimic suspicious actions.

If any of those sound familiar, fess up. Just tell us “Hey, I’m sorry, I asked my coworkers/spouse/family to leave reviews. I didn’t realize how that looks.”

If you’re still certain you didn’t do it, just tell us. “I don’t work with anyone else, and I know I didn’t do this.” We’ll check again. It’s possible that someone’s trying to attack you, and while we make every effort to be as certain as we can be that it’s not that, we’re not perfect any more than you.

We are very well aware how painful and scary the email is, and we’ve worked on the language to try and make sure it’s less so.

I got warned for fake reviews and it was my fault. Now what?

Apologize and don’t do it again. Seriously, that’s it. Mistakes happen, and it’s okay if you make one. Just don’t repeat it. We absolutely, totally, forgive honest mistakes.

We do remind you to make sure everyone who works with you on the plugin knows this. You are responsible for the actions your employees/coworkers/etc take on your behalf. If they spam, you are on the hook for their actions. Usually we see repeat infractions come from that.

I got emailed that one of my support reps was banned for fake reviews. Can I help them resolve this?

In most cases, yes. However you will be asked to formally take responsibility for all of that person’s actions on WordPress.org for as long as they represent your company. That means everything they do is your responsibility and if they violate any guidelines, you will be on the hook for that infraction.

In some cases, the person is permanently banned and that generally means it’s related to previous guideline issues. If that is the case, we will explain that, under no circumstances, are you to help this person regain access. We recognize that sometimes employees or staff go rogue, and we are attempting to insulate you from their behavior.

How can I be sure I won’t be accidentally flagged for fake reviews?

Glad you asked! Besides the obvious (don’t hire people to boost your review rating), you should be aware of the following:

  • Don’t ask people you work with (either the same company or share a coworking space) to leave reviews
  • Don’t ask people to leave a review in your physical presence
  • Don’t ask your family/friends to leave reviews
  • Don’t offer people a ‘reward’ for reviews (that’s bribery)
  • Don’t make accounts for people to leave reviews
  • Don’t require a review for anything (i.e. ‘You get a free X if you leave a review!’)
  • Use only reputable VPN services (if it’s free, don’t use them)
  • Make sure every person you work with, who uses the WP.org forums, has their OWN account

How do I get more valid reviews?

You can (and should) ask your users! Put a notice on your plugin settings page. Make a dismissable alert that asks people to review. Post on Twitter or your website. But really? It’s down to asking your users in a kind, and non spammy, way. Those people will leave the reviews you need.

Why shouldn’t I ask people I know to leave reviews?

I understand why people get confused about this one. Asking people for reviews is fine, but then to say asking people you know isn’t? Yeah that sounds weird. But the crux is to think about what a review is for in the first place.

A review is someone’s experience with your plugin. For good or ill, it’s them using the plugin and sharing their story.

If you’re asking people to leave reviews to learn about what they do and don’t like about your plugin, then there’s no point to asking folks you know since you can just … ask them. In turn, they can just tell you to your face how they feel. Also they’re generally more inclined to leave good reviews, though I will admit we’ve seen someone leave a 1-star review for their spouse.

Interestingly, that review was invalid, as the review was a personal attack on the developer.

Questions? Concerns?

Have a shout.

#guidelines, #reminder, #reviews

Rejoice to sanitize_url()

At least once a day, someone has to explain that the only esc_ function you can use to sanitize is esc_url_raw(). This stems from what was (at the time) a logical change. The function sanitize_url() was an alias for esc_url_raw() and it’s redundant to have both.

Except …

Over the years, WordPress has evolved and improved function names to the point that we can nearly say “Use sanitize_ functions to sanitize and esc_ functions to escape” which makes life a lot easier for new users. They don’t have to remember any odd-functions-out except the wp_kses* ones.

For WordPress 5.9, I made a ticket to restore sanitize_url() and I’m delighted to be able to say that it’s back! It’s un-deprecated!

What’s the difference?

Nothing, except the name.

Can I keep using esc_url_raw()?

Yes, for now. Eventually we’d like to wean people off it, but it’s a process. No worries. If you’re using it, we won’t ding you.

Why does this matter?

Because now you (and anyone else) can look at $variable = sanitize_url( $_POST['variable_url'] ); and know “Ah, yes, this is sanitized.”

Are you only posting this because you made the change?

No. I’m posting this because I promised some of the people I made that ticket for that I would 🙂 It’s delayed because I’ve been swamped.

It’s something that changes very little for most people, but will greatly help newer developers and minimize their confusion. And that? That is a fantastic thing!

My code sniffer tells me it’s wrong, what do I do?

Tell the people who run the sniffer, but keep in mind they’re probably adding in a bunch of changes, so it may take a while 🙂 Be cognizant of the work they do and respectful of the time they give you. Helps everyone.

#core, #security

Featured/Beta Plugins Now Limit Changes

If your plugin is a FEATURED or BETA plugin, which means officially recognized as such by the WordPress project, you will no longer be able to add or remove committers, nor will you be able to change ownership.

This change was made due to the high profile nature of those plugins, and the potential for abuse if a plugin is given to someone who turns out to be malicious. We hope that it will prevent issues like a featured plugin being turned into a premium-upsell plugin.

This does not relate to the size of a plugin. If a 2-user plugin is made a Featured Plugin, then it will have this limitation. That said, it also will not cause any change to proposed feature plugins or self-declared betas.

If you are an owner/committer to one of those plugins, you can add support reps as needed, but you will need to email the plugins team (`plugins@wordpress.org`) to have new committers added/removed, and to change ownership if needed.

#features #security

Inaccurate Stats Have Been Corrected

It gives me no joy whatsoever to have to post this.

A little over 100 plugins recently were impacted by a stats gathering change. This means those plugins had their active install stats seemingly adjusted downward.

We understand this was painful for a number of developers and we held off on announcing this as we were still doing a bit of triage and making sure it was blocked. We are sorry about that confusion.

What happened?

Recently, it was pointed out that the active install counts of several plugins appeared to be inflated artificially. When we looked at the raw data, we found that this was correct for roughly 100+ plugins; fake update data was being sent to us.

This is not unusual, it’s happened before, although people are usually much more blatant about it, which is why it took a long time to notice it. In any case, we adjusted our stats mechanisms to ignore these, and so those 100+ plugins will have seen a drop of around 8000 installs.

As the data was being faked before, this new count is more accurate. But it doesn’t change the old counts, and we can’t redo those counts as we don’t store that raw data for more than 2 days. 

@Otto42

Will this happen again?

Probably. This specific attack won’t, as the folks with server power on WordPress.org are outstanding. However about once every other year someone tries to do stuff like this. We usually catch on to them a little faster and block them. Now that we know about this one, we’ll add it to the list of things to monitor and block. But yes, people love munging with stats, they’ll certainly try it again.

Why didn’t you post right away?

We were asked not to while people were still working on stopping it, and then we didn’t want to while we were investigating the root cause. Basically we didn’t want to announce it until we had all the facts.

Can you tell us exactly what happened?

No, we cannot. We’ve learned that telling people exactly how we caught what they did, or even just what they did in details, leads to them doing it again in a slightly more clever way. Right now, they have no idea how we solved it, and that’s just fine.

How many users did I lose?

The Active Install count for affected plugins would be decreased by somewhere between 1 and 8 thousand. Depends on the plugin. And yes, we know that’s a galling number.

Were any of them valid users?

We can give you 100% assurance that no, they were not. The counts were inflated, so the number it shows now is much closer to the true active install count.

My plugin was impacted – am I in trouble?

No. If you were the culprit, your plugin would be already closed, your account banned, and you got a stern email from us about why you were banned for doing that, and you’re not welcome here anymore. If all of those aren’t true, we know you didn’t do it, and you have not a single thing to worry about.

Will a big drop in usage hurt my plugin popularity?

Not really, no. Please keep an eye on the big picture for a moment:

  • If you want stats to be useful then they have to be accurate, right? Well, we fixed that.
  • The majority of end users don’t look at the charts that actually show the massive drop, they just look at the full usage count. And no, they don’t remember what you had yesterday.
  • You can point people here to explain “Someone else was a right prat and messed up stats for a lot of us.”

In the long run, this will even out and no one will notice. If you’re worried about your popularity, make sure you have a good readme that explains why someone wants the plugin and how to use it. That will help you much more than numbers or charts.

Did this impact historical data?

You mean from last month? Yes. Sadly. It’s been going on a while, like for most of the year. We don’t keep old stats like that in a manner that allows us to clean this up, so that’s why it looks like you had a big drop. At best we could force edit everyone impacted and drop them by X amount going back to when we think this started, but that doesn’t really change much, it just moves the weird needle back so it looks like a month or whatever ago, you had a massive drop.

There’s also the fact that the climb was a slow creep. We know the end volume of fake usage only because we saw the drop like you did. We could guess at how much of the monthly growth was fake, but you run a higher risk of looking worse, like you were losing 100s of users a month for a year.

Finally … asking us to manually edit your stats is a pretty terrible precedent. We don’t do that. We should never do that.

Why don’t you keep old data?

Two reasons: Privacy and size. We delete tracking data for your privacy, but also because with millions of sites out there, it’s heckin’ huge! Like “What comes after Petabytes?” huge. (Answer: exabyte, now you know.)

Can you undo this?

According to what I’ve been told, no. By blocking the fake data source, the stats automatically adjusted. The only way anyone would possibly be able to revert it would be to restore the fake data. We feel that is a terrible suggestion, as that would be intentionally lying to your users.

Who did this?

We are not about to disclose that. It’s being handled, and we are not in the business of dog-shaming people, nor encouraging mob-mentality to attack them.

If I didn’t do it, why am I being punished?

You’re not. Your plugin stats changed when we blocked the cause for the inaccurate counts. No one on WordPress.org has manually adjusted numbers. Basically we said “data like this is invalid” and when the counter recounted, which happens every day, those plugins were impacted.

This isn’t fair!

It’s equitable. Everyone who had their stats incorrectly inflated was corrected when we removed the data source.

I have some suggestions and ideas about how to fix this, where can I post those?

I am so glad you asked! The best way is to join us to be part of the ongoing solutions! And the easiest way to do that would be to come on over to help the META team. See, plugin reviews is just plugin reviews. But Meta? They do the heavy lifting of making the WordPress.org experience better for everyone. And, perhaps not shockingly at all, it’s mostly PHP and JS. Yes, that’s right, WordPress.org runs on WordPress!

Meta has a meeting every other week in #meta on Slack. You can keep tabs on all meetings via https://make.wordpress.org/meetings/

Also if you have a fully formed idea, that you think is a good proposal, head over to https://meta.trac.wordpress.org/ and make a ticket. If you have detailed screenshots and example code, all the better.

#statistics

Change to How Long Active Reviews Remain Open

tl;dr Starting in October, you will have THREE (3) months to complete your review before we reject it.

This will not affect most of you who actively read this site.

For a very long time, we’ve allowed plugins 6 months to finish a plugin review. That’s more than enough time for any reasonably attentive developer to make changes (especially considering the majority are ‘please sanitize/escape’).

In January 2021, we had 596 ‘pending’ reviews, which meant there were just under 600 plugins that had been reviewed and we were waiting on a reply/completion. We’re seeing over 800 in September.

That rise is out of step with the number of plugin submissions. In fact, if you look at our posts to Make/Updates, you can see we’re pretty stable around 140 plugins submitted a week, but the “pending; replied to” value is inching up.

Since the majority of those plugins that don’t reply or finish in 3 months aren’t going to any time soon, we’re changing our policy to try and be more sustainable and less work. From now on, you have THREE months to finish a review before we reject it.

What about existing plugins/reviews through September?

There’s no change to existing submissions. Which means the “Reject all reviews pending completion” logic works like this:

  • Sept 30 – 6 months (i.e. from March ’21)
  • Oct 31 – 6 months (i.e. from April ’21)
  • Nov 30 – 6 months (i.e. from May ’21)
  • Dec 31 – 6 months (i.e. from Jun ’21)
  • Jan 31 – 6 months (i.e. from Jul ’21) and 3 months (i.e. Oct ’21)
  • Feb 28 – 6 months (i.e. from Aug ’21) and 3 months (i.e. Nov ’21)
  • March 31 – 6 months (i.e. from Sept ’21) and 3 months (i.e. Dec ’21)
  • April 30 – 3 months and older (i.e. Jan ’22 and before)

Yes, it’s a little messier for us, but it’s the most fair we can be to existing reviewers. It would not be kind to pull the rug out from under them.

What happens if I take more than 3 months?

Just keep replying to the review! We’ll work through it with you and tell you to resubmit when the review is good. That also lets us fast track you since you’ve worked so hard!

Can’t I just resubmit right away?

You could, but we’d pend your review and ask you why you never finished the previous one, which means your whole review will take longer, and we’ll make a note on your account about not following directions.

What if I can’t reply because I deleted/lost the review?

We get it. Mistakes happen. We’ve all deleted the important email! Email us at plugins@wordpress.org from the account/address that submitted the plugin and we will re-send it for you.

Why did I get rejected if I never got a review?

There are two cases where this could happen:

  1. Your plugin was rejected right away. In those cases we email you with an explanation as to why, so please wait an hour. You should get a followup.
  2. Your email ate the review email. A number of services (including Gmail) can be configured in a way that might cause you to have a review misplaced through no one’s fault.

In both cases, reply to the rejection email and ask.

Is this automated?

Not yet, no, but I’d like it to be eventually.

Yes, this means at every month end, someone goes through and selects all submissions from a time period and changes the status in bulk.

Why did you reject my plugin after you emailed and said it was approved?

Human error. Or internet greebles. Probably the first. We do our best, but sometimes a mouse didn’t click when we thought it did, or a human got distracted, and mistakes happen. Those are generally our mistakes, and we are sorry when that happens.

Please email us back and tell us. We’ll get you fast tracked and sorted.

I have another question not answered!

Have a shout in the comments.

#reviews, #timeline

Trunk vs Tags? Which is Better? (Answer: Tags)

tl;dr – We strongly recommend you use tagged folders for your releases of your plugins. Future you will thank you.

While we have always advocated for people to use a tag folder with their plugins instead of trunk, a number of developers still like using the “Stable Tag” of trunk. There are logical reasons for this. Having your stable tag be trunk feels like it’s one less thing to keep in mind when you update your plugin for a new release.

The problem with that setup is that you suddenly made it harder for everyone else to keep tabs on your plugin, to make sure they downloaded the correct version, and worst of all … you made it nearly impossible to roll back to a previous release. And with the advent of automated plugin updates, that last one is going to be damaging to you in the long run.

In fact, here’s what you’re making worse:

  • No easy way to download older versions to debug compatibility issues
  • Translators cannot work in ‘advance’ of a release, meaning as soon as you push your code, the translations are out of date until volunteers can work on it
  • You increase your risk of an accidental release
  • No way to allow people to download the ‘pre-release’ version from official WordPress.org sources
  • No ability to ‘roll back’ versions

So what’s the right way?

  1. Make sure the stable tag in your readme.txt matches the version in your main plugin file’s header (those need to match)
  2. Put everything into your trunk folder on your local checkout (use svn add and so on as needed)
  3. Run svn cp trunk tags/1.2.3 — this will copy from trunk to the tag folder
  4. Run svn ci -m "Releasing new version" — this will push both trunk and tag

That’s it. You’re done. Now you can upload and edit trunk all you want, for a dev version, and as long as the readme points to the proper stable tag, your users won’t get any updates.

Okay, but what if you want to have a trunk version for testing? Do not edit the stable tag in the trunk readme! It’s that value that tells WordPress which version is ‘stable’ and if you’re working on 1.2.3, keep stable as 1.2.2 in trunk and no one will get the new code until you’re ready.
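As an added example (not code from the original post or from WordPress.org), here is the release procedure above as a small POSIX shell helper: it refuses to tag unless the readme.txt Stable Tag matches the Version header of the main plugin file, refuses a Stable Tag of “trunk” or an already existing tag folder, and only then runs the svn cp and svn ci from the steps. It assumes a normal WordPress.org SVN checkout with trunk/ and tags/ directories and that the caller supplies the main plugin file name.

```shell
#!/bin/sh
# Added example, not the original post's code: a release helper for the
# "tag, don't use trunk" workflow. Assumes a WordPress.org SVN checkout
# with trunk/ and tags/ directories and the main plugin file name given
# by the caller; the svn commands themselves are the ones from the post.

# Print the value of the "Stable tag:" line in a readme.txt.
readme_stable_tag() {
    sed -n 's/^[Ss]table [Tt]ag:[[:space:]]*//p' "$1" \
        | head -n 1 | tr -d '\r' | sed 's/[[:space:]]*$//'
}

# Print the value of the "Version:" line in the main plugin file header
# (the " * Version: 1.2.3" line inside the header comment block).
plugin_header_version() {
    sed -n 's/^[[:space:]]*\*\{0,1\}[[:space:]]*Version:[[:space:]]*//p' "$1" \
        | head -n 1 | tr -d '\r' | sed 's/[[:space:]]*$//'
}

# Succeed only when both values are present and identical (step 1).
release_is_consistent() {
    tag=$(readme_stable_tag "$1")
    ver=$(plugin_header_version "$2")
    [ -n "$tag" ] && [ -n "$ver" ] && [ "$tag" = "$ver" ]
}

# Copy trunk to tags/<version> and commit both (steps 3 and 4), after
# refusing the cases the post warns about.
# Usage: tag_release /path/to/checkout main-plugin-file.php
tag_release() {
    checkout=$1
    readme="$checkout/trunk/readme.txt"
    mainfile="$checkout/trunk/$2"
    if ! release_is_consistent "$readme" "$mainfile"; then
        echo "readme Stable tag and plugin Version header do not match" >&2
        return 1
    fi
    version=$(readme_stable_tag "$readme")
    if [ "$version" = "trunk" ]; then
        echo "Stable tag is 'trunk'; point it at a version number first" >&2
        return 1
    fi
    if [ -e "$checkout/tags/$version" ]; then
        # A tag is a released snapshot: never overwrite it, bump the version.
        echo "tags/$version already exists; release a new version instead" >&2
        return 1
    fi
    ( cd "$checkout" \
        && svn cp trunk "tags/$version" \
        && svn ci -m "Releasing $version" )
}

# Run stand-alone as: sh release.sh /path/to/checkout my-plugin.php
if [ "$#" -eq 2 ]; then
    tag_release "$1" "$2"
fi
```

Because the version is read from trunk’s readme.txt, the caveat above is enforced as a side effect: while trunk still says 1.2.2 and the plugin header already says 1.2.3, the helper refuses to tag until the readme is updated for the actual release.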

#release, #svn, #tags

Reminder: Forked Premium Plugins Are Not Permitted

tl;dr: We do not permit copies or forks of premium (pay for) plugins to be hosted on WordPress.org.

Caveat: While this topic always brings up people arguing that the GPL means they can (and yes, you can copy GPL plugins and do whatever you want with them), we wish to remind developers that just because the GPL allows something doesn’t mean we will host it here. Our guidelines are considered above and beyond the GPL. After all, the GPL doesn’t say you can’t punch someone, but if you get into a fistfight at a WordCamp, we’re not going to host your plugins.

Taking someone’s pay-for code and re-releasing it as free-of-charge is considered (by us — the Plugin Review Team) to be a form of piracy and is not welcome here. It doesn’t matter if the code is GPL. When you copy and re-release someone’s code without any changes, you’re stealing the opportunity of the original developers to make a living, and we feel that is detrimental to the community. In addition, it’s often in violation of the terms you agreed to when you downloaded the plugin from the developer in the first place.

By you doing that, and rehosting here, you put the entire directory in peril. Arguably we become responsible for your actions. As such, we do not permit plugins that are sold off WordPress.org to be re-hosted here.

The only exception to this (besides it being your own plugin) is if you have made a significant fork, properly credited in the readme and inline code, and everything was 100% GPL compatible, including the terms from where you bought the plugin. If you pirated a plugin, or if you violated the license purchasing terms (which may say things like you cannot resell it), then we cannot host the code.

Edit: It’s important to note that adding non-GPL compliant terms to a license may in fact invalidate the license, which means we can’t host it here anyway. The above comment is not in support of people violating licenses nor are we attempting to protect and help those people in any way. We are trying to point out that even if a license says it’s GPL, if it’s sold with terms that violate the GPL, it cannot be hosted here either. tl;dr? If the license or terms are sus, we can’t host it.

If the plugin is your own plugin and you just want to re-host here, we will do our best to validate that claim, and may pend your plugin while this is researched. We appreciate your patience when that happens.

If you feel someone took your plugin and hosted a copy of it here, please email plugins@wordpress.org with a link to the plugin as it’s hosted here, a link to your original plugin, and (if the plugin is hosted outside WordPress.org) attach a zip of the plugin so that we may compare the two.

Edited to add: This post is not about the GPL. This is only about the existing WordPress.org Plugin Developer Guidelines. You should not, under any circumstances, use this post to frame your understanding or interpretation of the GPL as it is not intended as such. Again, this post is about the plugin guidelines, the ones all plugin devs already committed to following, which have long since stated that immoral or unethical practices are not permitted here.

#reminder, #theft

Why the Plugin Emails are ‘Anonymous’

In 2019, we transitioned to a new email service which has allowed us to make all emails anonymous. This decision was not initially well received by all, especially when people feel they are unfairly targeted for guideline violations, though over time it’s settled down.

I wanted to take a minute to explain the backstory about why this had to happen.

Backstory

Over the last four years, there has been a disturbing escalation in behavior with regards to plugins. Reviewers have found themselves targeted in rather terrifying ways, including:

  • emailing someone’s employers to complain
  • making credible threats against safety at an upcoming WordCamp
  • doxxing a reviewer by publishing their address
  • publicizing information about their families
  • death threats
  • sending physical packages/mail to them

All those things happened from people who were censured for not complying with the guidelines. Some of them even chose to quit, asking us to pull their plugins, and then retaliated in that manner.

Their reactions are always rather odd to look at in the community because the Plugin Team does not publicize these issues. That is to say, we generally will not explain, to the general public, the full details on why something was closed or a developer banned. We don’t do this to hide anything for our own benefit, though that appears to be a common misconception. The reason we keep those issues private is that we feel it gives developers a chance to walk back from a very bad day.

We know we’re sending out some pretty devastating emails to people. Being told “Your plugins have been closed” is a gut-punch, and it’s one we really try to avoid. When people are hurt, they have a tendency to lash out, and in doing so they can cause irreparable harm to their own standing in society. The Internet never forgets anything, and the words said in anger and frustration will haunt us to our dying day and beyond.

By keeping the conversations private, we are allowing developers to have the ability to survive their bad day. You can think of it as giving people a second chance. Of course, you can’t help everyone, and we do know to cut our losses. Not everyone will come back, and some people will burn bridges so badly that it would be detrimental to the community at large to allow it, no matter how much they apologize.

The Decision

2019 was the worst year on record for categorical abuse of the members of the team. It’s difficult to express without violating confidence (and in some situations, legal cases still pending) exactly how bad. When we say ‘Someone mailed things to a reviewer’ we literally do mean that unasked for items were sent via physical mail. And when we say that someone’s home address was leaked, it was absolutely done with intent to harm.

All this leads to the great cost we bear, willingly, as we shoulder the outrage quietly. When we had people’s real names attached to the emails, we had them targeted specifically and personally. They were clear attacks on people, many times misguided and misdirected, that prompted us to change the emails to anonymous.

Because of the attacks on people’s safety and out of a desire to protect their health and well being, we have chosen to make all emails from the Plugin Review Team anonymous.

Failures

This choice has not really gone over as well as we’d hoped.

It’s no secret that people get very passionate about their plugins. They’ve created something out of their heart and minds, and getting emails from us telling them that there are issues with their work is disheartening. It’s worse when those are clearly a form email.

When we moved to form replies years ago, in order to expedite the review process, they were generally understood to be the cost of the high volume of reviews. Having impersonal emails sent from a real human was annoying, but acceptable. Having impersonal emails sent from an anonymous account makes us feel like we’re not valued as humans.

That’s why we’ve worked hard to rewrite a lot of the emails to be more clear about what the problem is and what you need to do to resolve it. We’ve tried to make our dreaded ‘Final Warning’ email even more clear.

We Want You To Do Well

We want nothing more than the continued success of the Plugin Ecosystem, both hosted on WordPress.org and not. When we’re reviewing your code, we want the code to be safe and to be well documented so that you have every possible opportunity to be a success.

We can no longer sacrifice ourselves in doing so.

Our emails are always sent by a real human being, who is just as flawed as you are. They’re never personal attacks. While we always do our best to make sure we’re in the right before we send a warning, we are humans, like you, and we make mistakes.

We Will Continue to Be (Mostly) Anonymous

With rare exceptions, emails from plugins will remain anonymous. In some cases, the person replying may divulge who they are, but that is their personal choice to do so. No one on the team will ever be required to reveal their identity in an email.

We hope you can understand this frustrating, but needed, action.

#abuse, #explanation, #privacy

Reminder: Plugins Must Not Interfere with Updates

While we do look for plugins that touch the update services on submission, we do not monitor existing plugins, which is where this reminder stems from.

Unless your plugin has the purpose of managing updates, you must not change the defaults of WordPress’ update settings.

You may offer a feature to auto-update, but it has to honor the core settings. This means if someone has set their site to “Never update any of my plugins or themes” you are not to change those for them unless they opt-in and request it.

The reason for this is that plugins should not over-reach their authority. When a plugin is made, it is self-defined by the developers as what it will do and why. There are some logical reasons to expand that of course (an anti-spam comment plugin may grow to also handle feedback forms), but for most plugins, the arbitrary management of plugin updates is outside their stated goals.

Plugins crossing over purposes, overriding settings that are unrelated to the function of their specific goal, can and will cause unexpected outcomes. It also destroys the faith users have in you to not break their sites. Sadly, this happened recently to a well used plugin, and the fallout has been pretty bad.

We do understand that many plugins want to take advantage of the new features within WordPress. But if your plugin is a custom block, you really don’t have a need to be changing how the uploader works, or even setting your plugin to default-auto-update.

At this time, we have no plans to spell this out in a guideline. We do currently, regularly flag plugins that go outside their dictated (self defined) boundaries, and this is not a change. Please, respect your users.

#reminder, #updates

2020 Roundup

Well. It’s been a year…

Overview

Between December 31 2019 and December 28 2020, we have:

  • 8486 plugins submitted (up from 8048)
  • 1338 plugins rejected (up from 1221)
  • 3317 plugins closed (down from 6038)
  • 676 plugins pending review on average week to week (up from 623)

It’s not a huge increase in workload, and unlike last year, we have only three spikes of massive closures.

Here’s an overview in table format:

                  Requested  Rejected  Closed  Approved  Pending
Most in a week          221       111     600       132      790
Least in a week         128         2      10        41      560
Average                 169        28      65        69      676
YEAR TOTAL             8486      1338    3317      3451      595

Overall, the load was slightly up but nothing to phone home about.

The number one reason a plugin is closed is, still, bounced emails. The number two reason is security, followed by general guidelines and trademarks.

The number one reason a plugin is pended for approval is sanitization/validation related (remember you have to do both – sanitize and validate – because otherwise people will put ‘dog’ in for a value of how many hats they need).

Looking Back at 2020

We had some wins and some losses.

First, here’s what didn’t go great:

  • New Team Members — this was probably the worst year for that, seeing as real life kicked everyone around. Of the people onboarded, one remains semi-active.
  • Tools — I did not manage to convert my shell script to something mass-consumable, but I did make significant progress in improving it
  • Trademarks — Legal representatives from multiple companies have forced us to be harsher and more strict with trademark usage. There’s very little we can do here.

Now here’s what did go well!

  • Helpscout — This has been a godsend. We’ve managed to improve a lot of automation with it, speeding up everyone’s work.
  • .Org Tools
    • There are a lot more checks for trademarks in slugs and display names now, so people can’t even submit violations.
    • We added a lot of code to allow people to better manage their own plugins. For example, you can close your own plugin as well as change the primary owner.

Helpscout

As mentioned last year, we make heavy use of Saved Replies to speed up reviews and processing. Here again, in order from most used to least, are the most commonly used replies:

Reviews

These are sent out during reviews to help identify issues:

  • Review: Please sanitize, escape, and validate your POST calls
  • Review: Generic function/class/define prefix names
  • Review: Invalid Tested Up To
  • Review: Incomplete Readme
  • Review: Not using wp_enqueue commands
  • Review: Calling remote files (js, css, images, etc)
  • Review: Undocumented use of a 3rd Party or external service
  • Review: Including Libraries Already In WP Core (including jquery)
  • Review: Including out of date libraries
  • Review: Including your own CURL code
  • Review: Calling file locations poorly (also hardcoding in paths)
  • Review: Whole $_POST processing
  • Review: Including full vendor/demo/documentation folders
  • Review: Using esc_ to sanitize (not esc_url)
  • Review: Plugin uses Error Reporting in public
  • Review: Display Name infringes on trademarks (slug is fine)
  • Review: Including your own update checker
  • Review: Using file_get_contents on remote files
  • Review: Calling core loading files directly (wp-load etc)
  • Review: Poorly Chosen Plugin Name
  • Review: Including a zip file
  • Review: Using variables/defines for text-domains (this breaks glotpress)
  • Review: Allowing Direct File Access to plugin files
  • Review: Not using Nonces and/or checking permissions
  • Review: Plugin is still calling localhost
  • Review: Your admin dashboard has an iframe

Rejected

These are the most common reasons a plugin was rejected:

  • Rejected: New/renamed version of their own plugin
  • Rejected: Not Your Plugin (Tried to upload vs host)

Pended

The top three reasons a plugin is pended before we even review it:

  • Pended: Name Infringes on Trademarks (slug and name need to be changed)
  • Pended: Not Official Owner
  • Pending: Website incomplete (coming soon/demo)

Replies

These are common replies to common issues.

  • Reply: Rescan (Plugins must be checked before being reopened)
  • Reply: You can remove your own plugin
  • Reply: Plugin Slug Renamed
  • Reply: Be More Patient
  • Reply: Not a Marketplace

#year-in-review