What’s The Deal with Invalid Reviews?

tl;dr: Don’t make reviews for your own pluginPlugin A plugin is a piece of software containing a group of functions that can be added to a WordPress website. They can extend functionality or add new features to your WordPress websites. WordPress plugins are written in the PHP programming language and integrate seamlessly with WordPress. These can be free in the WordPress.org Plugin Directory https://wordpress.org/plugins/ or can be cost-based plugin from a third-party(s) using other people’s accounts. We will remove them and warn you first, and if it keeps happening, your plugin will be closed.

There have been a lot of reviews being removed for being invalid in ways beyond a ‘normal’ sockpuppetSockpuppet A false online identity, typically created by a person or group in order to promote their own opinions or views. Generally used to promote or down-vote plugins en masse..

We know this is messy and scary because any time we say ‘Do bad things, and your plugin(s) will be closed!’ is a terrifying prospect. We really do know that. We really don’t want to do it, which is why we warn people instead of just closing everyone who makes mistakes. Our goal is, and has always been, to make a place where users can download functional, safe, plugins that solve the problems faced by users.

At the same time, we know that developers want people to use their plugins, and one of the ways that happens is by being popular. And yes, one of the ways to become ‘popular’ is to get a lot of good reviews. Which is how we get here. Sometimes people leave reviews for their own plugins. Actually, a lot of the time.

We’re not talking about an individual developer using their developer account to leave a review on their own plugin. While that’s weird and pretty pointless in the long run, it’s not currently prohibited and we leave those alone unless you’ve been flagged for fake reviews in general. Instead we recommend you not review your own plugins since it doesn’t help you out. People generally assume you like your own plugin, so your users won’t learn anything from the review, and since you left it yourself, you won’t learn anything either, making it a net-loss.

The kinds of reviews we’re talking about is when someone (or a group of someones) makes multiple accounts with which to leave reviews about plugins. And this is a global issue. Fake reviews are a huge problem not just on WordPress.orgWordPress.org The community site where WordPress code is created and shared by the users. This is where you can download the source code for WordPress core, plugins and themes as well as the central location for community conversations and organization. https://wordpress.org/. Amazon in particular is filled with fake reviews, and they’re getting harder and harder to spot. It’s an ongoing battle to spot them before they get ‘too bad.’ We aren’t perfect, and that’s why the first time we see someone leaving fake reviews, we warn them. What happens after that is usually pretty telling.

One big thing to keep in mind, reviews are for two purposes:

  1. Your users can see how other people feel about your plugins (and how you handle bad reviews)
  2. You can see how people really feel about you and your work

Both of those things, when they’re positive, can help your plugin become more popular. And of course, if they’re negative, it can hurt you. Which is why people work so hard to earn and merit positive reviews.

What is a fake/invalid review?

A fake review is a review made by someone who is not your actual user.

Sounds simple, right? If you write a review for someone else about your own product and hide who you are, that’s fake. The most common reason this happens is that an intern or a marketer gets the bright idea to share customer stories on the WordPress.org review system. The problem? They’re posting for the customer, which is making a fake review.

Another common way to make fake reviews is to use sockpuppets.

What’s a sockpuppet?

A sock puppet or sockpuppet is an online identity used for purposes of deception. The term references the manipulation of a simple hand puppet made from a sock, and was originally referred to a false identity assumed by someone to hide who they are and talk up themselves.

For example, if you make a second account and post a question about your plugin and then reply as your normal account? You’ve made a sockpuppet.

Sockpuppet accounts are very commonly used to leave positive reviews on plugins.

What’s an invalid review?

An invalid review is one that was made under duress or other promotional encouragement, or one that was made on behalf of a real person.

For example, if you offer a discount for your products if a user leaves a review, then you’ve actually just bribed them for a review, which makes it an invalid review. When people are compensated for a review, they generally leave better ones than they might if you just asked. Related to this, if you tell someone you won’t refund their money unless they leave a positive review, you’ve blackmailed them, and that too is invalid.

As another example, if someone leaves a great review for you via email or on your website, and you help them make a user account on WordPress.org (or make it for them) just to leave that review, you have invalidate their review. We have no way to be sure you didn’t alter the review, and your involvement could have altered the review content simply by being there.

Another kind of invalid review would be one made by someone with a personal, or professional, relationship to you. In other words, if you ask your parents or co-workers or people who share a co-working-location to leave a review, you’ve inadvertently asked them to make invalid reviews. This is a little touchy, since sometimes they are your users. The issue here is that people who know you are more include to leave favorable reviews, but also they can tell you to your face (virtual or otherwise) how they feel. You don’t actually need their review, and they can be more honest by talking to you via your existing connections.

A counter to this is sometimes your friends do legitimately use your plugin and see the note “Please review!” in wp-admin and leave you a review. Those are totally fine and rarely raise red flags.

How do you know the review isn’t real?

More or less the same way people know when a term paper is plagiarized.

There are significant tells in most reviews that give away the actual author. We also take into account things like the age of the user (that is, how long ago did they create their account), what their other actions were, where they logged in from, what their digital footprint is, what their email is, etc etc. Then we compare that to all the other reviews made for that plugin and for other plugins and themes around the same time.

Or, as we tell people, we have a complex set of heuristics, as well as researchers who are experts with tracking down users.

Why can’t you provide details?

Two reasons which sum up as privacy and security.

First, the more we let on about exactly how we do this, the more people will learn about how to get around them. It’s like spam. The more spammers know about how they’re caught, the more they work to get around those limits.

Second, and this is more important, some of that information is private. Telling people exactly who did the bad thing, how we know, and sharing IPs and emails, is a privacy violation. It would run afoul of GDPR related laws, which by the way is also the case in some states in the US (like California).

I reported a review/account as fake, why did someone tell me it wasn’t?

Because it wasn’t.

The majority of reviews reported as ‘fake’ come from developers reporting a brand new user whose only post in the forums is a negative review on their product.

This does not mean the account is fake. It doesn’t even mean the review is invalid. It means someone was angry enough to make an account and leave a review. That’s a pretty painful thing to get, I know, but just because someone doesn’t like your work doesn’t mean they or their comment is invalid.

We use our tools to check on the account and will remove anything that we can prove is fake, but a lot of the time it’s really just angry users.

I heard you track VPN usage, is that true?

No, we don’t track VPN usage, but we do take it’s use into consideration.

There’s nothing wrong with using a VPN. I’m writing this post on one. What’s wrong is people using VPNs to get around things like bans or to hide their accounts. That’s why flagging the use of a VPN (and which specific VPN it is) is a part of our process, but it’s not the ultimate be-all and end-all of things.

Keep in mind, there are certain VPNs utilized heavily by malicious actors. Some specifically exist to be used to generate fake reviews. If your company is using a VPN, make sure it’s a legit one (not one of those free, fly by night, ones).

What happens if my plugin is flagged for fake reviews?

First of all, you’ll get a warning. In general this is how everyone finds out about being flagged. We will make a note in your plugin as well as on the accounts used.

In that warning email, you will be told why you got flagged, that we saw the reviews and they’ve been removed, and that all suspect accounts have been suspended. We have read-receipts on our emails, so we know if/when someone read it. That means the situation persists, and no one read the email, we will close your plugins to force you to pay attention. If it keeps happening after that, you will find your plugins and account closed.

The email also explains that all we want is for the fake reviews to stop. Mistakes happen, please don’t do it again.

Why did some of my reviews vanish and I wasn’t warned?

That means either you noticed before you got the email or (more common) we figured out someone else was trying to frame you. We usually don’t tell you so as not to scare you. Removing invalid reviews is a regular occurrence for every single review-platform, and if we told you every time we removed a spam or fake review, you’d get real tired of it real fast.

Some valid reviews were removed, how do I get them back?

In most cases, you won’t.

We know that the reviews appear valid to you, but we can see things you cannot. Just for an example, a real user of yours wouldn’t use a VPN from Russia and a disposable email address to leave that glowing review which is identical to another review also left from Canada and a different VPN at the same time. Also some users think it’s a great idea to make fake accounts to promote you. We have no idea why they think that, but we will remove those and the user will be banned, so all their reviews become invalid.

There’s also a common trend where companies make reviews for people. They get a good testimonial and make a review using that. Sounds smart, but it’s still spamming.

What do I do if I get warned for fake reviews and I know I didn’t do it?

As horrible as this sounds… Are you sure? Double check. Do you work with anyone else? Do you share a co-working place with others? Do you and your company all use the same VPN? Did you ask a bunch of people at an in-person event to leave a review? Did your spouse tell you how cool your plugin was and leave a review? All those things can set up warning flags because they mimic suspicious actions.

If any of those sound familiar, fess up. Just tell us “Hey, I’m sorry, I asked my coworkers/spouse/family to leave reviews. I didn’t realize how that looks.”

If you’re still certain you didn’t do it, just tell us. “I don’t work with anyone else, and I know I didn’t do this.” We’ll check again. It’s possible that someone’s trying to attack you, and while we make every effort to be as certain as we can be that it’s not that, we’re not perfect any more than you.

We are very well aware how painful and scary the email is, and we’ve worked on the language to try and make sure it’s less so.

I got warned for fake reviews and it was my fault. Now what?

Apologize and don’t do it again. Seriously, that’s it. Mistakes happen, and it’s okay if you make one. Just don’t repeat it. We absolutely, totally, forgive honest mistakes.

We do remind you to make sure everyone who works with you on the plugin knows this. You are responsible for the actions your employees/coworkers/etc take on your behalf. If they spam, you are on the hook for their actions. Usually we see repeat infractions come from that.

I got emailed that one of my support reps was banned for fake reviews. Can I help them resolve this?

In most cases, yes. However you will be asked to formally take responsibility for all of that person’s actions on WordPress.org for as long as they represent your company. That means everything they do is your responsibility and if they violate any guidelines, you will be on the hook for that infraction.

In some cases, the person is permanently banned and that generally means it’s related to previous guideline issues. If that is the case, we will explain that, under no circumstances, are you to help this person regain access. We recognize that sometimes employees or staff go rogue, and we are attempting to insulate your from their behavior.

How can I be sure I won’t be accidentally flagged for fake reviews?

Glad you asked! Besides the obvious (don’t hire people to boost your review rating), you should be aware of the following:

  • Don’t ask people you work with (either the same company or share a coworking space) to leave reviews
  • Don’t ask people to leave a review in your physical presence
  • Don’t ask your family/friends to leave reviews
  • Don’t offer people a ‘reward’ for reviews (that’s bribery)
  • Don’t make accounts for people to leave reviews
  • Don’t require a review for anything (i.e. ‘You get a free X if you leave a review!’)
  • Use only reputable VPN services (if it’s free, don’t use them)
  • Make sure every person you work with, who uses the WP.org forums, has their OWN account

How do I get more valid reviews?

You can (and should) ask your users! Put a notice on your plugin settings page. Make a dismissable alert that asks people to review. Post on Twitter or your website. But really? It’s down to asking your users in a kind, and non spammy, way. Those people will leave the reviews you need.

Why I shouldn’t ask people I know to leave reviews?

I understand why people get confused about this one. Asking people for reviews is fine, but then to say asking people you know isn’t? Yeah that sounds weird. But the crux is to think about what a review is for in the first place.

A review is someone’s experience with your plugin. For good or ill, it’s them using the plugin and sharing their story.

If you’re asking people to leave reviews to learn about what they do and don’t like about your plugin, then there’s no point to asking folks you know since you can just … ask them. In turn, they can just tell you to your face how they feel. Also they’re generally more inclined to leave good reviews, though I will admit we’ve seen someone leave a 1-star review for their spouse.

Interestingly, that review was invalid, as the review was a personal attack on the developer.

Questions? Concerns?

Have a shout.

#guidelines, #reminder, #reviews

Reminder: Trademarked Logos Cannot Be Used In Banners/Icons

tl;dr: Using someone else’s trademarked logo in your pluginPlugin A plugin is a piece of software containing a group of functions that can be added to a WordPress website. They can extend functionality or add new features to your WordPress websites. WordPress plugins are written in the PHP programming language and integrate seamlessly with WordPress. These can be free in the WordPress.org Plugin Directory https://wordpress.org/plugins/ or can be cost-based plugin from a third-party icons or banners is a trademark violation, and they have the right to have us remove your plugin at any time.

We’ve posted about this before, and it’s apparently time for a reminder. Logos for brands are generally trademarked. Those logos cannot be used in your plugins banners or icons unless you have their express permission.

Trademark infringement is the unauthorized use of someone else’s registered trademark. This means you are using their logos without permission. When we talk about misuse, it’s more clear to think about it in terms of physical products. Lets say you make electronic gizmos and they happen to work with MacOS. If you put Apple’s logo on your products, you would be infringing on their trademark. Basically you’re misrepresenting yourself in a way that implies or suggests that the trademark owner approves of your work when this is not true.

If you got an email from us (either a warning or a closure notice) about this sort of matter, please address it promptly. Check your banners and icons, and your display names, to make sure you aren’t in violation. Remove all trademarked logos from your plugin banners and icons (yes, even social media ones), and make sure it’s clear that your plugin is not an official plugin (unless it is, and then you don’t have to worry).

Some quick questions:

Why do trademark owners care?

Trademark owners who do not protect their trademark usage end up being unable to enforce it legally later on. So it’s in their best interests to monitor the use and prevent misuse. Also, customers often get confused about the origin of the plugins, and will complain to the wrong people if there’s an issue. Finally, you are essentially profiting from the goodwill that the trademark owner has generated.

Who actually complains to [company] about a 3rd party plugin!?

A lot of people, actually. A high number of people complain to companies and the companies come back to us and say we’re encouraging the behavior which causes confusion with users and a loss of trust in the trademark owners. After all, if your unofficial plugin breaks someone’s site, and they blame the trademark owner? Well that wasn’t fair at all.

Why are other people getting away with it?

They aren’t. They’re just living on borrowed time, as the saying goes.

We have getting close to 100k plugins. They are all monitored by humans (not automated for this one yet) and a human has to check if you had permission or not, if you’ve been warned or not, if your plugin merits a grace period or not, and if the trademark owner has officially demanded we close your plugin immediately. Plus a large number of people argue about this, which eats up time. We do things in batches to try and stay sane.

Also … we strongly recommend you never use that excuse. It makes you sound like ‘sour grapes’ or childish to argue that someone else didn’t get caught yet, so you should be allowed to keep breaking the rules. That just makes this process take longer for everyone.

I reported someone, but you didn’t do anything! Why not?

Unless it’s your trademark, we generally don’t do anything right away because, again, we have close to 100,000 plugins. The number of violations is high, and in order not to ‘play favorites’ we do them in the order we’ve got them. We don’t bump people higher (or lower) on the list just because someone complained or is our friend. That would be terribly unfair!

If it was your trademark, we probably did bump them to the top of the list. We do try to get the developers to fix things before we close (especially for larger plugins that would have a massive negative impact on the community), but this isn’t always possible.

Isn’t it fair-use to use social media logos for related plugins?

No. Besides the fact that ‘fair use’ doesn’t apply to trademarks, it’s a matter of how you’re using it. Social media companies usually give permission to use their logos on your website as a direct link to your presence on their ecosystem. So a bird links you to Twitter. However. That is not the same as using a logo for advertising which is what many of them consider banners and icons to be. Their argument is that WordPress.orgWordPress.org The community site where WordPress code is created and shared by the users. This is where you can download the source code for WordPress core, plugins and themes as well as the central location for community conversations and organization. https://wordpress.org/ is not your site. We’ve argued about this, but some companies have slapped us with legal threats so there we are.

What about screenshots?

Some trademark owners demand we prevent that too, some don’t. I wish we had a clearer answer here, but just to grab an example, there is a certain social media company who doesn’t want to see you use the logos in screenshots. Meanwhile, there are other credit card companies who don’t mind. Keeping track of those is incredibly hard! We recommend you not use them in screenshots.

What if I redraw my own version of the logos?

Then you’re probably going to get a legal demand from the owner to stop because you broke their usage guidelines for the logo. We should note here, when you intentionally try to get around trademark law, you are effectively confessing guilt. You know what you’re supposed to be doing and you’re actively trying to get away with something? The trademark lawyers will be able to take you down in seconds.

How can I promote my plugin’s associations without violating?

First and foremost, the directory isn’t for promoting anything, it’s for listing. If you’re doing all this to basically be a big “Click Here!” method, you’re going about it the wrong way.

Now if you’re really asking “How can I improve my usage by getting people to click on my plugin?” then you start by making a great banner that is memorable.

Stop treating a banner or an icon as a billboard. You don’t need to show off what your plugin can do, you need to be memorable and noticeable. The best banners are the ones that stick in people’s minds, and the odds are not a single person remembers “Oh you’re the one with the logos in this order…”

But no, you don’t need all the examples of the possible social media uses on your plugin banner.

What about Display Names?

In general, you can use “For [Trademark]” in your display name. There are some vendors who are particular and won’t even let you do that. We do our best to try and warn you ahead of time, but sometimes vendors change things on us without notification. Most are pretty cool about working out a plan so we don’t have to close plugins, some are not. I wish I had a better answer there.

#guidelines, #trademarks

Reminder: Compatibility with Core Matters

Over the years we’ve gone from always showing all plugins in searches to devaluing plugins that aren’t updated in a time span to devaluing them if they’re not compatible with the latest few releases of coreCore Core is the set of software required to run WordPress. The Core Development Team builds WordPress.. All of this is done to improve the user experience and to ensure they only find plugins that are actively maintained and compatible with the versions of WordPress they use.

As part of this, when a pluginPlugin A plugin is a piece of software containing a group of functions that can be added to a WordPress website. They can extend functionality or add new features to your WordPress websites. WordPress plugins are written in the PHP programming language and integrate seamlessly with WordPress. These can be free in the WordPress.org Plugin Directory https://wordpress.org/plugins/ or can be cost-based plugin from a third-party is closed we currently require the ‘tested up to’ value to be, at least, the latest stable version of WordPress core. We have updated our emails for closures and re-scans to reiterate that, but it’s for a slightly different reason than helping users.

We want to help you developers. If no one can find your plugin, because it’s not compatible with (say) WP 5.5, then no one uses your plugin. Presumably, if your code is hosted here, you want people to use it. To help you and ensure your plugins can be found and used, we are requiring you update that, should we have any reason to close your plugin.

Just like you have to bump the plugin version so people get notified of updates, you need to make sure that “tested up to” value is current 🙂

So! Please keep that up to date! It’ll help people find your plugin, give them confidence in your work, and help make you more successful! Wins all around 🙂

#guidelines #reminder

Trademark Enforcement

Many of you have received an email from us regarding pluginPlugin A plugin is a piece of software containing a group of functions that can be added to a WordPress website. They can extend functionality or add new features to your WordPress websites. WordPress plugins are written in the PHP programming language and integrate seamlessly with WordPress. These can be free in the WordPress.org Plugin Directory https://wordpress.org/plugins/ or can be cost-based plugin from a third-party closures for trademark violations. These emails were absolutely not made in error.

Due to recent demands by trademark owners, we will now be more strictly enforcing trademark abuse when it comes to plugins. While it should be sufficient to tell you “Don’t abuse someone’s trademarks.” the reality is that those things are complex and confusing.

We will have altered our system to prevent the submission of those plugins that violate trademarks. This is not something we do lightly, however we have been compelled to close a great many plugins recently. It’s more efficient to prevent potential abuse than to clean it up after the fact.

How Trademarks Apply

Trademarks apply to the following aspects of your plugin:

  • The Slug – Your plugin slug may not begin with someone else’s trademarked (or commonly recognized) term
  • The URLURL A specific web address of a website or web page on the Internet, such as a website’s URL www.wordpress.org – You may not use someone’s trademark in your domain name
  • The Display Name – You may not begin the display name with someone else’s trademarked (or commonly recognized) term and, in many cases, you may not use the name AT ALL.
  • All Images – You may not use trademarked logos/images in your banner, screenshots, logos, etc

We do our best to take care of the first one – the slug – when you submit your plugin. Plugins approved pre 2015 with trademarks in the URL are ‘grandfathered’ in and permitted to remain. All plugins approved after 2015 are required to meet this restriction. All plugins, no matter when they were approved, must comply with trademark usage in display names and images.

We also keep our eye on similar names. There’s a concept known as brand confusion, so naming your company or plugin similar to another company (like Facerange, say) you can still be legally compelled to change the name. This is why, for example, you cannot use ‘pagespeed’ in your URL for a site optimization tool, even though Google’s only trademark is on ‘page speed’ (two words). The name is similar enough that we have been required to close plugins.

Additional Restrictions

In addition to the above, many brands have an above-and-beyond requirement. You must also avoid representing the brand in a way that:

  • Makes the brand the most distinctive or prominent feature
  • Implies partnership, sponsorship or endorsement
  • Puts the brand in a negative context as part of a script or storyline

Also many have statements like this when regarding applications specifically:

  • Don’t modify, abbreviate or translate the brand name to a different language or by using non-English characters, or use any logos to replace it.
  • Don’t combine shortened versions of the brand with your own brand.
  • Don’t use our ‘wordmark’

This is where it all gets crazy weird. But an example would be the brand Facerange. With the above restrictions, naming your plugin (which is an application) “WordRange” or “FacePress” and having it be a plugin to work with Facerange would be a violation of their terms.

It all comes back to making it painfully clear that you and your work have NO relationship to their products. Some allow you to use their product name wherever you want, and some won’t permit it at all. When in doubt, the best course of action is to assume you don’t have permission and not to use it.

Quick FAQ

Can I use ‘for BRAND’ in my plugin display name?

Sometimes. It depends on the brand. We don’t have a complete list, which makes this very complex. It’s important to pay attention to the rules for brand usage and application uses. Some brands have separate rules. In general, if they’ve trademarked their wordmark then no, you cannot use it for an application. And yes, a plugin is an application.

What’s a wordmark?

That’s the name. So Facerange’s wordmark would be “FACERANGE.”

I have permission from PayBuddy to use their wordmark/logo, is that okay?

We’d rather you not use it on your PLUGIN pages. It’s impossible for us to verify, and many agreements with brand owners are rescinded. Brand your webpage all you want, but leave their official logos and word marks off your plugin.

A brand contacted me directly and asked me to change things. Is that a real demand?

More than likely they are. They’ll usually include links and directions and contact information. Use that and comply with them, because if you don’t, they’ll come to us.

What about existing violations?

We’re handling them in batches. You don’t need to report them to us.

But if you haven’t closed them, why are you closing my plugin?

Because there are thousands of plugins and we do them in small batches for sanity. Also brand owners sometimes give us a priority list, and you just happened to be higher than someone else.

Don’t they get an SEO boost?

No. Write a better readme that uses the brands properly and contextually, and you’ll be fine.

Someone’s infringing on MY brand, what do I do?

Contact them first. Ask them to stop (nicely please). Link them to your brand documentation. If they ignore you, email us the same. We’ll close the plugin until they fix it.

We recommend you BE CLEAR about what you require. Remember, most people aren’t familiar with trademark laws and their intricacies, so it’s very easy for them to get confused.

#guidelines, #trademarks

Proposal to Modify Plugin Guidelines

This post is a proposal of changes to be made to the PluginPlugin A plugin is a piece of software containing a group of functions that can be added to a WordPress website. They can extend functionality or add new features to your WordPress websites. WordPress plugins are written in the PHP programming language and integrate seamlessly with WordPress. These can be free in the WordPress.org Plugin Directory https://wordpress.org/plugins/ or can be cost-based plugin from a third-party Guidelines.

The majority of changes are intended to address significant issues faced by ESL (English as a Second Language) developers. This proposal also contains a significant rewrite to the lamented 11th Guideline (hijacking the admin dashboard).

This proposal will remain open until after WordCampWordCamp WordCamps are casual, locally-organized conferences covering everything related to WordPress. They're one of the places where the WordPress community comes together to teach one another what they’ve learned throughout the year and share the joy. Learn more. EU 2019, at which point it will be closed and either re-proposed (if there are significant changes), implemented, or scrapped.

The rest of this post will go over an overview of intent, the proposed changes (with summary), and information as to how to contribute. All community members are welcome to participate.

Continue reading

#guidelines, #proposal

Reminder about Behavior

This really shouldn’t need to be said however, based on three recent incidents, it is clear we need a reminder.

You are responsible for your own actions and choices. If you decide to do a thing, you are assuming responsibility for the outcome and, like it or not, the repercussions fall on you and you alone.

When you work with a team of people to support and maintain your pluginPlugin A plugin is a piece of software containing a group of functions that can be added to a WordPress website. They can extend functionality or add new features to your WordPress websites. WordPress plugins are written in the PHP programming language and integrate seamlessly with WordPress. These can be free in the WordPress.org Plugin Directory https://wordpress.org/plugins/ or can be cost-based plugin from a third-party, everyone is required to follow the plugin and forum guidelines. Choices made by the team will impact the group as a whole, for good or ill.

Recently a company was banned due to having never briefed their employees on the plugin guidelines. This led to a new, un-monitored employee, egregiously violating the guidelines, harassing and abusing the volunteers of the forums as well as the end-users, who were just trying to get help with the plugin.

The company had been warned about this kind of behaviour before. In fact, they had been issued a final warning. As this was a repeat of the exact behaviour they’d been warned on, their plugin was closed and the company prohibited from hosting anymore.

Sadly this isn’t the only time that’s happened in the last 4 months.

If you work with a team of people, the company/group is responsible for each other. If one person in your group/company violates the guidelines, it’s the whole group who will suffer as you’ve demonstrated an inability to manage your team. The same is true if a rogue intern or SEO marketer spams the forums. They’re doing those actions in the name of the company, which makes the company accountable for their actions.

Don’t hire random people from companies like Fourer to do your marketing. Don’t let people loose in the forums without making sure they understand the guidelines and our expectations.

Abuse, name calling, harassment, stalking, and spamming the forum moderators is not permitted behaviour by anyone. Users are banned for this, and developers will find their companies and all plugins similarly removed. We feel it’s unfair of people to put the burden of monitoring and managing their team on the volunteers of the forums and the plugin team. This is especially true of companies.

Please make sure the people who work with you understand not just the guidelines, but the stakes. Quite often we find an enthusiastic intern is the cause of sockpuppeting, or a well-meaning SEO consultant who took the wrong lessons to heart and made a readme filled with spam.

If we have to contact you multiple times about your behaviour, or that of the people you’re working with, we’re simply not going to permit you to use our services any longer.

#guidelines, #policy, #reminder

Reminder: Respecting Trademarks Includes Icons and Banners

This is a reminder that one of our guidelines is respecting trademarks and brands.

tl;dr

Using someone else’s trademarked logo in your pluginPlugin A plugin is a piece of software containing a group of functions that can be added to a WordPress website. They can extend functionality or add new features to your WordPress websites. WordPress plugins are written in the PHP programming language and integrate seamlessly with WordPress. These can be free in the WordPress.org Plugin Directory https://wordpress.org/plugins/ or can be cost-based plugin from a third-party logo or banner is a trademark violation, and they have the right to have us remove your plugin at any time.

Explanation

Normally trademark situations come up when you submit a plugin like Facerange Messenger, but you don’t happen to work for Facerange. We change your slug from facerange-messenger to messenger-for-facerange (or something to that effect) and ask you to rename the plugin to “Messenger for Facerange”. Another common instance is when we have to explain bobo-facerange-messenger.com is a violation of their trademark use, and you need to rename your domain.

As of late, companies have begun enforcing logo usage as well. Originally they were just picky about the icon or banner being only their logo, but now they’ve moved on to the use at all. What this means to you is simple: Don’t use someone else’s logo in your plugin’s icon or banner. Period.

If you don’t have the legal rights to use it, don’t. If you’re not sure if you do, assume you don’t. If you lose the legal right (like no longer being a part of PayFriend’s trusted developer program), you must immediately remove their logo from your plugin’s public facing pages.

FAQ

What happens if a company complains?

You will receive a warning via email that a complaint has been filed and you are to correct the icon and/or banner immediately.

How long do I have to comply?

0-days. Technically you’re already a violation. They don’t have to let us give you a chance to come correct, so we would appreciate it being done within 48 hours.

Do I have to push a new version of my code to do this?

Nope. Just fix the images in your assets folder.

Addendum by Otto: This includes screenshots. If you have somebody else’s logos in your plugin itself, or displayed on your service, then you might want to consider getting those removed as well.

What do I do if a company asks me to change my icon/banner?

Change it. Seriously, it’s not worth it. Make your own unique and distinct logo for your plugin. It’ll make you more memorable in the long run.

Do I have to change my display name as well?

Yes, you do. Remember: Don’t start your display name with someone else’s trademark/copyright/commonly known name. If it’s not your name, it’s not a good idea.

Isn’t this contrary to the GPLGPL GPL is an acronym for GNU Public License. It is the standard license WordPress uses for Open Source licensing https://wordpress.org/about/license/. The GPL is a ‘copyleft’ license https://www.gnu.org/licenses/copyleft.en.html. This means that derivative work can only be distributed under the same license terms. This is in distinction to permissive free software licenses, of which the BSD license and the MIT License are widely used examples. and open sourceOpen Source Open Source denotes software for which the original source code is made freely available and may be redistributed and modified. Open Source **must be** delivered via a licensing model, see GPL.?

No. Licences like GPLv2 are separate entities, and in fact the GNU supports the use of copyright in code. As for open source, it’s not above the law. Check out FOSSMarks for more information and as always, contact a lawyer with your legal questions.

Addendum by Otto: Also note that Trademark and Copyright are two entirely different things. There is no “licensing” for trademarked items. The GPL and any other license will not apply. Basically, if something is trademarked, then you need to get explicit permission to use it, in writing, or you just don’t use it.

I think it’s fair use. Will you let me keep the icon while I fight them?

Alas, no. We have to consider the directory as a whole and it’s over 60k plugins. The risk for us is too high, and we will side with the legal request.

Addendum by Otto: There is no concept of “fair use” in trademark law. Don’t use other people’s trademarks. Period.

What about existing plugins that you let violate trademarks in the slugs?

That’s because we do not have the technical ability to rename a slug without breaking it for all users. They’d be abandoned. And you can’t automatically migrate users from one plugin to another, so because of that limitation, most companies have permitted us to retain plugins that violate their trademark in the slug. Some have not, and we’ve been forced to close those plugins.

Since the logo and display name can be safely changed, it’s a different matter.

Someone else is violating too! Why didn’t you shut them down?

We email people in batches. You’re welcome to report fellow plugin devs who are violating the guideline, but the odds are we’ve already been in contact with them (or will be shortly). You’re not being singled out, we just have a lot of plugins to work through and we take breaks. Keep in mind, if it’s not YOUR trademark, we generally just warn.

Someone’s using my trademark in their icon/banner, how do I get them to stop?

Contact them first and point to this post (and the 17th guideline) and just ask them NICELY to please change it. If they blow you off or don’t respond in a reasonable time (like 2 weeks), you can email us at plugins@wordpress.org and we’ll follow up.

#guidelines #trademarks

Guideline Update: Clarifications to trialware and human readability

Two situations have arisen where we feel it would be best to clarify the guidelines a little.

Guideline 4: Human Readability

We strongly feel that one of the strengths of open sourceOpen Source Open Source denotes software for which the original source code is made freely available and may be redistributed and modified. Open Source **must be** delivered via a licensing model, see GPL. is the ability to review, observe, and adapt code. By maintaining a public directory of freely available code, we encourage and welcome future developers to engage with WordPress and push it forward.

However with the advent of larger and larger plugins using more complex libraries, people are making proper use of build tools (such as npm) to generate their distributed production code. In order to balance the need to keep pluginPlugin A plugin is a piece of software containing a group of functions that can be added to a WordPress website. They can extend functionality or add new features to your WordPress websites. WordPress plugins are written in the PHP programming language and integrate seamlessly with WordPress. These can be free in the WordPress.org Plugin Directory https://wordpress.org/plugins/ or can be cost-based plugin from a third-party sizes smaller while still encouraging open source development, we will be requiring plugins to make the source code to any compressed files available.

For example, if you’ve made a GutenbergGutenberg The Gutenberg project is the new Editor Interface for WordPress. The editor improves the process and experience of creating new content, making writing rich content much simpler. It uses ‘blocks’ to add richness rather than shortcodes, custom HTML etc. https://wordpress.org/gutenberg/ plugin and used npm and webpack to compress and minify it, you must either include the source code within the published plugin or provide access to a public maintained source that can be reviewed, studied, and yes, forked.

We strongly recommend you include directions on the use of any build tools to encourage future developers.

Guideline 5: Trialware

Historically we’ve not permitted test or trial plugins that arbitrarily limit usage, and then upsell, to be included in the directory. The primary reason we don’t permit this is that locking people down to a specific number of (say) images is foolish and a pointless endeavour. People can, and will, fork your locked plugin and unlock it, as well they should. That said, we’ve always allowed (and will continue to) plugins that offer a free limited service (think Akismet for a good example).

Related to this are ‘sandbox’ plugins, used for testing. For example, if your plugin only accessed the Instagram Sandbox APIAPI An API or Application Programming Interface is a software intermediary that allows programs to interact with each other and share data in limited, clearly defined ways., and included upsells about a pro version that allowed full access, you would be a trial plugin. Since they are easily abused as turning the directory into a marketplace, we have modified the 5th guideline to address this more clearly.

#guidelines

WP 4.9.6, Privacy, Hooks, and You

WordPress 4.9.6 has been released. This was a focused release, a little different than other minor releases, in that it adds a system for a privacy policy to WordPress. While the only change to plugins has been our requirement that you not claim (or imply) 100% compliance in anything, the changes to privacy awareness are far reaching.

The tl;dr of the whole post is “You’re going to need to consider the impact of data collection in your plugins, even if you don’t collect anything.” So yes, I know it’s long, but please read the whole thing.

NOTE: We are not lawyers. We cannot tell you if what your pluginPlugin A plugin is a piece of software containing a group of functions that can be added to a WordPress website. They can extend functionality or add new features to your WordPress websites. WordPress plugins are written in the PHP programming language and integrate seamlessly with WordPress. These can be free in the WordPress.org Plugin Directory https://wordpress.org/plugins/ or can be cost-based plugin from a third-party is doing is going to break a law. Please don’t ask us to try and figure that out for you. The purpose of this post is to make you aware of what’s going on, and give you a place to start with making your plugins better.

Does This Impact You?

Yes. This impacts everyone. Plugins are used internationally which means you actually do have to be aware of the world, Net Neutrality shenanigans aside. Your plugin could, in fact, cause someone to get in legal trouble. While that is technically their responsibility, you should be as aware as possible of the implications of your code and how it’s used.

Ask yourself this: Does your plugin…

  • … write any private data of users (registered or visitors) to the database?
  • … send any data to remote servers (i.e. act as a service or embed content)?
  • … edit the comments form in any way?

If yes, then this absolutely, without a doubt, impacts your plugins.

If no, then this may still impact you, so please keep reading, because people are going to ask you about this.

Privacy Means Disclosure

If you’re a service, like you pull a library from a remote server, then you have to tell people that you pull data remotely. This has always been a policy, so if you’re not disclosing this now, please go fix it right away.  But you also need to tell people the obvious things, like embedding content via your plugin means the site administrator is consenting to the embed terms of that service.

An example for you. Let’s say you have a plugin that embeds YouTube playlists. Your plugin should be clear “This plugin embeds YouTube Playlists.” We also recommend you include a link to YouTube’s privacy doc. It’s alright to say “By using the embed features in this plugin, you will be agreeing to YouTube’s Terms of Use.”

The same holds true now for data stored locally. If your plugin stores browser data of visitors, then yes, you need to document and disclose this. You can’t force site admins to publicize this in turn, but by making sure they know, you’re helping them determine what their own reasonable disclosure should be.

Some Code To Help

WordPress has gone the extra step to make it easier to make a privacy page and hook into it, both for users and developers. The moving parts you need to be aware of are the tool for users to request an export of all the stored data associated with them on the site. There’s also a tool for users to request erasure of that same data. Both tools include admin workflows to fulfill those requests. And there’s one to suggest what kind of text should be on someone’s site.

The handbooks have been updated to help you out here:

Also, while this is a little more aimed at theme developers, if your plugin happens to mess around with comments, please read the changes that affect themes, as there is going to be a new checkbox for comments.

Update Your Plugins

The tl;dr of all this is that plugins should…

  • … disclose what user/visitor information it saves in the readme;
  • … hook into the privacy page creator to inform people there too;
  • … provide a way to export said information;

We aren’t (currently) changing any policy to require all this. At the same time, I strongly recommend at the bare minimum everyone put a privacy policy in your readme. Even if you don’t save any data and you don’t send anything, make a Privacy Policy anyway and tell people that.

Why? At the very least, it may stop people from asking you “Is this plugin collecting any data?” which saves you time. But more importantly, this is to protect yourself. After all, if people come through with a 1-star review that you caused them to become non-compliant because you didn’t disclose local data collection, well, that would be a very justified review.

#core, #guidelines, #privacy

Legal Compliance Added to Guidelines

Guideline 9 (Developers and their plugins must not do anything illegal, dishonest, or morally offensive.) has been amended to include the following new prohibition:

  • implying that a pluginPlugin A plugin is a piece of software containing a group of functions that can be added to a WordPress website. They can extend functionality or add new features to your WordPress websites. WordPress plugins are written in the PHP programming language and integrate seamlessly with WordPress. These can be free in the WordPress.org Plugin Directory https://wordpress.org/plugins/ or can be cost-based plugin from a third-party can create, provide, automate, or guarantee legal compliance

While the vast majority of plugins will never run into this issue, we want to explain why this change is necessary.

Over the years, by accident or intent, some developers have claimed their plugins can provide legal compliance, sometimes automatically, across various aspects of site administration. These areas have included security (e.g. FIOS, PCI/DSS), cookies and tracking (i.e. the “EU Cookie Law”), online shopping (VAT), privacy (GDPR), accessibilityAccessibility Accessibility (commonly shortened to a11y) refers to the design of products, devices, services, or environments for people with disabilities. The concept of accessible design ensures both “direct access” (i.e. unassisted) and “indirect access” meaning compatibility with a person’s assistive technology (for example, computer screen readers). (https://en.wikipedia.org/wiki/Accessibility) (ADA), copyright, and more.

Sadly, no plugin in and of itself can provide legal compliance. While a plugin can certainly assist in automating the steps on a compliance journey, or allow you to develop a workflow to solve the situation, they cannot protect a site administrator from mistakes or lack of compliance, nor can they protect site users from incorrect or incomplete legal compliance on the part of the web site.

In short, plugins are helpful tools along the legal compliance journey, but should never be presented as a solution, nor should they give users a false sense of security.

Because of that, going forward we will be attempting to prevent these types of claims in all plugins. These issues will be handled in the same way we try to make sure that people don’t use ‘official plugin’ without actually being official.

Plugins that are are currently at odds with this change, either by accident or intent, will be notified shortly and required to change their titles, descriptions, and/or readmes.

ETA: I made the FAQ public early to hopefully help you with any questions!

#guidelines, #notice