Use of Code Generators Must Remain GPL Compatible

tl;dr – If you use a tool to generate code (be that a website that generates settings pages, or something complex like an AI to build the whole pluginPlugin A plugin is a piece of software containing a group of functions that can be added to a WordPress website. They can extend functionality or add new features to your WordPress websites. WordPress plugins are written in the PHP programming language and integrate seamlessly with WordPress. These can be free in the WordPress.org Plugin Directory https://wordpress.org/plugins/ or can be cost-based plugin from a third-party), remember that YOU are responsible for licensing.

All code hosted on WordPress.orgWordPress.org The community site where WordPress code is created and shared by the users. This is where you can download the source code for WordPress core, plugins and themes as well as the central location for community conversations and organization. https://wordpress.org/ has to be GPLGPL GPL is an acronym for GNU Public License. It is the standard license WordPress uses for Open Source licensing https://wordpress.org/about/license/. The GPL is a ‘copyleft’ license https://www.gnu.org/licenses/copyleft.en.html. This means that derivative work can only be distributed under the same license terms. This is in distinction to permissive free software licenses, of which the BSD license and the MIT License are widely used examples. Compatible. This is not in doubt. More and more people are using tools to build code for them, based on bare-bones input. With the advent of ChatGPT, this has become more popular.

To be clear here: There is no guideline AGAINST using generated code.

You’re welcome to use whatever tool you want to build plugins. That said, you are 100% responsible for that code if you chose to host it here. This is not a change to any guideline, merely a reminder that if you claim it’s your code, you are responsible for it.

But the important bit here is that if means if ChatGPT, for example, built your plugin, you have to verify that all the code used is GPL compatible. Just like you are expected to validate licenses on libraries and code-snippets, everything in your plugin has to be GPL compatible. Should we determine that your code is a copy of someone else’s or includes code from non-GPL plugins, your submission will be rejected and any live plugins will be closed.

Sadly this has already become a small issue, as people asked an AI to build a ‘scroll to top’ plugin and it literally copied code from another, existing, plugin hosted on WordPress.org. Actually five times. And they were all rejected since it was pretty obvious.

Now before someone asks, yes it’s fine to fork code. You have to credit them, however, and that’s something those AIs have been pretty bad at doing. Also remember that the AI can tell you how to submit a plugin and be wrong. And by wrong I mean totally, 100%, that was really some bad advice someone got wrong. Make sure you double check. Robots won’t take our jobs yet.

If you submit code, it’s your responsibility. Nothing’s changed.

#guidelines, #reminder

Reminder about Final Notices

tl;dr? If you get a final notice from the pluginPlugin A plugin is a piece of software containing a group of functions that can be added to a WordPress website. They can extend functionality or add new features to your WordPress websites. WordPress plugins are written in the PHP programming language and integrate seamlessly with WordPress. These can be free in the WordPress.org Plugin Directory https://wordpress.org/plugins/ or can be cost-based plugin from a third-party team, please take it seriously. That really is you reaching your final chance with us.

There has been some confusion about what a ‘final notice’ means with regards to plugins or what it means to be banned.

The Plugin Team does not capriciously ban anyone. Actually we hate banning people. It’s a lot of work, it’s frustrating, it comes with anger no matter how we do it, and people always get hurt, especially users. That’s why we’ve established a warning system and do our best to ensure all developers are aware of infractions and allowed to course-correct.

What is a final warning?

A final warning, like it sounds, is an email with a rather stern content telling you that you’re on your very last chance.

The plugin directory emails out final warnings to developers/companies/groups who have either demonstrated a repeatable, constant, habit of violating guidelines, or who have committed an incredibly egregious violation. Those emails contain a reminder (usually in the form of a list of all existing problems) and a notice that if the plugins team has to contact them for any reason other than security related, the developer/company will be banned and all plugins closed.

If you keep making the same mistakes, and you keep violating forum, plugin, theme, WordCampWordCamp WordCamps are casual, locally-organized conferences covering everything related to WordPress. They're one of the places where the WordPress community comes together to teach one another what they’ve learned throughout the year and share the joy. Learn more., or any other official guideline of WordPress.orgWordPress.org The community site where WordPress code is created and shared by the users. This is where you can download the source code for WordPress core, plugins and themes as well as the central location for community conversations and organization. https://wordpress.org/, we will cease to host your plugins here anymore. You would have repeatedly proven that you aren’t able (or willing) to follow the guidelines, and we feel it’s unfair to put the burden of monitoring you on the volunteers, as well as subject your users to that kind of behavior.

What happens after a final warning?

In general, people are quite responsive to those emails. They recognize the issue, modify their behavior, and it doesn’t come up ever again.

The warnings are a wake-up call as to the risks involved, as well as our expectations, and while they can scare people, it’s somewhat of a needed scare. By the time someone gets to that point, we have usually sent multiple warnings about various issues (be they fake reviews, asking for admin access, spamming users, or sharing developer accounts) prior to the final-notice, in the hopes that people will change their behavior before we have to get to the final notice.

Sadly, there are always people who don’t take those emails seriously, or think that if enough time has passed, the finality has faded and it’s okay to make the same mistakes and we will forget about it and forgive everything.

Why do people get banned after a final warning?

Given the size and scale of WordPress, it’s impractical to have to keep reminding people over and over that they actually do have to comply with the guidelines they agreed to, and it takes away time from frankly more important matters, like security.

Do people get warned first?

Most of the time, yes. The rare exception is if something is so terrible, we have to pull the plug right away. Usually that means someone snuck back in after being banned, or made a death threat.

But the majority of users get an email with the subject [WordPress.org Plugin Directory] Notice: (your plugin name) and that contains a warning of a specific behavior.

I got a warning about something. Is that a final warning?

Unless the email said “This is your final warning” then no.

We regularly warn people about issues, from trademark abuse to fake reviews. Those are just warnings. As long as they don’t repeat, we don’t have any issues. People make mistakes and it’s okay, as long as you learn from them and stop making them.

I’ve been mod-watched in the forums. Is that a warning?

No, not a plugin one. That just means the forum moderation are concerned about your actions and want to keep tabs on you. That could be anything from asking to admin access to swearing or jumping on other people’s topics all the times.

That said, if the forum team flags you like that, and you keep making the same mistakes, they may come to the plugin team for backup.

What kind of events cause a final warning?

Usually it’s not a single event, but a demonstrable pattern of violations. By that we mean the person(s) involved have broken many guidelines, over and over, for a sustained period of time.

Just for an example, let’s think about asking someone for admin access. That is prohibited in the forum guidelines for safety. Asking once is a mistake, and we know mistakes happens, so the person will get a warning from the forum mods. If they happen to ignore (or miss) the warning and do it again, their account gets put into a ‘moderated’ status, and all posts have to be approved by a moderator. That moderation flag is not a punishment. It’s there to make sure the mistakes stop, and to help protect the developer from harming themselves. After that, though, if it keeps happening, the plugin team is asked to step in and issue a warning.

But even so, our first warning is not a final notice! It’s a first warning.

From them on, if the person keeps violating the guideline, that is when that they will get that dreaded ‘final warning’ from plugins.

Why did I get a final warning without previous notifications?

That means you did something really bad, but not quite ban-worthy yet.

Sometimes it happens when someone gets a warning (like ‘don’t ask for admin access’) and replies “I cannot be held responsible for what my staff does.” That gets a final warning right away and a reminder that you absolutely will be held responsible for the people who represent you and your product. If you cannot trust your people, don’t let them represent you.

Other times, it’s a mistake so large, and so fraught with danger or concern, we feel that the only proper recourse is to jump directly to the final notice. Those are incredibly rare, and I’ll explain a little more about that later in this post.

How do I avoid a final warning?

Besides ‘never violate the guidelines,’ the easiest way would be to acknowledge and rectify any issue that a moderator or plugin rep brings up. If someone tells you not to ask for admin access? Stop asking for admin access. If they tell you not to call users vulgar names? Stop calling people names.

Basically listen to the warnings, take them all seriously, learn from them, and change your behavior as needed.

We know that everyone makes mistakes, and we will forgive a lot. But at the same time, that kind of forgiveness requires you to make changes. If you apologize and just do it again, we’re not going to be able to trust you, and that’s how you end up with a final warning.

I keep getting warnings because of my support staff, what do I do?

If that happens, it means you’ve somehow failed to impart on your support staff the reality that they have to follow the guidelines too. They are your responsibility, and if you cannot ensure they follow the guidelines, we simply won’t allow them to use the forums at all anymore, and you will be told why.

As for how to fix it? You need to address the issue on your end. Why are you staff not aware they have to follow the guidelines? Why are they not listening to the warnings issued? Why are they continuing to have this kind of problem?

Make sure everyone who represents you (in the forums, on social media, wherever) knows that their actions reflect on your whole company, and they have to follow the guidelines too. After all, if your intern violates Twitter’s guidelines using the company account, it’s your company account that gets suspended.

Other people are making the same mistake I am! Why aren’t they getting banned/warned?

They probably are, actually.

We respect everyone’s privacy and we don’t blast anyone on socials, so all conversations are in confidence as much as can be. After all, if you make mistakes and change your ways, you wouldn’t want the whole world knowing how much you messed up, right? It would be terrible embarrassing! Instead, we treat you like an adult, take you to the side, and talk to you privately.

Most people actually listen to the first warnings. If a forum mod tells them to please stop doing a thing, they apologize and stop. The plugins team never gets involved, and honestly that’s the best way.

I made similar mistakes. Why did I never get warned?

Luck? Or maybe we saw you made it once, and never again.

Mistakes happen. Most mistakes, as long as they aren’t repeated, are recoverable. Don’t panic if you made one mistake. As long as you keep learning, adjust as needed, and don’t do it again, you’re going to be fine.

Why did I get a second final notice?

Most of the time, that means we changed the guidelines since the first one, and felt it would be inhumane to not warn you about them. We will do this even if your violations are unrelated to the changes to the guidelines.

The other time would be if we think you really did change enough since the last notice, but you’re running down another wrong path. Basically? We think you are capable of change based on your historical behavior, and we want to give you another chance.

Why did I get banned without a final warning?

Normally we warn but yes, in some specific cases, we won’t. They include, but are not limited to:

  • physical altercatoions at official WordPress events
  • banned users attempting to circumvent their ban
  • intentional security violations (ex. making a backdoor in your plugin on purpose)
  • cyberstalking/harassing anyone from wordpress.org
  • doxxing anyone
  • all plugins/themes are non-credited forks or wholesale copies
  • outright vulgarity/hostility/threats towards any member of the community

In those cases, we will always email and tell you exactly why you were banned.

The people who get those insta-bans are often ones who got a plugin review and replied with vulgarities or suggestions of sexual activities involving a cactus. Not a joke. It was in response to being told to not include their own jQuery, to boot. We do get that people have bad days, and we try to help them get back from it, but that kind of abuse is untenable. If you’re willing to talk to us like that, we shudder to think how you’d behave to users!

What can I do after I got banned after a final warning?

Honestly? Not a whole lot. It’s incredibly hard to make anyone trust you after you reached that point.

If you got the final warning and kept violating guidelines, then you just squandered your last chance. The whole reason you got that warning, and not an instant ban, was that we were trying really hard to get you to correct your behavior. When you don’t listen to those warnings, we believe you are who you act like, and we ban you.

Now of course there are always exceptions. They are incredibly rare, and come with a lot of provisions and caveats. If you really think you should be given a second final-chance, reply to the email and explain why. Just be aware that the odds are against you, since you have already demonstrated you cannot (or will not) follow guidelines.

Why don’t you publicly declare why someone was banned?

Historically because we don’t want to keep hurting them.

Angry people lash out see, and while we’re ‘fine’ with taking it on the chin when people lash at us because we don’t explain the details about a ban (except in very rare cases), if we made things public that mob would go after the banned dev.

See, if everyone knew that a person or even a company was banned after we argued with them every few months for three years about not asking people for admin access on the forums, or not tracking users in their plugins, they would have a very different view of the developers.

If everyone knew a company was banned for telling the plugin team they could perform sexual acts on their parents (wish I was joking), then what? Making that public in a place where they cannot refute means they have no ability to make amends. And yes, sometimes people do come back and apologize sincerely for that behavior.

We don’t disclose because of a kindness, and a desire not to destroy someone’s reputation (or livelihood). Perhaps we’re now at the point where that policy needs to change, in order to minimize the false narratives running around, but I’m really divided about that one, personally.

Someone says they were banned. Should I stop using their plugins?

I can’t answer that for you.

Personally, I would take their explanations with a grain of salt. Everyone (and this includes the Plugin Team) tends to tell a story to paint themselves in a better light. If someone is arguing they did no wrong and were banned, they’re probably leaving some information out. Then again, there are developers who tell people they messed up and got banned and deserved it.

Questions?

I know this is a lot to think about, and some of it sounds incredibly petty.

No one on the plugin team wants to close plugins, especially the well-known ones. It’s harmful to the community as well as the developers. At the same time, there is a practical limit as to how much the volunteers on WordPress.org are willing to put up with someone’s misbehavior. That’s why we have taken to formally warning people that they are on their last chance.

It’s our fervent hope that with the information in the final warning, people will correct their behavior and stop violating guidelines.

#final-notice, #reminder

Reminder: We will check your website

tl;dr: If you put a website as the official developer or pluginPlugin A plugin is a piece of software containing a group of functions that can be added to a WordPress website. They can extend functionality or add new features to your WordPress websites. WordPress plugins are written in the PHP programming language and integrate seamlessly with WordPress. These can be free in the WordPress.org Plugin Directory https://wordpress.org/plugins/ or can be cost-based plugin from a third-party URLURL A specific web address of a website or web page on the Internet, such as a website’s URL www.wordpress.org and it does not exist (or is under construction), your review will be pended.

We know that sounds really weird, but yes, we’re saying if you tell us that your domain is XYZ and that domain doesn’t exist, or isn’t public, your review is going to be paused until you finish the site.

The primary reason for that is because those URLs will be seen by all your users, and if a user sees a great looking plugin with an incomplete website, they will not trust you. That’s actually something that scammers do on the regular, and you’ve made yourself look like that.

So to protect you from an undeserved bad-rep, we check your domains.

The secondary reason is, if you’re a service, we really do need that live so we can review the website and ensure it and the plugin are compatible with our guidelines.

Can I just remove the URL from the code?

Most of the time, yes.

However if you’re a service and the service runs through that website, then not only will you be required to make the site public, but you will also need to include a terms of use and/or privacy page on your site.

I made a typo! What do I do?

Reply to the email with “Ooops, I typoed, the real URL is …” We’ll ask you to update the code and your account, so your users don’t get confused, and all will be well.

What if the site isn’t mine, it’s the service owner’s?

Then you used the wrong account to submit the plugin. Remember ALL official plugins have to be owned by the official company. If you were hired to make a plugin for BoogieDownBlues (a fake company) and the domain is boogiedownblues.com then the account that submits the plugin has to use that domain for their email.

That protects you and them from any legal action later on.

My site is nearly done, can I have a pass?

No. Again, we’re trying to protect you from being seen as an untrustworthy developer. Also we want to make sure your site isn’t violating rules.

What if I need to have the plugin before I can have the site?

This generally happens with service plugins, and if that’s the case, we will tell you no. The site has to exist so we can validate the service.

Do I need an about page and all that?

You do not, but we do recommend it. People prefer to know there are real humans behind things.

Can I make a simple, placeholder?

Maybe. It depends on what you put on the placeholder page and (again) if you’re a service. If the placeholder says ‘Coming soon!’ then no.

What about Lorem Ipsum pages?

If your domain is filled with placeholder, we consider it to be incomplete and will point out the problem. Same goes for clearly fake addresses and those about pages that all have the same face.

Why does it matter if my personal site exists?

Because you told us (and by extension all your users) “this is who I am!” If your personal site is ‘coming soon’ or has a placeholder, no one can make a judgement on you save to say you’re a dev who can’t make a website. And yes, that is patently unfair, we know, but that’s what people will think. Heck, they complain to us every time we miss it. We would rather you not start in a bad place.

Why was I told not to use trademarks in my URL?

Because using a trademark in the domain name violates trademark law.

Using a company’s trademark in a URL as a domain name in whole (or in part like wordpress-example.com) may constitute a violation of the company’s trademark rights.  See Brookfield Communications, Inc. v. West Coast Entertainment Corp., 174 F.3d 1036 (9th Cir. 1999). 

What you can do instead is have example.com/trademark/ — that is generally allowed.

Keep in mind, some organizations (like WordPress) will allow the ‘short’ versions so wpexample.com would be fine. Others (like WooCommerce) have more restrictions, and actually prohibit wooexample.com

Always check the trademark guidelines first!

#reminder

What’s The Deal with Invalid Reviews?

tl;dr: Don’t make reviews for your own pluginPlugin A plugin is a piece of software containing a group of functions that can be added to a WordPress website. They can extend functionality or add new features to your WordPress websites. WordPress plugins are written in the PHP programming language and integrate seamlessly with WordPress. These can be free in the WordPress.org Plugin Directory https://wordpress.org/plugins/ or can be cost-based plugin from a third-party(s) using other people’s accounts. We will remove them and warn you first, and if it keeps happening, your plugin will be closed.

There have been a lot of reviews being removed for being invalid in ways beyond a ‘normal’ sockpuppetSockpuppet A false online identity, typically created by a person or group in order to promote their own opinions or views. Generally used to promote or down-vote plugins en masse..

We know this is messy and scary because any time we say ‘Do bad things, and your plugin(s) will be closed!’ is a terrifying prospect. We really do know that. We really don’t want to do it, which is why we warn people instead of just closing everyone who makes mistakes. Our goal is, and has always been, to make a place where users can download functional, safe, plugins that solve the problems faced by users.

At the same time, we know that developers want people to use their plugins, and one of the ways that happens is by being popular. And yes, one of the ways to become ‘popular’ is to get a lot of good reviews. Which is how we get here. Sometimes people leave reviews for their own plugins. Actually, a lot of the time.

We’re not talking about an individual developer using their developer account to leave a review on their own plugin. While that’s weird and pretty pointless in the long run, it’s not currently prohibited and we leave those alone unless you’ve been flagged for fake reviews in general. Instead we recommend you not review your own plugins since it doesn’t help you out. People generally assume you like your own plugin, so your users won’t learn anything from the review, and since you left it yourself, you won’t learn anything either, making it a net-loss.

The kinds of reviews we’re talking about is when someone (or a group of someones) makes multiple accounts with which to leave reviews about plugins. And this is a global issue. Fake reviews are a huge problem not just on WordPress.orgWordPress.org The community site where WordPress code is created and shared by the users. This is where you can download the source code for WordPress core, plugins and themes as well as the central location for community conversations and organization. https://wordpress.org/. Amazon in particular is filled with fake reviews, and they’re getting harder and harder to spot. It’s an ongoing battle to spot them before they get ‘too bad.’ We aren’t perfect, and that’s why the first time we see someone leaving fake reviews, we warn them. What happens after that is usually pretty telling.

One big thing to keep in mind, reviews are for two purposes:

  1. Your users can see how other people feel about your plugins (and how you handle bad reviews)
  2. You can see how people really feel about you and your work

Both of those things, when they’re positive, can help your plugin become more popular. And of course, if they’re negative, it can hurt you. Which is why people work so hard to earn and merit positive reviews.

What is a fake/invalid review?

A fake review is a review made by someone who is not your actual user.

Sounds simple, right? If you write a review for someone else about your own product and hide who you are, that’s fake. The most common reason this happens is that an intern or a marketer gets the bright idea to share customer stories on the WordPress.org review system. The problem? They’re posting for the customer, which is making a fake review.

Another common way to make fake reviews is to use sockpuppets.

What’s a sockpuppet?

A sock puppet or sockpuppet is an online identity used for purposes of deception. The term references the manipulation of a simple hand puppet made from a sock, and was originally referred to a false identity assumed by someone to hide who they are and talk up themselves.

For example, if you make a second account and post a question about your plugin and then reply as your normal account? You’ve made a sockpuppet.

Sockpuppet accounts are very commonly used to leave positive reviews on plugins.

What’s an invalid review?

An invalid review is one that was made under duress or other promotional encouragement, or one that was made on behalf of a real person.

For example, if you offer a discount for your products if a user leaves a review, then you’ve actually just bribed them for a review, which makes it an invalid review. When people are compensated for a review, they generally leave better ones than they might if you just asked. Related to this, if you tell someone you won’t refund their money unless they leave a positive review, you’ve blackmailed them, and that too is invalid.

As another example, if someone leaves a great review for you via email or on your website, and you help them make a user account on WordPress.org (or make it for them) just to leave that review, you have invalidate their review. We have no way to be sure you didn’t alter the review, and your involvement could have altered the review content simply by being there.

Another kind of invalid review would be one made by someone with a personal, or professional, relationship to you. In other words, if you ask your parents or co-workers or people who share a co-working-location to leave a review, you’ve inadvertently asked them to make invalid reviews. This is a little touchy, since sometimes they are your users. The issue here is that people who know you are more include to leave favorable reviews, but also they can tell you to your face (virtual or otherwise) how they feel. You don’t actually need their review, and they can be more honest by talking to you via your existing connections.

A counter to this is sometimes your friends do legitimately use your plugin and see the note “Please review!” in wp-admin and leave you a review. Those are totally fine and rarely raise red flags.

How do you know the review isn’t real?

More or less the same way people know when a term paper is plagiarized.

There are significant tells in most reviews that give away the actual author. We also take into account things like the age of the user (that is, how long ago did they create their account), what their other actions were, where they logged in from, what their digital footprint is, what their email is, etc etc. Then we compare that to all the other reviews made for that plugin and for other plugins and themes around the same time.

Or, as we tell people, we have a complex set of heuristics, as well as researchers who are experts with tracking down users.

Why can’t you provide details?

Two reasons which sum up as privacy and security.

First, the more we let on about exactly how we do this, the more people will learn about how to get around them. It’s like spam. The more spammers know about how they’re caught, the more they work to get around those limits.

Second, and this is more important, some of that information is private. Telling people exactly who did the bad thing, how we know, and sharing IPs and emails, is a privacy violation. It would run afoul of GDPR related laws, which by the way is also the case in some states in the US (like California).

I reported a review/account as fake, why did someone tell me it wasn’t?

Because it wasn’t.

The majority of reviews reported as ‘fake’ come from developers reporting a brand new user whose only post in the forums is a negative review on their product.

This does not mean the account is fake. It doesn’t even mean the review is invalid. It means someone was angry enough to make an account and leave a review. That’s a pretty painful thing to get, I know, but just because someone doesn’t like your work doesn’t mean they or their comment is invalid.

We use our tools to check on the account and will remove anything that we can prove is fake, but a lot of the time it’s really just angry users.

I heard you track VPN usage, is that true?

No, we don’t track VPN usage, but we do take it’s use into consideration.

There’s nothing wrong with using a VPN. I’m writing this post on one. What’s wrong is people using VPNs to get around things like bans or to hide their accounts. That’s why flagging the use of a VPN (and which specific VPN it is) is a part of our process, but it’s not the ultimate be-all and end-all of things.

Keep in mind, there are certain VPNs utilized heavily by malicious actors. Some specifically exist to be used to generate fake reviews. If your company is using a VPN, make sure it’s a legit one (not one of those free, fly by night, ones).

What happens if my plugin is flagged for fake reviews?

First of all, you’ll get a warning. In general this is how everyone finds out about being flagged. We will make a note in your plugin as well as on the accounts used.

In that warning email, you will be told why you got flagged, that we saw the reviews and they’ve been removed, and that all suspect accounts have been suspended. We have read-receipts on our emails, so we know if/when someone read it. That means the situation persists, and no one read the email, we will close your plugins to force you to pay attention. If it keeps happening after that, you will find your plugins and account closed.

The email also explains that all we want is for the fake reviews to stop. Mistakes happen, please don’t do it again.

Why did some of my reviews vanish and I wasn’t warned?

That means either you noticed before you got the email or (more common) we figured out someone else was trying to frame you. We usually don’t tell you so as not to scare you. Removing invalid reviews is a regular occurrence for every single review-platform, and if we told you every time we removed a spam or fake review, you’d get real tired of it real fast.

Some valid reviews were removed, how do I get them back?

In most cases, you won’t.

We know that the reviews appear valid to you, but we can see things you cannot. Just for an example, a real user of yours wouldn’t use a VPN from Russia and a disposable email address to leave that glowing review which is identical to another review also left from Canada and a different VPN at the same time. Also some users think it’s a great idea to make fake accounts to promote you. We have no idea why they think that, but we will remove those and the user will be banned, so all their reviews become invalid.

There’s also a common trend where companies make reviews for people. They get a good testimonial and make a review using that. Sounds smart, but it’s still spamming.

What do I do if I get warned for fake reviews and I know I didn’t do it?

As horrible as this sounds… Are you sure? Double check. Do you work with anyone else? Do you share a co-working place with others? Do you and your company all use the same VPN? Did you ask a bunch of people at an in-person event to leave a review? Did your spouse tell you how cool your plugin was and leave a review? All those things can set up warning flags because they mimic suspicious actions.

If any of those sound familiar, fess up. Just tell us “Hey, I’m sorry, I asked my coworkers/spouse/family to leave reviews. I didn’t realize how that looks.”

If you’re still certain you didn’t do it, just tell us. “I don’t work with anyone else, and I know I didn’t do this.” We’ll check again. It’s possible that someone’s trying to attack you, and while we make every effort to be as certain as we can be that it’s not that, we’re not perfect any more than you.

We are very well aware how painful and scary the email is, and we’ve worked on the language to try and make sure it’s less so.

I got warned for fake reviews and it was my fault. Now what?

Apologize and don’t do it again. Seriously, that’s it. Mistakes happen, and it’s okay if you make one. Just don’t repeat it. We absolutely, totally, forgive honest mistakes.

We do remind you to make sure everyone who works with you on the plugin knows this. You are responsible for the actions your employees/coworkers/etc take on your behalf. If they spam, you are on the hook for their actions. Usually we see repeat infractions come from that.

I got emailed that one of my support reps was banned for fake reviews. Can I help them resolve this?

In most cases, yes. However you will be asked to formally take responsibility for all of that person’s actions on WordPress.org for as long as they represent your company. That means everything they do is your responsibility and if they violate any guidelines, you will be on the hook for that infraction.

In some cases, the person is permanently banned and that generally means it’s related to previous guideline issues. If that is the case, we will explain that, under no circumstances, are you to help this person regain access. We recognize that sometimes employees or staff go rogue, and we are attempting to insulate your from their behavior.

How can I be sure I won’t be accidentally flagged for fake reviews?

Glad you asked! Besides the obvious (don’t hire people to boost your review rating), you should be aware of the following:

  • Don’t ask people you work with (either the same company or share a coworking space) to leave reviews
  • Don’t ask people to leave a review in your physical presence
  • Don’t ask your family/friends to leave reviews
  • Don’t offer people a ‘reward’ for reviews (that’s bribery)
  • Don’t make accounts for people to leave reviews
  • Don’t require a review for anything (i.e. ‘You get a free X if you leave a review!’)
  • Use only reputable VPN services (if it’s free, don’t use them)
  • Make sure every person you work with, who uses the WP.org forums, has their OWN account

How do I get more valid reviews?

You can (and should) ask your users! Put a notice on your plugin settings page. Make a dismissable alert that asks people to review. Post on Twitter or your website. But really? It’s down to asking your users in a kind, and non spammy, way. Those people will leave the reviews you need.

Why I shouldn’t ask people I know to leave reviews?

I understand why people get confused about this one. Asking people for reviews is fine, but then to say asking people you know isn’t? Yeah that sounds weird. But the crux is to think about what a review is for in the first place.

A review is someone’s experience with your plugin. For good or ill, it’s them using the plugin and sharing their story.

If you’re asking people to leave reviews to learn about what they do and don’t like about your plugin, then there’s no point to asking folks you know since you can just … ask them. In turn, they can just tell you to your face how they feel. Also they’re generally more inclined to leave good reviews, though I will admit we’ve seen someone leave a 1-star review for their spouse.

Interestingly, that review was invalid, as the review was a personal attack on the developer.

Questions? Concerns?

Have a shout.

#guidelines, #reminder, #reviews

Please don’t ‘test’ submitting other people’s plugins.

tl;dr: Never test vulnerabilities on someone else’s live site without their permission.

By now, a lot of you have read the post about the so-called “WordPress Plugin Confusion” whereby a pluginPlugin A plugin is a piece of software containing a group of functions that can be added to a WordPress website. They can extend functionality or add new features to your WordPress websites. WordPress plugins are written in the PHP programming language and integrate seamlessly with WordPress. These can be free in the WordPress.org Plugin Directory https://wordpress.org/plugins/ or can be cost-based plugin from a third-party hosted on WordPress.orgWordPress.org The community site where WordPress code is created and shared by the users. This is where you can download the source code for WordPress core, plugins and themes as well as the central location for community conversations and organization. https://wordpress.org/ can ‘override’ a plugin not hosted here, by using the same name/permalink. Someone even made a CVE for it.

Please stop ‘testing’ this vulnerability with us.

This is not a new issue by any means. Heck, this has been something people report on now and then for years. In the past, the plugin team coordinated a release of a plugin to intentionally do that and protect users from a significantly dangerous plugin. We’ve locked out permalinks to prevent abuse and so on.

Sadly, the post conflated a couple of issues, which have to do with social engineering and a misunderstanding of why we have those permalink-checks for trademarks. Also it’s entirely incorrect with this one claim:

and the whole approval process is automated

This could not be further from the truth. All new plugins submitted go through human review. When you submit a plugin, somebody reads your plugin code, your submitted slug and name, checks on the history of the plugin, checks that the developer isn’t a returned banned user, etc. The process is by no means “automated” and while it has some automated pre-flight checks, they’re really there to weed out things that would end with a pended review, to make the process faster for everyone. While we have some tools we run, they don’t actually approve or reject anything, they’re just fancy code-sniffers, customized to look for specific patterns or known bad behavior, outside of the overall quality like PHPCSPHP Code Sniffer PHP Code Sniffer, a popular tool for analyzing code quality. The WordPress Coding Standards rely on PHPCS. (you are using that, right?). Submitting things to test out what you think is an “automated” system is wasting the time of our volunteers and reviewers.

See, that trademark ‘blockBlock Block is the abstract term used to describe units of markup that, composed together, form the content or layout of a webpage using the WordPress editor. The idea combines concepts of what in the past may have achieved with shortcodes, custom HTML, and embed discovery into a single consistent API and user experience.’ isn’t actually there to protect trademarks for the owners. We have them to make our life easier and to protect you, the developers, from making some pretty common mistakes. Just for an example, we block ‘akismet’ not because we were asked to by Automattic, but because over 50 people a year tried to submit a copy of Akismet instead of uploading it to their own site.

As the post (properly) notes, you can’t submit a plugin with a permalink that’s already in use, be it on WordPress.org or if it has a notable user-base outside of WordPress.org. Even if a name gets by those checks, the review team can see if the permalink is being used and by (roughly) how many people. That’s a large part of why we have humans checking these things. A human can look at an email and a plugin and check for proper ownership.

By the way, as a number of people have complained about, this is why we require official plugins to be owned by demonstrably official accounts (like with an email address that uses the right domain, and so on). It’s not just to prevent trademark abuse, it’s to ensure that kind of thing is less likely to happen.

Now. Do you need to test this? No. All you’re doing is making things more stressful and more likely to be missed, which doesn’t solve a problem. Do you need to add your trademark to the blocked list? Again, no. Unless it’s being actively abused, or there’s a high-risk situation that it might be, it’s just adding more work for a low (to negligible) risk in the first place.

How DO you protect your own, non-org hosted plugins, from this?

Use the UPDATE URI flag.

We check for it on .org, and won’t allow you in with it (since… why?) but for plugins we don’t host, well that’s literally why it exists 🙂 Use it. Love it. But please, remember the first step in ethical hacking is never trying out a vulnerability on someone else’s site without their permission.

#reminder, #security, #trademarks

Reminder: Check Your Accounts’ Emails (and your Committers)

Hi Devs!

We’re getting nearer to WordPress 5.9, and that means the email will be headed out soon.

This is the perfect time to double check the email on your accounts, especially if it’s a group email/mailing list. Make sure external emails (like … us) can contact you without bounces or autoreplies.

You also should check everyone who has commit access to your pluginPlugin A plugin is a piece of software containing a group of functions that can be added to a WordPress website. They can extend functionality or add new features to your WordPress websites. WordPress plugins are written in the PHP programming language and integrate seamlessly with WordPress. These can be free in the WordPress.org Plugin Directory https://wordpress.org/plugins/ or can be cost-based plugin from a third-party! Did someone leave? It’s okay to remove their access, and in fact is great to do so for security 🙂

And as a regular reminder: Never share accounts! Every individual human should have their own individual account. That lets you (and us) keep tabs on who did what.

#reminder

The WordPress 5.7 Email Has been Sent

The field guide is out and the email has been sent.

If you find your pluginPlugin A plugin is a piece of software containing a group of functions that can be added to a WordPress website. They can extend functionality or add new features to your WordPress websites. WordPress plugins are written in the PHP programming language and integrate seamlessly with WordPress. These can be free in the WordPress.org Plugin Directory https://wordpress.org/plugins/ or can be cost-based plugin from a third-party has been closed, it would be for one of the following reasons:

  • Email bounces
  • Auto replies continue after a warning
  • Email reply says the email address is no longer checked/in use
  • We have received the exact same out of office for 3 releases in a row

If your plugin is still open? Please re-read the field guide. It has some pretty cool stuff 🙂

WordPress 5.7 Field Guide

#email #field-guide #reminder

Reminder: Forked Premium Plugins Are Not Permitted

tl;dr: We do not permit copies or forks of premium (pay for) plugins to be hosted on WordPress.orgWordPress.org The community site where WordPress code is created and shared by the users. This is where you can download the source code for WordPress core, plugins and themes as well as the central location for community conversations and organization. https://wordpress.org/.

Caveat: While this topic always brings up people arguing that the GPLGPL GPL is an acronym for GNU Public License. It is the standard license WordPress uses for Open Source licensing https://wordpress.org/about/license/. The GPL is a ‘copyleft’ license https://www.gnu.org/licenses/copyleft.en.html. This means that derivative work can only be distributed under the same license terms. This is in distinction to permissive free software licenses, of which the BSD license and the MIT License are widely used examples. means they can (and yes, you can copy GPL plugins and do whatever you want with them), we wish to remind developers that just because the GPL allows something doesn’t mean we will host it here. Our guidelines are considered above and beyond the GPL. After all, the GPL doesn’t say you can’t punch someone, but if you get into a fistfight at a WordCampWordCamp WordCamps are casual, locally-organized conferences covering everything related to WordPress. They're one of the places where the WordPress community comes together to teach one another what they’ve learned throughout the year and share the joy. Learn more., we’re not going to host your plugins.

Taking someone’s pay-for code and re-releasing it as free-of-charge is considered (by us — the PluginPlugin A plugin is a piece of software containing a group of functions that can be added to a WordPress website. They can extend functionality or add new features to your WordPress websites. WordPress plugins are written in the PHP programming language and integrate seamlessly with WordPress. These can be free in the WordPress.org Plugin Directory https://wordpress.org/plugins/ or can be cost-based plugin from a third-party Review Team) to be a form of piracy and is not welcome here. It doesn’t matter if the code is GPL, it matters that When you do that, when you copy and re-release someone’s code without any changes, you’re stealing the opportunity of the original developers to make a living, and we feel that is detrimental to the community. In addition, it’s often in violation of the terms you agreed to when you downloaded the plugin from the developer in the first place.

By you doing that, and rehosting here, you put the entire directory in peril. Arguably we become responsible for your actions. As such, we do not permit plugins that are sold off WordPress.org to be re-hosted here.

The only exception to this (besides it being your own plugin) is if you have made a significant fork, properly credited in the readme and inline code, and everything was 100% GPL compatible, including the terms from where you bought the plugin. If you pirated a plugin, or if you violated the license purchasing terms (which may say things like you cannot resell it), then we cannot host the code.

Edit: It’s important to note that adding non-GPL compliant terms to a license may in fact invalidate the license, which means we can’t host it here anyway. The above comment is not in support of people violating licenses nor are we attempting to protect and help those people in any way. We are trying to point out that even if a license says it’s GPL, if it’s sold with terms that violate the GPL, it cannot be hosted here either. tl;dr? If the license or terms are sus, we can’t host it.

If the plugin is your own plugin and you just want to re-host here, we will do our best to validate that claim, and may pend your plugin while this is researched. We appreciate your patience when that happens.

If you feel someone took your plugin and hosted a copy of it here, please email plugins@wordpress.org with a link to the plugin as it’s hosted here, a link to your original plugin, and (if the plugin is hosted outside WordPress.org) attach a zip of the plugin so that we may compare the two.

Edited to add: This post is not about the GPL. This is only about the existing WordPress.org Plugin Developer Guidelines. You should not, under any circumstances, use this post to frame your understanding or interpretation of the GPL as it is not intended as such. Again, this post is about the plugin guidelines, the ones all plugin devs already committed to following, which have long since stated that immoral or ethical practices are not permitted here.

#reminder, #theft

Reminder: Plugins Must Not Interfere with Updates

While we do look for plugins that touch the update services on submission, we do not monitor existing plugins, which is where this reminder stems from.

Unless your pluginPlugin A plugin is a piece of software containing a group of functions that can be added to a WordPress website. They can extend functionality or add new features to your WordPress websites. WordPress plugins are written in the PHP programming language and integrate seamlessly with WordPress. These can be free in the WordPress.org Plugin Directory https://wordpress.org/plugins/ or can be cost-based plugin from a third-party has the purpose of managing updates, you must not change the defaults of WordPress’ update settings.

You may offer a feature to auto-update, but it has to honor the coreCore Core is the set of software required to run WordPress. The Core Development Team builds WordPress. settings. This means if someone has set their site to “Never update any of my plugins or themes” you are not to change those for them unless they opt-in and request it.

The reason for this is that plugins should not over-reach their authority. When a plugin is made, it is self-defined by the developers as what it will do and why. There are some logical reasons to expand that of course (an anti-spam comment plugin may grow to also handle feedback forms), but for most plugins, the arbitrary management of plugin updates is outside their stated goals.

Plugins crossing over purposes, overriding settings that are unrelated to the function of their specific goal, can and will cause unexpected outcomes. It also destroys the faith users have in you to not break their sites. Sadly, this happened recently to a well used plugin, and the fallout has been pretty bad.

We do understand that many plugins want to take advantage of the new features within WordPress. But if your plugin is a custom blockBlock Block is the abstract term used to describe units of markup that, composed together, form the content or layout of a webpage using the WordPress editor. The idea combines concepts of what in the past may have achieved with shortcodes, custom HTML, and embed discovery into a single consistent API and user experience., you really don’t have a need to be changing how the uploader works, or even setting your plugin to default-auto-update.

At this time, we have no plans to spell this out in a guideline. We do currently, regularly flag plugins that go outside their dictated (self defined) boundaries, and this is not a change. Please, respect your users.

#reminder, #updates

Reminder: Compatibility with Core Matters

Over the years we’ve gone from always showing all plugins in searches to devaluing plugins that aren’t updated in a time span to devaluing them if they’re not compatible with the latest few releases of coreCore Core is the set of software required to run WordPress. The Core Development Team builds WordPress.. All of this is done to improve the user experience and to ensure they only find plugins that are actively maintained and compatible with the versions of WordPress they use.

As part of this, when a pluginPlugin A plugin is a piece of software containing a group of functions that can be added to a WordPress website. They can extend functionality or add new features to your WordPress websites. WordPress plugins are written in the PHP programming language and integrate seamlessly with WordPress. These can be free in the WordPress.org Plugin Directory https://wordpress.org/plugins/ or can be cost-based plugin from a third-party is closed we currently require the ‘tested up to’ value to be, at least, the latest stable version of WordPress core. We have updated our emails for closures and re-scans to reiterate that, but it’s for a slightly different reason than helping users.

We want to help you developers. If no one can find your plugin, because it’s not compatible with (say) WP 5.5, then no one uses your plugin. Presumably, if your code is hosted here, you want people to use it. To help you and ensure your plugins can be found and used, we are requiring you update that, should we have any reason to close your plugin.

Just like you have to bump the plugin version so people get notified of updates, you need to make sure that “tested up to” value is current 🙂

So! Please keep that up to date! It’ll help people find your plugin, give them confidence in your work, and help make you more successful! Wins all around 🙂

#guidelines #reminder