WordCamp Asia 2024: Plugin’s team table on contributor day

With WordCamp Asia 2024 coming soon, we need to get ready for contributor day!

To ensure a smooth experience on the day, we recommend installing a local development environment on your laptop in advance. The conference venue’s Wi-Fi may not always be optimal, especially when many people are using it simultaneously. Completing this setup over a stable and fast connection is much simpler.

Here’s the checklist:

  1. Latest Local WordPress Setup: You can use tools like MAMP, XAMPP, Local by Flywheel, Docker, or WP-Now.
  2. Latest Stable Version of Node.js and npm: You can find it here: Node.js (the LTS version is the one used by Core and Gutenberg).
  3. Code Editor: Consider using VSCode or Sublime.
  4. Git: it’s optional but good to have.

We eagerly anticipate your presence at the event!

Thanks to @kafleg for your help drafting this post.

Plugin Guideline Update: Community Code of Conduct

tl;dr: All representatives of a plugin are required to comply with the Community Code of Conduct.

One of the longstanding open tickets for the Plugin Guidelines has been adding in the Community Code of Conduct.

With the announcement of the Incident Team, we have updated the guidelines to indicate that all representatives of a plugin must comply with the Community Code of Conduct.

The updates can be found in the “Developer Expectations” (where we list out the guidelines/CoCs you must comply with) and in Guideline #9 (Developers and their plugins must not do anything illegal, dishonest, or morally offensive.)

Effectively? Yes, you actually do have to follow the Community Code of Conduct if you want to be part of the community.

This shouldn’t be a surprise to anyone.

#code-of-conduct, #guidelines

Reminder: We will check your website

tl;dr: If you put a website as the official developer or plugin URL and it does not exist (or is under construction), your review will be pended.

We know that sounds really weird, but yes, we’re saying if you tell us that your domain is XYZ and that domain doesn’t exist, or isn’t public, your review is going to be paused until you finish the site.

The primary reason for that is because those URLs will be seen by all your users, and if a user sees a great looking plugin with an incomplete website, they will not trust you. That’s actually something that scammers do on the regular, and you’ve made yourself look like that.

So to protect you from an undeserved bad-rep, we check your domains.

The secondary reason is, if you’re a service, we really do need that live so we can review the website and ensure it and the plugin are compatible with our guidelines.

Can I just remove the URL from the code?

Most of the time, yes.

However if you’re a service and the service runs through that website, then not only will you be required to make the site public, but you will also need to include a terms of use and/or privacy page on your site.

I made a typo! What do I do?

Reply to the email with “Ooops, I typoed, the real URL is …” We’ll ask you to update the code and your account, so your users don’t get confused, and all will be well.

What if the site isn’t mine, it’s the service owner’s?

Then you used the wrong account to submit the plugin. Remember ALL official plugins have to be owned by the official company. If you were hired to make a plugin for BoogieDownBlues (a fake company) and the domain is boogiedownblues.com then the account that submits the plugin has to use that domain for their email.

That protects you and them from any legal action later on.

My site is nearly done, can I have a pass?

No. Again, we’re trying to protect you from being seen as an untrustworthy developer. Also we want to make sure your site isn’t violating rules.

What if I need to have the plugin before I can have the site?

This generally happens with service plugins, and if that’s the case, we will tell you no. The site has to exist so we can validate the service.

Do I need an about page and all that?

You do not, but we do recommend it. People prefer to know there are real humans behind things.

Can I make a simple placeholder?

Maybe. It depends on what you put on the placeholder page and (again) if you’re a service. If the placeholder says ‘Coming soon!’ then no.

What about Lorem Ipsum pages?

If your domain is filled with placeholder text, we consider it to be incomplete and will point out the problem. Same goes for clearly fake addresses and those about pages that all have the same face.

Why does it matter if my personal site exists?

Because you told us (and by extension all your users) “this is who I am!” If your personal site is ‘coming soon’ or has a placeholder, no one can make a judgement on you save to say you’re a dev who can’t make a website. And yes, that is patently unfair, we know, but that’s what people will think. Heck, they complain to us every time we miss it. We would rather you not start in a bad place.

Why was I told not to use trademarks in my URL?

Because using a trademark in the domain name violates trademark law.

Using a company’s trademark in a URL as a domain name in whole (or in part, like wordpress-example.com) may constitute a violation of the company’s trademark rights. See Brookfield Communications, Inc. v. West Coast Entertainment Corp., 174 F.3d 1036 (9th Cir. 1999).

What you can do instead is have example.com/trademark/ — that is generally allowed.

Keep in mind, some organizations (like WordPress) will allow the ‘short’ versions, so wpexample.com would be fine. Others (like WooCommerce) have more restrictions, and actually prohibit wooexample.com.

Always check the trademark guidelines first!

#reminder

Heroku Free Tier Being Retired

tl;dr: Heroku’s free plan is going away. Please update your services and make sure all your 3rd party libraries are up to date.

From their recent post:

Starting October 26, 2022, we will begin deleting inactive accounts and associated storage for accounts that have been inactive for over a year. Starting November 28, 2022, we plan to stop offering free product plans and plan to start shutting down free dynos and data services. We will be sending out a series of email communications to affected users.

Roughly 300 plugins use Heroku services, many for free. If you are one of those free users, please make sure you make arrangements to either pay for the plan or replace your service. As of December 2022, if people report your plugin breaks because of that shut-down, we will close your plugin until it’s corrected.

There’s always the probability you’re not going to want to (or be able to) migrate services. That’s okay too. If you want to close your plugin, you can do that yourself! I would recommend pushing a final version that warns people on day X this will stop working, if that’s your choice.

The one thing that’s really going to trip people up is those libraries though. A lot of 3rd party libraries make use of Heroku, and not all are going to update.

We’re going to do a sweep and let as many people know as we can, but we wanted this to be public since a lot of people miss emails and also if your plugin isn’t impacted but one you coordinate with is, well… you should know too 🙂

#heroku

Journal Entry: Removal of the Zamir Plugin

Around 17:30 UTC on March 23, 2022, I was notified of a plugin in the WordPress ecosystem that contributors flagged as potentially violating the plugin directory guidelines. The initial conversation can be found in Slack. Following my review as the Executive Director, the plugin was removed from the directory about an hour later. This post is to provide information about what happened and anticipated next steps.

tl;dr: The Zamir plugin used a loophole in the plugin guidelines created to protect members of the WordPress community. There are no present guidelines that bar the “support” of political leaning or cause, which is what this plugin’s description claimed it was doing. Since Z is emerging as a new symbol of hate and violence, it was considered a grey area in initial checks and on further review was removed.


Does this plugin violate WordPress guidelines?

Yes! Many community members shared how the Z symbol has come to stand as a symbol in support of Russia’s ongoing war in Ukraine. As a reminder, WordPress guidelines call upon all community members, including extenders like plugin authors, to “be kind, helpful, and respectful.” A symbol that is connected to an ongoing war and humanitarian crisis is none of those things.

What actions were taken?

With the help of WordPress contributors and community members, the plugin has since been removed from the plugin directory. While decisions to remove plugins are normally adjudicated in a slower, more collaborative investigation process—quick and decisive action was appropriate to prevent further harm to the community.

Thank you to @santanainniss for pulling together the timeline of the morning and to @ipstenu for working to resolve the issue. Additional thanks to @cbringmann @helen @angelasjin and @eidolonnight for their review. And thank you to our community of contributors for voicing their concerns.

Please don’t ‘test’ submitting other people’s plugins.

tl;dr: Never test vulnerabilities on someone else’s live site without their permission.

By now, a lot of you have read the post about the so-called “WordPress Plugin Confusion” whereby a plugin hosted on WordPress.org can ‘override’ a plugin not hosted here, by using the same name/permalink. Someone even made a CVE for it.

Please stop ‘testing’ this vulnerability with us.

This is not a new issue by any means. Heck, this has been something people report on now and then for years. In the past, the plugin team coordinated a release of a plugin to intentionally do that and protect users from a significantly dangerous plugin. We’ve locked out permalinks to prevent abuse and so on.

Sadly, the post conflated a couple of issues, which have to do with social engineering and a misunderstanding of why we have those permalink-checks for trademarks. Also it’s entirely incorrect with this one claim:

and the whole approval process is automated

This could not be further from the truth. All new plugins submitted go through human review. When you submit a plugin, somebody reads your plugin code, your submitted slug and name, checks on the history of the plugin, checks that the developer isn’t a returned banned user, etc. The process is by no means “automated” and while it has some automated pre-flight checks, they’re really there to weed out things that would end with a pended review, to make the process faster for everyone. While we have some tools we run, they don’t actually approve or reject anything, they’re just fancy code-sniffers, customized to look for specific patterns or known bad behavior, outside of the overall quality like PHPCS (you are using that, right?). Submitting things to test out what you think is an “automated” system is wasting the time of our volunteers and reviewers.

See, that trademark ‘block’ isn’t actually there to protect trademarks for the owners. We have them to make our life easier and to protect you, the developers, from making some pretty common mistakes. Just for an example, we block ‘akismet’ not because we were asked to by Automattic, but because over 50 people a year tried to submit a copy of Akismet instead of uploading it to their own site.

As the post (properly) notes, you can’t submit a plugin with a permalink that’s already in use, be it on WordPress.org or if it has a notable user-base outside of WordPress.org. Even if a name gets by those checks, the review team can see if the permalink is being used and by (roughly) how many people. That’s a large part of why we have humans checking these things. A human can look at an email and a plugin and check for proper ownership.

By the way, as a number of people have complained about, this is why we require official plugins to be owned by demonstrably official accounts (like with an email address that uses the right domain, and so on). It’s not just to prevent trademark abuse, it’s to ensure that kind of thing is less likely to happen.

Now. Do you need to test this? No. All you’re doing is making things more stressful and more likely to be missed, which doesn’t solve a problem. Do you need to add your trademark to the blocked list? Again, no. Unless it’s being actively abused, or there’s a high-risk situation that it might be, it’s just adding more work for a low (to negligible) risk in the first place.

How DO you protect your own, non-org hosted plugins, from this?

Use the Update URI plugin header.

We check for it on .org, and won’t allow you in with it (since… why?) but for plugins we don’t host, well that’s literally why it exists 🙂 Use it. Love it. But please, remember the first step in ethical hacking is never trying out a vulnerability on someone else’s site without their permission.
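As an added illustration (not code from this post or from WordPress.org), here is a self-hosted plugin using the Update URI header together with the matching update_plugins_{hostname} filter that core applies for non-wordpress.org hosts; the hostnames updates.example.com and example.com, the info.json endpoint and the epp_ function name are assumptions for the example.

```php
<?php
/**
 * Plugin Name: Example Private Plugin
 * Description: Self-hosted plugin that opts out of WordPress.org update checks.
 * Version: 1.2.0
 * Update URI: https://updates.example.com/example-private-plugin
 */

// Because the Update URI host is not wordpress.org, WordPress 5.8+ never asks
// api.wordpress.org about this slug, so a directory plugin that happens to use
// the same slug is never offered as an "update". Core instead applies the
// filter update_plugins_{hostname}; we hook it to fetch release info from our
// own host. ("Update URI: false" would disable update checks altogether.)
add_filter( 'update_plugins_updates.example.com', 'epp_check_for_update', 10, 4 );

/**
 * @param array|false $update      Update data supplied by an earlier hook, or false.
 * @param array       $plugin_data Parsed headers of the plugin being checked.
 * @param string      $plugin_file Plugin basename, e.g. example-private-plugin/example-private-plugin.php.
 * @param string[]    $locales     Installed locales (unused here).
 * @return array|false
 */
function epp_check_for_update( $update, $plugin_data, $plugin_file, $locales ) {
	// Other plugins may share this update host; only answer for our own file.
	if ( 'example-private-plugin/example-private-plugin.php' !== $plugin_file ) {
		return $update;
	}

	// Hypothetical endpoint returning {"version": "1.3.0", "package": "https://..."}.
	$response = wp_remote_get(
		'https://updates.example.com/example-private-plugin/info.json',
		array( 'timeout' => 10 )
	);
	if ( is_wp_error( $response ) || 200 !== wp_remote_retrieve_response_code( $response ) ) {
		return $update; // Fail closed: offer nothing rather than guess.
	}

	$info = json_decode( wp_remote_retrieve_body( $response ), true );
	if ( empty( $info['version'] ) || empty( $info['package'] ) ) {
		return $update;
	}

	// Refuse to hand core a download URL that is not HTTPS on our own host:
	// whatever is in that package runs as PHP on the site once installed.
	$scheme = wp_parse_url( $info['package'], PHP_URL_SCHEME );
	$host   = wp_parse_url( $info['package'], PHP_URL_HOST );
	if ( 'https' !== $scheme || 'updates.example.com' !== $host ) {
		return $update;
	}

	// Core compares $info['version'] with $plugin_data['Version'] itself and
	// lists the plugin as updatable only when the remote version is newer.
	return array(
		'id'      => 'https://updates.example.com/example-private-plugin',
		'slug'    => 'example-private-plugin',
		'version' => $info['version'],
		'url'     => 'https://example.com/plugins/example-private-plugin/',
		'package' => $info['package'],
	);
}
```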

#reminder, #security, #trademarks

Reminder: Check Your Accounts’ Emails (and your Committers)

Hi Devs!

We’re getting nearer to WordPress 5.9, and that means the email will be headed out soon.

This is the perfect time to double check the email on your accounts, especially if it’s a group email/mailing list. Make sure external emails (like … us) can contact you without bounces or autoreplies.

You also should check everyone who has commit access to your plugin! Did someone leave? It’s okay to remove their access, and in fact is great to do so for security 🙂

And as a regular reminder: Never share accounts! Every individual human should have their own individual account. That lets you (and us) keep tabs on who did what.

#reminder

https://make.wordpress.org/core/2021/09/27/changes-to-the-wordpress-core-php-test-suite/

Changes to the WordPress Core PHP Test Suite

Reminder: Trademarked Logos Cannot Be Used In Banners/Icons

tl;dr: Using someone else’s trademarked logo in your plugin icons or banners is a trademark violation, and they have the right to have us remove your plugin at any time.

We’ve posted about this before, and it’s apparently time for a reminder. Logos for brands are generally trademarked. Those logos cannot be used in your plugin’s banners or icons unless you have their express permission.

Trademark infringement is the unauthorized use of someone else’s registered trademark. This means you are using their logos without permission. When we talk about misuse, it’s more clear to think about it in terms of physical products. Let’s say you make electronic gizmos and they happen to work with macOS. If you put Apple’s logo on your products, you would be infringing on their trademark. Basically you’re misrepresenting yourself in a way that implies or suggests that the trademark owner approves of your work when this is not true.

If you got an email from us (either a warning or a closure notice) about this sort of matter, please address it promptly. Check your banners and icons, and your display names, to make sure you aren’t in violation. Remove all trademarked logos from your plugin banners and icons (yes, even social media ones), and make sure it’s clear that your plugin is not an official plugin (unless it is, and then you don’t have to worry).

Some quick questions:

Why do trademark owners care?

Trademark owners who do not protect their trademark usage end up being unable to enforce it legally later on. So it’s in their best interests to monitor the use and prevent misuse. Also, customers often get confused about the origin of the plugins, and will complain to the wrong people if there’s an issue. Finally, you are essentially profiting from the goodwill that the trademark owner has generated.

Who actually complains to [company] about a 3rd party plugin!?

A lot of people, actually. A high number of people complain to companies and the companies come back to us and say we’re encouraging the behavior which causes confusion with users and a loss of trust in the trademark owners. After all, if your unofficial plugin breaks someone’s site, and they blame the trademark owner? Well that wasn’t fair at all.

Why are other people getting away with it?

They aren’t. They’re just living on borrowed time, as the saying goes.

We are getting close to 100k plugins. They are all monitored by humans (not automated for this one yet) and a human has to check if you had permission or not, if you’ve been warned or not, if your plugin merits a grace period or not, and if the trademark owner has officially demanded we close your plugin immediately. Plus a large number of people argue about this, which eats up time. We do things in batches to try and stay sane.

Also … we strongly recommend you never use that excuse. It makes you sound like ‘sour grapes’ or childish to argue that someone else didn’t get caught yet, so you should be allowed to keep breaking the rules. That just makes this process take longer for everyone.

I reported someone, but you didn’t do anything! Why not?

Unless it’s your trademark, we generally don’t do anything right away because, again, we have close to 100,000 plugins. The number of violations is high, and in order not to ‘play favorites’ we do them in the order we’ve got them. We don’t bump people higher (or lower) on the list just because someone complained or is our friend. That would be terribly unfair!

If it was your trademark, we probably did bump them to the top of the list. We do try to get the developers to fix things before we close (especially for larger plugins that would have a massive negative impact on the community), but this isn’t always possible.

Isn’t it fair-use to use social media logos for related plugins?

No. Besides the fact that ‘fair use’ doesn’t apply to trademarks, it’s a matter of how you’re using it. Social media companies usually give permission to use their logos on your website as a direct link to your presence on their ecosystem. So a bird links you to Twitter. However. That is not the same as using a logo for advertising, which is what many of them consider banners and icons to be. Their argument is that WordPress.org is not your site. We’ve argued about this, but some companies have slapped us with legal threats so there we are.

What about screenshots?

Some trademark owners demand we prevent that too, some don’t. I wish we had a clearer answer here, but just to grab an example, there is a certain social media company who doesn’t want to see you use the logos in screenshots. Meanwhile, there are other credit card companies who don’t mind. Keeping track of those is incredibly hard! We recommend you not use them in screenshots.

What if I redraw my own version of the logos?

Then you’re probably going to get a legal demand from the owner to stop because you broke their usage guidelines for the logo. We should note here, when you intentionally try to get around trademark law, you are effectively confessing guilt. You know what you’re supposed to be doing and you’re actively trying to get away with something? The trademark lawyers will be able to take you down in seconds.

How can I promote my plugin’s associations without violating?

First and foremost, the directory isn’t for promoting anything, it’s for listing. If you’re doing all this to basically be a big “Click Here!” method, you’re going about it the wrong way.

Now if you’re really asking “How can I improve my usage by getting people to click on my plugin?” then you start by making a great banner that is memorable.

Stop treating a banner or an icon as a billboard. You don’t need to show off what your plugin can do, you need to be memorable and noticeable. The best banners are the ones that stick in people’s minds, and the odds are not a single person remembers “Oh you’re the one with the logos in this order…”

But no, you don’t need all the examples of the possible social media uses on your plugin banner.

What about Display Names?

In general, you can use “For [Trademark]” in your display name. There are some vendors who are particular and won’t even let you do that. We do our best to try and warn you ahead of time, but sometimes vendors change things on us without notification. Most are pretty cool about working out a plan so we don’t have to close plugins, some are not. I wish I had a better answer there.

#guidelines, #trademarks

The WordPress 5.7 Email Has been Sent

The field guide is out and the email has been sent.

If you find your plugin has been closed, it would be for one of the following reasons:

  • Email bounces
  • Auto replies continue after a warning
  • Email reply says the email address is no longer checked/in use
  • We have received the exact same out of office for 3 releases in a row

If your plugin is still open? Please re-read the field guide. It has some pretty cool stuff 🙂

WordPress 5.7 Field Guide

#email #field-guide #reminder