Gazzer (not his real name) had a somewhat decent point to make. He emailed the Plugins team to complain about security:
You guys (WP) should do a better job of screening and/or even certifying the plugins that are listed in your directory.
I’m constantly receiving emails warning of security vulnerabilities associated with plugins.
Also, I’m spending way too much time dealing with plugins that wreak havoc with my site (using up server resources, and carrying viruses).
Maybe, you can experiment with a premium or “paid” plugin model.
If Apple can do it with apps, then you guys can do it with plugins.
Gazzer’s email
This is a pretty common complaint. And it comes from a misconception I fully understand.
We Don’t Do That
The Plugin Review Team does not review every single release of every plugin. Considering the magnitude of the backlog today (over 400 and climbing) I think you all can see why.
Reviewing a plugin takes time and it takes work and, if you’ve been reading this blog for a while, it takes mental fortitude not to scream “Just fucking enqueue your goddamn javascript you moron!” all the time.
Ahem.
I know that (at least at one point in time) the Theme Review Team did in fact review every release of every theme. I have often said that can work with themes because at their heart, they’re easier. Themes are themes. They ‘do’ the same thing in different ways.
Plugins can be anything, do anything, and do it in any way possible. That divide is bigger than the Grand Canyon.
We don’t screen or certify the plugins at all.
We review new plugins when they are created, and advise authors about problems beforehand. However, there are 1000+ updates to plugins every single day. We do not have anywhere near the manpower to review every single change.
We are a hosting service. We host the plugins for authors. We do not verify them, we do not create them, and we do not own them. Each plugin is owned by its authors, and they are responsible for it.
Plugin Team reply
Gazzer didn’t like that.
Try a Plugin Store!
Gazzer felt we should address his suggestion and try a store.
Obviously, it’s easier to point out what you DON’T do as compared to looking at my suggestion and addressing it.
I mentioned, “Maybe, you can experiment with a premium or “paid” plugin model.”
Security vulnerabilities and poorly designed plugins are a major problem for some of us. Besides, if you create revenue from charging developers for plugins that some of us would be willing to pay for (especially certified for security and reliability) then it’s a win-win. However, if it’s easier to talk about what you can’t do or won’t do then never mind.
I’ll continue to look elsewhere.
So we pointed out:
Plugin Review is a 100% volunteer org, no one gets paid
Even CodeCanyon, who does have a paid/premium library doesn’t check every release
No plans to do premium at this time (circa pre-Covid)
The plan hasn’t changed. If it does, I would agitate for backpay for a decade of service, though.
And By The Way …
Instead of complaining about that anymore, Gazzer went on to vent about (checks notes) updates!
Speaking of plugin and WP issues… (see the screenshot).
Why should I have to deal with the unknown consequences of this crap! Below:
WTF!
What the fuck is what? Your plugin add-ons aren’t tested up to the latest version of WooCommerce and might conflict, and Woo is kindly warning you.
Since we couldn’t figure out what was bad about that, we shrugged and didn’t reply. Gazzer sent a second reply with the exact same email, and we filed it away as well.
Gaz can probably be UN-banned
Of note, I think we could (and likely should if it hasn’t already) remove Gazzer’s ban. He was banned for simply not accepting the reality of life. If all you’re going to do is tell someone they’re wrong, over and over, they will stop listening to you. But in retrospect that’s a bit harsh.
At the same time, he doesn’t seem to care and has ‘moved on.’ In fact, he nuked his account and his Slack account.
Now.
Should WordPress.org have a paid/premium service? No. Absolutely not. That would ruin a lot of things, and reviews would become a play for money instead of fixing the internet.
Should someone have a service where they review plugins and give security reviews? A few exist, but one is a total asshole, three were bought out by major players, one thinks FUD sells better than actual checks, and the last one is Patchstack whom I love.
Ipstenu (Mika Epstein)
I’m Mika (aka Ipstenu) and I’m complicated. I’ve been on the net since the days of dedicated terminals and Novation CAT modems and solved Missionaries and Cannibals (or Goats and Cabbages) before I was six, and blog about WordPress and technical/computer things at Half Elf on Tech.