We feel it’s time to write about our experiences with the WordPress.org plugin repository, to get feedback, and to hear the experiences of others in the wider community.
This is a critical view of the plugin review process and of how plugins get treated in the WordPress.org repository. We believe something is deeply wrong inside the WordPress plugin review process and the team behind it. We will introduce you to our concerns, give proof via screenshots, and invite you to take part in the discussion.
The WordPress plugin repository
As a WordPress-driven company, it is most important to us to have our plugins visible to other WordPress users, so that we get recognized and other people can find and use our products. It is similar to an app developer who needs to be in Apple’s App Store or, for Android, in the Play Store.
One of the most common business strategies for WordPress developers these days is the freemium model. You offer a free version of your plugin in the WordPress repository and sell a pro version. As with apps, this is often done by subscription. That income is used to keep the plugins up to date. The market is so big that there are thousands of plugins, often for the same purpose. Competing with each other is a normal and welcome part of this for us.
The review process
To get into the repository, one must obviously follow the guidelines. That’s great and correct. Once you are approved, people can download and install your plugin directly from the plugin installer in the WordPress admin backend. In addition, the plugin is then also listed on the WordPress.org website. This is especially important for us and for most developers, because this way Google can find the plugin and it gets a good ranking. The better the placement, the more people will find the plugin and the solutions you offer.
So far, so good. Sounds like a great ecosystem. What is the problem?
There are several critical issues with the review team, and I will go over them all in detail in the following sections.
The complete repository is controlled by only two people
There are only two people working in the review team, and they function as gatekeepers to it. To us, it seems that they are not interested in letting other people into the team to help with the review process, take some of the workload, and speed up the process for everybody. We tried to help with the process and work as reviewers. I offered to pay one of our advanced developers to help them, to save us all, other developers and companies included, from the slow review process. But they rejected it; in fact, they did not respond to it. No “no”, nothing. They just ignored us completely. Please see these screenshots of us trying to help.
The problem is: plugins get removed instantly for several reasons, without being given the chance to fix any issues
If you are a plugin developer, you will work on your plugin and maintain it. You can always run into a security issue, which is absolutely normal. We are all human. In case of a security issue, the review team removes the plugin and sends you a message. They do not give you any time to fix the issue. Not even 3 days. They just remove the plugin, and then you need a completely new review process before your corrected plugin can go live again.
A completely new review for one security fix can take weeks or months
The problem is that users of the plugin do not get any updates. Even when you are able to deliver a fix quickly, you cannot ship the fixed version, because the plugin needs to run through the lengthy review process from scratch again. So users remain at significant risk during that time.
A great risk for plugin users
So, your plugin gets held back from the repository and is stuck in a review process handled by only two people. It can take several months to get it back into the repository. So, even if you fixed the security issue on the same day, all the users of your plugin will stay on the insecure version.
The risk for the businesses behind the plugins
During each review process, you have no income from your plugin. On the contrary, you are stuck with costs. Especially for small companies and developers, this can be frustrating and can put their business at significant risk. If the plugin development needs to stop because of this, all the people who rely on it will be left behind. It not only damages developers and companies; it is also dangerous for the sites using your plugin.
It’s not only about security issues. Even a bounced email will get all your plugins removed from the repository
Even if you react on the same day, all your plugins will end up in a new review process. It can then take several months to get your plugins back into the repository. There was no help. Just unfriendly communication. Please see this story from the official Slack channel.
No friendly communication
I have written to the review team telling them about the pressure and the helpless situation, but obviously they do not care at all. Instead, they respond in an unfriendly and very negative tone.
We asked the WordPress.org community for help but never heard anything
We tried to contact Steward and Matt, so that they would become aware of the matter. But I never got any real feedback. They did send me a short answer that they would look into it, but never got back to me. It seems as if they did not, and were not interested in doing so. Josepha Haden Chomphosy, the community Steward, offered to take a look into the situation, but nothing came out of this either.
We tried our best to make the community aware internally, long before we wrote this blog post.
But it looks like they have no interest, and it feels to me as if they do not value the plugin developers who are trying to build a business around their plugins.
We are not treated equally
One of the situations that really left us wondering was when we found out that some of our competitors are allowed to do what we are not allowed to. There are plugins like WooCommerce or form builders that use the same coding patterns we do. The only difference is that our plugins get removed and other plugins do not, and stay in the repository. How can such an unequal situation happen?
Let us focus on WooCommerce for comparison, as it is part of Automattic. They are a great company and do good work. We do not want to harm anyone, so we chose one of the big players for this.
For example, the review team told us repeatedly when reviewing our plugins that each variable must be escaped with the appropriate function. However, in WooCommerce you can find things like the following:
At the same time, they say the following to other devs. See this image from Slack
Is it possible that they have missed one or two sentences like these? Of course, it is possible. However, if you search within the whole plugin, you will get 106 results in 27 files:
And this is only taking that particular sentence into account. To me, the judgment does not seem to be the same for everyone. I would have more proof of things like that, but I do not want to put anyone at risk. So I just give you one example to highlight that the judgment of the review team does not seem to be equal.
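To make concrete what the review team’s rule “escape each variable with the appropriate function” asks for, here is an added illustration in plain PHP. It is not code from WooCommerce, Themekraft, or the review team. The `esc_html`, `esc_attr` and `esc_url` calls are the real WordPress helpers; the `function_exists` fallbacks are simplified stand-ins (an assumption, not WordPress’s implementation) so the file can also be run with plain `php` outside WordPress, and the inputs are constructed.

```php
<?php
// Added example, not code from the post or any project it names.
// Inside WordPress the real esc_*() helpers are already loaded; the fallbacks
// below are simplified stand-ins so this file runs stand-alone with `php`.
if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
    }
}
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
    }
}
if ( ! function_exists( 'esc_url' ) ) {
    // The real esc_url() validates the scheme against an allow-list; this stand-in
    // only rejects the script-executing schemes and HTML-encodes the rest.
    function esc_url( $url ) {
        $url = trim( (string) $url );
        if ( preg_match( '/^(javascript|data|vbscript):/i', $url ) ) {
            return '';
        }
        return htmlspecialchars( $url, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
    }
}

// Constructed, untrusted input, as a plugin might read it from a shortcode
// attribute or a saved option that another user controls.
$label = '<img src=x onerror="alert(1)">';
$title = '" onmouseover="alert(2)';
$link  = 'javascript:alert(document.cookie)';

// Unescaped output: this is the pattern a reviewer flags. The markup in $label is
// rendered as HTML, $title breaks out of its attribute, and $link becomes a
// script-executing href (stored cross-site scripting).
function render_unescaped( $label, $title, $link ) {
    return '<a href="' . $link . '" title="' . $title . '">' . $label . '</a>';
}

// Escaped output: each variable passes through the helper for its context
// (text node, attribute value, URL), so the browser sees inert text and an
// empty href instead of executable markup.
function render_escaped( $label, $title, $link ) {
    return '<a href="' . esc_url( $link ) . '" title="' . esc_attr( $title ) . '">'
        . esc_html( $label ) . '</a>';
}

echo "Unescaped: " . render_unescaped( $label, $title, $link ) . "\n";
echo "Escaped:   " . render_escaped( $label, $title, $link ) . "\n";
```

The point of choosing the helper by context is that the same string is dangerous in different ways: `esc_html` is enough for a text node, but a URL attribute additionally needs the scheme check that `esc_url` performs, which is why the escaped `href` above comes out empty rather than merely encoded.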
More food for thought
The last issues for which we got removed were reported by security companies. We had produced some great content and optimized the plugin for search engines. With that, we jumped to the first page on Google. As soon as we were on the first Google page, our plugin got removed from the repository.
This happened several times, and each time it was a security company that found fault with our successful plugin.
The question popping up in our minds is: why do plugins get removed precisely when they are especially successful, and then lose their ranking and position?
And isn’t it a little suspicious that it is always competing companies outside our community finding those issues? Who has an interest in this situation?
With this post we hope to make the community aware of this misleading situation.
It might be a subjective point of view, but as soon as we grow with a plugin and get more active installs and a good position, we keep getting removed. Since we experience this, I am sure other developers and companies are experiencing something similar.
Our last removal from the repository was due to a report sent by an outside agent to the review team.
A month after sending the fixes, we received the following message:
We waited one month to receive the response
One month in which your plugin is losing positions by not being indexed, and none of your plugin users get any update and stay on an unsafe version. What is strange is that they ask the original reporter for clarification, and if he finds more issues, they give you two weeks to fix them. Why not get these two weeks from the beginning and remove all this unneeded blocking and frustrating process? With this message, they show that it is possible to be treated differently. So what is the point?
Is the community locked now by the big players?
WordPress is open-source software created by a great community. We need to make sure that it does not get hijacked by two people gatekeeping the review team, or by other companies finding fault with successful plugins and then having the review team act in their favour by keeping fixed plugins from quick delivery to the repository and to their users.
The thing is, this is harming developers and companies making a living from developing great content and useful plugins.
For sure, if there is an issue, we take responsibility for our code and are more than willing to fix any issues asap. But we get forced into a never-ending review process taking up months – without any income, any updates for the users, or any progress on building new features. It’s just frustrating and harmful.
The long review process greatly serves any competitors out there and is harmful to all developers in the WordPress community.
Is WordPress becoming a danger for sustainable business?
We at Themekraft have developers working with us to maintain the plugins in the repository. These developers have families, and they trust us to provide them with a stable situation. But how can we keep them working if our plugins get removed from the repository again and again?
How can we be sure that the plugin review team acts in all our interests?
When critical matters are in the hands of two people only, how can it be objective and how can we be sure that there is no corruption?
I hope that with this open letter, the situation gets visible to the community.
Something needs to change fast, before we and other small companies step back from WordPress and the big players take over the whole market and the community that was built by us all, by the people.
We feel this is all extremely critical and is harming many parties. We love the community. Furthermore, we as a company have taken an active part in it right from the beginning, and so have I personally. As part of the community, I have spoken at many WordCamps, created a WordPress Meetup, and also talked at WordCamp Europe.
We have great hope that this situation can be sorted out
With this open letter, we try to bring awareness to this situation in order to support and help each other. We do not believe that this has to be the standard we live with. There must be better solutions that work in a healthier way for all.
We hope to start an active discussion so that we can all get together and create processes with WordPress.org that are useful and make sense. We would love to get back to the friendly and kind way that has always been a part of WordPress.
Thanks for reading this post.
Please let us know what you think. We are looking forward to all feedback, ideas, and comments. If you would like to help spread this topic, feel free to share this post to get it out to the overall community.
We had a plugin review in 2020 and they removed the plugin for security reasons because the CKEditor in our plugin wasn’t up to date (that’s all lol). We fixed it quickly and they were actually really fast in reviewing and replying, but then the issues began with them telling us to escape everything and update libraries and so on, and it kept going on and on each time we submitted our update. A developer of ours found it so silly and couldn’t see any security issue. They’re strict and they think they’re right about everything, but I suppose they have to follow their guidelines. We lost a lot of sales and permanent ranking because of them. It also ruined our plugin because of the escaping. It’s a big plugin from 2008 or so and it has a lot of code, so it wasn’t easy to modify all of that in a short time.
It eventually got reinstated after a few months of back and forth.
They were rude throughout the whole process. I imagine they’re rude because they’re not paid (I think), they’re very few taking on a big workload, and aren’t trained for customer service. They should at least have some canned responses for intro and signature (Hi, user — Have a great day, user).
Every time I email them for a certain reason, I always anticipate frustration and rudeness from them. However, they’re very fast in replying. I can’t imagine they’re only 2 since they reply so fast. Unless they don’t have that much work or perhaps they’re paid a lot.
@Ramsey, I think this is a good point. If they did the complete review at once and told us all the concerns, it would help a lot to get everything done in one round. Instead, they stop the review after finding an issue and only continue the review after we have fixed the latest issue they found. This is not only frustrating. It’s time-consuming and holds back the fix of the security issue, which was actually the reason why the plugin got removed.
The problem is also that the plugin not only gets removed from the WordPress.org search. The plugin page is set to no index and this is killing the ranking in google.
I guess they do this to protect people from the security issue, but in fact, it is harmful to all parties. If they let us update the repository with the security fix, it would make more sense. In this case, existing users get saved from the security issue in the fastest way.
For most of the escaping issues, you need to be a great hacker to make use of it. If you are so much into hacking, you can also write a crawler and search for plugins that are removed by a guideline violation.
For example, there is a list of all plugins here: https://plugins.svn.wordpress.org/. You only need to build a crawler running through this list to find plugins set to no index.
It would help a lot if the content stayed live and was not set to no index. It would be just easier if they gave us some time to fix the security issues and then did the complete review at once. There is no need in my opinion to remove the plugin from the repository.
Hi Sven, I’m Bob, the CTO and co-founder of artbees.
I completely agree with every part of this article, and we also experienced the same and even worse treatment. I could share their emails about how they behaved almost disrespectfully and told us “who are you to compare yourself with WooCommerce?”
In my professional career, I have never been treated this badly.
The review team has people from companies that many think are bullies in the WordPress community (I can only tell the detail privately).
Last year we completely abandoned our plugin with 90k+ installs after they asked us to get in the queue for months and fix every simple PHPCS or other warning (after the security issues were discovered). But WooCommerce has thousands of them. But who am I to compare myself with WooCommerce, right? We are only 40 people and they are hundreds!
Unfortunately, WordPress is no longer the positive community it once was.
I have had nothing but positive experiences working with the plugin review team. I just submitted a new, smaller plugin last week and had it reviewed and accepted within 4 days with a single back and forth to fix 2 esc* instances I had missed.
I also have a large, older plugin. Patchstack notified me (and I assume the review team) about a security issue. I fixed the issue but then a little bit later got shut down by the review team because they did a full analysis of the plugin and found some coding standard issues (lack of esc* functions). That’s fine, it’s the requirements. I worked with the review team and quickly got it back up within 36-48 hours. This is a full e-commerce plugin, *lots* of code, and still got it back up in a relatively short time period.
When trying to understand what really was required to meet standards I picked a couple of plugins that happened to be on a client project I already had open in my code editor to look at their coding standards for comparison. One was WooCommerce. I noticed they were not 100% following the standards I was being asked to follow. I asked the plugin review team about this and they openly admitted WooCommerce does get special treatment in some regards because they are known to have a *massive* team with *high levels of code review* that even go beyond what the plugin review team gets and I am personally OK with this as it makes sense to me. WC has a proven track record, I’m just some single dev.
If you have seen some of the abusive emails that volunteers like Ipstenu receive on an almost daily basis you would fully understand why some responses are what they are. These *volunteers* help protect the WordPress ecosystem and its image which in turn gives us all opportunities to make a living off it.
In reading that Slack channel discussion, I see Ipstenu clearly and kindly outlined the current situation to you. You did not like her response and attacked her by saying she lacks empathy. I recommend you consider how that comes across and why it may have led to how she responded for the rest of the discussion.
Hi Sven, I’m author of free warp-imagick plugin.
In February 22, without any warning, I got an email:
————————————————–
[WordPress Plugin Directory] Closure Notice – Guideline Violation: Warp iMagick Image Optimization. Resize & Compress images. Sharpen & Optimize images. Convert WebP.
Your plugin has been closed as it has been found to be in violation of the directory guidelines, found here:
https://developer.wordpress.org/plugins/wordpress-org/detailed-plugin-guidelines/
https://developer.wordpress.org/plugins/wordpress-org/block-specific-plugin-guidelines/
https://wordpress.org/plugins/warp-imagick/
For the next 60 days, your plugin will simply say that it has been closed. After that time, it will change to indicate it was closed for a Guideline Violation. To avoid that being made public, you must correct the issues and pass a code review within 60 days.
What to do next
We understand that this is frustrating to hear, and that having your plugin closed is never a great day. To help restore your plugin as quickly as possible, you are required to do the following:
Complete all the corrections listed in the following section
Perform a full security and standards review on your own code
Increase the plugin version
Ensure the ‘tested up to’ version in your readme is the latest release of WordPress
Update the code in SVN
Reply to this email and request a re-review
If you feel this decision was made in error, please reply to this email and explain why.
Plugins are closed immediately and the developer contacted when this happens, in part because we have an imperfect system of notifications. This means until your plugin is corrected to meet our guidelines, we will not reopen it.
When we re-review your code we will look at not just the changes, but the entire plugin, so there may be a delay.
Why this is a violation
There are two serious guideline infractions.
1) Your plugin readme has a ‘keyword’ section, which is considered keyword stuffing. Please remove that entire section
2) Your plugin display name is “Warp iMagick Image Optimization. Resize & Compress images. Sharpen & Optimize images. Convert WebP.” which is very long, and is not a name but a description. Give your plugin a NAME, and use that lengthy one as a short-description.
If you have any questions, please let us know.
————————————————–
1) I would be perfectly happy to accept removal of the ‘keyword’ section, because that section was not ‘keyword stuffing’ and did not change my plugin ranking; it was just a few links helping me to check my plugin position on other search keywords and helping users to quickly find alternative plugins if my plugin is not what they are searching for. Sending visitors to another plugin is definitely not good SEO practice.
2) She was actually complaining about the plugin TITLE, the first line in README.txt, which is allowed to contain up to 150 characters (excess is ignored). A rule about the length of the plugin TITLE does not exist. The plugin NAME is something else; it exists only in plugin-entry.php and is also limited, but does not exist in README.txt. So it was clear to me that the person who wrote that request is using lies and her intention is FAKE, not honest. The aim was not for the plugin to comply with rules but to stop plugin growth, promising closure to last at least 60 days, maybe forever. A lying person is not to be trusted. If she is lying now, she will be lying again about the plugin code review, just to achieve her hidden undisclosed goals. Every plugin update was tested to comply with WordPress PHP coding standards, passing https://plugintests.com/plugins/wporg/warp-imagick and the vulnerability database. The plugin was endorsed by a2hosting and automatically installed for new customers of WP site plans. I was not aware of it while the plugin was in the WP repository. As soon as the closure started, I made her email publicly available in the plugin comments. She didn’t like it. My comment was removed, and users’ comments against the closure were removed.
The plugin is free; no commercial version was offered. Plugin growth, happy users and star rankings were my motivation. The Warp-iMagick plugin was stagnating for 2 years with about 1K downloads. When I started experimenting with the plugin TITLE (README.txt), the number of downloads grew to 20K within 6 months. Making the TITLE as short as the “NAME” (actually meaning the plugin slug) would cripple and stop plugin growth; any advantage of having the plugin in the WP repository would vanish. Anyway, the plugin TITLE length was not the longest compared to other plugins. I proposed a shortened TITLE, but my complaint/proposal was not acceptable. My proposal was considered as questioning goddess authority and as refusal to comply with goddess orders. The plugin was permanently closed, my wp profile closed/banned and I was “expelled from the WordPress community”, as if she is an owner or a god of the “WordPress community”. What an arrogant ……
List of other plugins’ TITLES I found searching ‘images’. All have more in the TITLE than only the NAME:
Carousel, Slider, Gallery by WP Carousel – Image Carousel & Photo Gallery, Post Carousel & Post Grid, Product Carousel & Product Grid for WooCommerce
Royal Elementor Addons (Header Footer Builder, Popups, Post Grid, Woocommerce Product Grid, Slider, Parallax Image & other Free Addons for Elementor)
Gallery Blocks with Lightbox. Image Gallery, (HTML5 video , YouTube, Vimeo) Video Gallery and Lightbox for native gallery
Membership, User Registration, Login Form & User Profile – ProfilePress (Formerly WP User Avatar)
Auto Image Attributes From Filename With Bulk Updater (Add Alt Text, Image Title For Image SEO)
All in One SEO – Best WordPress SEO Plugin – Easily Improve SEO Rankings & Increase Traffic
Bulk edit image alt tag, caption & description – WordPress Media Library Helper by Codexin
ElementsKit Elementor addons (Header & Footer Builder, Mega Menu Builder, Layout Library)
Image Hover Effects Ultimate (Image Gallery, Effects, Lightbox, Comparison or Magnifier)
WP Offload Media Lite for Amazon S3, DigitalOcean Spaces, and Google Cloud Storage
Gallery by BestWebSoft – Customizable Image and Photo Galleries for WordPress
Rank Math SEO – Best SEO Plugin For WordPress To Increase Your SEO Traffic
Better Images – Sharpen, compress, optimize and resize image after upload
Warp iMagick – Compress Sharpen Optimize Image Convert WebP Resize Upload (PROPOSED)
WebP Converter for Media – Convert WebP and AVIF & Optimize Images
Instant Images – One Click Unsplash, Pixabay and Pexels Uploads
Smush – Lazy Load Images, Optimize & Compress Images
Jetpack – WP Security, Backup, Speed, & Growth
TinyPNG – JPEG, PNG & WebP image compression
As you can see from the above, this plugin is just one of MANY other plugins using a TITLE within the allowed length, and does not even have the longest TITLE. Nevertheless, the plugin is closed and punished for the title length.
The alleged guideline violation is just a pretense. It is based on a quickly made-up rule by someone who does not even know what he is talking about. Doesn’t have a clue about SEO, doesn’t even know what the plugin NAME is (see the plugin entry.php file) nor what the plugin TITLE is (explained above). How can someone so ignorant be allowed to initiate closing and judge other people’s plugins?
See section 18 of the “plugin rules”.
https://developer.wordpress.org/plugins/wordpress-org/detailed-plugin-guidelines/#18-we-reserve-the-right-to-maintain-the-plugin-directory-to-the-best-of-our-ability
That person is allowed, by the rules she created, to take ownership of your plugin from you and give it to someone else 🙁
I can’t recommend anyone to publish a plugin in the WordPress repository under such conditions and authority.
BTW
She is not a contributing volunteer; the contributor is her employer DreamHost, which has contributed 25% of her paid hours.
See ‘Case Study’ here: https://wordpress.org/five-for-the-future/
She is also sponsored by another private company: XVP
See ‘Contributions’ sponsored here: https://profiles.wordpress.org/ipstenu/
She took over the plugin team in 2014.
https://make.wordpress.org/updates/2014/11/07/plugins-update-for-november-6-2014/
After 2014, no other plugin team members can be found posting in Team Updates.
https://make.wordpress.org/updates/
The “Becoming a reviewer” section has said “not accepting new reviewers due to technical issues” since then.
https://web.archive.org/web/20181001123226/https://make.wordpress.org/plugins/handbook/get-involved/
Section was recently removed.
Good luck.
BTW, the plugin is now on GitHub
https://github.com/ddur/Warp-iMagick/
https://warp-imagick.pagespeed.club/
I completely understand WordPress Plugin Volunteers’ efforts to maintain the best ecosystem. At the same time, the backlog is really hurting us, and our plugin was suddenly pulled off the shelf, and even after submitting the plugin with the recommended fix, we haven’t heard back from the plugin team. We have no idea what is seriously wrong and no idea when our review will be finished. Leaving a plugin developer in this state is not acceptable and demonstrates a lack of a proper process in place.
Personally I’m convinced that most if not all people “freely” contributing to both the TRT as well as the PRT are paid developers, either direct employees of Automattic or part-time / freelancing for them. So of course they mostly get free rein in whatever they do, as long as their employer is happy.
And well, there would have been options (e.g. ClassicPress) to avoid this, but everyone was so happy to jump on the Gutenberg bandwagon and let “them” continue to do whatever they want. The WP “community” as such is as slow as a snail and similarly able to fight against potential threats (i.e. at best hiding in its shell until the threat has either moved away or swallowed it whole).
So, you all just get what you earned – by doing nothing. As usual.
cu, w0lf.
Hello Sven,
I feel terrible reading the story. I submitted my plugin a month ago and did not receive any feedback. I think that leaning solely on WordPress.org is too risky and I would like to find an alternative way to publish my plugin as a backup plan.
How about your plugins now? Did you find a better way to deal with their process, or did you self-host your plugins? I would like to learn from your experience. Thank you very much.