We feel it’s time to write about our experiences with the repository of WordPress.org and also to get feedback and share experiences from others in the overall community.
This is a critical view of the plugin review process and how plugins get treated in the repository of WordPress.org. We believe something is deeply wrong inside the WordPress plugin review process and the team. We will introduce you to our concerns, give proof via screenshots, and invite you to take part in the discussion.
The WordPress plugin repository
As a WordPress-driven company, it is most important to us to have our plugins visible to other WordPress users, so that we get recognized and other people can find and use our products. It is similar to an app developer who needs to be in the App Store for Apple or the Play Store for Android.
One of the most common business strategies for WordPress developers these days is the freemium model. You offer a free version of your plugin in the WordPress repository and a pro version to sell. Similar to apps, this is often done by subscriptions. That income is used to keep the plugins up to date. The market is so big that there are thousands of plugins, often for the same purpose. Competing with each other is a standard we welcome.
The review process
To get into the repository, one must obviously follow the guidelines. That’s great and correct. Once you are approved, people can download and install your plugin directly from the WordPress admin backend plugin installer. In addition, the plugin is then also listed on the WordPress.org website. This is especially important for us and most developers because this way Google can find the plugin and it gets a good ranking in Google. The better the placement, the more people will find the plugin and the solutions you offer.
So far, so good. Sounds like a great ecosystem. What is the problem?
There are several critical issues with the review team, and I will go over them all in detail in the following sections.
The complete repository is controlled by only two people
There are only two people working in the review team, and they function like gatekeepers to it. To us, it seems that they are not interested in letting other people into the team to help with the review process, take some of the workload and speed up the process for everybody. We tried to help with the process and work as reviewers. I offered to pay one of our advanced developers to help them and to save us all, other developers and companies, from the slow review process. But they rejected it; in fact, they did not respond to it. No "no", nothing. They just ignored us completely. Please see these screenshots from us trying to help.
The problem is: plugins get removed instantly for several reasons without being given the chance to fix any issues
If you are a plugin developer, you will work on your plugin and maintain it. You can always run into a security issue, which is absolutely normal. We are all humans. In case of a security issue, the review team removes the plugin and sends you a message. They do not give you any time to fix the issue. Not even 3 days. They just remove the plugin, and then you need a completely new review process before your corrected plugin can go live again.
A completely new review for one security fix can take weeks or months
The problem is that users of the plugin do not get any updates. Even when you are able to deliver a fix quickly, you cannot deliver the fixed version because the plugin needs to run through the lengthy review process from scratch again. So users will still be at significant risk during that time.
A great risk for plugin users
So, your plugin gets held back from the repository and is stuck in a review process covered by only two people. It can take several months to get it back to the repository. So, even if you fixed the security issue on the same day, all the users of your plugin will stay with the insecure version.
The risk for the businesses behind the plugins
During the time of each review process, you have no income from your plugin. On the contrary, you are stuck with costs. Especially for small companies and developers, this can be frustrating and can put their business at significant risk. If the plugin development needs to stop because of this, all the people who rely on it will be left behind. It not only damages developers and companies, but it is also dangerous for the sites using your plugin.
It’s not only about security issues. Even a bounced email will remove all your plugins from the repository
Even if you react on the same day, all your plugins will end up in a new review process. It can then take several months to get your plugins back to the repository. There was no help. Just unfriendly communication. Please see this story from the official Slack channel.
No friendly communication
I have written to the review team telling them about the pressure and the helpless situation, but obviously, they do not care at all. Instead, they behave in an unfriendly way, with a very negative tone.
We asked the WordPress.org community for help but never heard anything
We tried to contact Steward and Matt, so that they would become aware of the matter. But I never got any feedback. They did send me a short answer that they would look into it but never got back to me. It seems as if they did not and were not interested in doing so. Josepha Haden Chomphosy, the community Steward, offered to take a look into the situation, but nothing came out of this either.
We tried our best to make the community aware internally long before we wrote this blog post.
But it looks like they have no interest, and it feels to me as if they do not value the plugin developers who are trying to build a business around their plugins.
We are not treated equally
One of the situations that left us wondering for real was when we found out that some of our competitors are allowed to do what we are not allowed to do. There are plugins like WooCommerce or form builders that write the same kind of code as we do. The only difference is, our plugins get removed and other plugins do not and stay in the repository. How can this unbalanced, unequal situation happen?
For comparison, let us focus on WooCommerce, as it is part of Automattic. They are a great company and doing good work. We do not want to harm anyone, so we chose one of the big players for this.
For example, the review team told us repeatedly when reviewing our plugins that each variable must be escaped with the appropriate function. However, in WooCommerce you can find things like the following:
At the same time, they say the following to other devs. See this image from Slack.
Is it possible that they have missed one or two lines like these? Of course, it is possible. However, if you perform a search within the whole plugin you will get 106 results in 27 files:
And this is only taking that particular pattern into account. To me, the judgment seems not to be the same for everyone. I would have more proof for things like that, but I do not want to put anyone at risk. So I just give you one example to highlight that the judgment from the review team seems not to be equal.
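To make the escaping rule quoted above concrete, here is an added example written for this post. It is not code from WooCommerce or from any Themekraft plugin, and it does not reproduce whatever the missing screenshot showed. It contrasts raw variables in HTML output with the same output escaped for each context using the real WordPress helpers esc_html(), esc_attr() and esc_url(). The function_exists() fallbacks are an assumption so the file also runs with plain php outside WordPress; the esc_url() stand-in is deliberately simplified (http/https only) and is not the real implementation. The sample values are constructed.

```php
<?php
// Added example for this post: the rule "each variable must be escaped
// with the appropriate function", shown as unescaped vs. escaped output.
// Not WooCommerce code and not Themekraft plugin code.

// Fallbacks (assumption) so the script runs outside WordPress. Inside
// WordPress the real esc_html(), esc_attr() and esc_url() are used.
if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
    }
}
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
    }
}
if ( ! function_exists( 'esc_url' ) ) {
    function esc_url( $url ) {
        // Simplified stand-in: accept only http(s) URLs, then attribute-escape.
        $url = trim( (string) $url );
        if ( ! preg_match( '#^https?://#i', $url ) ) {
            return '';
        }
        return htmlspecialchars( $url, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
    }
}

// Constructed sample input: values as a user might have saved them in a
// profile. None of them is trusted.
$display_name = 'Alice <script>alert(1)</script>';
$profile_url  = 'javascript:alert(1)';
$title_attr   = 'Member" onmouseover="alert(1)';

// What the review team objects to: raw variables dropped into HTML.
// User-supplied markup, attribute breakouts and javascript: links all
// survive into the page.
function render_card_unescaped( $name, $url, $title ) {
    return '<a href="' . $url . '" title="' . $title . '">' . $name . '</a>';
}

// The same markup with each variable escaped for its context:
//   text node           -> esc_html()
//   attribute value     -> esc_attr()
//   href / src value    -> esc_url()
function render_card_escaped( $name, $url, $title ) {
    return '<a href="' . esc_url( $url ) . '" title="' . esc_attr( $title ) . '">'
        . esc_html( $name ) . '</a>';
}

echo "Unescaped:\n" . render_card_unescaped( $display_name, $profile_url, $title_attr ) . "\n\n";
echo "Escaped:\n"   . render_card_escaped( $display_name, $profile_url, $title_attr ) . "\n";
```

Run it with `php example.php`. In the escaped output the script tag is rendered as literal text, the double quote in the title value can no longer close the attribute, and the javascript: link is dropped. The choice of function follows the context the variable lands in, which is why a single catch-all escaper is not enough and why reviewers look at every echo individually.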
More food for thought
The last issues for which we got removed were found by security companies. We had created some great content and optimized the plugin for search engines. With that, we jumped to the first page on Google. As soon as we were up on the first Google page, our plugin got removed from the repository.
This happened several times, and each time it was a security company that found fault with our successful plugin.
The question popping up in our minds is, why do plugins get removed when they are especially successful and then lose their ranking and position?
And isn’t it a little suspicious that it is always competing companies outside our community finding those issues? Who has an interest in this situation?
With this post we hope to make the community aware of this misleading situation.
It might be a subjective point of view, but as soon as we grow with a plugin and get more active installs and a great position, we keep getting removed. So if we experience this, I am sure other developers and companies are experiencing something similar.
Our last removal from the repository was due to a report sent by an outside agent to the review team.
A month after sending the fixes, we received the following message:
We waited one month to receive the response
One month in which your plugin is losing positions by not being indexed, and none of your plugin users get any update and stay with an unsafe version. What is strange is that they ask the original reporter for clarification, and if he finds some more issues, they give you two weeks to fix them. Why not get these two weeks from the beginning and remove all this unneeded blocking and frustrating process? With this message, they show that it is possible to get treated differently. So what is the point?
Is the community locked now by the big players?
WordPress is open-source software created by a great community. We need to make sure that it does not get hijacked by two people gatekeeping the review team, or by other companies finding fault with successful plugins and then having the review team act in their favour by keeping fixed plugins from quick delivery to the repository and to their users.
The thing is, this is harming developers and companies making a living from developing great content and useful plugins.
For sure, if there is an issue, we take responsibility for our code and are more than willing to fix any issues asap. But we get forced into a never-ending review process taking up months – without any income, any updates for the users, or any progress to build new features. It’s just frustrating and harmful.
The long review process serves any other competitors out there greatly and is harmful to all developers in the WordPress community.
Is WordPress becoming a danger for sustainable business?
We at Themekraft have developers working with us to maintain the plugins in the repository. These developers have families, and they trust us to provide them with a stable situation. But how can we keep them working if our plugins get removed from the repository again and again?
How can we be sure that the plugin review team acts in all our interests?
When critical matters are in the hands of two people only, how can it be objective and how can we be sure that there is no corruption?
I hope that with this open letter, the situation gets visible to the community.
Something needs to change fast, before we and other small companies step back from WordPress and the big players take over the whole market and the community that was built by us all, by the people.
We feel this is all super critical and it is harming many parties. We loved the community. Furthermore, we as a company have taken an active part in it right from the beginning, and so have I personally. As part of the community, I have spoken at many WordCamps, created a WordPress Meetup, and also talked at WordCamp Europe.
We have great hope that this situation can be sorted out
With this open letter, we try to bring awareness to this situation in order to support and help each other. We believe that this is the standard with which we have to live. There must be better solutions that work in a healthier way for all.
We hope to start an active discussion so that we can all get together and create processes with WordPress.org that are useful and make sense. We would love to get back to the friendly and kind way that has always been a part of WordPress.
Thanks for reading this post.
Please let us know what you think. We are looking forward to all feedback, ideas, and comments. If you would like to help spread this topic, feel free to share this post to get it out to the overall community.