Back in May, I—quite literally—had a rude awakening. My plugin update process for the three dozen client sites I maintain failed in the early morning hours.
I have this process heavily automated, relying on scripts to run Composer every day and install plugin updates before I wake up in the morning. I then review the updates on test environments before pushing them to the production environments. This automation and reliance on Composer is what allows a one-person microagency like mine to effectively manage dozens of WordPress websites, keeping them updated and secure with plugin updates nearly as soon as they come out. But on that day in May, every single site I manage had its updates fail.
Why? Because a plugin I use to restrict administration access by geography, iQ Block Country, had been pulled from the WordPress plugin repository shortly before, and subsequently became unavailable from WordPress Packagist, the Composer-enabled mirror for plugins in the repository. According to a notice on the plugin’s repository page, the plugin was closed due to security issues. At first, the notice indicated that the closure was temporary; however, that temporary wording is no longer there.
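The failure mode described above is that a plugin closed in the repository disappears from WordPress Packagist, so the next `composer update` fails for every site that requires it. The following pre-flight check is an added example, not code from this post: it reads a composer.json, picks out the `wpackagist-plugin/` and `wpackagist-theme/` packages (the real naming convention the mirror uses), and compares them against a list of packages the mirror still serves. The composer.json content and the `AVAILABLE_ON_MIRROR` set are constructed inline so the script runs offline; in a real daily job the list would come from the mirror itself, and a site whose check fails would be skipped and reported instead of aborting the whole batch.

```python
"""Pre-flight check for a Composer-managed WordPress site (added example)."""
import json
import sys

# Constructed composer.json using the wpackagist-plugin/<slug> and
# wpackagist-theme/<slug> naming convention. The slugs are sample values,
# not taken from any real site's configuration.
SAMPLE_COMPOSER_JSON = """
{
  "require": {
    "php": ">=7.4",
    "johnpbloch/wordpress": "^6.0",
    "wpackagist-plugin/example-closed-plugin": "^1.2",
    "wpackagist-plugin/image-slider-widget": "*",
    "wpackagist-plugin/example-still-listed": "^2.0",
    "wpackagist-theme/twentytwentythree": "*"
  }
}
"""

# Constructed stand-in for the mirror's current package listing (assumption:
# a real job would fetch this from the mirror rather than embed it).
AVAILABLE_ON_MIRROR = {
    "wpackagist-plugin/example-still-listed",
    "wpackagist-theme/twentytwentythree",
}

WP_PREFIXES = ("wpackagist-plugin/", "wpackagist-theme/")


def wordpress_packages(composer_json):
    """Return the sorted wpackagist package names a composer.json requires."""
    data = json.loads(composer_json)
    names = []
    for section in ("require", "require-dev"):
        for name in data.get(section, {}):
            if name.startswith(WP_PREFIXES):
                names.append(name)
    return sorted(names)


def missing_packages(composer_json, available):
    """Return the required wpackagist packages the mirror no longer lists."""
    return [p for p in wordpress_packages(composer_json) if p not in available]


def preflight(composer_json, available):
    """Decide whether the daily update for this site may proceed.

    Returns a dict with the number of mirror packages checked, the ones
    that have gone missing, and a proceed flag that is False when any
    required package would make `composer update` fail.
    """
    checked = wordpress_packages(composer_json)
    missing = [p for p in checked if p not in available]
    return {"checked": len(checked), "missing": missing, "proceed": not missing}


if __name__ == "__main__":
    # Optional: pass a path to a real composer.json; otherwise use the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            content = fh.read()
    else:
        content = SAMPLE_COMPOSER_JSON
    report = preflight(content, AVAILABLE_ON_MIRROR)
    print(f"checked {report['checked']} mirror packages")
    for name in report["missing"]:
        print(f"MISSING from mirror: {name}")
    # Non-zero exit lets the surrounding update script skip this site.
    sys.exit(0 if report["proceed"] else 1)
```

Running the script before `composer update` on each site turns a batch-wide failure into a per-site report naming the package that was pulled, which is the piece of information the repository notice itself does not give.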
Since then, the developer has indicated that he’s working on addressing the security issues and has even submitted the plugin back to the repository. Yet it still sits, weeks later, with the revisions seemingly unreviewed.
This isn’t an isolated incident. This morning, it happened to another plugin, image-slider-widget, again for unspecified reasons, but likely due to security issues, and it has happened to multiple plugins on my clients’ websites this year.
It’s a guess, but many of these security issues likely have to do with escaping and sanitizing of data. Yes, that’s necessary to do, and developers should definitely be guided to make these revisions when they’re discovered by the plugin review team. However, the snail’s pace at which the review team is operating is generating real hardships for those of us who make our livelihoods on WordPress. Every time a plugin is pulled from the repository (and thus from WordPress Packagist) we are faced with a decision: find an alternative to the plugin in question (with potentially major ramifications in terms of recoding or reconfiguring our websites), find a workaround to keep using the plugin in question as-is, or remove the plugin altogether. None of these options is particularly palatable, especially for a plugin that is used across dozens of websites.
For those of us who are not active plugin developers (I have a few plugins in the repository, but they’re all old side-projects; I haven’t submitted anything in quite some time), the process by which these plugins are being removed is opaque; as noted above, the notice on the plugin page doesn’t give a whole lot of detail. Is there a grace period for developers to make changes once notified, or are the plugins pulled immediately? When the requested changes are made, are their reviews getting shunted to the back of the line, or do they get any sort of priority in the review process?
I can already anticipate the response from the WordPress leadership: If this is that big of a deal, then join the plugin review team and help alleviate the backlog. But aside from the fact that we all have our own lives and obligations, and some of us are barely keeping pace with the responsibilities we already have on our plates, it’s a known fact that just throwing new resources at a problem isn’t the way to solve a problem caused by a lack of resources in the first place. Training new members of the plugin review team takes time, and it would take time to make any new members of that team actually productive. Meanwhile, the existing members of the team would be pulled away from the task they are already overwhelmed with: reviewing plugins. This is to say nothing of the fact that contributing to WordPress has become a nearly impenetrable fortress to begin with, as my proposed (minor!) change to core, which has been languishing with no progress for ten months, would illustrate.
No, the real problem is pulling plugins for minor infractions when the resources are not sufficient to return them quickly to the repository once the concerns have been met. I’ve been managing my clients’ websites with this automated process for several years now, but these problems only started relatively recently. Is there a crackdown going on in the WordPress plugin repository that general users aren’t aware of? And if so, why start a crackdown like this when you know you lack the resources to address the issue properly?
This is a problem the plugin review team has created, but it’s having ramifications across the WordPress community, with the 40+% of websites throughout the Internet running WordPress and the thousands of individuals and businesses that work with WordPress every day.