WordPress Plugin directory - Gone!
As with many of my projects, my Wordpress XML Sitemap Plugin started as something for one of my own websites as there were some serious limitations with using other plugins for effective SEO. Even today XML Sitemap offerings for Wordpress are limited.
Since then my plugin went from strength to strength gathering more users. In early 2021 I re-wrote a large part of the plugin to improve maintainability and extensibility as it had become a bit “organic”. When I was last tracking usage we had over 100,000 websites using our plugin, which is great for something I put together for only 1 or 2!
The Plugin Directory “process” problem
In recent times the Wordpress “plugin team” have taken a more active interest in plugins, rightly so, as one of the top ways Wordpress websites get hacked is via plugin vulnerabilities. I’m well aware of this as I run several websites.
However, the way Wordpress have started “policing” their plugin directory is not conducive to the maintenance of a free open source plugin community. Frankly it is tiresome at best, belligerent at worst and not something I have the time to deal with.
Their “nit pick” approach, without categorization or gradation is unhelpful. It’s a terrible “process” and I use the word loosely having been involved in numerous security audits before.
To be clear, I have always responded to critical bugs and security concerns as quickly as possible and continue to do so. At this time I am not aware of any, but, the back and forth with their team and constant threats to delete the plugin unless I act on their every email is frankly ridiculous.
Many of their emails are around trivialities and without proper consideration for context. For example, there is an issue with this function. Can you see what it is?
$allowString isn’t escaped.
Technically a valid point, but not a serious or exploitable issue in this context; still, respond to their email or else.
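The reviewed function itself is not reproduced in the post, so the following is an added illustration rather than the plugin's own code: a hypothetical WordPress plugin helper that outputs $allowString unescaped, beside the escaped form, with the point that exploitability depends on where the value comes from while the fix costs nothing either way. It assumes the standard WordPress core functions esc_attr(), esc_xml() (5.5+), sanitize_text_field(), wp_unslash() and update_option(); the xsg_* function names are made up.

```php
<?php
// Added example, not code from the XML Sitemap Generator plugin.
// Assumes it runs inside WordPress, where the esc_*() and sanitize_*()
// helpers are available. Function names prefixed xsg_ are hypothetical.

/**
 * Before: $allowString is interpolated into an attribute without escaping.
 * Whether this is exploitable depends on the value's origin: a constant
 * the plugin defines is harmless, a value taken from a request parameter
 * or from an option that lower-privileged users can edit is not.
 */
function xsg_render_allow_field_unescaped( $allowString ) {
    return '<input type="text" name="allow" value="' . $allowString . '">';
}

/**
 * After: escape at the point of output, for the context the value lands in.
 * esc_attr() for attribute values, esc_html() for element content. Doing it
 * regardless of origin removes the need to argue about context in review.
 */
function xsg_render_allow_field( $allowString ) {
    return '<input type="text" name="allow" value="' . esc_attr( $allowString ) . '">';
}

/**
 * In a sitemap the output context is XML, not HTML, so the escaper changes:
 * esc_xml() keeps the document well-formed if a URL contains & or <.
 */
function xsg_sitemap_url_element( $loc ) {
    return '<url><loc>' . esc_xml( $loc ) . '</loc></url>';
}

/**
 * Sanitising on input is the complementary control: strip anything that
 * should never be stored before the setting reaches the database.
 */
function xsg_save_allow_setting( $raw ) {
    $clean = sanitize_text_field( wp_unslash( $raw ) );
    update_option( 'xsg_allow_string', $clean );
    return $clean;
}
```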
If they did the job properly and carried out an audit, that would actually be helpful, but they don’t: you fix one “issue”, make a release, and then a week later they say, “oh, you missed something”, and so it goes on.
I’ve had months of this crap on a handful of trivial issues and I’ve had enough of it.
As I say, critical and high severity issues get fixed as quickly as possible. Everything else goes on the backlog and gets released in the next version. I don’t have a development and testing team running sprints every week. It’s literally just me and a few helpful contributors who weigh in from time to time. Sometimes it can be months between releases.
Don’t worry, the plugin is still here!
As a result of this time drain, and pitiful “process”, I have taken the decision to remove my plugin from the Wordpress Plugin Directory and make it available for direct download from my website instead.
I will still maintain and support it, just not on the plugin directory.
I know this is a bit of a ball-ache for people who maintain websites, and I will try to make this as painless as possible, but if you have a complaint, please take it up with Wordpress and tell them to sort their processes out.
I also hope to publish the source code on GitHub at some point so that people can get involved and communicate this way, but in the meantime, you can contact me via the XML Sitemap Generator website or join the Telegram group.
I don’t always respond immediately and can’t promise to respond to everyone, in particular for feature requests, but I do keep a note for future releases.
Security audits don’t come cheap, so if people don’t donate enough (and they don’t) then it won’t happen. It is good practice to review 3rd party code yourself before including it in a website anyway, unless there is a 3rd party audit you can depend on.
If someone did want to donate to pay for an audit, or better still carry out the audit so I can respond to any issues and publish the results, I would be open to this.
The future of Wordpress plugins?
It’s interesting to think about what this means for the future of Wordpress Plugins in general.
Wordpress do not allow you to commercially sell your plugin from their directory, let alone provide any support for it as app stores do. They require that plugins are free and open source, while at the same time requiring a development and support regime to deal with their every whim.
These two things just aren’t compatible.
While some developers have found ways to work around Wordpress rules to commercialize their plugin, I can see plugins disappearing and other great ideas never being realized which is a sad thing for the open source community, but then there are other platforms and mechanisms out there.