Password Reset Required for Plugin Authors

As a follow-up on the Andrew Wilder (NerdPress) and Chloe Chamberland (WordFence) reports that uncovered a limited number of compromised plugins, the Plugin Review team would like to provide more details about the case.

We identified that some plugin authors were reusing passwords exposed in data breaches elsewhere. The compromised accounts were not the result of an exploit on WordPress.org. Instead, the attackers used recycled passwords to add malicious code to a few plugins on the WordPress.org Plugin Directory.

First, out of an abundance of caution, additional plugin releases have been paused, and all new plugin commits temporarily need approval by the team. This way, we have the opportunity to confirm that the attackers cannot add malicious code to more plugins.

Update: Plugin releases are no longer paused. The SVN repository works as usual.

We have begun to force reset passwords for all plugin authors, as well as other users whose information was found by security researchers in data breaches. This will affect some users’ ability to interact with WordPress.org or perform commits until their password is reset.

Information about password deactivations

You will receive an email from the Plugin Directory when it is time for you to reset your password. There is no need to take action before you’re notified.

Your password was deactivated if you are a plugin author or committer. If you have an existing open session on WordPress.org, you will be logged out and need to reset your password.

To reset your password and regain access to your account, follow these steps:

  1. Go to login.wordpress.org
  2. Click on the link “Lost password?”
  3. Enter your WordPress.org username
  4. Click the “Get new password” button
  5. Open your email and click the link to set a new password

Once you have reset your password, we encourage you to enable 2FA for your accounts and follow the recently outlined best practices. If you encounter any issues, please contact forum-password-resets@wordpress.org. We will never ask you for your password via email.

Keeping Your Plugin Committer Accounts Secure

On June 23 and 24, 2024, five WordPress.org user accounts were compromised by an attacker trying username and password combinations that had been previously compromised in data breaches on other websites. The attacker used access to these 5 accounts to issue malicious updates to 5 plugins those users had committer access to.

The affected plugins have had security updates issued by the Plugins Team to protect user security.

The Plugins Team would like to use this opportunity to spread awareness around best practices for WordPress.org accounts, particularly those with plugin committer and owner level access.

As a reminder, Plugin Owners can give a WordPress.org user one of the following special permission roles for their plugin:

  • Owner: a plugin has one Owner, which grants that user the ability to perform destructive actions such as permanently closing or transferring the plugin, as well as the ability to issue plugin updates and manage support for that plugin on WordPress.org. For company owned plugins, this should be a company branded WordPress.org account that only the company’s owner, CEO or CTO (or a single person in a similar role) has access to, which uses an email address only that individual has access to (i.e. not support@{companyname}.com).
  • Committer: this role grants the user the ability to manage support for that plugin on WordPress.org as well as the ability to issue new plugin versions by updating the plugin’s code in SVN.
  • Support Rep: this role grants the user the ability to manage support for that plugin on WordPress.org only.

You can also acknowledge users who contributed to the plugin without giving that user any special abilities for the plugin on WordPress.org by using your plugin’s readme.txt to mark them as a Contributor.

Limit the Number of and Audit Your Plugin’s Committers Regularly

As we’ve mentioned in the past, plugin commit access, which is the ability to issue updates on behalf of your plugin should only be given to developers, and more specifically, only the developers who are actively responsible for issuing plugin updates for your plugins.

Committer accounts should not be shared by more than one user, and should not use an email address that more than one person has access to. We’ve seen developers in the past use emails such as a support@ for their wp.org account with Committer or Owner access, which would mean anyone with access to your support tool can click on reset password, get the password, change it, and blow up your plugin (or permanently close it). Obviously that’s a major security issue (and could also be a Guidelines violation that gets your plugin pulled from the repository if it sends back an auto-responder email).

Additionally, the Plugins Team sends emails to all committers for a plugin if we ever need clarification on Guideline issues with your plugin or have a reported security vulnerability for your plugin. So the best practice is to limit the number of committer users you have on a plugin to the minimum number of developers possible, and have those developers ensure that emails from plugins@wordpress.org do not go to spam in their email client.

Users who do not need commit level access should instead be given Support Rep access, which allows them to respond to and manage support topics for your plugins on WordPress.org. This account level does not allow those users to issue plugin updates.

We recommend routinely auditing the committers for each of your WordPress plugins on a regular basis, removing commit access (or downgrading them to Support Rep access) when they don’t need active commit access. The owner of the plugin can manage the committers for the plugin on the Advanced tab of the plugin’s WordPress.org page.

Enable Release Confirmation For Your Plugins

In April, 2021, the Plugins Directory introduced opt-in support for Release Confirmations.

Release Confirmations, when enabled for a WordPress.org plugin, add a second layer of protection against an unauthorized user issuing plugin updates.

After opting in, a plugin committer wishing to issue a new version of the plugin would commit and tag the plugin update in SVN as normal. Once the tag has been pushed to the WordPress Plugins Directory, the Directory then emails a unique tokenized link to all plugin committers for that plugin which brings the committers to a special dashboard that allows them to confirm the new release. Only once the version is confirmed will the update then be issued.

For additional security, the Plugin Directory also supports the ability to require 2 plugin committers to confirm the release in order to issue the update — if you’re interested in requiring that for your plugin, please email plugins@wordpress.org with your request.

You can see which of the plugins that you have Committer (or Owner) access to have Release Confirmations enabled on the Release Confirmations dashboard.

Use Secure Passwords and 2FA

If you are the owner or a committer of a WordPress plugin, it is imperative you use a unique password that is complex and not re-used on any other website.

As mentioned in WordPress’s Password Best Practices guide, we recommend using a password that:
– is at least 20 characters (preferably substantially more)
– uses lowercase and uppercase letters as well as numbers
– contains special characters such as `!"#$%&'()*+,-./:;?@[]^_{}|~
– does not contain names, words or years that are easily linked to you

This password should not be used on any other site.

To make it easy to use secure, complex passwords, we recommend using a password manager to generate and store this password in. This helps avoid the temptation of password re-use and makes it easy to generate unique, complex passwords for each website that you use.
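The policy above (length, character classes, nothing personal) can be checked mechanically. The following is an added example, not code from WordPress.org or the Plugins Team: a small checker that reports every rule a candidate password breaks, plus a generator built on Python’s `secrets` module, which is what a password manager does for you. The special-character set is the one listed above; treating any four-digit year between 1900 and 2099 as "a year easily linked to you" and taking the personal names to screen for as a caller-supplied list are assumptions of this example.

```python
import re
import secrets
import string

# The special characters named in the guidance above.
SPECIALS = "`!\"#$%&'()*+,-./:;?@[]^_{}|~"

# Assumption: any 20th/21st-century year counts as "easily linked to you".
YEAR_RE = re.compile(r"(19|20)\d\d")


def password_problems(password: str, personal_terms=()) -> list[str]:
    """Return a list of policy violations; an empty list means the password passes.

    personal_terms is a caller-supplied list of names/words (e.g. the user's
    name, company, pet) that must not appear in the password.
    """
    problems = []
    if len(password) < 20:
        problems.append("shorter than 20 characters")
    if not re.search(r"[a-z]", password):
        problems.append("no lowercase letter")
    if not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    if not any(ch in SPECIALS for ch in password):
        problems.append("no special character")
    lowered = password.lower()
    for term in personal_terms:
        if term and term.lower() in lowered:
            problems.append(f"contains personal term {term!r}")
    if YEAR_RE.search(password):
        problems.append("contains a four-digit year")
    return problems


def generate_password(length: int = 32) -> str:
    """Generate a random password from the CSPRNG that satisfies the policy.

    Candidates that happen to miss a character class (or contain a year)
    are simply discarded and a new one drawn.
    """
    alphabet = string.ascii_letters + string.digits + SPECIALS
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not password_problems(candidate):
            return candidate


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    for sample in ("Tr0ub4dor&3", "correct horse battery staple 2019", generate_password()):
        print(repr(sample), "->", password_problems(sample, ["staple"]) or "OK")
```

`password_problems` deliberately returns every violation rather than stopping at the first one, so a user fixing a weak password sees the whole list once; `generate_password` only ever returns a value that passes that same function, so the two cannot drift apart.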

We also strongly recommend all accounts on WordPress.org set up and use two-factor authentication (2FA), which has been supported since May, 2023. This helps keep your WordPress.org account secure by requiring a second piece of evidence to log in to your account, such as a rotating 6-digit TOTP code from an authenticator app or a hardware key. To set up 2FA for your WordPress.org account, follow this step-by-step guide.

How should we shape the future of the Plugin Review team?

The deadline has been extended from June 17 to July 2 due to several contributors being occupied with WordCamp Europe and unable to provide feedback on this post within the initial deadline.

Since we began restructuring the Plugin Review team with our advisors and new team members, we’ve had to make some tough collective decisions. These decisions, while based on strong intuition from our contributions, could have more alignment with the whole community.

This post aims to discuss and explore some important goals to improve our effectiveness and efficiency. This is a proposal, not a final set of goals.

We hope to receive community feedback, which will help us reach a general understanding. If possible, when commenting and adding suggestions around specific goals, please also provide the reasons behind your suggestions.

Comments will be open for feedback until July 2, 2024. Thank you for your contribution to the Plugin Review team!

1. Review timeframes

The plugin review process consists of two main queues (not including the security queues). First, we have an initial review queue, during which we check the issues and assign a specific reviewer to the plugin review. Then, if everything is good, we will approve the plugin, or it will go to a subsequent review queue assigned to the initial reviewer to continue the conversation until it reaches a satisfactory level.

We need to have different timeline goals for each of these steps.

  • For the initial reply to plugin submissions, it would likely make sense to happen within seven days. This timeframe can be considered at three levels: the regular level would be up to 7 days, the warning level would be between 7 and 14 days, and the critical level for more than 14 days. The idea behind the regular level being up to one week is that some team members contribute more during weekends, and we need to allow enough time for this to compensate for the increase in submissions during the week.
  • If the plugin is not initially approved, we propose that the assigned team member have a follow-up reply within 10 days as a goal on the subsequent review queue. We need to consider that some team members are distributing their pledged time over one day per week, so it might not be viable to lower this number as we try to keep the same reviewer handling the entire review process for a specific plugin.

If we can’t meet the expected timeframes, we must implement contingency plans. When we reach the warning level, we will ask team members who are involved in other team projects to reprioritize and focus on reviews as much as possible. If the situation worsens and we reach a critical level, we propose to create urgent calls to add new team members and explore even deeper actions to reverse this as soon as possible. We would love suggestions on other contingency plans.

Suggested monthly goal: 95% of initial reviews completed within 7 days and 90% of subsequent reviews completed within 10 days.

2. Improving initial submission quality

The team’s work is primarily focused on providing a safe and reliable experience while following some basic standards and guidelines. 

One of the team goals is to make Plugin Check (also known as PCP) a big part of the submission process, and we expect this to improve the quality (and speed) of the whole process. Having more AI-based tools also has some potential, even if we don’t yet know exactly how, but we’re open to suggestions.

Apart from that, we would like to improve our interactions with plugin authors by consolidating information and providing practical tips through small videos (like Instagram/TikTok) on common issues such as sanitizing and escaping.

This means that part of our goal is to invest in this direction and ask some of our contributors to dedicate time to it.

Right now, it takes an average of about three interactions per review when looking at the last six months, so it would be ideal to change that closer to two interactions per review.

Suggested monthly goal: Improve the quality of applications so that there are only two interactions (one initial review and one subsequent follow-up review) as average per application.

3. Keeping track of popular plugins

The team has historically only reviewed the initial version of plugins by default, then only checked based on specific reports or specific cases.

This means some plugins with many active installations haven’t had a full review from our team in a really long time. 

The team would like to start dedicating resources to scheduled reviews whenever a plugin achieves 20k active installations. Of course, this is more challenging while there is still a backlog, but it is one of the plans we consider throughout a plugin’s journey on the WP.org directory.

Suggested monthly goal: Complete scheduled additional reviews for all of the plugins with over 20k active installations at least once every two years.

4. Distribution of contribution

Ideally, no single person should be responsible for the majority of active reviews. We need to avoid overloading a few individuals and relying on only a few people to keep the work going. 

A healthy number might be not more than 25% of reviews per person, as this distribution ensures consistency and protects us if someone steps out temporarily or permanently.

This means we will explore internally (and even add new team members if needed) until we accomplish this goal.

Suggested monthly goal: Ensure no team member handles more than 25% of active reviews at any time.

WordCamp Asia 2024: Plugin’s team table on contributor day

With WordCamp Asia 2024 coming soon, we need to get ready for contributor day!

To ensure a smooth experience on the day, we recommend installing a local development environment on your laptop in advance. The conference venue’s Wi-Fi may not always be optimal, especially when many people are using it simultaneously. Achieving this prerequisite over a stable and fast connection is much simpler.

Here’s the checklist:

  1. Latest Local WordPress Setup: You can use tools like MAMP, XAMPP, Local by Flywheel, Docker, or WP-Now.
  2. Latest Stable Version of Node.js and npm: You can find it here: Node.js (the LTS version is the one used by core and Gutenberg).
  3. Code Editor: Consider using VSCode or Sublime.
  4. Git: it’s optional but good to have.

We eagerly anticipate your presence at the event!

Thanks to @kafleg for your help drafting this post.

Join the Plugin Review team!

The application period is now closed. We appreciate the interest of everyone who applied. Expect to hear from our team by January 31, 2024 February 17, 2024.

Edit: We had more than 70 applications, which delayed the whole process, so we will publish the announcement in a few weeks.

We’re happy to announce the reopening of applications for the Plugin Review team!

Our team is looking for new members who believe in our mission of guiding plugin authors in responsibly transforming their innovative ideas into reality and ensuring a great WordPress plugin experience for end users.

Given the significant level of access and responsibility within the community, we plan to add only three new members in this round. This path helps us address long-term challenges associated with team expansion.

Our goals

The primary goal of adding new members is really to improve the state of our plugin review queue — our hiring and onboarding procedures have been undergoing restructuring, and we had to finish the onboarding for new team members before restarting the process.

Besides improving the queue, we’re focused on creating a diverse and inclusive team. If you feel underrepresented in the community, we want you to know that we not only accept you, we embrace you!

We believe that having a team with different experiences and backgrounds is important for more creativity and inclusivity in the WordPress world. If you belong to a group that’s not well-represented in tech, your unique view is really important and wanted in our team.

Main tasks and expectations

Your tasks would look like this:

  • Dive into plugin reviews, ensuring they meet our high standards. This is crucial for maintaining the quality and security of WordPress plugins.
  • Review the mailbox for questions and requests from plugin authors and users.
  • Work with the team on process improvement — we’re always looking to do things better.
  • Get involved in developing tools that help us and the WordPress community, like the Plugin Check Plugin (PCP).

We also expect you to pledge at least 4 hours per week to be part of the team.

We would like team members to have a deep understanding of PHP, JavaScript/React (for the block editor), a solid understanding of the WordPress core/plugin architecture, and skills in SQL/database management. We have some folks focused on security issues, but general web security practices are relevant as well.

However, it’s important to highlight that the ability to contribute to the team in different ways is valued, so not having a specific skill shouldn’t be a blocker.

Timeline

Our onboarding timeline:

  • November 2023: Finalization of new aspects of our process.
  • December 2023: The application form reopens for 30 days.
  • January 2024: Announcement of three new team members, chosen for their alignment with our team’s needs.

We plan to close the application form on 31 December 2023.

Apply now

You can apply using the button below:

[The application form is now closed.]

PS: If you have already applied in the last 12 months and would like to apply again, please share any new relevant skills and contributions to the community that make you a better fit now.

Questions or Feedback

Feel free to ask questions or share any feedback in the comments or email plugins at wordpress.org.


Special thanks to @annezazu, @coachbirgit, @chanthaboune, @properlypurple, @jordesign, the DEIB working group, and all the members of our team — we appreciate the great feedback on restructuring our hiring and onboarding.

Edit: We clarified the technical expectations a bit more.

Plugin updates to SVN issues

tl;dr – There was a delay when updating plugins in the repository, everything seems to work fine again.

We have been receiving reports from plugin authors indicating that updates to their plugins made to SVN are not reflecting the changes on the plugin page.

We understand that this situation is frustrating for plugin authors, as it’s challenging to determine whether the problem lies with an incorrect “Stable tag”, an incorrect “Version”, a mess with the folders or a combination of all of these.

Besides those cases, as far as we know, this seems to be a technical issue in the repository, so it’s with the Meta team.

We have already escalated this issue to them and are waiting for a fix. Please wait patiently with us.

We will update this post as soon as we have more information. To help us manage other tasks within the repository, please refrain from sending us emails about this matter, as the updates provided here will contain all available information.

Updates:

  • October 30, 2023, at 7:26 UTC: First report of the issue by a plugin author.
  • October 30, 2023, at 10:45 UTC: Issue escalated.
  • October 30, 2023, at 20:50 UTC: Meta team has identified the process in charge and is manually triggering it. They are still working on making the automation work again. In the meantime, expect delays of several hours when updating a plugin to see changes on the plugin page.
  • October 30, 2023, at 21:00 UTC: This appears to be fixed, and we will keep monitoring the situation.

Fortunately, this issue is not affecting the initial plugin reviews, which will allow us to continue working to reduce the backlog.

Update: Turning the Tide

Currently there are 1,241 plugins awaiting review.

We are painstakingly aware of this. We check that number every day and realise how this delay is affecting plugin authors. We are sharing an update to let you know what we are doing, not just to fix the current situation, but also to prevent a similar scenario in the future.

New Team Members

We have three new people in the team: Gustavo Bordoni, Gagan Deep Singh & Rob Rawley (thank you!) and we are still reviewing submissions. The experience we have gained onboarding two rounds of new team members, added to the fact that we now have a system in place, means that it will be a lot easier to repeat this process in the future.

Since we have 40+ submissions at this point, we are planning to close the “Apply to join the team” form at the end of September. If you are planning to apply to join the team, please do so before Oct 1st. We would like to extend our gratitude to all those who have taken a step forward and volunteered to join the team.

Self-reviews

We have also started emailing plugin authors whose plugins are currently in the queue and asked them to self-check their plugins to ensure they meet basic security standards. We find ourselves correcting the same three or four errors on +95% of plugins and this is not a good use of our time. Once authors confirm that their plugins meet these basic requirements, we will proceed with the review.

We want to thank those of you who are receiving these emails for your collaboration, as it will allow us to tackle the current backlog a lot faster.

Plugin Check plugin

In the same vein, we are just about to release have just released a Plugin Check plugin (PCP) to the WP.org as a regular plugin. This plugin will allow authors to self-review their plugins automatically and will provide them with feedback and links to fix common errors.

Once the PCP is merged with this other plugin that the Performance team has been working on, it will provide checks for a lot of other things. When this is completed, we will be in a better spot to take in feedback and make improvements.

In the short term, we are going to ask authors to test their plugins using the PCP before submitting them, but our goal is to integrate the plugin as part of the submission process and run automated checks.

The Plugin Check plugin is about to be released has been released as a regular repo plugin. Running it will become requirement soon, please take a look now.

Security Reports

We have made significant progress with the security reports backlog, and we are hoping to clear that queue in a matter of days. This will mean more hands available to focus on new plugin reviews and other tasks. We have also made some progress regarding the methods and formats in which researchers submit their reports, which in turn reduces the amount of time required to process these reports.

Bailing Water Vs Fixing the Leak

If you indulge me to share a sailing metaphor: When your boat has a leak, it is more effective to prioritize fixing the source of the leak rather than solely focusing on bailing out water, even though to external observers, it might appear as if no progress is being made. Bailing water can provide temporary relief and may give the appearance of actively addressing the issue, but it is essentially a band-aid solution that requires continuous effort.

During the last 6 months, the Plugin review team has worked on documenting its processes, training new members and improving its tools. Now, thanks to your patience and support, the tide is about to turn.

#update

Tackling team challenges together

TLDR: New team reps selected; strategies for working through the plugin backlog; solid show of interest in joining the team.

The last few months since Mika announced she was stepping down from the team have been very exciting (and busy!) for all the new team members (@davidperez, @eherman24, @frantorres, @lukecarbis, @martatorre and @pacomarchante), and we wanted to share an update with you. 

The first couple of weeks were a bit nerve-wracking. We were daunted by the complexity of the task, the responsibility it entails, and the sheer volume of plugins that needed to be reviewed. But over time, we’ve become more comfortable with the processes and routines of plugin review.  We are very grateful we got all the support we needed from Mika, @otto42, @dd32, @zoonini, @mrfoxtalbot, and other contributors during this period. 

We’re also pleased to announce that after some discussion, Francisco Torres & Paco Marchante will be the new team reps. 

The challenges

When you start working on plugin reviews it suddenly strikes you how tremendously efficient Mika was at doing this. In the last year alone, she reviewed 5297 new plugins (that’s around 100 plugins per week). You have to take into account that most of the plugins the team receives require a back-and-forth of several emails before the plugin can be approved.

Fortunately, the team is quickly picking up its pace at reviewing plugins. At first, it would take us 2 hours to review each plugin, then 1 hour, and now we are down to 10-20 minutes for an initial review. It is important to remember that reviewing plugins is not just looking at the code; we also need to check for other things, such as trademark violations and compliance with the other guidelines.

Aside from plugin reviews, the team takes care of several other tasks: we review reports of guideline violations, reply to requests about closing or reassigning ownership of plugins, respond to questions in the #pluginreview Slack channel, work with the security team to address vulnerabilities, and send out (and monitor) pre-release emails to ensure all plugin authors are still reachable at their regular email address. We have spent a lot of time documenting and streamlining these tasks.

Solving these challenges

The first challenge we found during our onboarding was the fact that a lot of processes were not clearly documented. We asked A LOT of questions during this process and ensured that all the answers Mika shared with us were added to the team’s internal docs. This effort should make it a lot easier for new contributors to join the team down the road.

We have also improved our internal tools to catch the most common coding mistakes and have built our predefined responses into the output provided by this tool. We still review this content manually before sending out replies, but by merging the two tasks into one (reviewing the code and drafting the message) we have been able to cut down review time considerably.

Another thing we decided to do was speed up our first reviews. As it turns out, about half of all plugin authors don’t reply to the initial review email with feedback on what they need to fix. In order to tackle the backlog faster, we’re now spending less time on initial reviews. We begin checking issues that take us less time, and then as soon as we spot one or two issues with the plugin that would prevent it from being approved, we email the plugin author to ask them to fix the initial issues. If the author gets back to us with those first fixes, then we proceed with an in-depth review.

20+ Submissions

When the team was announced, an application form was created for those considering joining the team. We are excited to announce that we have received more than 20 submissions from generous contributors wanting to help. We are currently reviewing them and our goal is to expand the team in the near future.


To recap, we are making our best effort to reduce the current backlog by improving our tools and expanding the team. Our goal is to lower the waiting period significantly over the next few months. We sincerely want to thank you all for your patience and understanding during this transition period. 

#update

Plugin Review Team Update: The next phase begins

tl;dr My time on the Plugin Review team is ending. Meet the new members, and check out the application to join the team.

The time has come. As outlined in several other posts over the last few months (March, May), I’m stepping down from the Plugin Review team. It’s been a fun and wild ride for the last decade as the rep, and before that as someone who annoyed Otto until he made me learn how to properly review.

After several months of onboarding, I’m excited to welcome six new and enthusiastic team members: David Pérez, Evan Herman, Francisco Torres, Luke Carbis, Marta Torre, and Paco Marchante. These sponsored volunteers – a group of experienced WordPress developers from around the globe – are contributing over 50 hours a week to the project. 

Plugin Review across the WordPress project is a big task. We know we hit a pretty rough backlog, and even as the new team members start to catch up and shorten the queue, more folks are needed to help. If you have at least five hours a week to devote to the team and would like to join in the Plugin Review effort, you’re welcome to submit an application.

Given the nature of the work the team does, joining this team is a little different than some of the others: each new member will go through a vetting process by current team members before being selected. Some of the things the team is looking for are: a solid track record as a plugin developer; the ability to communicate clearly, kindly and constructively – both with other developers and users; interest in improving tools and processes; and excellent collaborative and conflict-management skills. 

If you think this describes you, check out the submission form.

Stay tuned for more team news soon, including the announcement of the new team rep.

@zoonini contributed to this post.

#onboarding, #update

Plugin Review Team Update

tl;dr An update on the team which is a lot of onboarding, making tools work for multiple people at once, and more documentation than you can shake a stick at.

As much of the WordPress community knows by now, I will be stepping down soon, after over a dozen years (wow) of being part of the Plugin Review Team, including ten years as team rep.

During this transitional period, the Plugin Review team has been working on onboarding new members – and at the same time, on documenting the onboarding process itself. 

New team members

Given the need for the new team members to get up and running relatively quickly, the plugin review team invited contributors who have experience with plugins and code to join the team, thanks to recommendations from many community members. These contributors were vetted for good standing in the WordPress project, confirmed that they had the skill set required to review plugins and would respect the level of security and confidentiality the role needs, and agreed to help refine the onboarding process for the Plugin Review team.

There are now five new plugin team members at various stages of the onboarding process. Since the team is still in transition, we wanted to give people a chance to finish their onboarding and decide if the Plugin Review team is a good fit for them. This will avoid putting volunteers in the spotlight before they commit to this important and challenging role. 

Once plugin team members are fully onboarded, their names will be shared in the Plugin Review handbook.  

Documentation and onboarding 

The current team, alongside new members, has been collaboratively reviewing all existing public and private plugin documentation, making sure everything is clear, filling in any gaps that exist, and adding information about undocumented tools and processes.

At the same time, the team compiled an onboarding checklist, which is being used to help new members get up and running. While the first new team members go through the onboarding process and start handling initial tasks – such as looking at the bounced emails queue and reviewing their first plugins – they will also help to improve the onboarding checklist and process documentation. Their experience will be very valuable in paving the path for future team members, making it easier to expand the team and delegate tasks more efficiently.

Tooling 

In addition to training new members, documenting processes, and developing a sustainable onboarding plan, folks from the Meta team have been working on tooling enhancements to help make plugin reviews more efficient and “portable.” For example, the home-grown scanner script that’s been used by me until now is being converted to a flexible web-based version, which will be simpler to maintain for multiple reviewers.

Other enhancements include:

Next steps

The Plugin Review team is focused on making the onboarding process smooth, documenting its workflows, improving its collaboration tools, and helping new members get familiar with all the necessary tasks.

We hope that all these improvements in tools and workflows will make it easier to recruit more people and scale up the team. This should in turn reduce the time plugin authors need to wait to have their plugins reviewed and approved.

So, what’s next?

Once the team is ready, we’ll make another post to announce the new members, propose a plan for vetting and onboarding additional members in the future, and open applications to join the team.

Massive thanks to the following people, who helped write this post: @angelasjin, @mrfoxtalbot, @sereedmedia, and @zoonini.

#notice, #onboarding, #update