Vladimir Prelovac, author of many excellent WordPress plugins, recently published his thoughts on where he sees WordPress headed in the future. Not only that, he also provides a critique of how things are currently being handled by the WordPress team as it relates to the WordPress core. While I agree with some of the points Vladimir has made, there is one thing he mentioned that I hinted at back in January in another post (Uninstalling Conundrum Part 2), and that is a plugin validation team.
I admire the phpBB3 team for executing this concept brilliantly. Here is what they do. First, for any modification to be added to their mod database, it has to go through a minor code audit. This audit looks for security flaws as well as bugs in the code. This means that users can feel safe knowing that the mods they download from the database are free of known security vulnerabilities and are safe to use on their own forum. Despite the fact that the validation process can be a time-consuming one, the benefits far outweigh the negative aspects of the process.
I would like to see something like what the phpBB team does for their mods done for WordPress plugins and the plugin repository. Vladimir’s take on this issue is that a team is needed to validate WordPress plugins as a security measure, because of the potential danger of a plugin author’s account being compromised. My opinion on the matter is the same today as it was in January:
So what I’m proposing is that the WordPress team should get together with the community and develop a series of coding guidelines. These are the guidelines that third-party plugins would have to abide by in order to be housed within the official WordPress plugin database. This is the only way WordPress would be able to somewhat control the quality of plugins that are coded and released to the public. Granted, you’re not going to solve the problem completely, as people will still be able to code plugins for WordPress and release them via their own website, but then end users of WordPress should think twice about those particular plugins and realize that the only safe route should be through the official source of plugins, that being the WordPress.org plugin database.
So while Vladimir covers security, my reasoning is more along the lines of quality assurance/control. Based on a comment made by Matt himself, there are a few things that they do automatically to ensure that nothing malicious is entered into the repository. However, Matt now appears to be in agreement that a team of volunteers will be needed to validate plugin code and also keep an eye on plugin changesets.
Even though I love WordPress, and there are many of us out there who do, who is going to review plugin code for hours on end as a means of contributing to the project? Is this something you would be interested in doing? What about the proposed restrictions on the plugin repository? Do you feel that they are needed to ensure that the plugins hosted there are of top-notch quality and free from security vulnerabilities?