WordPress

Should There Be A WordPress Plugin Validation Team

Vladimir Prelovac, author of many excellent WordPress plugins recently published his thoughts on where he sees WordPress headed in the future. Not only that, he also provides a critique on how things are currently being handled by the WordPress team as it relates to the WordPress core. While I agree with some of the points Vladimir has made, there is one thing that was mentioned that I hinted to back in January on another post (Uninstalling Conundrum Part 2) and that is, a plugin validation team.

I admire the PHPbb3 team for executing this concept brilliantly. Here is what they do. First, for any modification to be added to their mod database, it has to go through a minor code audit. This audit is used to look for security flaws as well as bugs inside of the code. This means that users can feel safe knowing that the mods they download from the database are free of security vulnerabilities and are safe to use on their own forum. Despite the fact that the validation process can be a time consuming one, the benefits far outweigh the negative aspects of the process.

I would like to see something like what the PHPbb team does for their mods, done for WordPress plugins and the plugin repository. Vladimir’s take on this issue is that a team is needed to validate WordPress plugins as a means of security because of the potential dangers in having a plugin author account becoming compromised. My opinion on the matter is the same today as it was in January:

So what I’m proposing is that, the WordPress team should get together along with the community and develop a series of coding guidelines. These are the guidelines that third party plugins would have to abide by, in order to be housed within the official WordPress plugin database. This is the only way WordPress would be able to somewhat control the quality of plugins that are coded and released to the public. Granted, you’re not going to solve the problem completely as people will still be able to code plugins for WordPress and release them via their own website, but then, end users of WordPress should think twice about those particular plugins and realize that the only safe route to go should be through the official source of plugins that being the WordPress.org plugin database.

So while Vladimir covers security, my reasoning is more along the lines of quality assurance/control. Based on a comment made my Matt himself, there are a few things that they do automatically to ensure that nothing malicious is entered into the repository. However, Matt appears to be in agreement now, that a team of volunteers will be needed to validate plugin code and also keep an eye on plugin changesets.

Even though I love WordPress and there are many of us out there, who is going to review plugin code for hours on end as a means of contributing to the project? Is this something you would be interested in doing? What about the proposed restrictions to the plugin repository. Do you feel as if that is needed to ensure that the plugins that are hosted their are of top notch quality and free from security vulnerabilities?

Author: jeffc

5 thoughts on “Should There Be A WordPress Plugin Validation Team

  1. Very true Viper, which was one of my last questions in the post. Perhaps only something like this could be done if the plugin repository was in the same shape as the old theme repository where as, the new repository would be built and all of the plugins within the old one would serve as the archive and the new repository would have these types of restrictions/guidelines in place. However, since that is not the case, perhaps implementing something like this is an impossibility.

  2. In a perfect work, we’d all love this but let’s face it — this is like asking people to read War And Peace daily.

    For example, I released a 3500 line plugin a week or two ago. Who’s gonna wanna read through that (besides me), especially each time I update it?

  3. I love the idea of a group that does nothing but test out plugins as every new version of WP is released, but I just can’t see it ever happening. Here’s why: every day a dozen new WP plugins are released. So, who’s going to make the list of which ones are or aren’t going to be tested prior to a new release? Do you cap it at the top 100 most downloaded plugins? The top 500? 1000? What’s the magic number? If you cap it at 500, who’s to say that #501 isn’t a more crucial app, but to a smaller number of bloggers?

    A great idea that I just don’t see ever becoming a reality.

  4. This is definitely something that would be beneficial to the community, but I see downsides in the restrictions. Perhaps the plugins could simply be flagged as verified by the team, and the repository can be sorted accordingly. It would work out great, just don’t let it interfere with how things are now. I would be willing to validate plugins as I’m sure many others would as well!

Comments are closed.