The Plugin Check Plugin now creates automatic security reports after each plugin update

As an important part of the internet, the WordPress community actively thinks about the security of the ecosystem. Community members, developers, specialized companies, and independent researchers all play a role in maintaining the security of the environment.

In the Plugins Team, we’re passionate not only about improving the tools we already work with, but also about making them public so the community can use them when developing and building plugins.

That’s why the Plugins Team, Performance Team, and Meta Team launched the Plugin Check plugin, a tool that runs checks on your plugin and generates a report so developers can apply proper security measures and improve the plugin overall.

On September 17th of 2024, we introduced automatic detection of issues for new plugins that fail to meet the minimum required checks. This feature provides developers with guidance on how to resolve these issues before the Plugins Team conducts a manual review.

This has helped improve the quality of plugin submissions before they even reach a human reviewer. Thanks to AI support during manual reviews using our Internal Scanner, plus the team’s effort to complete more reviews, the queue hasn’t grown despite receiving more than double the number of plugins compared to last year.

We are now running Plugin Check for all plugin updates, both new and already approved plugins.

Since Monday, October 27th, thanks to the Meta team, we’ve implemented automatic detection on wordpress.org for issues related to security, compatibility and compliance.

Right now, this information is available internally for the team, who will evaluate it and send reports to authors as needed. During this phase, we will observe how the Plugin Check Plugin (PCP) behaves during updates and we will improve it as we see fit.

Once we’ve evaluated the performance of PCP with plugin updates, the goal is to deliver via email a security report to authors right after they update their plugin. Our aim is to promote and maintain good development practices across the entire WordPress ecosystem.

To wrap up: this week marks a small but meaningful step forward in improving the security of plugins hosted on wordpress.org. We look forward to the community taking this opportunity to double-check their plugins when sending an update – or even before.

This post was written by David Perez and reviewed by Francisco Torres.

Stats of Plugins Team after WordCamp US

After WordCamp US, we have prepared some insights about our team and we wanted to share them with the community.

These are the insights from the Plugins Team:

  • We now have 60,187 plugins published in the directory.
  • As of today, we have received as many new plugins and completed as many reviews as we did in the entire last year.
  • We have received 7,670 new submissions this year, which is 87.3% more than in the same period last year.
  • Since the start of the year, we have had an average of 235 new submissions per week. In the same period last year, there were 124 new plugins.
  • The queue is less than one week, even though we have received many more submissions.
  • On average, we spend 6.19 review cycles to approve a plugin, which is 11.2% fewer reviews per plugin compared to last year.
  • 85.3% of first reviews made this year were initiated by an automated system that uses algorithms and AI to perform the first review of the plugin, requiring only minimal input from human reviewers, saving us time.
  • 64.2% of plugin authors successfully engaged with the review process, which is 17.1% higher than the year before.
  • Out of the plugin authors that followed the review process, 60.27% were approved.

In summary, although the number of submitted plugins is increasing, the team’s effort remains steady, thanks in part to AI automation in certain areas. Our goal is to continue improving by implementing AI in more checks, as well as introducing proactive scanning of the current Plugins Directory.

All this data was prepared on the 31st of August.

Written by @davidperez, reviewed by @frantorres

Plugin Rollout: Phased Releases

Through #8009-meta we’ve started work on adding Phased / Staged plugin releases to plugins utilising Release Confirmation.

What are phased releases? In short, this allows your plugin update to be released to a smaller subset of sites prior to full release to all sites.

Why would you want to use it? Sometimes plugin updates can inadvertently break user workflows or run into conflicts with other plugins. Often these issues are not known until after a plugin update is released and lots of users have already installed the update. A phased release allows for a short timeframe in which, hopefully, engaged users will report issues to you sooner.

How? Initially this has been limited to plugins using Release Confirmations. This means a plugin has to explicitly opt in to using this feature at the time of the plugin’s update release.
To start with, only one strategy is offered, Delay Auto-updates for 24 hours – this disables WordPress plugin automatic updates for the first 24 hours of a plugin release. Site Administrators can still click on “Update” to install the latest version, as it’s hoped that these users would spot any issues that result from using the updated version.

[Image] Example of the Rollout Strategy selection included in Release Confirmations.

Technical Limitations

  1. To reduce the potential for user confusion, this has been initially launched focusing on disabling automatic updates, rather than disabling the update entirely for a WordPress site.
  2. Currently WordPress.org can only instruct WordPress 6.6+ sites not to automatically update the plugin.
  3. Currently WordPress.org can track the number of plugin updates (through the Active installs / Active versions statistics), but can’t differentiate between a user-initiated/manual update and an automatic update.
  4. It’s up to 3rd-party update tooling to respect the WordPress 6.6+ flag to disable automatic updates, and it’s unknown whether any of these tools respect it. Anything that runs the WordPress Automatic updater should support it.

What will future iterations bring?

What functionality is offered here will heavily depend upon author feedback from using the feature, or on what would encourage them to do so. Examples of what this could include:

  • Strategies that roll out updates to a percentage of sites. For example, 1% per hour, or gradually increasing to 20% over 3 days and the final 80% on day 4.
  • Improvements to find out if there have been any issues reported with the update. For example:
    • Are plugin reviews overly negative?
    • Have any PHP Warnings/Fatal errors been reported automatically? (not implemented)
    • Have WordPress sites been rolling the plugin back to its previous version (in the case of fatal errors)?
  • Statistics of how many sites have updated to the new version. This could be a rounded number (like the existing Active Installs) or simply a percentage (like the Active Versions chart). E.g.: Plugin: 100k Active installs; Latest version: 80k+ or 80%.

Questions for Plugin Authors

  • Do you plan to use this feature? If not, what would convince you to?
  • What improvements would you like to see?
    For example: What strategies? What additional information? What would tell you your plugin update is a success?
  • Would you like to see manual/user-initiated update availability also disabled?

Thank you to the handful of plugin authors who have already made use of this feature.

Edits: An image of the UI was added a few hours later.

Requiring the README to be written in English

Every day, we review a significant number of plugins, and since last year, we have been receiving many more requests each week. In addition, our team is made up of a diverse group with different languages and alphabets.

For this reason, our team uses English as the official language within the community and for communication with authors during the review process.

As part of the plugin review, we also check the readme.txt file, which contains all the important information about the plugin, such as its name, version, description, authors, and other relevant details. This file is essential for the management and documentation of the plugin, both for developers and users. It also serves as the basis for the plugin’s page published in the directory, which is visible on https://wordpress.org/plugins/.

The plugin directory supports translations using English as the base language. Each plugin can be translated through translate.wordpress.org, offering versions in different languages for both the plugin information and the user interface. For more information, you can refer to the GlotPress documentation.

From now on, we will ask authors to provide the plugin information in readme.txt in English.

The main reasons for this are:

  • It facilitates reviews and effective communication with the team.
  • English serves as the base for translating your plugin into different languages. This ensures your plugin can be translated once it’s published.
  • It unifies the Plugin Directory interface, avoiding the creation of sections in different languages and alphabets.

This decision has been agreed upon by the team with the goal of serving the general interest and making it easier to translate plugins.

Post written by @davidperez, reviewed by @rabmalin and @frantorres

Team Name Change to “Plugins Team”

Since the team transition that took place in June 2023, the goals of the Plugin Review Team have continued to grow. This change has been internally agreed upon, and we’re excited about the new name.

Here’s a quick summary of our main focus areas:

Review of New Plugin Submissions to the Directory

This has remained our primary task and takes up most of our time. We’re now receiving over 87% more weekly plugin submissions. Our goal is to keep the queue as short as possible and ensure a balanced workload across the team.

Improvement of Internal Tools

The Scanner tool has undergone major upgrades, now performing over 220 automated checks on plugins. This makes the review process more efficient and reliable. We’ve also introduced AI checks for plugin names, helping ensure clear and trademark-compliant naming from the start.

Creation and Improvement of Community Tools

Since Plugin Check Plugin was introduced to the community, it’s become increasingly integrated into workflows, helping plugin authors self-review their plugins and boosting the overall quality and security of the WordPress ecosystem.

The team is now actively contributing to its development, adding new checks, and we’re proposing to use it during plugin updates and commits as well.

Improvement of the Plugin Directory

We’ll be working closely with the Meta team to help review open tickets and propose new features we believe will improve plugin reliability and security.

We’ve come to feel that the name “Plugin Review Team” no longer reflects everything we do. That’s why we’re proposing a simplified name: “Plugins Team.” Interestingly, the Themes Team made a similar change some time ago.

So we propose updating the name across various community spaces:

  • Page Title: https://make.wordpress.org/plugins/
  • Mentions across wordpress.org websites
  • Community references: Moving forward, we kindly ask the community to refer to us as the Plugins Team.

We believe this small change is well deserved, given all the efforts the team has made to improve the WordPress plugin ecosystem. We’re looking forward to continuing to grow and evolve.

Post written by @davidperez, reviewed by @frantorres and @rabmalin

Plugins Team at WCEU 25 | Contributor Day

WordCamp Europe 2025 is coming soon and we will have several tables dedicated to the Plugins Team at the Contributor Day!

A big part of the team will be at Basel and we are ready to carry out different activities according to the interests of the community present there.

Our main topics for the Contributor Day are:

Plugin Check Plugin

Learn how it works and how to contribute to the project that is helping plugin authors to check their plugins for different kinds of possible issues.

Prepare for the event in advance:

Documentation

Help with the documentation by identifying areas it does not yet cover and suggesting changes.

Prepare for the event in advance:

Handbook

Learn about the best practices for developing plugins for WordPress.

Prepare for the event in advance: Gather your questions!

General talk

Talk among the community about questions regarding the directory, how the team works, guidelines, etc.

Prepare for the event in advance: Get familiar with the Plugin Directory Guidelines.
We are looking forward to seeing you there!

#contributor-day

Announcing the Next Plugin Review Team Reps

We’re happy to announce that @davidperez and @frantorres are stepping in as the next team reps for the WordPress.org Plugin Review Team!

Plugin team reps help coordinate the team’s duties, coordinate communication with the community, and ensure important updates and community activities stay on track.

Over the past two years, the new team has made important progress — incorporating new members, reducing the plugin queue, creating and improving tools, streamlining the reviews and refining processes — thanks to the collective effort of everyone involved.

Looking ahead, the team is preparing to tackle new challenges, which we believe will include: the impact of AI, further tool enhancements, proactive reviews, and improving documentation.

A big thank you to the entire team for their dedication, to the contributions through the “Five for the future” program and to all plugin authors for keeping their plugins secure, compatible, and compliant. Together, we are evolving the WordPress plugin ecosystem!