• Resolved Ambyomoron

    (@josiah-s-carberry)


    1) I sincerely hope the authors of the plugin make the changes necessary for the plugin to be relisted. WordPress is correct that the claim of GDPR compliance is a form of false advertising (my interpretation).
    2) The nearly complete lack of transparency in the way WordPress has handled this issue is a disservice to the users of the plugin. Even if inaccurate claims were made for the plugin, it remains a useful tool for helping site owners to achieve GDPR compliance, inter alia. I hope the powers that be at WordPress reconsider the procedures for delisting plugins, which leave a lot to be desired.

  • Moderator Samuel Wood (Otto)

    (@otto42)

    WordPress.org Admin

    We actually have very good procedures for delisting plugins, and we always inform plugin authors beforehand and give them a chance to fix the issues.

    In this particular case, we gave the authors ample time to address the problem, they did not, and eventually we had little other choice but to require them to comply with our guidelines.

    The guidelines are perfectly clear. We announced the change on the public site months ago: https://make.wordpress.org/plugins/2018/04/12/legal-compliance-added-to-guidelines/

    We also updated the handbook with detailed information about the problem: https://developer.wordpress.org/plugins/wordpress-org/compliance-disclaimers/

    And all authors who were not complying with the guideline were emailed about it. Most made the necessary wording changes. Since it was just a minor change to the wording in the readme file, we didn’t see it as a big problem. Here we are, months later, and this is the result of inaction.

    Sorry, but realistically, if you’re not going to keep your plugin up to date with the guidelines for the plugin directory, then we’ll eventually have to not list the plugin anymore.

    To everybody else: most of the time when a plugin is delisted, it is not for a security issue. Taking pre-emptive measures like removing the plugin just because it was delisted is never really necessary.

    Moderator Samuel Wood (Otto)

    (@otto42)

    WordPress.org Admin

    In any case, the plugin is listed again because they made the changes requested. Simple and easy.

    Thread Starter Ambyomoron

    (@josiah-s-carberry)

    The issue is not the relationship between WordPress and plugin authors. The issue is how WordPress handles the information provided to the users.
    – there is no advanced warning to users that a plugin is soon to be delisted (unless the author complies with the rules)
    – there is no communication to users who downloaded the plugin from the WordPress repository that the plugin has been delisted. There is a plugin that can provide this sort of information, but why should we need a plugin to get it?
    – there is no listing anywhere at WordPress of delisted plugins with the reasons for the delisting
    – there is no communication on the support forum about why a plugin is delisted, even though numerous users complain about the lack of that information

    I recognize that making any information of this sort available would require resources that might otherwise be available for improving and fixing WordPress. I just hope that the people concerned will not discount the value to users of transparency of plugin management throughout the plugin life-cycle.

    It would also be nice if the plugin authors themselves were to ensure such communication, too. Some authors are good about informing users of impending life-cycle changes; unfortunately, others feel little obligation to support their users. Be that as it may, the plugin repository is a huge strength of WordPress. It behooves WordPress to keep in mind its principal stakeholders, the users, when managing that repository.

    Thread Starter Ambyomoron

    (@josiah-s-carberry)

    Maybe this is not the right place to make suggestions about how to manage the plugin repository.

    Plugin Author dFactory

    (@dfactory)

    You had very good points @josiah-s-carberry

    Even if it’s not the best place for such suggestions, I believe what happened here exposed the issues we have with the repository.

    I was personally shocked by what happened, and especially by the reason it happened.

    Users were totally confused whether it was our decision to remove the plugin, a security issue or any other reason.

    Regards,
    Bartosz Arendt

    I’d also like to chime in and say that more info would be nice if/when plugins are removed so that users of the plugins can make informed decisions as to whether or not to keep using them. I admit, I was also a bit shocked and suffered a mild panic attack when Wordfence sends me an email saying I have a critical issue with my website:

    Critical Problems:

    * The Plugin “Cookie Notice” has been removed from wordpress.org. (full stop)

    Key word here is ‘critical’. By dictionary definition it means: (of a situation or problem) having the potential to become disastrous; at a point of crisis.

    I don’t ignore such messages, so I dropped the other things I was doing to look into why this happened, and like has been said, very little info was available. If the impending removal/non-compliance with WordPress guidelines had been going on for months, it then begs the big question: Why were the users of this plugin not informed in due course?

    Now as to who supplies the reasons for plugin removals, be it impending or after removal, and exactly how, when and the details in those reasons supplied still needs to be determined.

    On a side note I am sometimes embarrassed to be European as I think they’ve taken things a bit far with this whole GDPR brouhaha which is causing a lot of very unnecessary stress largely due to a lack of clear, concise information in plain language.


    @sean-h
    I have to say I agree, though my issue with ‘critical’ is primarily with WordFence – while I do look more closely at their alerts containing the word ‘critical’ I long since stopped interpreting them as potentially disastrous… just something to look into with a somewhat greater degree of urgency 😉 As for GDPR, I spent a lot of time trying to stop my clients from panicking, and preventing them from unnecessarily deleting half their contact databases!

    @otto42
    I do like the idea of some kind of listing of de-listed plugins, with SOME indication of why though – even an indication of the length of time from first contact with the developer to the actual de-listing taking place would give some measure of how serious the issue is. Given the amount of work that clearly already goes in to contacting the developer, following up, etc, adding a plugin to a repository ‘removed’ list would, I imagine, be pretty marginal, and very helpful to users.

    @dfactory
    Thanks for now making the changes, and getting the plugin restored. I guess only you can know why you didn’t see/respond to WordPress notifications, but I guess there’s a lesson here for plugin authors – it’s one thing for developers who casually throw out something they developed for their own use, in case anyone else finds it useful, but when a plugin is part of a stable of products, and actively promoted…
    Anyway thanks for the plugin – I’m happy to still have it on my sites… better go run some updates now 😉

    Thanks all.

    @wwwolf I think you are right. Wordfence’s choice of words might need to be adjusted, they may have cried…um….’wolf’ a few too many times now and genuine problems may well be ignored, until the worst has happened.

    Moral of the story: choose your words carefully when making certain claims, this includes Wordfence stating that a problem is critical when in fact it isn’t. Perhaps if you have a GDPR/Cookie Notice plugin you could say something like ‘Aids with GDPR compliance’, ‘Comprehensive GDPR compliance helper tool’ etc, because to outright state your plugin is 100% compliant might be taken literally and cause people to think their sites are just by installing it, which I think we all (hopefully) realise is not the case.

    Thread Starter Ambyomoron

    (@josiah-s-carberry)

    @sean-h This comes back to my point that we should not have to depend on third party plugins to get information about what has been delisted and why.

    Granted that Wordfence can provide a lot of value to users, but it is not quite an objective bystander, since they make their living from people who believe their web sites are in trouble. But that is probably an issue to raise directly with its authors.

    By the way, I am surprised to hear that other users of Wordfence did indeed receive an email informing them of the delisting issue. I certainly did not, making me concerned about the reliability of what Wordfence is doing.

    @josiah-s-carberry:

    Granted that Wordfence can provide a lot of value to users, but it is not quite an objective bystander, since they make their living from people who believe their web sites are in trouble.

    Well, you have to take their advice with a grain of salt. Like with every 3rd party 🙂 But still – the wordfence scans helped me a lot of times to deal with nasty stuff (comment links which forwarded to malicious websites, weak passwords, the great WAF etc.)

    By the way, I am surprised to hear that other users of Wordfence did indeed receive an email informing them of the delisting issue. I certainly did not, making me concerned about the reliability of what Wordfence is doing.

    This (the notice) depends on different factors.
    a) when wordfence is crawling your site – before the scan you can not get any notice for new issues – because. Well, they are not there unless the scan reveals the “problem”
    b) do you have cron jobs set correctly (because if not, wordfence will not scan correctly)
    c) email settings and spamfolder…

    So there are a lot of parameters to consider here.

  • The topic ‘Do what is need to get the plugin relisted!’ is closed to new replies.