Starting October 1, 2024, WordPress has rolled out significant security updates for new plugin submissions in the Plugin Directory, aimed at strengthening platform security, improving plugin quality, and reducing the manual workload for the Plugin Review Team. Developers submitting new plugins must now enable two-factor authentication (2FA) and use the new Plugin Check tool—a pre-submission tool that detects and flags common errors. These new requirements reflect WordPress’s dedication to enhancing both user and developer experience through stronger security practices and efficient submission processes.
Security-Driven Updates for Plugin Authors
WordPress introduced these changes through Security Review Lead Chris Christoff, emphasizing their aim to bolster the security of plugin author accounts and simplify the review process. The requirement for 2FA was initially announced in September by Dion Hulse, an Automattic-sponsored developer. Hulse encouraged plugin authors to activate 2FA, review committer access levels, and use SVN passwords and Release Confirmation to maximize account security.
With 2FA now mandatory, plugin owners and committers must have this additional security layer in place to submit a plugin. This update ensures that account access is secured against unauthorized entry, benefiting not only plugin authors but also the overall security of the WordPress Plugin Directory. Plugin authors who haven’t yet enabled 2FA on their WordPress.org accounts can find instructions and additional information in WordPress’s guides for configuring Two-Factor Authentication and securing committer accounts. Furthermore, authors are encouraged to regularly audit account access to prevent inactive or unnecessary access to their repositories.
Plugin Check Tool: Raising Plugin Quality Standards
The newly introduced Plugin Check tool now screens every new plugin submission for common issues before manual review. If Plugin Check detects an error—such as mismatched versions between the plugin header and the readme file, incorrect text domains, or invalid “Tested To” values—the submission is automatically flagged, and the developer must correct the errors before resubmitting. This pre-submission step reduces common manual review tasks, helping the Plugin Review Team focus on unique or complex issues. For developers, Plugin Check provides a streamlined and automated way to ensure that their plugins meet WordPress’s quality standards early in the submission process.
David Perez of the Plugin Review Team explained that Plugin Check significantly benefits developers by allowing them to address common errors promptly. “Plugin Check has a direct impact on submission times,” said Perez. “It empowers developers to catch errors early, making the review process faster and more efficient for everyone.” By identifying issues before a plugin even reaches the review queue, Plugin Check offers developers a critical checkpoint that ensures higher-quality plugins and a smoother review experience. The tool uses a combination of PHP_CodeSniffer for static analysis and dynamic checks, enabling a comprehensive assessment that simulates the plugin’s live activation environment.
In addition to checking for immediate errors, Plugin Check provides developers with feedback on best practices, such as using correct internationalization functions, maintaining accessibility, and ensuring performance and security standards. Although Plugin Check enhances the pre-submission process, it does not replace the need for a manual review, which remains an essential part of ensuring plugin safety and compatibility within the ecosystem.
Future Plans: Expanding Plugin Check to Existing Plugins
Currently, Plugin Check only applies to new submissions, but the WordPress Plugin Team plans to expand its coverage to existing plugins over time. This approach has already been tested in cases where plugins were previously removed due to security vulnerabilities. For re-listing, these plugins are now required to pass Plugin Check’s Security category, a practice that has shown promising results in improving plugin security standards across the directory. A future roadmap detailing Plugin Check’s broader implementation will soon be published, enabling developers and contributors to see the long-term vision for plugin security and quality within the WordPress ecosystem.
Developers are encouraged to incorporate Plugin Check into their active workflows, allowing for seamless error detection and code optimization during the development phase rather than post-submission. This proactive approach aligns with WordPress’s mission to uphold high standards for plugin quality and security. For those interested in contributing, Plugin Check’s open-source nature allows developers to suggest and implement improvements via its GitHub repository, fostering a collaborative approach to advancing the plugin review process.