The WordPress Plugin Directory has rolled out two important updates that will play a crucial role in optimizing the plugin submission process and also in enhancing the security of the plugin directory. The two new changes involve mandatory 2FA for plugin authors and the implementation of the Plugin Check plugin in the submission process.
Two-Factor Authentication Becomes Mandatory
The move of two-factor authentication (2FA) from opt-in to mandatory for all plugin owners and committers from Oct 1 was announced a month ago. Now Chris Christoff (Security Review Lead) has announced that the requirement is in effect: “Two Factor Authentication (2FA) is now required on all plugin owner and committer accounts, as of today, October 1, 2024. This means that it must be enabled on a WordPress.org account that would like to submit a new plugin into the Plugin Directory.”
He has also urged plugin owners to combine 2FA with the recently introduced SVN Password and to make sure that committer access is properly assigned: “We encourage all plugin owners and committers to turn on 2FA for their WordPress.org accounts if you have not already, as well as using the new SVN password feature. Please also audit your plugins for committers who may not need commit access anymore, and familiarize yourself with the Release Confirmation feature.”
If you have any questions about setting up 2FA or the SVN Password, or about configuring committer access and the Release Confirmation feature, the team has already published guides for them.
The Plugin Check Plugin is Now a Part of the Submission Process
The second change concerns the plugin submission process. The Plugin Check plugin is now a part of that process, something the team has been working on for a long time. If the tool detects any errors, the submission will not move forward until those issues have been resolved: “when you submit a new plugin to the Plugins Directory, it will first be run through Plugin Check’s Plugin Repo category. If the new plugin has an error level item in this category, the submission will be blocked from being submitted for review, until it is fixed.”
This implementation will greatly reduce the initial queue and allow plugin authors to spot and resolve common issues: “The Plugin Repo category in Plugin Check catches recurring issues like mismatched versions between the plugin header and the readme.txt file, plugins using the wrong text domain, and using the wrong ‘Tested To’ values in the readme file.”
As stated earlier, the Plugin Check plugin is not to be seen as a substitute for the manual review process: “To be clear, the addition of Plugin Check as a pre-check will not replace manual review of all plugins, or change any of those processes, but instead it allows us to save time.”
Chris Christoff has also cautioned about the potential for false positives during the initial stages of implementation, assuring that any issues will be addressed promptly in the early days: “We’ve run Plugin Check behind-the-scenes on lots of plugins to refine its detection, but as with any new process, there may be some false positives. These will be fixed in the first few days, and we thank everyone in advance for their patience.”
The future goals of this implementation are to add more checks and to extend them to existing plugins rather than limiting them to new submissions. The team is also planning to publish a roadmap for the Plugin Check plugin in its GitHub repository.
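The recurring issues named in that quote can be caught locally before a submission is blocked. The Python script below is an added example, not Plugin Check's own code: it compares the main file's `Version` and `Text Domain` headers with the plugin slug and with the `Stable tag` and `Tested up to` fields of readme.txt. The slug `acme-forms`, the sample files, the finding codes and the rule that "Tested up to" must be numeric and not newer than a caller-supplied WordPress release are all assumptions made for illustration.

```python
import re

# Constructed sample input for a hypothetical plugin with slug "acme-forms".
SAMPLE_PHP = """<?php
/**
 * Plugin Name: Acme Forms
 * Version: 1.4.0
 * Text Domain: acme-form
 */
"""
SAMPLE_README = """=== Acme Forms ===
Contributors: example
Tested up to: 6.6.2
Stable tag: 1.3.9
"""

FIELD = re.compile(r"^[ \t/*#@]*([A-Za-z][A-Za-z ]*?)[ \t]*:[ \t]*(.+?)[ \t]*$", re.M)

def parse_fields(text):
    """Collect 'Key: value' lines from a plugin header comment or readme.txt."""
    fields = {}
    for key, value in FIELD.findall(text):
        fields.setdefault(key.lower(), value)  # first occurrence wins
    return fields

def precheck(slug, main_php, readme, current_wp):
    """Return a list of (code, detail) findings; the codes are made up here."""
    header, meta = parse_fields(main_php), parse_fields(readme)
    findings = []
    version, stable = header.get("version"), meta.get("stable tag")
    if version is None or version != stable:
        findings.append(("version_mismatch", f"header={version} readme={stable}"))
    domain = header.get("text domain")
    if domain != slug:
        findings.append(("wrong_text_domain", f"{domain} != {slug}"))
    tested = meta.get("tested up to", "")
    # Assumption: valid means numeric and not beyond the current WordPress release.
    if not re.fullmatch(r"\d+\.\d+(\.\d+)?", tested):
        findings.append(("bad_tested_up_to", f"not a version: {tested!r}"))
    elif [int(p) for p in tested.split(".")[:2]] > [int(p) for p in current_wp.split(".")[:2]]:
        findings.append(("bad_tested_up_to", f"{tested} is newer than {current_wp}"))
    return findings

if __name__ == "__main__":
    for code, detail in precheck("acme-forms", SAMPLE_PHP, SAMPLE_README, "6.6"):
        print(f"ERROR {code}: {detail}")
```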
The Community Response
Josepha Haden Chomphosy tweeted, “This was years in the making and is a huge deal. Congratulations (and big thanks) to everyone who contributed!”
Pooja Derashri supports this implementation and tweeted, “Great move; that will reduce the time of review and approval!” WP Product Talk also favors this move: “Amazing and very welcome news for all Plugin businesses!”
Luis Molina appreciated the Plugin Review team for all the hard work and effort that went into this: “The work and effort of this Plugin Team is admirable.”