The WordPress Plugins Team, along with the Meta Team, has introduced a new feature for the Plugin Check Plugin (PCP) that automatically generates security reports for all plugin updates, further strengthening the platform’s ongoing commitment to safety and code quality within its ecosystem.
What’s New With Plugin Check Plugin
The Plugin Check Plugin, developed by the Plugins Team in collaboration with the Performance and Meta Teams, was created to help developers identify issues and improve their plugins even before a manual review is done.
An earlier update in September 2024 added automated issue detection for new plugin submissions that did not meet minimum requirements, as highlighted, “On September 17th of 2024, we introduced automatic detection of issues for new plugins that fail to meet the minimum required checks. This feature provides developers with guidance on how to resolve these issues before the Plugins Team conducts a manual review.”
As of October 27, the Plugin Check Plugin scans all plugin updates, for both new and already approved plugins, and generates an automatic report. This new implementation automatically identifies potential problems related to security, compatibility, and compliance, as stated by David Pérez, “We are now running Plugin Check for ALL plugin updates, new and already approved. Since Monday, October 27th, thanks to the Meta team, we’ve implemented automatic detection on wordpress.org for issues related to security, compatibility and compliance.”
Announcing the update on X, David Pérez described it as a big step for plugin security, “Big step for plugin security in WordPress.org: Plugin Check now scans ALL updates and produces security reports. Pilot phase is internal; email reports to authors are planned next.”
Currently, the security reports generated by Plugin Check Plugin are only available to the internal team, who will notify plugin authors when necessary, as highlighted, “Right now, this information is available internally for the team, who will evaluate it and send reports to authors as needed.”
Once the initial phase is complete, the team plans to send the security reports to plugin developers via email, “Once we’ve evaluated the performance of PCP with plugin updates, the goal is to deliver via email a security report to authors right after they update their plugin.”
Community Response
WordPress co-founder Matt Mullenweg praised the update, commenting, “So excited for this progress. Where this ends up will be a massive upgrade for the security of the web.”
Steve Jones, CTO at Equalize Digital, also expressed support for the new feature, “This is a welcome change and a good way to privately handle security issues, as making them public in some way would be a security risk itself.”
Amber Hinds, Founder & CEO at Equalize Digital, suggested adding public badges or data on plugin pages to help users. She also asked whether future updates with serious security issues will be rejected, “I’d be interested in seeing public badges or data on plugin pages at some point that make this more transparent for users when comparing plugins… Does the plugin team see a future where updates will be rejected for some of the most serious security issues? That would really add to the trust factor if you knew that dot org won’t allow issues to be served to users’ sites.”
Sharing his thoughts on X, Jeff Chandler highlighted that plugin updates had undergone less review than new plugins, but that is no longer the case, “WordPress plugin updates didn’t get as much scrutiny as ones that were in the queue to be added to the directory. That’s no longer the case. This has been a long time coming.”