📆 This is the October 2023 edition of “This Month in WordPress with CodeinWP.”
Hey there, WordPress family. We are back with another batch of WordPress news and events from the last ~30 days.
In the biggest bit of news, there was some of the most heated #wpdrama we’ve seen in a long time, with well-known WordPress personalities duking it out on Twitter (or is it “X”?) over the WordPress.com plugin directory and WordPress governance in general.
Beyond that, we have a couple of articles about the WordPress.org plugin directory, THESIS is ending its lifetime license, and you can vote in Template Monster’s 2023 awards.
Let’s get to all the WordPress news from the past month.
October 2023 WordPress News with CodeinWP
Strong debate about WordPress.com cloning the plugin repo
In the last month, the biggest bit of WordPress news was some #wpdrama about WordPress.com publicly* cloning the WordPress.org plugin repository and, in some cases, outranking the .org plugin listing pages.
*I believe that WordPress.com had already had the cloned repository for quite some time, but it’s only recently that they made the plugin listing pages indexable by Google.
It might not have been the most diplomatic way to raise the issue, a point John conceded (see tweet b).
But as he also said, the point still stands.
This started a snowball rolling that included Matt Mullenweg jumping in, Matt blocking a prominent WordPress contributor, a WordPress Code of Conduct report, and lots of thoughts from the community.
While the impetus for all of the drama was the WordPress.com plugin directory outranking the WordPress.org directory in search and causing confusion for users, it seems to have spilled over into a much broader debate about WordPress governance in general.
Drama aside, there does seem to be a potential fix here (at least for the search rankings issue), despite some of the comments about being unable to control Google.
Since the WordPress.com plugin listing pages cloned the text descriptions from the WordPress.org listing pages, it seems to be a textbook use case for the rel="canonical" tag.
This would tell Google that the original version of the plugin listing is at the WordPress.org directory, which seems like a factual statement.
So where do we stand at the end of September?
Well, WordPress.com has not added canonical links pointing to WordPress.org, so you still might run into the issue of WordPress.com plugin pages outranking WordPress.org plugin pages in some instances.
However, WordPress.com has added a message for logged-out users that tells them they can also download the plugin for their self-hosted WordPress installs. This addresses another issue that developers had, which is that the WordPress.com plugin listing pages made it seem like the only way to install the plugin was for users to purchase the WordPress.com Business plan.
Patchstack reports 358 plugins to the Plugin Review Team for unpatched vulnerabilities
If you’re not familiar with Patchstack, it’s a WordPress security plugin/service that also does a lot of its own security research and testing to detect issues in plugins.
If the Patchstack team finds a vulnerability, they normally reach out quietly to the developer to inform them of the problem. Once the developer has had time to release a patch for the issue and users have had time to update, Patchstack then responsibly discloses the vulnerability to the public.
That’s how it should work (and how it often does work).
But the Patchstack team has also accumulated a backlog of 404 plugin vulnerabilities that the plugin developer never patched, either because Patchstack was unable to contact the developer or because the developer simply abandoned the plugin.
These 404 vulnerabilities were spread across 358 unique plugins, since some plugins had more than one.
While Patchstack did not disclose these vulnerabilities publicly (doing so would endanger the sites still running those plugins), having 350+ known-vulnerable plugins in circulation is obviously not a good thing.
Collectively, the plugins in Patchstack’s list were used on over 1.6 million sites, so it’s no trivial matter.
As a final resort, Patchstack reported all the plugins/vulnerabilities to the WordPress.org Plugins Team. Since then, the Plugins Team has closed 289 plugins whose developers did not respond, while 109 of the plugins were eventually patched.
To try to prevent problems like this in the future, the Patchstack team is advocating for a few changes:
- Encourage developers to add their contact information to the readme.txt or SECURITY.md files of their plugins.
- Create a WordPress dashboard alert that notifies site owners when a plugin or theme is removed from the WordPress.org directory for security issues. Currently, there’s no way for site owners to notice unless they actually check the plugin listing, which most WordPress users probably won’t do.
Both of those seem like worthwhile changes to make.
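Until WordPress core ships that alert, a site owner can approximate it with a scheduled script that asks the WordPress.org plugin information API about every installed slug and flags anything that no longer has a healthy listing. The block below is an added example written for this roundup, not Patchstack’s or WordPress.org’s code. It assumes (and this is an assumption you should verify against the live API before relying on it) that the `plugin_information` endpoint answers for a closed plugin with a JSON object containing `"closed": true` and a `"reason"` such as `security-issue`, and for an unknown slug with `{"error": "Plugin not found."}`. The sample responses are constructed to match that shape so the script runs offline; in production you would replace them with the real HTTP fetches.

```python
"""
Offline approximation of the "plugin removed from WordPress.org" dashboard alert.
Added example; not Patchstack's or WordPress.org's own code.

ASSUMPTION: the plugin information API
  https://api.wordpress.org/plugins/info/1.2/?action=plugin_information&request[slug]=<slug>
returns {"closed": true, "reason": "security-issue", ...} for closed plugins and
{"error": "Plugin not found."} for unknown slugs. Verify against the live API.
"""
import json
from urllib.parse import urlencode

API_BASE = "https://api.wordpress.org/plugins/info/1.2/"


def plugin_info_url(slug: str) -> str:
    """Build the plugin_information request URL for one plugin slug."""
    return API_BASE + "?" + urlencode({"action": "plugin_information", "request[slug]": slug})


def classify(response_json: str) -> tuple[str, str]:
    """Map one raw API response body to (status, reason).

    status is one of: "ok", "closed-security", "closed-other", "not-found", "unknown".
    """
    try:
        data = json.loads(response_json)
    except json.JSONDecodeError:
        return ("unknown", "unparseable response")
    if not isinstance(data, dict):
        return ("unknown", "unexpected response shape")
    # Closed listings (assumed shape: "closed": true plus a machine-readable "reason").
    if data.get("closed") is True or data.get("error") == "closed":
        reason = str(data.get("reason") or data.get("reason_text") or "unspecified")
        if reason.startswith("security"):
            return ("closed-security", reason)
        return ("closed-other", reason)
    # Any other error means there is no directory listing for this slug at all.
    if "error" in data:
        return ("not-found", str(data["error"]))
    if data.get("slug"):
        return ("ok", "")
    return ("unknown", "unexpected response shape")


def alerts(installed: dict[str, str]) -> list[str]:
    """installed maps plugin slug -> raw API response body.

    Returns dashboard-style alert lines for every plugin whose listing is gone,
    with closures for security reasons ranked highest.
    """
    out = []
    for slug, body in sorted(installed.items()):
        status, reason = classify(body)
        if status == "closed-security":
            out.append(f"CRITICAL {slug}: closed on WordPress.org for a security issue ({reason}); remove or replace it")
        elif status == "closed-other":
            out.append(f"WARNING {slug}: closed on WordPress.org ({reason}); it will receive no further updates")
        elif status in ("not-found", "unknown"):
            out.append(f"WARNING {slug}: no valid directory listing ({reason}); verify where this plugin came from")
    return out


# CONSTRUCTED sample responses (not captured from the live API), one per case.
SAMPLE_RESPONSES = {
    "healthy-plugin": json.dumps({"name": "Healthy Plugin", "slug": "healthy-plugin", "version": "2.3.1"}),
    "abandoned-forms": json.dumps({"error": "closed", "name": "Abandoned Forms", "slug": "abandoned-forms",
                                   "closed": True, "closed_date": "2023-09-15",
                                   "reason": "security-issue", "reason_text": "Security Issue"}),
    "old-widget": json.dumps({"error": "closed", "slug": "old-widget", "closed": True,
                              "reason": "author-request", "reason_text": "Author Request"}),
    "premium-only-plugin": json.dumps({"error": "Plugin not found."}),
}

if __name__ == "__main__":
    for line in alerts(SAMPLE_RESPONSES):
        print(line)
```

A plugin that was never on WordPress.org (a paid plugin, for instance) legitimately produces the "not-found" warning, which is why that case is ranked below a security closure rather than suppressed: you still want to know which of your plugins will never get an automatic update from the directory.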
That sums up our October 2023 WordPress news roundup. Anything we missed?
Layout and presentation by Karol K.