30 Sep 2019

The Temporary and Permanent Closures of Plugins on the WordPress Plugin Directory Don’t Mean What You Probably Think

Recently the team running the Theme Directory on the WordPress website was re-organized to create five sub-teams. By comparison, the team running the Plugin Directory only has six people in total. The undersized plugin team seems very much intentional, as the stated reason for not allowing anyone else to join the team doesn’t add up, and from our experience they are unable to handle people having different opinions than them, much less work with others to fix problems they are causing. Of the six people, it isn’t even clear how much more than two of them are even involved. Whether it is two or six people handling so much, the results are not likely to be very good. That seems to be the case for the recently changed wording shown on the pages for plugins that have been closed on the Plugin Directory.

In a support forum topic about a vulnerability being exploited in a plugin that was closed after we noticed a hacker probing for it, this was written:

I just noticed on the plugin page –
https://wordpress.org/plugins/simple-fields/
It says in red background –
“This plugin has been closed as of September 16, 2019 and is not available for download. This closure is temporary, pending a full review.”

That is recent and it is interesting that it is a temporary closure and there will be a review. Perhaps someone is aware of a serious problem. Does anyone know more about this?

Later in that topic a moderator wrote something that indicated a different situation:

Given that the author has formally abandoned this plugin and the plugins team has removed it from the repository, I strongly advise that you simply delete it from any sites on which it’s used and find another plugin. Perhaps, Advanced Custom Fields?

That would indicate that the closure is not temporary.

The original poster seems to believe otherwise:

Well it’s not quite removed from the repository. The message on the plugin page is that the closure is temporary. But we’ll probably know soon enough if it will be removed.

What is going on there isn’t clear, as can be seen with a couple of other plugins, both of which were closed on August 30. The plugin DW Mega Menu appeared to have been closed due to the results of a security review we had done of it. The plugin showed this message when first closed:

This plugin has been closed as of August 30, 2019 and is not available for download. This closure is temporary, pending a full review.

The plugin Ovic Addon Toolkit appeared to have been closed due to a security vulnerability we found in it. With that plugin the message indicated that the closure was permanent:

This plugin has been closed as of August 30, 2019 and is not available for download. This closure is permanent.

If you were going to guess which one of those is still closed and which one isn’t, you would probably guess the opposite of what has happened, as the second plugin was re-opened shortly after being closed and the first is still closed, with the closure still listed as temporary.

Our best guess as to what might be going on here is that temporary and permanent refer to whether the closer is sure that the closure is correct, as opposed to what you could easily read them as. The confusion, though, seems like something that someone would have pointed out if you had a more open process, instead of being allowed to cause confusion for the WordPress community at large.
