Last month, the Meta Team for WordPress.org released a new plugin author feature in the official directory.
At first glance, this change might appear to be a fairly small one, in that it merely allows the authors of plugins to opt into confirming plugin updates for WordPress via email confirmation.
In reality, however, it will have major impacts on the way that thousands (if not millions) of businesses run their websites. Since more businesses rely upon WordPress for their online content needs than on any other web development system, chances are good that your own online business relies on WordPress as well.
And if that’s the case, you’ll definitely want to read on.
In this article, we’ll take a look at what exactly this change is, the issues it seeks to solve, and the impacts it is most likely to have.
What is the update?
The recent update can be described simply enough. Dion Hulse opened the original ticket six weeks ago, complete with a proposal and several questions. WordPress 5.5 introduced automatic updates for plugins and themes.
While auto-updates are completely opt-in for end-users, Hulse wanted to make sure that WordPress.org was on top of any potential disasters that may arise from the new system, such as accidental or even malicious plugin releases.
It is for this reason that WordPress has relied upon continuous integration methods, in which new code is merged into an existing project and software products and updates are delivered to consumers with as little friction as possible.
“I’d like to propose that we add an extra optional step into the release flow for plugins, not intended on adding friction, but intending to ensure that plugin releases only get made when they’re intended to,” Hulse wrote. “A simple email confirmation.”
As you will know if you have created your own WordPress theme, keeping on top of updates to themes and plugins can be a nightmare. Even the most conscientious maintainer can quickly become overwhelmed with update requests and bug fixes, and keeping track of all of these can be equally difficult.
Unfortunately, hackers know this as well, and can sometimes take advantage of WP plugin updates to gain unauthorized access to sites.
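To make the proposed gate concrete, here is an added, hypothetical model of a confirmation-gated release flow; it is not WordPress.org's code and the class, method names and 24-hour token lifetime are assumptions. The point it shows is that a new tag alone no longer ships: only a fresh, single-use token tied to that exact plugin and version publishes the release, and plugins that have not opted in keep the old direct path.

```python
"""Hypothetical model of an opt-in release-confirmation gate (example code,
not WordPress.org's implementation). A newly tagged version is held as
*pending* and published only when the author confirms the single-use,
expiring token that was e-mailed to them."""
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 24 * 3600  # assumed lifetime of a confirmation link, in seconds


class ReleaseGate:
    def __init__(self, server_secret, now=time.time):
        self._secret = server_secret
        self._now = now              # injectable clock, so expiry can be tested
        self.confirm_enabled = set()  # plugin slugs that opted into confirmation
        self.pending = {}            # (slug, version) -> (issued_at, token_hash)
        self.published = {}          # slug -> version currently live

    def opt_in(self, slug):
        self.confirm_enabled.add(slug)

    def on_tag_pushed(self, slug, version):
        """Called when a new version tag lands in the plugin repository."""
        if slug not in self.confirm_enabled:
            self.published[slug] = version   # legacy path: tag ships immediately
            return None
        token = secrets.token_urlsafe(32)
        # Store only a keyed hash, so a leaked pending table cannot confirm releases.
        self.pending[(slug, version)] = (self._now(), self._hash(slug, version, token))
        return token  # in the real flow this goes into the confirmation e-mail

    def confirm(self, slug, version, token):
        """Publish only if a pending release exists, is fresh, and the token matches."""
        entry = self.pending.get((slug, version))
        if entry is None:
            return False
        issued_at, expected = entry
        if self._now() - issued_at > TOKEN_TTL:
            del self.pending[(slug, version)]  # stale link: author must re-tag
            return False
        if not hmac.compare_digest(expected, self._hash(slug, version, token)):
            return False
        del self.pending[(slug, version)]      # single use: no replay
        self.published[slug] = version
        return True

    def _hash(self, slug, version, token):
        msg = "{}\n{}\n{}".format(slug, version, token).encode()
        return hmac.new(self._secret, msg, hashlib.sha256).digest()
```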
What is the issue?
This problem (hackers taking advantage of WordPress plugins to inject malicious code into sites) is exactly the issue that the recent update seeks to address.
Statistics on just how much malware is delivered via this method are difficult to come by, for a good reason: the authors of plugins don’t want to admit that it is their code that has left their users exposed.
More technically, the new feature will add one more step for developers looking to publish updates to popular plugins, which in itself should improve the quality of the code that is shipped.
Circumstantial evidence, however, suggests that WordPress has become a major target for ransomware, and that poorly secured plugin updates are now a common risk.
It’s long been known that outdated or poorly maintained WordPress plugins and themes represent a major risk to the average WordPress user, and this new update seeks to address a parallel issue before it gets out of hand.
This situation can lead to problems because almost no one is coming to WP plugin code fresh. Even if a developer looks at the code of a recent update to a community-maintained WordPress theme, they are unlikely to review it in any detail, because they will have seen much of the code before.
This is not an accusation, I should stress, but merely an observation that repetition breeds complacency.
What is the impact of the update?
If this kind of update were released for almost any other platform, it would most likely not make the news.
The fact that it has, and has led to so much speculation about what it means for developers’ workflows, is a clear indication of the almost total dominance of WordPress in the web hosting and design industry as a whole.
To be precise, in 2020 WordPress accounts for 32% of all websites in the world, or a grand total of around 75 million websites altogether. This is what makes updates, and even small changes to the security protocols of plugins, international news.
It also means that any updates or new security features that WordPress adds are going to set a precedent for other web development platforms as well, such as Joomla (WordPress’s nearest competitor).
Specifically, the release of this new feature by WordPress is likely to have two major impacts.
The first is that it promises to reduce the amount of malware hosted on the average WordPress site, and to make the new email confirmation system a major component of how site owners block ransomware, and of how they remove it if they do become infected.
More importantly, however, the announcement sets a critical precedent. Given the dominance of WordPress, it’s not surprising that other web hosts and platforms pay close attention to their every move, and often replicate what they do immediately.
In other words, the kind of email confirmation for plugin updates that WordPress is now implementing is likely to become an industry standard before too long.
What does this mean for you?
For site owners, this update will honestly not be very visible. Unless you are the owner (or a maintainer) of a plugin, it’s unlikely that you will notice at all.
What you will notice, hopefully, is a general and gradual increase in the security of your site, whether you host it on WordPress.com or WordPress.org, and no matter how many plugins you use.
Overall, this update is certainly a welcome development for WordPress users, and it also sets a valuable precedent for other web platforms to increase their own security measures in the near future.
This post was written by Nahla Davies, a software developer and tech writer. Before devoting her work full time to technical writing, she managed—among other intriguing things—to serve as a lead programmer at an Inc. 5,000 experiential branding organization whose clients include Samsung, Time Warner, Netflix, and Sony.