Dear WordPress Plugin Volunteers,
I am writing to you today to express my sincere gratitude and admiration for your hard work and dedication in reviewing new plugins and ensuring the security of WordPress websites.
I have personal experience both side of the above, security review of a legacy plugin and submissions of new plugins. The old legacy plugin was of course more difficult but in both cases the communication has been swift and efficient. The latest new plugin actually went through with the only issue was me submitting from my forum support account rather than my ‘spectator’ plugin owner account. ( I’ll explain the accounts in another post )
Later I will write some more posts about how I think a plugin developer can ease the process, based mainly on my experience with legacy security issues, but this letter is not about me …
As a user of WordPress, its various plugins and a developer of a few, I have come to rely on the vast library of available plugins to enhance my website’s functionality and appearance. However, I am also aware of the risks associated with installing and using plugins that have not been thoroughly reviewed and vetted.
This is where you, the WordPress Plugin Volunteers, come in. Your tireless efforts in reviewing new plugins submitted to the WordPress repository have helped ensure that only the safest and most reliable plugins are made available to users.
Furthermore, your ongoing commitment to reviewing security fixes for existing plugins has undoubtedly prevented countless websites from falling victim to malicious attacks and hacking attempts.
Recently there have been criticisms of a ‘backlog’ in the review process however I am in awe of the time and effort that you dedicate to this volunteer work, and I am sure that many other WordPress users feel the same way.
However, this ‘backlog’ seems to have been correctly addressed and simply has evaporated.
Never the less, I still think plugin developers can do more to ensure smooth, if not rapid, reviews. Again I will write some more in the near future, on what I think, as a plugin developer, helps.
However, I am also aware that your work is sometimes undermined by the actions of certain plugin vulnerability firms. Some companies, not many, maybe one, that identifies plugin vulnerabilities, feel it is OK to defy industry ethics and zero day researched vulnerabilities, putting the whole community at risk.
I personally have dealt several plugin security firms, and firms like Patch Stack have operated with the highest industry ethics, however high standard is spoiled by at least one plugin vulnerability firm that I have deal with that seem both unethical in revealing zero-day but also simply unpleasant to deal with.
This approach not only undermines the work of the WordPress Plugin Volunteers but also puts the security of WordPress websites at risk. By withholding revealing vulnerabilities, these firms prevent plugin developers from fixing the issues before they are exploited, leaving websites vulnerable to attack.
In contrast, the open and transparent approach taken by the WordPress Plugin Volunteers is truly commendable. By openly reviewing plugins and closing plugins with serious security issues found, you help ensure that the WordPress community is informed and empowered to take action to protect their websites.
In conclusion, I want to once again express my sincere appreciation for the hard work and dedication of the WordPress Plugin Volunteers. Your efforts are invaluable to the WordPress community, and I hope that you continue to inspire others to contribute their time and expertise to this vital project.