2 Comments


  1. And how do plugin developers get their plugins back into the repository if they’ve been pulled due to a security bug but later fixed?

    AdRotate was pulled, fixed but the developer has been having a hell of a time getting it back in the repository.

    I don’t know the guy, I use his plugin and it’s a shame Arnan has run into a dead-end. His dealings with WordPress.org remind me of how it is to deal with Google. I must admit that I myself, when I’ve had an issue with something like the Intense Debate plugin, got an email from Matt himself apologizing. Personal reply or boilerplate letter, it doesn’t matter, as it was still a quick response and I’m grateful to WordPress.org for being responsive.

    You can read about Arnan trying to get back into the plugin directory here:


  2. @Baron – When a plugin is pulled for a security exploit, like AdRotate was, there is a specific sequence of events that is supposed to take place.
    1. The plugin is de-listed from the repository, to prevent further downloads of an insecure plugin.
    2. If the exploit is accidental or not obviously malicious, the developer is notified via email. The email comes from a valid address (plugins at wporg) and can be replied to.
    3. The plugin developer presumably fixes the exploit or tells us that it is an invalid exploit, updates the plugin in SVN, and emails back saying so.
    4. We check it out, and either provide advice or re-enable the plugin.

    Now, it seems that the developers of that plugin aren’t really paying too much attention to their emails. They were emailed, at their email address attached to the username in WordPress.org, which owns their plugin. They either did not receive the email or chose to not respond to it.

    There is no reasonable case in which somebody would need to post to the forums, as they claim, in order to figure out who to reply to. They were emailed when the plugin was closed. If they didn’t get it, then maybe they should update the email address on their WordPress.org user account to a valid email address to ensure they stay informed.

    Also note that this is not the first time they’ve been through this dance; they have had security issues before and they should have figured it out by now.
