WordPress Enforces Plugin Check and 2FA for New Plugin Submissions

Security Review Lead Chris Christoff has announced two new changes for the WordPress Plugin Directory, effective from October 1, 2024. These changes aim to enhance plugin directory security and promote best practices among plugin developers.

Mandatory Two-Factor Authentication

As of October 1, 2024, all plugin owners and committers must enable Two-Factor Authentication (2FA) to submit new plugins to the WordPress Plugin Directory. This change was announced by Automattic-sponsored developer Dion Hulse last month.

Plugin owners are encouraged to enable 2FA, review committers’ access levels, and use additional security features like the SVN password option and Release Confirmation. Detailed guides on Configuring Two-Factor Authentication and Keeping Your Plugin Committer Accounts Secure are also available.

Plugin Check Tool

Also from October 1, 2024, any new plugin submitted to the Plugin Directory must first pass a pre-submission check with the Plugin Check tool. If the tool reports any errors, the submission is blocked until they are fixed.

This new step aims to shorten the review queue by letting plugin authors catch common issues before submitting their plugins for manual review. Plugin Check flags frequent problems such as mismatched versions between the plugin header and the readme.txt file, incorrect text domains, and erroneous “Tested up to” values in the readme. Although Plugin Check adds a layer of automation, it does not replace the manual review of plugins.

David Perez from the Plugin Review Team recommended making Plugin Check part of the development workflow: “In addition to things relevant for the review process, the tool flags violations or concerns around plugin development best practices, from basic requirements like correct usage of internationalization functions to accessibility, performance, and security best practices. It does so using both static checks using PHP_CodeSniffer and dynamic checks, where it actually activates your plugin to test it ‘live’.”
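To make the static side of those checks concrete, here is an added example (written for this page in Python; it is not the Plugin Check plugin's own PHP code) that reproduces three of the checks named above over a pair of constructed sample files: the plugin header's Version against the readme's Stable tag, a Tested up to value that is empty or newer than the current WordPress release, and gettext calls whose text domain is missing or differs from the Text Domain header. The sample plugin, the readme, and the CURRENT_WP value are all assumptions for the demonstration.

```python
# Added example (not Plugin Check's own code): header/readme consistency and
# text-domain checks of the kind the tool runs, over constructed sample files.
import re

CURRENT_WP = "6.6"  # assumption: newest WordPress release at check time

# Constructed sample: main plugin file and readme.txt of a hypothetical plugin.
PLUGIN_PHP = """<?php
/**
 * Plugin Name: Example Widgets
 * Version:     1.2.0
 * Text Domain: example-widgets
 */
$ok   = __( 'Hello', 'example-widgets' );
$bad  = esc_html__( 'Wrong domain', 'examplewidgets' );
$none = _n( 'One item', '%d items', $count );
"""
README_TXT = """=== Example Widgets ===
Stable tag: 1.1.0
Tested up to: 9.9
"""

# Position (1-based) of the text-domain argument for each gettext-style function.
ARITY = {"__": 2, "_e": 2, "esc_html__": 2, "esc_html_e": 2, "esc_attr__": 2,
         "esc_attr_e": 2, "_x": 3, "_ex": 3, "esc_html_x": 3, "esc_attr_x": 3,
         "_n": 4, "_nx": 5}


def parse_headers(text, keys):
    """Return {key: value} for 'Key: value' lines in the header/readme style."""
    found = {}
    for key in keys:
        m = re.search(r"^[ \t/*#@]*" + re.escape(key) + r":[ \t]*(.+?)[ \t]*$",
                      text, re.M)
        if m:
            found[key] = m.group(1)
    return found


def version_tuple(v):
    """'6.6' -> (6, 6), so versions compare numerically rather than lexically."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def split_args(arglist):
    """Split a PHP argument list on top-level commas, respecting quotes."""
    args, buf, quote = [], "", None
    for ch in arglist:
        if quote:
            buf += ch
            quote = None if ch == quote else quote
        elif ch in "'\"":
            quote, buf = ch, buf + ch
        elif ch == ",":
            args, buf = args + [buf.strip()], ""
        else:
            buf += ch
    return args + [buf.strip()] if buf.strip() else args


def i18n_calls(php):
    """Yield (function, text_domain_or_None) for each gettext-style call."""
    names = "|".join(re.escape(f) for f in ARITY)
    for m in re.finditer(r"\b(" + names + r")\s*\(([^()]*)\)", php):
        func, args = m.group(1), split_args(m.group(2))
        domain = None
        if len(args) >= ARITY[func]:
            last = args[ARITY[func] - 1]
            if len(last) >= 2 and last[0] == last[-1] and last[0] in "'\"":
                domain = last[1:-1]  # literal domain; a variable stays None
        yield func, domain


def check_plugin(php, readme, current_wp=CURRENT_WP):
    """Return a list of (code, message) findings; an empty list means all pass."""
    findings = []
    hdr = parse_headers(php, ["Version", "Text Domain"])
    rd = parse_headers(readme, ["Stable tag", "Tested up to"])
    if hdr.get("Version") != rd.get("Stable tag"):
        findings.append(("stable_tag_mismatch", f"header Version {hdr.get('Version')!r}"
                         f" != readme Stable tag {rd.get('Stable tag')!r}"))
    tested = rd.get("Tested up to")
    if not tested or version_tuple(tested) > version_tuple(current_wp):
        findings.append(("tested_up_to_invalid",
                         f"Tested up to {tested!r} is empty or newer than {current_wp}"))
    expected = hdr.get("Text Domain")
    for func, domain in i18n_calls(php):
        if domain is None:
            findings.append(("missing_text_domain", f"{func}() has no text domain"))
        elif domain != expected:
            findings.append(("text_domain_mismatch",
                             f"{func}() uses {domain!r}, header says {expected!r}"))
    return findings


if __name__ == "__main__":
    for code, msg in check_plugin(PLUGIN_PHP, README_TXT):
        print(f"ERROR {code}: {msg}")
```

Run against the constructed sample, the script reports all four defects (version/stable-tag mismatch, an impossible Tested up to, a wrong text domain, and an `_n()` call with no domain at all); correcting them yields an empty findings list, which is the state a submission needs to reach before the directory accepts it. A domain passed as a variable rather than a literal is reported as missing, which matches the stricter reading of the internationalization requirement.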

The Plugins Team is working to expand Plugin Check’s coverage to existing plugins. A roadmap detailing this broader application will be released in the coming months. Contributors can help improve the tool via its GitHub Repo.

The WordPress community has responded positively to these updates. Josepha Haden Chomphosy tweeted “This was years in the making and is a huge deal. Congratulations (and big thanks) to everyone who contributed!”

These two measures are expected to help the WordPress Plugin Team improve the security of the platform while reducing the backlog of plugins awaiting approval.

2 Comments
  • Thank you so much for the valuable insights in your article. The implementation of Two-Factor Authentication and the Plugin Check tool is a game-changer for WordPress plugin security, and your detailed explanation helped me understand these updates clearly. This information will definitely assist me in improving my own plugin development practices!

  • The plugin check plugin is a useful tool but its report often has false positives and other misleading errors.

    I hope the review team just use it as an evaluation tool (and still review the code manually) rather than demanding 100% compliance with the plugin's results.
