Today at WordCamp Lancaster Ryan Duff gave a talk on “Choosing WordPress Themes And Plugins: A Guide To Making Good Decisions.” It reminded me of an incident on the WordPress.org plugins database that I observed last year. The incident was minor, but it illustrates significant limitations of that place as a source of trust signals.

Two years ago, to the day, I called the WordPress.org plugins database a “swamp,” and I stand by that. Ryan noted that there’s no canonical right way to select plugins and themes; you have to mitigate risk as much as possible, which means looking at a plugin in the round. WordPress.org gives you some tools for that: ratings, reviews, installation base, support forums. You can evaluate the social credit of the developer. You can review the code yourself, if you’re so inclined and have the technical background.

Here at Lafayette we use a plugin called Category Posts Widget. It’s pretty simple: it creates a widget which displays recent posts from a given category. Its original author released version 3.3 in August 2011 and then never updated it again. We’d been running it since 2010 or earlier. If we’d stumbled on it in 2013 we’d have seen it was outdated and passed, but if a plugin keeps working you never really notice it’s been abandoned unless you have a regular review process (which we don’t).

In September 2014 a new author took ownership of the plugin and released an update, 4.0, which of course showed up automatically as an available update for site owners. Because we manage our multisites with git, we import plugin code through svn2git, so we generally see how significant an update’s changes are before it reaches production. Every plugin page on WordPress.org has a changelog, and the changes for this update sounded pretty routine:

  • Added CSS file for post styling
  • Now compaitable [sic] with latest versions of WordPress

Okay, that sounds pretty helpful and…hey, check out the diff on those changes:

 cat-posts.php | 504 ++++++++++++++++++++++++++++++++--------------------------
 1 file changed, 279 insertions(+), 225 deletions(-)

Wait, what? That plugin was only 262 lines long! What the hell?
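A review process can catch this kind of thing mechanically: the diffstat above deletes 225 of the file’s 262 pre-update lines, which is a replacement, not a patch. The script below is an added example, not code from the original post or from either plugin author. It parses the output of `git diff --numstat OLD NEW` and flags any file whose deletions exceed a chosen fraction of its size before the update. The numstat sample and the old line counts are constructed inline for illustration: the cat-posts.php numbers are the ones from the post, while readme.txt and screenshot-1.png are invented filler. In real use you would feed it `git diff --numstat` from the svn2git import and take old sizes from `git show OLD:path | wc -l`.

```python
"""Flag plugin updates whose diff churn looks like a wholesale rewrite.

Added example, not code from the original post. It parses the output of
`git diff --numstat OLD NEW` (one "added<TAB>deleted<TAB>path" line per
file) and compares each file's deletions with its size before the update.
A routine update removes a few lines; a replacement plugin removes most of
the old file, as the cat-posts.php diff in the post did.
"""
import re

# One line per file: added, deleted, path. Binary files show "-" in both
# numeric columns.
NUMSTAT_RE = re.compile(r"^(\d+|-)\t(\d+|-)\t(.+)$")

# Constructed sample of numstat output. The first line reproduces the
# numbers from the post (279 insertions, 225 deletions); readme.txt and
# screenshot-1.png are invented filler showing a routine change and a
# binary file.
SAMPLE_NUMSTAT = (
    "279\t225\tcat-posts.php\n"
    "12\t3\treadme.txt\n"
    "-\t-\tscreenshot-1.png\n"
)

# Line counts of each file before the update. In a real run take them from
# `git show OLD:path | wc -l`. 262 is the pre-update size from the post;
# 40 is invented.
SAMPLE_OLD_SIZES = {"cat-posts.php": 262, "readme.txt": 40}


def parse_numstat(text):
    """Return [(added, deleted, path)] for text files; binary entries are skipped."""
    entries = []
    for line in text.splitlines():
        m = NUMSTAT_RE.match(line)
        if not m:
            continue  # blank or unexpected line
        added, deleted, path = m.groups()
        if added == "-" or deleted == "-":
            continue  # binary file: no line counts to reason about
        entries.append((int(added), int(deleted), path))
    return entries


def deleted_fraction(deleted, old_lines):
    """Share of the pre-update file that the diff removes (0.0 for a new file)."""
    if old_lines <= 0:
        return 0.0  # file did not exist before: an addition, not a rewrite
    return min(deleted / old_lines, 1.0)


def flag_rewrites(numstat_text, old_sizes, threshold=0.5):
    """Return files where the update deletes more than `threshold` of the old file.

    Each result is a dict with path, added, deleted, old_lines and
    deleted_fraction, sorted with the most heavily rewritten file first.
    """
    flagged = []
    for added, deleted, path in parse_numstat(numstat_text):
        old_lines = old_sizes.get(path, 0)
        frac = deleted_fraction(deleted, old_lines)
        if frac > threshold:
            flagged.append({
                "path": path,
                "added": added,
                "deleted": deleted,
                "old_lines": old_lines,
                "deleted_fraction": frac,
            })
    flagged.sort(key=lambda f: f["deleted_fraction"], reverse=True)
    return flagged


if __name__ == "__main__":
    for f in flag_rewrites(SAMPLE_NUMSTAT, SAMPLE_OLD_SIZES):
        print("REWRITE? {path}: {deleted}/{old_lines} old lines deleted "
              "({deleted_fraction:.0%}), {added} added".format(**f))
```

On the constructed sample only cat-posts.php is flagged (about 86% of the old file deleted); readme.txt loses 3 of 40 lines and passes. The threshold is a judgment call: 0.5 catches a replacement without tripping on a normal refactor, but a plugin with many small files may need the check run on the total across files rather than per file.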

At the risk of a tired metaphor, this was a wolf in sheep’s clothing. The new author had inserted a completely new plugin with no upgrade path under the guise of an update. While it provided the same functionality, existing widgets didn’t carry over; you would have to update every widget manually. If, like us, you maintain multiple multisite installations with hundreds of sites, this simply isn’t an option. This support forum discussion gives a taste of the anguish for downstream users.

We dodged a bullet because of our internal code review process, but there are few external indications on WordPress.org about what happened:

  • As of today, the plugin has 80,000+ active installs. That no doubt includes those clients who, like us, stayed on version 3.3. In November, when WordPress still counted downloads and not installations, it had 300,000+ downloads.
  • It stands at 3.9 of 5 stars, with eight 5-star reviews and three 1-star reviews. Tellingly, most of these reviews are from after the 4.0 update, and apparently from new users who weren’t burned by it. Only one of the 1-star reviews flags the upgrade issue.
  • The author has three plugins, though if you dig in you notice he isn’t very active in the WordPress community and his other two plugins aren’t widely used. His plugins page shows 317,000 downloads, which sounds great until you realize almost all of those predate his involvement.

Nothing in the WordPress.org environment flags that the new author took over the plugin, inherited the social credit generated by the previous author, and then pushed through a breaking update which raised hell on downstream production sites. Discussion after the fact showed that he either didn’t care or didn’t understand how serious this was. The offer to submit pull requests on GitHub was better than nothing…except that months later there’s been no activity and no pull requests have been accepted.

I’m not sure how you fix this. On the face of it, a new developer assuming responsibility for an abandoned but popular plugin (or theme) is a Good Thing, so outlawing it isn’t a solution. Maybe if WordPress.org tracked activation history and author history, so you could drill down and get stats? Alternatively, some way to flag when a plugin has a breaking change. But for now,