WordPress plugins are vetted before going into the WordPress repository, but not completely.
The Plugin Review team conducts a manual review for every single WordPress plugin submitted to the repository.
A similar process exists for the Theme Review team. However, themes are designed for “presentation purposes”, following a set of predictable rules:
- A style.css file
- A bunch of template files (predefined by the template hierarchy)
- Basic features for basic template use (most functional ones are prohibited in the repo)
- Additional CSS assets
- Usually known libraries (both CSS and JS) for grids, jQuery add-ons, things like that
I had reviewed a hundred themes back in the day. 80% of them are similar.
The file/folder structure is almost identical.
There is a comprehensive process that goes through a sample set of data, covering known edge cases:
- Large images overlapping the area
- Long headlines
- Archive pages
- Pagination
- Supporting all reasonable HTML tags like tables or <pre>
- Child pages
Plugins are completely unique (and random at times.)
The team is small, just a handful of people who are employed elsewhere (they have “day jobs”, so to speak.)
And they tend to receive dozens of plugins on a daily basis.
Some may seem simple – 300 lines of code, straightforward use of filters and actions, all good.
What about:
- Caching plugins?
- eCommerce?
- Membership?
- Social media?
- 3rd party integrations by random SaaS?
It gets ugly, quickly.
What Makes The Review Process Complicated
So the team performs a general security review, confirming adherence to the leading best practices (code quality and appropriate use of hooks). Things can, however, fall through the cracks.
More importantly…
Updates are not reviewed.
A plugin author can push multiple updates on a daily basis. With tens of thousands of available plugins in the repository, this would require an army of hundreds of full-time developers performing code reviews and actual usability tests.
This gets significantly more complicated when you consider the endless suite of use cases (combinations of dozens of plugins with a random premium theme on a $2/mo hosting plan with different content types).
This is what makes the review process complicated.
For the most part, things look fine. Every now and then, a security vulnerability may be disclosed. Performance and instability (regression) problems are observed quite a lot, too.