Are WordPress Plugins Fully Vetted Before Going Into The WordPress Repository?

WordPress plugins are vetted before going into the WordPress repository, but not completely.

The Plugin Review team conducts a manual review for every single WordPress plugin submitted to the repository.

A similar process exists for the Theme Review team. However, themes are designed for “presentation purposes”, following a set of predictable rules:

  • A style.css file
  • A bunch of template files (predefined by the template hierarchy)
  • Basic features for basic template use (most functional ones are prohibited in the repo)
  • Additional CSS assets
  • Usually known libraries (both CSS and JS) for grids, jQuery add-ons, things like that

I reviewed a hundred themes back in the day. 80% of them were similar.

The file/folder structure is almost identical.

There is a comprehensive process that goes through a sample set of data, covering known edge cases:

  • Large images overlapping the area
  • Long headlines
  • Archive pages
  • Pagination
  • Supporting all reasonable HTML tags like tables or <pre>
  • Child pages

Plugins, on the other hand, are completely unique (and random at times).

The team is small, just a handful of people who are employed elsewhere (they have “day jobs”, so to speak).

And they tend to receive dozens of plugins on a daily basis.

Some may seem simple – 300 lines of code, straightforward use of filters and actions, all good.

What about:

  • Caching plugins?
  • eCommerce?
  • Membership?
  • Social media?
  • Third-party integrations with random SaaS products?

It gets ugly, quickly.

What Makes The Review Process Complicated

So the team performs a general security review, confirming that the leading best practices are followed (code quality and the use of appropriate hooks). Things can, however, fall through the cracks.
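To make the "appropriate hooks" part of that review concrete, here is an added example of a triage scanner of the kind a reviewer (or a site owner vetting a plugin) can run over a plugin's PHP before reading it by hand. It is not a WordPress.org tool and not code from the original post; the plugin source it scans is a constructed sample embedded in the script. It looks for two patterns the manual review is meant to catch: AJAX handlers registered on wp_ajax_* hooks that never verify a nonce or check a capability, and REST routes whose permission_callback is missing or set to __return_true.

```python
"""Heuristic pre-review scanner for a WordPress plugin's PHP source.

Added example: not from the original post and not a WordPress.org tool.
It is regex-based, so it is a triage aid for the human reviewer, not a
proof that a plugin is safe. The PHP below is a constructed sample.
"""
import re

# add_action( 'wp_ajax_foo', 'callback' ) and the wp_ajax_nopriv_ variant
AJAX_HOOK_RE = re.compile(
    r"""add_action\s*\(\s*['"](wp_ajax(?:_nopriv)?_[A-Za-z0-9_]+)['"]\s*,\s*['"]([A-Za-z0-9_\\]+)['"]"""
)
# Named function definitions; the body is found afterwards by brace matching
FUNC_RE = re.compile(r"function\s+([A-Za-z0-9_]+)\s*\([^)]*\)\s*\{")
# Everything passed to register_rest_route( ... );
REST_ROUTE_RE = re.compile(r"register_rest_route\s*\((.*?)\)\s*;", re.S)

NONCE_CHECKS = ("check_ajax_referer", "wp_verify_nonce", "check_admin_referer")
CAP_CHECKS = ("current_user_can", "is_user_logged_in")

SAMPLE_PLUGIN_PHP = r"""<?php
/* Plugin Name: Demo (constructed sample for the scanner, not a real plugin) */
add_action( 'wp_ajax_demo_save', 'demo_save' );
add_action( 'wp_ajax_nopriv_demo_ping', 'demo_ping' );
add_action( 'wp_ajax_demo_export', 'demo_export' );

function demo_save() {
    check_ajax_referer( 'demo_nonce', 'security' );
    if ( ! current_user_can( 'manage_options' ) ) { wp_die( 'nope' ); }
    update_option( 'demo_value', sanitize_text_field( $_POST['value'] ) );
    wp_send_json_success();
}

function demo_ping() {
    wp_send_json( array( 'ok' => true ) );
}

function demo_export() {
    // No nonce and no capability check: every logged-in user can call this.
    echo wp_json_encode( get_option( 'demo_value' ) );
    wp_die();
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'demo/v1', '/settings', array(
        'methods'             => 'POST',
        'callback'            => 'demo_save',
        'permission_callback' => '__return_true',
    ) );
} );
"""


def _function_bodies(src):
    """Map function name -> body text by counting braces from each definition.

    Braces inside string literals would confuse this; acceptable for triage.
    """
    bodies = {}
    for m in FUNC_RE.finditer(src):
        depth, i = 1, m.end()
        while i < len(src) and depth:
            depth += {"{": 1, "}": -1}.get(src[i], 0)
            i += 1
        bodies[m.group(1)] = src[m.end():i]
    return bodies


def scan_plugin_source(src):
    """Return a list of human-readable findings for one PHP source string."""
    findings = []
    bodies = _function_bodies(src)
    for hook, callback in AJAX_HOOK_RE.findall(src):
        body = bodies.get(callback.lstrip("\\"))
        if body is None:
            findings.append(f"{hook}: callback {callback}() not defined in this file")
            continue
        if not any(c in body for c in NONCE_CHECKS):
            findings.append(f"{hook}: {callback}() performs no nonce check")
        if hook.startswith("wp_ajax_nopriv_"):
            # Reachable without a session by design; worth a closer look, not a bug by itself
            findings.append(f"{hook}: {callback}() is reachable without login")
        elif not any(c in body for c in CAP_CHECKS):
            findings.append(f"{hook}: {callback}() performs no capability check")
    for args in REST_ROUTE_RE.findall(src):
        if "permission_callback" not in args or "__return_true" in args:
            findings.append("register_rest_route: route without a restrictive permission_callback")
    return findings


if __name__ == "__main__":
    for line in scan_plugin_source(SAMPLE_PLUGIN_PHP):
        print(line)
```

On the sample, demo_save() passes both checks and produces nothing, while demo_export() and the REST route are flagged; a reviewer would then read those three call sites rather than the whole plugin. The scanner only sees one file at a time, so a callback defined elsewhere is reported as such rather than silently skipped.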

More importantly…

Updates are not reviewed.

A plugin author can push multiple updates on a daily basis. With tens of thousands of available plugins in the repository, this would require an army of hundreds of full-time developers performing code reviews and actual usability tests.
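Since the directory does not re-review updates, the review step has to happen on the site operator's side before an update is applied. The following added example (not from the original post, not a WP-CLI or WordPress component) shows one way to gate that: it reads the JSON that `wp plugin list --format=json` prints (a constructed sample is embedded; the `name`, `version`, `update`, `update_version` and `auto_update` fields are assumed), compares each available update against a manifest of versions someone has actually reviewed (a hypothetical file, here an inline dictionary), and emits the WP-CLI commands to run. It also flags plugins whose auto-update is switched on, since an auto-update would bypass the gate entirely.

```python
"""Gate WordPress plugin updates behind an explicit review step.

Added example, not from the original post or from WordPress/WP-CLI.
Input: the output of `wp plugin list --format=json` (constructed sample below).
Policy: a plugin is only updated to a version listed in REVIEWED; anything
else is held, and auto-updates are switched off so they cannot skip the gate.
"""
import json

# Constructed sample of `wp plugin list --format=json`; slugs are made up.
SAMPLE_WP_PLUGIN_LIST = json.dumps([
    {"name": "example-cache", "status": "active", "update": "available",
     "version": "2.4.0", "update_version": "2.5.0", "auto_update": "off"},
    {"name": "example-forms", "status": "active", "update": "available",
     "version": "1.9.2", "update_version": "1.10.0", "auto_update": "on"},
    {"name": "example-seo", "status": "active", "update": "none",
     "version": "3.1.1", "update_version": "", "auto_update": "off"},
])

# Hypothetical review manifest: slug -> versions a human has read and signed off.
REVIEWED = {
    "example-cache": {"2.4.0", "2.5.0"},
    "example-forms": {"1.9.2"},
    "example-seo": {"3.1.1"},
}


def plan_updates(plugin_list_json, reviewed):
    """Return {slug: {"action": apply|hold|current, "commands": [...], "notes": [...]}}."""
    plan = {}
    for p in json.loads(plugin_list_json):
        slug, installed = p["name"], p["version"]
        ok = reviewed.get(slug, set())
        entry = {"action": "current", "commands": [], "notes": []}
        if installed not in ok:
            # The running code itself never went through review; worth knowing.
            entry["notes"].append(f"installed version {installed} was never reviewed")
        if p["update"] == "available":
            target = p["update_version"]
            if target in ok:
                entry["action"] = "apply"
                entry["commands"].append(f"wp plugin update {slug} --version={target}")
            else:
                entry["action"] = "hold"
                entry["notes"].append(f"update {target} not reviewed yet")
                if p.get("auto_update") == "on":
                    entry["notes"].append("auto-update is on and would bypass this gate")
                    entry["commands"].append(f"wp plugin auto-updates disable {slug}")
        plan[slug] = entry
    return plan


if __name__ == "__main__":
    for slug, entry in plan_updates(SAMPLE_WP_PLUGIN_LIST, REVIEWED).items():
        print(slug, entry["action"], entry["notes"])
        for cmd in entry["commands"]:
            print("   ", cmd)
```

In practice the script is fed the live output of `wp plugin list --format=json` on a staging copy, the manifest lives in version control next to the site's configuration, and a held update only moves to "apply" once someone has diffed the new version (the repository's Subversion history makes that diff easy to obtain) and added the version to the manifest.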

This gets significantly more complicated when you consider the endless suite of use cases (combinations of dozens of plugins with a random premium theme on a $2/mo hosting plan with different content types).

This is what makes the review process complicated.

For the most part, things look fine. Every now and then, a security vulnerability may be disclosed. Performance and instability (regression) problems are observed quite a lot, too.