Reminder: We will check your website

tl;dr: If you put a website as the official developer or pluginPlugin A plugin is a piece of software containing a group of functions that can be added to a WordPress website. They can extend functionality or add new features to your WordPress websites. WordPress plugins are written in the PHP programming language and integrate seamlessly with WordPress. These can be free in the WordPress.org Plugin Directory https://wordpress.org/plugins/ or can be cost-based plugin from a third-party URLURL A specific web address of a website or web page on the Internet, such as a website’s URL www.wordpress.org and it does not exist (or is under construction), your review will be pended.

We know that sounds really weird, but yes, we’re saying if you tell us that your domain is XYZ and that domain doesn’t exist, or isn’t public, your review is going to be paused until you finish the site.

The primary reason for that is because those URLs will be seen by all your users, and if a user sees a great looking plugin with an incomplete website, they will not trust you. That’s actually something that scammers do on the regular, and you’ve made yourself look like that.

So to protect you from an undeserved bad-rep, we check your domains.

The secondary reason is, if you’re a service, we really do need that live so we can review the website and ensure it and the plugin are compatible with our guidelines.

Can I just remove the URL from the code?

Most of the time, yes.

However if you’re a service and the service runs through that website, then not only will you be required to make the site public, but you will also need to include a terms of use and/or privacy page on your site.

I made a typo! What do I do?

Reply to the email with “Ooops, I typoed, the real URL is …” We’ll ask you to update the code and your account, so your users don’t get confused, and all will be well.

What if the site isn’t mine, it’s the service owner’s?

Then you used the wrong account to submit the plugin. Remember ALL official plugins have to be owned by the official company. If you were hired to make a plugin for BoogieDownBlues (a fake company) and the domain is boogiedownblues.com then the account that submits the plugin has to use that domain for their email.

That protects you and them from any legal action later on.

My site is nearly done, can I have a pass?

No. Again, we’re trying to protect you from being seen as an untrustworthy developer. Also we want to make sure your site isn’t violating rules.

What if I need to have the plugin before I can have the site?

This generally happens with service plugins, and if that’s the case, we will tell you no. The site has to exist so we can validate the service.

Do I need an about page and all that?

You do not, but we do recommend it. People prefer to know there are real humans behind things.

Can I make a simple, placeholder?

Maybe. It depends on what you put on the placeholder page and (again) if you’re a service. If the placeholder says ‘Coming soon!’ then no.

What about Lorem Ipsum pages?

If your domain is filled with placeholder, we consider it to be incomplete and will point out the problem. Same goes for clearly fake addresses and those about pages that all have the same face.

Why does it matter if my personal site exists?

Because you told us (and by extension all your users) “this is who I am!” If your personal site is ‘coming soon’ or has a placeholder, no one can make a judgement on you save to say you’re a dev who can’t make a website. And yes, that is patently unfair, we know, but that’s what people will think. Heck, they complain to us every time we miss it. We would rather you not start in a bad place.

Why was I told not to use trademarks in my URL?

Because using a trademark in the domain name violates trademark law.

Using a company’s trademark in a URL as a domain name in whole (or in part like wordpress-example.com) may constitute a violation of the company’s trademark rights.  See Brookfield Communications, Inc. v. West Coast Entertainment Corp., 174 F.3d 1036 (9th Cir. 1999). 

What you can do instead is have example.com/trademark/ — that is generally allowed.

Keep in mind, some organizations (like WordPress) will allow the ‘short’ versions so wpexample.com would be fine. Others (like WooCommerce) have more restrictions, and actually prohibit wooexample.com

Always check the trademark guidelines first!

#reminder

X-post: WordCamp US Contributor Day 2022 Recap

X-comment from +make.wordpress.org/updates: Comment on WordCamp US Contributor Day 2022 Recap

Heroku Free Tier Being Retired

tl;dr: Heroku’s free plan is going away. Please update your services and make sure all your 3rd party libraries are up to date.

From their recent post:

Starting October 26, 2022, we will begin deleting inactive accounts and associated storage for accounts that have been inactive for over a year. Starting November 28, 2022, we plan to stop offering free product plans and plan to start shutting down free dynos and data services. We will be sending out a series of email communications to affected users.

Roughly 300 plugins use heroku services, many for free. If you are one of those free users, please make sure you make arrangements to either pay for the plan or replace your service. As of December 2022, if people report your pluginPlugin A plugin is a piece of software containing a group of functions that can be added to a WordPress website. They can extend functionality or add new features to your WordPress websites. WordPress plugins are written in the PHP programming language and integrate seamlessly with WordPress. These can be free in the WordPress.org Plugin Directory https://wordpress.org/plugins/ or can be cost-based plugin from a third-party breaks because of that shut-down, we will close your plugin until it’s corrected.

There’s always the probability you’re not going to want to (or be able to) migrate services. That’s okay too. If you want to close your plugin, you can do that yourself! I would recommend pushing a final version that warns people on day X this will stop working, if that’s your choice.

The one thing that’s really going to trip people up are those libraries though. A lot of 3rd party libraries make use of Heroku, and not all are going to update.

We’re going to do a sweep and let as many people know as we can, but we wanted this to be public since a lot of people miss emails and also if your plugin isn’t impacted but one you coordinate with is, well… you should know too 🙂

#heroku

Top reasons not to use setlocale() for character encoding conversion

Many WordPress plugins use the setlocale() function.

While it’s generally safe to use setlocale() to get various information about a specific locale, it’s essential to understand that using setlocale() to perform string manipulations has significant disadvantages.

The goal of this article is to raise awareness about those disadvantages.

Disadvantages

So, what are they?

  1. Firstly, setlocale() is not thread-safe. If you run WordPress on shared hosting, you may experience sudden changes in locale settings, as though your pluginPlugin A plugin is a piece of software containing a group of functions that can be added to a WordPress website. They can extend functionality or add new features to your WordPress websites. WordPress plugins are written in the PHP programming language and integrate seamlessly with WordPress. These can be free in the WordPress.org Plugin Directory https://wordpress.org/plugins/ or can be cost-based plugin from a third-party never called setlocale().
  2. String functions that rely on setlocale() to detect the current locale don’t process some characters correctly, even if the correct locale is set with setlocale().

Take a look at this 3vl4.org example.

The expected output of the script is Ž, but the actual output is Ů.

Recommendations

These are some recommendations on using setlocale() that could make using it safer:

  1. Don’t use setlocale() to process strings in different encodings unless absolutely unavoidable.
  2. Don’t use setlocale() with LC_ALL. Instead, specify the exact categoryCategory The 'category' taxonomy lets you group posts / content together that share a common bond. Categories are pre-defined and broad ranging. of functions you need (e.g., LC_MONETARY, LC_NUMERIC).
  3. If you need to change the current locale, you must change it back to the previous value in order to preserve thread-sanity. At this time, C should be used as the default locale setting.

#best-practices, #security

X-post: Contributor Teams: Submit WCUS 2022 Table Leads Signup Form by July 29

X-comment from +make.wordpress.org/community: Comment on Contributor Teams: Submit WCUS 2022 Table Leads Signup Form by July 29

Proposal for a WordPress plugin checker

For a long time, WordPress has had the theme check plugin, a tool which statically analyzes a given WordPress theme to determine if it follows certain theme development requirements and best practices.

This post proposes defining and implementing a similar tool for WordPress plugins that analyzes a given WordPress pluginPlugin A plugin is a piece of software containing a group of functions that can be added to a WordPress website. They can extend functionality or add new features to your WordPress websites. WordPress plugins are written in the PHP programming language and integrate seamlessly with WordPress. These can be free in the WordPress.org Plugin Directory https://wordpress.org/plugins/ or can be cost-based plugin from a third-party and flags any violations of plugin development requirements and best practices with errors or warnings. It should cover various aspects of plugin development, from basic requirements like correct usage of internationalization functions to accessibilityAccessibility Accessibility (commonly shortened to a11y) refers to the design of products, devices, services, or environments for people with disabilities. The concept of accessible design ensures both “direct access” (i.e. unassisted) and “indirect access” meaning compatibility with a person’s assistive technology (for example, computer screen readers). (https://en.wikipedia.org/wiki/Accessibility), performance, and security best practices.

This post is based on an earlier proposal document that has been reviewed and discussed by the performance working group over the last several weeks (see original Slack message sharing the proposal).

Goal and use cases

The goal of the plugin checker would be largely equivalent to that of the existing theme checker, fulfilling similar purposes for plugins. Specifically, the primary goals would be to:

  • Provide plugin developers with feedback on requirements and best practices during development.
  • Provide the wordpress.orgWordPress.org The community site where WordPress code is created and shared by the users. This is where you can download the source code for WordPress core, plugins and themes as well as the central location for community conversations and organization. https://wordpress.org/ plugin review team with an additional automated tool to identify certain problems or weaknesses in a plugin ahead of a manual review.
  • Provide technical site owners with a tool to assess plugins based on those requirements and best practices.

The plugin checker should be implemented as a plugin itself, allowing it to be used by similar environments to the theme checker. However, the scope of the plugin checker should preferably be slightly expanded so that it can better adapt to different environments to satisfy the following use cases:

  • It should support checking a plugin both from a WP Admin UIUI UI is an acronym for User Interface - the layout of the page the user interacts with. Think ‘how are they doing that’ and less about what they are doing. and from the command line (using WP-CLIWP-CLI WP-CLI is the Command Line Interface for WordPress, used to do administrative and development tasks in a programmatic way. The project page is http://wp-cli.org/ https://make.wordpress.org/cli/), so that it can be conveniently run during local development or for Continuous Integration, e.g. a GitHubGitHub GitHub is a website that offers online implementation of git repositories that can easily be shared, copied and modified by other developers. Public repositories are free to host, private repositories require a paid subscription. GitHub introduced the concept of the ‘pull request’ where code changes done in branches by contributors can be reviewed and discussed before being merged be the repository owner. https://github.com/ action.
  • It should include checks that go beyond static code analysisStatic code analysis "...the analysis of computer software that is performed without actually executing programs, in contrast with dynamic analysis, which is analysis performed on programs while they are executing." - Wikipedia, such as runtime checks in which code from the plugin is actually executed, to allow for additional best practices to be covered.
  • It should allow for customization of which checks are run for a plugin, including allowing optional or experimental best practices checks to be opted in to, or excluding certain checks for more of a baseline audit.

Project breakdown

The idea is that this plugin checker plugin would be developed in a GitHub repository and eventually be published either as a plugin in the wordpress.org plugin repository, as a Composer package on Packagist, or both. An additional means of distribution could be to also publish it as a configurable GitHub action. From there, both developers and site owners would have access to it and could use it as they prefer.

Once the plugin is more established, opportunities for this new tool to be integrated into the wordpress.org plugin submission infrastructure should be explored in order to automate parts of the largely manual plugin review process and potentially catch additional problems. The customization of which checks to run is critical particularly for this purpose, as there is a good chance that the plugin repository would run a different set of checks than the default configuration, emphasizing the more foundational requirements for all plugins.

While the initial purpose of the plugin checker will be for plugin developers and site owners to use the plugin checker, all of the above use cases need to be considered during all stages of development of the tool.

Proposed approach

As outlined above, the plugin checker should be implemented as a plugin itself, primarily so that it is easy to install and usable within WP Admin UI for site owners or developers. In addition, it should provide a WP-CLI command so that plugin checks can also be conducted from the command line.

The tool’s static code analysis checks should rely on an internalized version of PHP_CodeSniffer, providing more flexibility and simplifying maintenance, as this is an established tool. There are already existing WordPress tools for automated plugin analysis, and several of them also use PHP_CodeSniffer, which would mean that the new tool could use some already established checks. In addition, usage of PHP_CodeSniffer would allow even environments that are not WordPress to run at least the static analysis checks.

While many plugin requirements can be checked through static code analysis, this method has its limitations, especially when it comes to certain accessibility and performance best practices. That is where having dynamic runtime checks available in addition to static code analysis will be critical. Dynamic runtime checks are different in that they actually run the plugin and thus can detect additional issues such as uncached or slow database queries. They can also more reliably identify problems around excessive scripts and stylesheets being enqueued.

One of the main complexities around plugins compared to themes is that plugins essentially have an almost unlimited feature set – they can do anything. This makes it impossible to predict their expected behavior. It also complicates defining a reliable set of rules and guidelines to check for. However, there are certain ways to at least to detect what a plugin does, for example when using certain WordPress APIs, such as to register post types or blocks. Such detection mechanisms would benefit from runtime checks as well; for example a plugin may not affect the homepage of the website in any way, but it could cause several issues just in posts of a certain post type. Dynamic checks allow for such problems to be identified.

In addition to static analysis and server-side runtime checks, it could also be beneficial to include client-side checks. Again, there are certain accessibility and performance best practices that could only be reliably detected through such checks. One complexity of client-side checks, though, is that they would only work in a browser environment, so it would be challenging to run them from the command line except in an environment where a headless browser is configured. This makes running such checks infeasible in certain environments. For this reason, the proposed approach for the plugin checker would be to start with a focus on static analysis checks and server-side runtime checks, but build the infrastructure in a way that client-side checks could potentially be added in the future.

For some additional context on the different types of checks, see the earlier proposal document.

Next steps

At this point, the performance team would like to gather feedback on this proposal from the wider community, especially from plugin developers, the plugin review team, and the metaMeta Meta is a term that refers to the inside workings of a group. For us, this is the team that works on internal WordPress sites like WordCamp Central and Make WordPress. team. Please share your thoughts, questions, or concerns in the comments.

Once there is consensus on a path forward, the next step would be to design the infrastructure for the plugin checker plugin and start implementing it in a new WordPress GitHub repository. The performance team would be excited to take the lead on this project, but it is vital that additional contributors from other teams help with its development, especially when it comes to defining and implementing the different checks.

This is certainly an ambitious project, and it is not the first time that a plugin checker has come up. It also needs to be clarified that it will likely take a few months at least to get to a first version. However, we are optimistic that with a solid foundation and collaboration from the start, we can create a tool that will meet the requirements for reliable automated plugin checks.

Props to @shetheliving, @mehulkaklotar, @manuilov, and @ipstenu for review and proofreading.

#performance, #plugin-check, #proposal

X-post: Learn WordPress Development: Creating a Public Roadmap for Content Creation

X-post from +make.wordpress.org/training: Learn WordPress Development: Creating a Public Roadmap for Content Creation

X-post: Rollback Feature: Testing Call to Action

X-comment from +make.wordpress.org/core: Comment on Rollback Feature: Testing Call to Action

Google Drive is Flagging Plugins as ‘Viruses’

tl;dr Google, who already blocked anyone from emailing a zip with certain JS files inside (compressed/combined files), has moved to blocking them as ‘viruses’ entirely.

This week a new hassle popped up with anyone who uses Google Drive.

If you’re not the owner of a file, you may have seen a warning like this:

Warning: Sorry, this file is infected with a virus. Only the owner is allowed to download infected files.

Or maybe this when trying to download:

A virus was detected, so you can't download this file.

In both cases, it’s Google being weird and sadly it’s not something we can fix.

What this means is that you will want to transition away from using Google Drive to distribute your zips, for pluginPlugin A plugin is a piece of software containing a group of functions that can be added to a WordPress website. They can extend functionality or add new features to your WordPress websites. WordPress plugins are written in the PHP programming language and integrate seamlessly with WordPress. These can be free in the WordPress.org Plugin Directory https://wordpress.org/plugins/ or can be cost-based plugin from a third-party reviews but also for regular sharing of a zip that has javascriptJavaScript JavaScript or JS is an object-oriented computer programming language commonly used to create interactive effects within web browsers. WordPress makes extensive use of JS for a better user experience. While PHP is executed on the server, JS executes within a user’s browser. https://www.javascript.com/.. They used to only do this for Gmail, so it’s somewhat understandable they’d expand this to Drive. Sadly they’re a little shortsighted on implementation and while they may get around to fixing this, they may decide not to care about it and keep blocking.

There are other services like Dropbox or Wetransfer, but also please remember you can always use code repositories like Gitlab or GithubGitHub GitHub is a website that offers online implementation of git repositories that can easily be shared, copied and modified by other developers. Public repositories are free to host, private repositories require a paid subscription. GitHub introduced the concept of the ‘pull request’ where code changes done in branches by contributors can be reviewed and discussed before being merged be the repository owner. https://github.com/ (both of which will build zips for you, so you shouldn’t upload the zip itself to the repos).

We’re sorry about Google getting weird like this.

ETA: Guess what else uses Google to manage attachments? HelpScoutHelp Scout A 3rd party service we use to process emails for plugin reviews.. I have a ticket in to ask to disable that, because hiiiiii. But right now, we’re having a banner day.

#download, #google-drive, #virus

What’s The Deal with Invalid Reviews?

tl;dr: Don’t make reviews for your own pluginPlugin A plugin is a piece of software containing a group of functions that can be added to a WordPress website. They can extend functionality or add new features to your WordPress websites. WordPress plugins are written in the PHP programming language and integrate seamlessly with WordPress. These can be free in the WordPress.org Plugin Directory https://wordpress.org/plugins/ or can be cost-based plugin from a third-party(s) using other people’s accounts. We will remove them and warn you first, and if it keeps happening, your plugin will be closed.

There have been a lot of reviews being removed for being invalid in ways beyond a ‘normal’ sockpuppetSockpuppet A false online identity, typically created by a person or group in order to promote their own opinions or views. Generally used to promote or down-vote plugins en masse..

We know this is messy and scary because any time we say ‘Do bad things, and your plugin(s) will be closed!’ is a terrifying prospect. We really do know that. We really don’t want to do it, which is why we warn people instead of just closing everyone who makes mistakes. Our goal is, and has always been, to make a place where users can download functional, safe, plugins that solve the problems faced by users.

At the same time, we know that developers want people to use their plugins, and one of the ways that happens is by being popular. And yes, one of the ways to become ‘popular’ is to get a lot of good reviews. Which is how we get here. Sometimes people leave reviews for their own plugins. Actually, a lot of the time.

We’re not talking about an individual developer using their developer account to leave a review on their own plugin. While that’s weird and pretty pointless in the long run, it’s not currently prohibited and we leave those alone unless you’ve been flagged for fake reviews in general. Instead we recommend you not review your own plugins since it doesn’t help you out. People generally assume you like your own plugin, so your users won’t learn anything from the review, and since you left it yourself, you won’t learn anything either, making it a net-loss.

The kinds of reviews we’re talking about is when someone (or a group of someones) makes multiple accounts with which to leave reviews about plugins. And this is a global issue. Fake reviews are a huge problem not just on WordPress.orgWordPress.org The community site where WordPress code is created and shared by the users. This is where you can download the source code for WordPress core, plugins and themes as well as the central location for community conversations and organization. https://wordpress.org/. Amazon in particular is filled with fake reviews, and they’re getting harder and harder to spot. It’s an ongoing battle to spot them before they get ‘too bad.’ We aren’t perfect, and that’s why the first time we see someone leaving fake reviews, we warn them. What happens after that is usually pretty telling.

One big thing to keep in mind, reviews are for two purposes:

  1. Your users can see how other people feel about your plugins (and how you handle bad reviews)
  2. You can see how people really feel about you and your work

Both of those things, when they’re positive, can help your plugin become more popular. And of course, if they’re negative, it can hurt you. Which is why people work so hard to earn and merit positive reviews.

What is a fake/invalid review?

A fake review is a review made by someone who is not your actual user.

Sounds simple, right? If you write a review for someone else about your own product and hide who you are, that’s fake. The most common reason this happens is that an intern or a marketer gets the bright idea to share customer stories on the WordPress.org review system. The problem? They’re posting for the customer, which is making a fake review.

Another common way to make fake reviews is to use sockpuppets.

What’s a sockpuppet?

A sock puppet or sockpuppet is an online identity used for purposes of deception. The term references the manipulation of a simple hand puppet made from a sock, and was originally referred to a false identity assumed by someone to hide who they are and talk up themselves.

For example, if you make a second account and post a question about your plugin and then reply as your normal account? You’ve made a sockpuppet.

Sockpuppet accounts are very commonly used to leave positive reviews on plugins.

What’s an invalid review?

An invalid review is one that was made under duress or other promotional encouragement, or one that was made on behalf of a real person.

For example, if you offer a discount for your products if a user leaves a review, then you’ve actually just bribed them for a review, which makes it an invalid review. When people are compensated for a review, they generally leave better ones than they might if you just asked. Related to this, if you tell someone you won’t refund their money unless they leave a positive review, you’ve blackmailed them, and that too is invalid.

As another example, if someone leaves a great review for you via email or on your website, and you help them make a user account on WordPress.org (or make it for them) just to leave that review, you have invalidate their review. We have no way to be sure you didn’t alter the review, and your involvement could have altered the review content simply by being there.

Another kind of invalid review would be one made by someone with a personal, or professional, relationship to you. In other words, if you ask your parents or co-workers or people who share a co-working-location to leave a review, you’ve inadvertently asked them to make invalid reviews. This is a little touchy, since sometimes they are your users. The issue here is that people who know you are more include to leave favorable reviews, but also they can tell you to your face (virtual or otherwise) how they feel. You don’t actually need their review, and they can be more honest by talking to you via your existing connections.

A counter to this is sometimes your friends do legitimately use your plugin and see the note “Please review!” in wp-admin and leave you a review. Those are totally fine and rarely raise red flags.

How do you know the review isn’t real?

More or less the same way people know when a term paper is plagiarized.

There are significant tells in most reviews that give away the actual author. We also take into account things like the age of the user (that is, how long ago did they create their account), what their other actions were, where they logged in from, what their digital footprint is, what their email is, etc etc. Then we compare that to all the other reviews made for that plugin and for other plugins and themes around the same time.

Or, as we tell people, we have a complex set of heuristics, as well as researchers who are experts with tracking down users.

Why can’t you provide details?

Two reasons which sum up as privacy and security.

First, the more we let on about exactly how we do this, the more people will learn about how to get around them. It’s like spam. The more spammers know about how they’re caught, the more they work to get around those limits.

Second, and this is more important, some of that information is private. Telling people exactly who did the bad thing, how we know, and sharing IPs and emails, is a privacy violation. It would run afoul of GDPR related laws, which by the way is also the case in some states in the US (like California).

I reported a review/account as fake, why did someone tell me it wasn’t?

Because it wasn’t.

The majority of reviews reported as ‘fake’ come from developers reporting a brand new user whose only post in the forums is a negative review on their product.

This does not mean the account is fake. It doesn’t even mean the review is invalid. It means someone was angry enough to make an account and leave a review. That’s a pretty painful thing to get, I know, but just because someone doesn’t like your work doesn’t mean they or their comment is invalid.

We use our tools to check on the account and will remove anything that we can prove is fake, but a lot of the time it’s really just angry users.

I heard you track VPN usage, is that true?

No, we don’t track VPN usage, but we do take it’s use into consideration.

There’s nothing wrong with using a VPN. I’m writing this post on one. What’s wrong is people using VPNs to get around things like bans or to hide their accounts. That’s why flagging the use of a VPN (and which specific VPN it is) is a part of our process, but it’s not the ultimate be-all and end-all of things.

Keep in mind, there are certain VPNs utilized heavily by malicious actors. Some specifically exist to be used to generate fake reviews. If your company is using a VPN, make sure it’s a legit one (not one of those free, fly by night, ones).

What happens if my plugin is flagged for fake reviews?

First of all, you’ll get a warning. In general this is how everyone finds out about being flagged. We will make a note in your plugin as well as on the accounts used.

In that warning email, you will be told why you got flagged, that we saw the reviews and they’ve been removed, and that all suspect accounts have been suspended. We have read-receipts on our emails, so we know if/when someone read it. That means the situation persists, and no one read the email, we will close your plugins to force you to pay attention. If it keeps happening after that, you will find your plugins and account closed.

The email also explains that all we want is for the fake reviews to stop. Mistakes happen, please don’t do it again.

Why did some of my reviews vanish and I wasn’t warned?

That means either you noticed before you got the email or (more common) we figured out someone else was trying to frame you. We usually don’t tell you so as not to scare you. Removing invalid reviews is a regular occurrence for every single review-platform, and if we told you every time we removed a spam or fake review, you’d get real tired of it real fast.

Some valid reviews were removed, how do I get them back?

In most cases, you won’t.

We know that the reviews appear valid to you, but we can see things you cannot. Just for an example, a real user of yours wouldn’t use a VPN from Russia and a disposable email address to leave that glowing review which is identical to another review also left from Canada and a different VPN at the same time. Also some users think it’s a great idea to make fake accounts to promote you. We have no idea why they think that, but we will remove those and the user will be banned, so all their reviews become invalid.

There’s also a common trend where companies make reviews for people. They get a good testimonial and make a review using that. Sounds smart, but it’s still spamming.

What do I do if I get warned for fake reviews and I know I didn’t do it?

As horrible as this sounds… Are you sure? Double check. Do you work with anyone else? Do you share a co-working place with others? Do you and your company all use the same VPN? Did you ask a bunch of people at an in-person event to leave a review? Did your spouse tell you how cool your plugin was and leave a review? All those things can set up warning flags because they mimic suspicious actions.

If any of those sound familiar, fess up. Just tell us “Hey, I’m sorry, I asked my coworkers/spouse/family to leave reviews. I didn’t realize how that looks.”

If you’re still certain you didn’t do it, just tell us. “I don’t work with anyone else, and I know I didn’t do this.” We’ll check again. It’s possible that someone’s trying to attack you, and while we make every effort to be as certain as we can be that it’s not that, we’re not perfect any more than you.

We are very well aware how painful and scary the email is, and we’ve worked on the language to try and make sure it’s less so.

I got warned for fake reviews and it was my fault. Now what?

Apologize and don’t do it again. Seriously, that’s it. Mistakes happen, and it’s okay if you make one. Just don’t repeat it. We absolutely, totally, forgive honest mistakes.

We do remind you to make sure everyone who works with you on the plugin knows this. You are responsible for the actions your employees/coworkers/etc take on your behalf. If they spam, you are on the hook for their actions. Usually we see repeat infractions come from that.

I got emailed that one of my support reps was banned for fake reviews. Can I help them resolve this?

In most cases, yes. However you will be asked to formally take responsibility for all of that person’s actions on WordPress.org for as long as they represent your company. That means everything they do is your responsibility and if they violate any guidelines, you will be on the hook for that infraction.

In some cases, the person is permanently banned and that generally means it’s related to previous guideline issues. If that is the case, we will explain that, under no circumstances, are you to help this person regain access. We recognize that sometimes employees or staff go rogue, and we are attempting to insulate your from their behavior.

How can I be sure I won’t be accidentally flagged for fake reviews?

Glad you asked! Besides the obvious (don’t hire people to boost your review rating), you should be aware of the following:

  • Don’t ask people you work with (either the same company or share a coworking space) to leave reviews
  • Don’t ask people to leave a review in your physical presence
  • Don’t ask your family/friends to leave reviews
  • Don’t offer people a ‘reward’ for reviews (that’s bribery)
  • Don’t make accounts for people to leave reviews
  • Don’t require a review for anything (i.e. ‘You get a free X if you leave a review!’)
  • Use only reputable VPN services (if it’s free, don’t use them)
  • Make sure every person you work with, who uses the WP.org forums, has their OWN account

How do I get more valid reviews?

You can (and should) ask your users! Put a notice on your plugin settings page. Make a dismissable alert that asks people to review. Post on Twitter or your website. But really? It’s down to asking your users in a kind, and non spammy, way. Those people will leave the reviews you need.

Why I shouldn’t ask people I know to leave reviews?

I understand why people get confused about this one. Asking people for reviews is fine, but then to say asking people you know isn’t? Yeah that sounds weird. But the crux is to think about what a review is for in the first place.

A review is someone’s experience with your plugin. For good or ill, it’s them using the plugin and sharing their story.

If you’re asking people to leave reviews to learn about what they do and don’t like about your plugin, then there’s no point to asking folks you know since you can just … ask them. In turn, they can just tell you to your face how they feel. Also they’re generally more inclined to leave good reviews, though I will admit we’ve seen someone leave a 1-star review for their spouse.

Interestingly, that review was invalid, as the review was a personal attack on the developer.

Questions? Concerns?

Have a shout.

#guidelines, #reminder, #reviews