WordPress Enforces Plugin Check and 2FA for New Plugin Submissions


Security Review Lead Chris Christoff has announced two new changes for the WordPress Plugin Directory, effective from October 1, 2024. These changes aim to enhance plugin directory security and promote best practices among plugin developers.

Mandatory Two-Factor Authentication

As of October 1, 2024, all plugin owners and committers must enable Two-Factor Authentication (2FA) to submit new plugins to the WordPress Plugin Directory. This change was announced by Automattic-sponsored developer Dion Hulse last month.

Plugin owners are encouraged to enable 2FA, review committers’ access levels, and use additional security features like the SVN password option and Release Confirmation. Detailed guides on Configuring Two-Factor Authentication and Keeping Your Plugin Committer Accounts Secure are also available.

Plugin Check Tool

From now on, any new plugin submitted to the Plugin Directory will first go through a pre-submission check using the Plugin Check tool. If any errors are found, the submission will be blocked until they are fixed.

This new step aims to reduce the review queue by enabling plugin authors to catch common issues before submitting their plugins for manual review. Plugin Check helps by identifying frequent issues, such as mismatched versions between the plugin header and the readme.txt file, incorrect text domains, and erroneous “Tested To” values in the readme. Although Plugin Check adds a layer of automation, it will not replace the manual review of plugins.
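To make the kind of pre-submission checks described above concrete, here is a small stand-alone checker. It is an added example written for this post, not the Plugin Check tool's own code, and it reproduces three of the issues listed: a plugin-header `Version` that disagrees with the readme `Stable tag`, a `Text Domain` that does not match the domain passed to the internationalization functions, and a malformed or implausibly new `Tested up to` value. The plugin source, the `readme.txt` contents and the `LATEST_WP` constant are all constructed for the example.

```python
"""Stand-alone pre-submission sanity check for a WordPress plugin.

Added example, not the WordPress.org Plugin Check tool. It covers three of the
checks mentioned in the article: plugin-header Version vs. readme Stable tag,
text-domain consistency, and the readme "Tested up to" value.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample plugin file. It deliberately contains every defect the checker flags.
PLUGIN_PHP = """<?php
/**
 * Plugin Name: Example Widget
 * Text Domain: example-widget
 * Version: 1.2.0
 */
add_action('init', function () {
    $msg = __('Hello', 'examplewidget'); // text domain does not match the header
});
"""

# Constructed sample readme.txt.
README_TXT = """=== Example Widget ===
Requires at least: 6.0
Tested up to: 9.9
Stable tag: 1.1.0
"""

# Assumption (placeholder): the newest WordPress release at the time the check runs.
LATEST_WP = "6.6"

# Translation functions whose *second* argument is the text domain. _x() and _n()
# take the domain in a later position and are intentionally not matched here.
I18N_CALL = re.compile(r"\b(?:__|_e|esc_html__|esc_attr__|esc_html_e|esc_attr_e)\("
                       r"\s*'[^']*'\s*,\s*'([^']*)'")


def parse_fields(src: str, keys: Tuple[str, ...]) -> Dict[str, str]:
    """Extract 'Key: value' lines from a plugin header block or a readme.txt."""
    found = {}
    for key in keys:
        # Optional leading '*' so the same regex handles the PHP doc-comment header.
        m = re.search(rf"^\s*\*?\s*{re.escape(key)}:\s*(.+?)\s*$", src, re.M | re.I)
        if m:
            found[key] = m.group(1)
    return found


def version_tuple(v: str) -> Tuple[int, ...]:
    """'1.2.0' -> (1, 2); trailing zeros are dropped so 1.2 and 1.2.0 compare equal."""
    parts = [int(p) for p in re.findall(r"\d+", v)]
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def check_plugin(plugin_src: str, readme_src: str, latest_wp: str = LATEST_WP) -> List[str]:
    """Return a list of blocking errors; an empty list means the checks passed."""
    errors: List[str] = []
    header = parse_fields(plugin_src, ("Plugin Name", "Text Domain", "Version"))
    readme = parse_fields(readme_src, ("Stable tag", "Tested up to", "Requires at least"))

    for key, src in (("Version", header), ("Text Domain", header),
                     ("Stable tag", readme), ("Tested up to", readme)):
        if key not in src:
            errors.append(f"missing field: {key}")

    # 1. Plugin header version must match the readme stable tag.
    if "Version" in header and "Stable tag" in readme:
        if readme["Stable tag"].lower() == "trunk":
            errors.append("Stable tag is 'trunk'; use the released version number")
        elif version_tuple(header["Version"]) != version_tuple(readme["Stable tag"]):
            errors.append(f"Version {header['Version']} in plugin header does not match "
                          f"Stable tag {readme['Stable tag']} in readme.txt")

    # 2. "Tested up to" must be a well-formed WordPress version no newer than the latest release.
    if "Tested up to" in readme:
        tested = readme["Tested up to"]
        if not re.fullmatch(r"\d+\.\d+(\.\d+)?", tested):
            errors.append(f"malformed 'Tested up to' value: {tested!r}")
        elif version_tuple(tested) > version_tuple(latest_wp):
            errors.append(f"'Tested up to: {tested}' is newer than the latest WordPress release {latest_wp}")

    # 3. Every translation call must use the text domain declared in the header.
    if "Text Domain" in header:
        domain = header["Text Domain"]
        for m in I18N_CALL.finditer(plugin_src):
            if m.group(1) != domain:
                errors.append(f"text domain {m.group(1)!r} at offset {m.start()} "
                              f"does not match header 'Text Domain: {domain}'")
    return errors


if __name__ == "__main__":
    for e in check_plugin(PLUGIN_PHP, README_TXT):
        print("ERROR:", e)
```

Run against the constructed files, the script reports three errors (version mismatch, text-domain mismatch, and a `Tested up to` value newer than the assumed latest release); fixing those three fields makes it return an empty list. Blocking on `check_plugin()` returning anything in a pre-commit hook or CI job is the "part of the development workflow" idea the Plugin Review Team describes.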

David Perez from the Plugin Review Team recommended making Plugin Check a part of the development workflow as “In addition to things relevant for the review process, the tool flags violations or concerns around plugin development best practices, from basic requirements like correct usage of internationalization functions to accessibility, performance, and security best practices. It does so using both static checks using PHP_CodeSniffer and dynamic checks, where it actually activates your plugin to test it “live”.”

