Plugin review team representative Mika Epstein announced changes for officially-recognized featured and beta plugins last Friday. Under the new rule, plugin owners will no longer be able to directly change ownership to someone else or add/remove commit access. The purpose is to prevent bad actors from pushing malicious code or premium upsells.
Plugin owners can still manually add and remove support reps for their plugins in the directory. However, they must email the plugin review team to change ownership or commit access.
Epstein wrote in the announcement:
This change was made due to the high profile nature of those plugins, and the potential for abuse if a plugin is given to someone who turns out to be malicious. We hope that it will prevent issues like a featured plugin being turned into a premium-upsell plugin.
The behind-the-scenes details were left out of the post. Presumably, the plugin review team would double-check requested changes or block them if something seemed awry.
Featured plugins via WordPress admin.
Active installs range from a few dozen to over 5 million for the two groups. However, the number does not matter, as pointed out by Epstein in the announcement. “If a 2-user plugin is made a Featured Plugin, then it will have this limitation.”
There are nine featured and 15 beta plugins. Many of the latter have low install counts, and some have not been updated for over half a decade. Some house cleaning is likely in order.
The limited number of featured plugins is not likely in any danger of changing hands. Most are owned by the WordPress project itself or Automattic.
The announcement almost feels like much has not changed. However, the assurance that bad actors have more hurdles to jump when acquiring featured and beta plugins is welcome.
The real danger with ownership changes lies with the other 59,000+ plugins in the directory. They have no such added protections.
Nearly a year ago, I started receiving reports that the Dark Mode plugin seemed to be doing something fishy. Once a proposed featured plugin, it went from being a simple tool for switching the WordPress admin color scheme to a copy of the premium Iceberg editor project.
This new rule change would not have gone into effect for Dark Mode had it existed a year ago. It never made it to the officially-sanctioned point of becoming a featured or beta plugin.
There is a 17-month-old ticket for notifying users of ownership changes, but there are limits to what is possible with such a system. For example, a company acquisition would not necessarily reflect changes on WordPress.org.
There have been clear and documented cases of developers and agencies acquiring a plugin and repurposing it. Dark Mode had only a few thousand users when new owners changed it. In the case of WP User Avatar, many of its 400,000 users had to deal with the aftermath of an overnight switch to a full-fledge membership solution. I have little doubt that the plugin review team catches cases of a more malicious nature.
It would be a management nightmare for the plugin review team to require manual approval every time a plugin owner decided to update the committers list. However, changing this for featured and beta plugins is at least a step in the right direction.