Draft Plugin Infraction/Vulnerability Process

Based on feedback in the plugin guidelines thread, I think a new page for the plugin guidelines section would be useful:

Plugins which are published in the directory, but are then found to have committed an infraction of the rules, or for which a security vulnerability is reported, will be subject to the following process:

  • The plugin developer will receive an email with details of the breach or vulnerability.
  • The developer will have 7 days to reply and/or update the plugin to correct the issue.
  • Failure to respond or correct the issue within 7 days will result in suspension of the plugin.

ClassicPress reserves the right to suspend a plugin with a serious vulnerability and/or security issue without prior notice to prevent users from downloading a vulnerable plugin.

Failure to have a working email address on your developer profile, meaning that messages from moderators are missed, will result in plugin suspension.

1 Like

Honestly, we should verify this every now and then. Every 6-12 months, when they log in to their developer account, we send a verification email. I wonder if we could even leverage the Forums bounce score to see whether we should email them a verification or not.

2 Likes

WP sends an email about upcoming releases, and any bounces from that get their plugins closed, because they have to be able to communicate with the author. It’s the best way they have to get their attention.

5 Likes

Didn’t know about that; that’s a great way to ensure emails are working. One suggestion I would add, if possible later down the road: we should ask developers to provide an alternate email address that’s different from the primary email address, to help with account recovery and serve as a backup contact method in the event the first email bounces. Bounces can happen for many reasons (soft bounces because the inbox is temporarily full, hard bounces because GoDaddy deleted the MX records, etc.). So instead of an immediate ban because of a bounce, we should send a bounce alert to the alternate email.

A little broader suggestion would be to allow developers to specify additional notification emails. Maybe multiple team members want to receive important notifications.

Suggestion for the future.

2 Likes