I believe the following should be disclosed by any developer who wishes to contribute code to an official repo:
I acknowledge that these items are often an essential part of plugin functionality.
However, I firmly believe in informed consent.
Before downloading and activating a plugin from an official repo, a potential user should be made aware of any of the following:
- Any new cron job being registered.
I found a plugin that offered invaluable functionality on the WordPress official repo.
However, upon reading the plugin code, it became apparent that the plugin registers a cron job which is scheduled to run automatically on a weekly basis and which sends specific information about the site to the plugin developer.
The user is provided with the option to opt out. However, even upon opt-out itself, certain information about the site is still being sent to the plugin developer.
This should actually be opt-in based on new privacy legislation.
Furthermore, the plugin description in the repo should contain information on exactly what information is collected and how it is used so potential users can make an informed choice BEFORE installing.
I have found another plugin in the official WordPress repo where a typical use case would result in sensitive customer data being available in machine readable format to search engines.
It is actually possible to take mitigating action for this typical use case, but the chances of a plugin user realizing that there is a potential problem in the first place are pretty much slim to none.
Even a security expert is likely to miss it, because it isn’t a clear case of “bad code” that is unescaped or whatever; the problem is that the typical use case will allow remote execution of a db query (which, due to the functional nature of the plugin, is highly likely to potentially contain highly sensitive customer data) without the site owner even being aware of the risk.
If a potential user’s attention is specifically drawn to each and every new cron job being registered, they can test it and take steps to make sure that the risks associated with it are in fact adequately mitigated.
I have found a number of plugins in the official WordPress repository that do this.
I firmly believe that any plugin should disclose to potential users BEFORE installation what information it is collecting about the site and the customers of the site so the site owner can make an informed privacy choice not to use it or take adequate mitigating steps.
- Any compulsory exit survey.
I have found more than one plugin in the official WordPress repository which contains compulsory exit surveys before the plugin can be deactivated.
That leaves nearly all users with two unappealing choices - either share site information with the plugin developer so you can get rid of a plugin that you don’t want, or find and clean up any changes the plugin made to your db.