WPTavern: WP-SpamShield Plugin Removed from WordPress.org, Author Plans to Pull All Plugins from the Directory
Two weeks ago, the author of WP-SPamShield and the author of the Plugin Organizer plugin exchanged contentious remarks in a support forum thread where each accused the other of targeting each others’ plugins. This resulted in both parties adding code that disabled the others’ plugins, and both were asked by the Plugin Team to remove the code.
WP-SpamShield’s author, Scott Allen, has published an account of his interactions with the Plugin Team with updates for users who are monitoring the status of the plugin. Although the team rarely discloses why a plugin was removed, representative Mika Epstein responded to Allen when he said he had not received an answer about what guideline the plugin had violated:
Sorry, I thought it was clear that it’s issues regarding the forum guidelines and rule #9:
Intentionally attempting to exploit loopholes in the guidelines.
To whit, you were asked to make a change and did so incompletely. If this was not intentional, then I apologize.
I’ve sent you a followup email, trying to clarify what we would accept as solutions to the issue (I came up with 3 options, but I’m open to hearing more).
I understand why you’re angry and we will respect any decision you make regarding this. Nothing that has happened thus far is insurmountable or permanent.
In the post Allen published, he said his experiences with the Plugin Team over the past 10 years have caused him to decide to move his plugins off of WordPress.org. When I contacted him to see if he plans to update his code according to the Plugin Team’s suggestions, he said he doesn’t agree with the solutions the team is offering, nor their assessment of the situation.
“They really were not solutions,” Allen said. “It was just rehashing the same issues we’d already discussed. Unfortunately, neither Otto nor Mika have the security expertise to be making the dictates they were making, so there were no realistic solutions.”
Allen also claimed that Epstein’s report about him making a change and it being incomplete was not accurate and that the Plugin Team did not seem to be on the same page:
We literally did exactly what they asked and made the changes. Two weeks ago Mika had emailed me and indicated things were good. (No code updates since then.) Then two weeks of silence, and then angry email from Otto out of the blue yesterday telling us it was booted. The issue he brought up was different code.
The two of them cannot make up their minds on what is acceptable, and what is not. The arbitrary removal was the last straw though. WordPress.org is the only venue that would do that. We repeatedly asked them what rule we broke, to no answer. Only after I called Mika out on the forum did she come up with something – Rule 9 – exploiting a loophole in the rules. Seriously? It’s impossible for developers to comply with rules that are constantly changing.
Allen confirmed that his team at Red Sand Media Group plans to pull all seven of its plugins from WordPress.org as the result of the incident but will continue maintaining and hosting them elsewhere.
“Developers cannot operate like that,” Allen said. “People depend on us. While it might hurt a bit in the short term, in the long term, we have to do it. There really need to be some major reforms to the way plugins are handled.”
WP-SpamShield was installed on more than 100,000 WordPress sites before it was removed. There is currently no standard way to notify users why a plugin was removed from the directory, but the original dispute between the WP-SpamShield and Plugin Organizer authors is public, as well as a few exchanges between Allen and the Plugin Team. Allen said he is still working out the details of how to notify users that his plugins will be hosted elsewhere from now on.
“We’ll come up with a good plan in the next few days,” he said. “Some people have been notified already because WordFence let them know yesterday that WPSS was removed. (They knew before I did.)”
Samuel “Otto” Wood said the Plugin Team is still willing to put Allen’s plugins back up if he removes the code in question and that the team is not offended by a plugin developer being angry over a decision. At this time Allen appears to be unwilling to comply with the team’s most recent requests.
In the meantime, users who know that WP-SpamShield was been removed are waiting to hear if they need to begin looking for a replacement. Allen said that users shouldn’t need to replace the plugin, since the it will continue to work as before. However, some users are not comfortable installing free plugins hosted outside of WordPress.org. Allen’s team is figuring out a plan for how they will deliver updates to the plugin and will post more information for users on the Red Sand Marketing blog.