WordPress Plugin Directory’s New Search Algorithm Still Failing To Show Plugin When Searched For By Its Name

Earlier this week the refreshed version of the Plugin Directory section of wordpress.org went live. One of the touted features of it is an improved search algorithm, but the new algorithm clearly still needs some work as it still is having problems showing plugins when they are searched for by name.

While that used to be the case for one of our plugins, changes made during the open beta fixed that. Unfortunately it isn’t the case for another plugin we happened to be doing a search for the other day, BuddyPress Docs.

Here are the first page of results:

It doesn’t show up there and a lot of results don’t look like they could be considered more relevant for the query.

The plugin finally shows up more than half way through the second page of results (22 plugins in all are shown before it):

The New WordPress Plugin Directory Gives Prominent Placement to False Claims About Plugins

If you visit a page on the WordPress Plugin Directory currently there is a message asking you to “Test out the new Plugin Directory and let us know what you think.”. The new Plugin Directory still seems to be a work in progress, for example, until very recently if you did a search for our plugin “Plugin Vulnerabilities” by its name it wouldn’t show up on the first page of results (the rest of the results didn’t look relevant either). What looks to be a more permanent change with new version is that reviews of plugins will be featured prominently on the main page for each plugin. That could be useful, but also allows for inaccurate or outright false information to receive prominent placement.

Reviews do not always provide useful information, for example with security plugins what we see is that there are a lot of claims made about the supposed security that they provide that don’t appear to be based on actual evidence. It looks like the testing we have done over at our Plugin Vulnerabilities service is just about the only time anyone has actually tested to see if they provide any protection against real world threats. The results of that has been that most of them provide no protection against any of the vulnerabilities tested and the ones that provided any protection were almost always easily bypassable (that may be in why providers focus so much on making up threats and then claiming they protect against them).

While inaccurate positive reviews are problematic, something else we looked at recently over at blog for the Plugin Vulnerabilities has the potential be much troubling when giving such prominently placement, baseless claims that plugins contain exploits that lead to website being hacked. With both plugins we discussed not only was there no evidence provided to support the claim, but when we looked over the plugins we didn’t find code that even look to have the possibility of allowing the claimed exploit.

Unfortunately in the new Plugin Directory both plugins currently have those claims prominently on the main page for the plugin:

In both cases we left replies mentioning that we didn’t find anything that looks like it could have allowed this, so adding a mention that there are replies to the review might improve this bad situation to some extent.

WordPress.org Support Forum Disappearing Our Replies

As part of the work we do for our Plugin Vulnerabilities service we monitor the WordPress.org support forum for threads about security issues in plugins, to help make sure that we can provide the best data on plugin vulnerabilities to our customers. That also causes us to run across an assortment of related topics. When we can provide some insight we also will reply to threads we run acrros. In the past few days we have been finding some of our recent replies have started to disappear (if you were to go to the relevant threads you wouldn’t even known they had been there) without explanation. We really don’t know why that might be, the more concerning possibility is that they didn’t like that in one thread we had corrected some inaccurate information in regards to the state of handling of plugin vulnerabilities by the Plugin Directory, but since there is no explanation we have no idea what the cause iss. These disappearance don’t just impact us, it has also caused others to be left without useful information.

Take for instances a thread we responded to yesterday. Someone started a thread looking for help identifying an arbitrary file upload vulnerability in some software running on their website. Seeing as arbitrary file upload vulnerabilities are probably the most serious vulnerability out there in plugins, since it is the most likely to be exploited of commonly found vulnerabilities, we thought it would be a good idea to see if we could find any in the plugins they indicated they were using since we would want to make sure that is in the data our Plugin Vulnerabilities service. In checking over the plugins we couldn’t find any of that type of vulnerability.

While we were already looking over things we thought we might as well see if we could take a look at the Suffusion theme they were using as well. The theme used to be available on the wordpress.org Theme Directory, but was removed a month ago. Since it still remains in the underlying repository we were able to get a copy of the last version, 4.4.9, of that and found that was in all likely hood the source of the issue the original poster was having, as the AJAX accessible function suffusion_admin_upload_file() in the theme allows anyone logged to upload files through the WordPress function wp_handle_upload(). That function only allows certain types of files to be uploaded, so it wouldn’t be an arbitrary file upload vulnerability, but the logging included with their post showed that files that were uploaded are types that are allowed by that. Notably the logging included with the post did not show any .php files being uploaded, which is what an arbitrary file upload vulnerability would normally be used to upload. The request for doing the uploads through theme would be handled through a POST request to /wp-admin/admin-ajax.php, several of which are shown in the logging that was included in the post.

We posted reply explaining that and it then quickly disappeared. In the meantime the only other person that responded was a forum moderator, who was sending the original poster off in the wrong direction by telling them to contact their web host about server issues. None of the evidence provided looks to match a server issue to us, so we are not sure why they would suggest that. Making the whole thing more aggravating, after we had already posted what the actual cause was (and then having it disappear) the forum moderator posted that beyond what they told the person about focusing on a server issue, “There is little else anyone can say.”, which clearly isn’t true.

A Good Example of What is Wrong With The Management of the WordPress.org Plugin Directory

Through the work we do for our Plugin Vulnerabilities service we spend a lot of time on the Plugin Directory, dealing with issues in plugins on it (mostly security issues), and interacting with the people running it. Our experience is that things are not really handled well by the people running it. Something we ran across today seems like a good example of the poor state of the people managing it, which we thought would be good to share to help expose the bad state of things.

Since we have several plugins in the Plugin Directory, prior to the release of a new version of WordPress we get an email asking us to test our plugins with compatibility with the new version of WordPress and then update them to indicate they are compatible with the new version. Here is the email we got prior to 4.5 (the plugin listed as only being tested up to 3.6 is due to the fact that the plugin’s functionality was integrated into the next version of WordPress):

Hello, WhiteFirDesign!

WordPress 4.5 is scheduled to be released on April 12. Are your plugins ready?

After testing your plugins and ensuring compatibility, it only takes a few moments to change the readme “Tested up to:” value to 4.5. This information provides peace of mind to users and helps encourage them to update to the latest version.

Here are the current “tested” values for each of your plugins:

* https://wordpress.org/plugins/automatic-plugin-updates/ (tested up to 4.5)
* https://wordpress.org/plugins/https-updates/ (tested up to 3.6)
* https://wordpress.org/plugins/no-longer-in-directory/ (tested up to 4.4)
* https://wordpress.org/plugins/plugin-vulnerabilities/ (tested up to 4.5)

For each plugin that is compatible, you don’t need to release a new version — just change the stable version’s readme value.

Looking to get more familiar with 4.5? Check out this roundup post on the core development blog: https://make.wordpress.org/core/2016/03/30/wordpress-4-5-field-guide/

Thank you for all you do for the WordPress community, and we hope you will enjoy 4.5 as much as we do.
WordPress core contributors

So clearly the Plugin Directory wants people to be testing their plugins for compatibility and then updating the compatibility information.

Based on that you would think that the person described as the “WordPress.org Tech Dude”, who is involved in managing the Plugin Directory, would be setting an example by making sure to do that, but as we noticed today that isn’t the case. For one of their plugins PHP Code Widget, which has 100,000+ active installs, it is still only listed as being compatible up to WordPress 4.4. WordPress 4.5 was released in April and WordPress 4.6 getting closer to release, with the third beta released a week ago.

It isn’t a situation where the plugin is no longer supported, hasn’t been tested, or the developer just forgot to update the compatibility. As a couple of forum threads show, the developer is instead just refusing to update the compatibility listing. If that sounds strange to you, you are no alone, but that is inline with the type of attitude we have seen when dealing with those people.