[wp-meta] [Making WordPress.org] #5868: Improve checks on non-viable plugin names to prevent abuse

Making WordPress.org noreply at wordpress.org
Tue Aug 17 20:36:51 UTC 2021

#5868: Improve checks on non-viable plugin names to prevent abuse
 Reporter:  Ipstenu           |      Owner:  (none)
     Type:  enhancement       |     Status:  new
 Priority:  normal            |  Milestone:
Component:  Plugin Directory  |   Keywords:
 Currently the plugin directory code has a very basic check for disallowed
 terms in plugin names, including a number of restricted terms as
 determined by trademark owners. This has the flaw of 'lumping together'
 reasons why a plugin name is not permitted, causing confusion to the

 This check ONLY happens on initial submission.

 The code is found in

 First we check for reserved slugs (aka permalinks that if used could break
 the .org system in weird ways):


 Then we check for trademarked terms (and this is where our trouble


 If you read down that list, you'll see we not only prohibit terms like
 'wordpress' but also 'wordpess' and 'wpress' and (sadly) 'wp-'

 This is due to people getting 'clever' when they receive the error
 messages and trying to work around the block.

 However. The additional reason we flag 'wp-' is that a high percentage of
 people use it and don't realize that they _can't_ use "WordPress" later on
 in their display name. So they'll submit "WP PluginName" and, after
 approval, change it to "WordPress PluginName" which is clearly not okay.
 This results in subsequent plugin closures due to valid trademark

 On the other hand, we don't block "wc-" and at least once a day we're
 forced to pend a plugin review to make it clear that they cannot use "WC"
 in lieu of WooCommerce in names, and please don't replace it.

 Both methods have flaws. Both methods result in people violating
 trademarks down the road. Neither actually seem to make a dent on people
 using trademarked logos in banners and icons, though that make be a lost

 The only real way to block the misuse once approved would be via SVN
 commit hooks, however there may not be an easy way to flag the allowed
 list (see
 handler.php#L522 for an example of how we check on submit).

 A possible middle ground would be to have a list of 'probably going to be
 abused' terms (like wp- or wc-) and change the automated 'your submission
 has been received' email (and the output on the page) to make it clear:

 "Your plugin begins with a term that can be commonly misused. Please
 remember that while the use of [term] is permitted in your plugin names,
 it should not be the FIRST term of your display name. If later on you
 change your plugin name to infringe on trademarks, your plugin will be
 closed without prior notice."

 (Needs work - I don't know that it's clear that 'if you make your plugin
 start with WordPress, you're gonna have a bad time' is what we mean...
 maybe an array of the slug term and the actual name we're trying to

 And that doesn't really touch on how to prevent abuse after approval :( We
 use SVN so that would need someone with amazing SVN chops to dig into.

 At this point, my brilliance fails me so I ask for help coming up with
 something that can stem the tide. My ultimate goal is to never have to
 close another plugin for trademark abuse again, because no one would
 violate them.

Ticket URL: <https://meta.trac.wordpress.org/ticket/5868>
Making WordPress.org <https://meta.trac.wordpress.org/>
Making WordPress.org

More information about the wp-meta mailing list