Making WordPress.org

Opened 5 weeks ago

#5937 new enhancement

Extend the possibility for leaving a plugin or theme review

Reported by: Clorith
Owned by:
Milestone:
Priority: normal
Component: General
Keywords:


Disclaimer: This is for sharing an extended idea, and is not an absolute solution, or implementation guide.

Now that we've got the formalities out of the way: currently, to write a review for a plugin or theme on WordPress.org, you need to create an account. This is fine, but since WordPress.org does not have SSO (Single Sign-On), it means users need yet another account, which is a barrier for many.

With the addition of Application Passwords, we could investigate other avenues to help plugin and theme authors encourage reviews of their solutions. There are pros and cons to this, of course, which I'll get back to shortly.

If an anonymous user goes to write a review, ask them for their WordPress website URL as well. When the review is submitted, it would then be possible to validate their site, _and_ that they have the plugin or theme installed, before leaving a review. After the validation is done, the token should be removed from WordPress.org, as there's no scenario where we would want to sit on potential access to who knows how many sites.

One drawback is that anyone leaving a negative review is unlikely to have the plugin or theme still installed; I think the contrast could be drawn that they'd then not have a problem making an account to share their disapproval in the first place.

Alternatively, the app password request could be used to authenticate against a website, grab their account e-mail, and use it as an avenue to create (and approve) their account with WordPress.org in as smooth a transition as possible.

Regardless of approach, it would need to pass through abuse detection of some form, like anything else. What options do we have to prevent abuse here? Anyone can spin up a WordPress site fairly easily these days, so what potential abuse do we envision, and how do we work against each of these?

This could be used to sign up under temporary emails we would normally filter out.
Any normal signup-flow precautions should be applied, as before.

Someone could spam reviews for plugins or themes via single-use sites.
Should we detect high activity on plugin or theme reviews/forums in the first place, to trigger a "slow down" or similar for ensuring nobody is being targeted? (Probably a different ticket, but a potential fix.)

Those were two quick thoughts to get the discussion rolling.
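The validation flow sketched in the ticket description, as an added example that is not part of the ticket or of WordPress.org's code: the reviewer is sent through core's authorize-application.php screen (WordPress 5.6+), the site redirects back with `site_url`, `user_login` and `password`, the verifier confirms the callback came from the claimed site over HTTPS, checks the plugins REST endpoint for the slug, and then revokes the Application Password whether or not the check passed. The helper names, the injected `fetch` transport and the `FakeSite` stand-in are assumptions made for illustration; the REST routes used are the ones core ships, but confirm them against the WordPress version you target.

```python
"""Added example: validate that a reviewer's site has a plugin installed via an Application
Password, then revoke the password so WordPress.org keeps no access. Helper names, the
fetch() transport and FakeSite are illustrative assumptions, not WordPress.org code."""
import base64
import json
import uuid
from urllib.parse import urlencode, urlsplit


def build_authorize_url(site_url, app_name, success_url, reject_url):
    """Link to core's authorize-application.php screen. On approval the site redirects to
    success_url with site_url, user_login and password as query parameters."""
    params = {"app_name": app_name, "app_id": str(uuid.uuid4()),
              "success_url": success_url, "reject_url": reject_url}
    return site_url.rstrip("/") + "/wp-admin/authorize-application.php?" + urlencode(params)


def _same_site(claimed, returned):
    a, b = urlsplit(claimed), urlsplit(returned)
    return (a.scheme, a.netloc.lower()) == (b.scheme, b.netloc.lower())


def revoke_current_password(fetch, base, headers):
    """Look up the password we were just given (introspect) and delete it."""
    status, body = fetch("GET", base + "/users/me/application-passwords/introspect", headers)
    if status == 200:
        current = json.loads(body)
        fetch("DELETE", base + "/users/me/application-passwords/" + current["uuid"], headers)


def verify_plugin_and_revoke(fetch, claimed_site, callback, plugin_slug):
    """True only if plugin_slug is installed on claimed_site. fetch(method, url, headers)
    returns (status, body_bytes). Once the password has been used it is always revoked."""
    if urlsplit(claimed_site).scheme != "https":
        return False  # core only offers application passwords over TLS; never send one in clear
    if not _same_site(claimed_site, callback["site_url"]):
        return False  # the approval must come from the site the reviewer claimed, nothing else
    base = claimed_site.rstrip("/") + "/wp-json/wp/v2"
    creds = f"{callback['user_login']}:{callback['password']}".encode()
    headers = {"Authorization": "Basic " + base64.b64encode(creds).decode()}
    try:
        # /plugins requires the activate_plugins capability; a 401/403 means "cannot verify"
        status, body = fetch("GET", base + "/plugins", headers)
        if status != 200:
            return False
        return any(p.get("plugin", "").split("/")[0] == plugin_slug for p in json.loads(body))
    finally:
        revoke_current_password(fetch, base, headers)


class FakeSite:
    """Constructed stand-in for a site's REST API so the example runs offline."""
    def __init__(self, plugins, password):
        self.plugins, self.password = plugins, password
        self.pw_uuid = str(uuid.uuid4())
        self.revoked = False

    def fetch(self, method, url, headers):
        expected = "Basic " + base64.b64encode(f"reviewer:{self.password}".encode()).decode()
        if self.revoked or headers.get("Authorization") != expected:
            return 401, b'{"code":"rest_not_logged_in"}'
        path = urlsplit(url).path
        if method == "GET" and path.endswith("/wp/v2/plugins"):
            return 200, json.dumps([{"plugin": p, "status": "active"} for p in self.plugins]).encode()
        if method == "GET" and path.endswith("/application-passwords/introspect"):
            return 200, json.dumps({"uuid": self.pw_uuid, "name": "WordPress.org review"}).encode()
        if method == "DELETE" and path.endswith("/application-passwords/" + self.pw_uuid):
            self.revoked = True
            return 200, b'{"deleted":true}'
        return 404, b'{"code":"rest_no_route"}'


if __name__ == "__main__":
    site = FakeSite(["akismet/akismet.php", "hello-dot-php/hello.php"], "abcd EFGH ijkl MNOP")
    cb = {"site_url": "https://example.com", "user_login": "reviewer",
          "password": "abcd EFGH ijkl MNOP"}  # constructed callback payload
    print(build_authorize_url("https://example.com", "WordPress.org review",
                              "https://wordpress.org/ok", "https://wordpress.org/no"))
    print("installed:", verify_plugin_and_revoke(site.fetch, "https://example.com", cb, "akismet"),
          "revoked:", site.revoked)
```

The `finally` is the point the ticket makes: a failed lookup, a wrong capability or an exception all still end with the password deleted, so the only window in which WordPress.org holds access is the single verification request. The site-match check matters too; without it, an approval from any site the attacker controls could be replayed against a URL they do not own.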

Change History (0)
