[wp-hackers] WordPress plugin inspections

Harry Metcalfe harry at dxw.com
Wed Feb 19 20:52:00 UTC 2014

Hi Chris,

I'm sorry you feel that way, and I can say categorically that we are not 
trying to hold anyone to ransom. I'll try to explain.

Going back a couple of years, our clients expected us to give them some 
sort of assessment of plugins before we suggested using them. For a 
while, we did this informally, and the results were very mixed. We found 
that sometimes we would miss things. There was no set of criteria that 
we applied, and we didn't record the results. This also led us to waste 
time by checking out the same problem twice.

To solve these problems, we decided have a list of things that we think 
are important (https://security.dxw.com/about/plugin-inspections/) and 
to record the results of inspections somewhere so we didn't duplicate 
work. We did this in private for a while but then thought that this was 
probably information that others might find useful. So, we decided to 
publish the results.

We have tried very hard to make sure that the results of these 
inspections, and our confidence in them, is obvious to people who read 
them. We've published the process. We've made sure it's clear that 
inspections deal with likelihoods, not certainties. We've said that 
people should always conduct their own checks. We've set out our terms 
of service prominently, which include contact information for anyone 
who'd like to tell us we're wrong. And we're totally happy (within 
reason) to revisit things if people do that.

I would very much like it if these inspections could be more thorough, 
but unfortunately, we're subject to the same commercial realities as 
everyone else. We care more about security than most of our clients. 
Most people are not willing to pay for security assurance work. 
Inspections are light-touch because we don't charge existing clients for 
them, and that's the only way we can make it economical.

I hope we can figure out some way to make some money out of this (hence 
those messages saying we can be commissioned) but so far, we haven't 
made a penny. We're just trying to make the outputs of something we do 
anyway useful to a wider group.

If you have feedback on practical ways we could do that better, I'd love 
to hear it.


On 19/02/2014 20:17, Chris Williams wrote:
> I certainly can't speak for others, but I would venture to say that your
> business model is evil at best.  You do fly-by character assassination
> (oops, I mean "light-touch inspections"), based on personal bias ("this
> plugin is large"), and then broadly publish the results as if they are
> somehow authoritative.  Worse yet, you then hold plugin developers at
> ransom for changing the review: "If you would like to commission us to
> inspect or review the latest version, please contact us."
> How this is of value to anyone, and how you sleep at night with this
> specious business model, is completely beyond me.
> On 2/19/14 10:43 AM, "Harry Metcalfe" <harry at dxw.com> wrote:
>> Hello list,
>> We write and publish light-touch inspections of WordPress plugins that
>> we do for our clients. They are just a guide - we conduct some basic
>> checks, not a thorough review.
>> Would plugins which fail this inspection be of general interest to the
>> list and therefore worth posting? Is the list also interested in
>> vulnerability advisories, or do people tend to get those elsewhere?
>> Here's an example report:
>> https://security.dxw.com/plugins/pods-custom-content-types-and-fields/
>> Grateful for a steer...
>> Harry
>> -- 
>> Harry Metcalfe
>> 07790 559 876
>> @harrym
>> _______________________________________________
>> wp-hackers mailing list
>> wp-hackers at lists.automattic.com
>> http://lists.automattic.com/mailman/listinfo/wp-hackers
> _______________________________________________
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-hackers

More information about the wp-hackers mailing list