[wp-trac] [WordPress Trac] #63304: Proposal: Permission-Based Access Control for Plugins in WordPress Core
WordPress Trac
noreply at wordpress.org
Sun Apr 20 12:33:18 UTC 2025
#63304: Proposal: Permission-Based Access Control for Plugins in WordPress Core
-----------------------------+------------------------------
Reporter: matinlk | Owner: (none)
Type: feature request | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Plugins | Version:
Severity: normal | Resolution:
Keywords: | Focuses:
-----------------------------+------------------------------
Comment (by SirLouen):
Replying to [ticket:63304 matinlk]:
> Dear WordPress Core Team,
>
> I hope you're doing well.
>
> I’d like to propose a new feature for WordPress core that I believe
> would significantly enhance the platform’s overall security and
> transparency—especially in the context of third-party plugin management.
I find it pretty great; the problem is that it's seriously challenging to
make this, if not impossible. The main difference is that plugins operate
completely independently of the WordPress core. They are entirely
separate apps, contrary to an app in, say, Android or iOS, where they
control the underlying system. Nothing can inhibit a plugin from using a
pure PHP function (at most a wp-equivalent function, but still this could
be easily bypassed).
So technically, this feature is not feasible without rebuilding some sort
of underlying system for plugins. And still, I'm almost confident that
this is not possible.
But there could be a trust-based permission system, where plugin creators
declare their permission intentions and these are listed. This could only
rely on a full trust basis and, at most, some mod review (although I'm
1000% sure that the Plugin Team will be completely against this).
Another idea that comes to my mind is something similar to WP Tide, a full
plugin automated reviewer checking for certain PHP function uses. Again,
very challenging, but this is more feasible.
Replying to [comment:1 ayeshrajans]:
> Wow this has to be the most obvious LLM-worded ticket description.
Yes, 50/50 I would say, but not worse than the whole fricking series of PRs
that plenty of contributors are sending lately (in particular for unit
testing; it hurts my liver, especially when I have to review it).
--
Ticket URL: <https://core.trac.wordpress.org/ticket/63304#comment:2>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
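The two ideas the comment floats, a declared-permission manifest and an automated reviewer that checks which PHP functions a plugin calls, combined as an added PHP example (not from the ticket, WordPress core or WP Tide); the manifest format, PERMISSION_MAP and the category names are assumptions:

```php
<?php
// Added example (not from the ticket or WordPress core): a declared-permission manifest
// (hypothetical "permissions.json") checked by a token-based scanner that lists the plain
// function calls in a plugin and reports permission categories the manifest omits.
// PERMISSION_MAP and the category names are assumptions, kept deliberately small.
const PERMISSION_MAP = [
    'filesystem' => ['file_put_contents', 'fopen', 'unlink', 'wp_filesystem'],
    'network'    => ['curl_exec', 'wp_remote_get', 'wp_remote_post', 'fsockopen'],
    'exec'       => ['exec', 'shell_exec', 'system', 'passthru', 'proc_open'],
    'eval'       => ['eval', 'create_function'],
];

/** Lower-cased names of plain calls (identifier followed by "(") in a PHP source string. */
function called_functions(string $source): array {
    $tokens = token_get_all($source);
    $count  = count($tokens);
    $names  = [];
    for ($i = 0; $i < $count; $i++) {
        $t = $tokens[$i];
        if (!is_array($t)) { continue; }
        if ($t[0] === T_EVAL) { $names['eval'] = true; continue; } // eval is a construct, not T_STRING
        if ($t[0] !== T_STRING) { continue; }
        $j = $i + 1; // skip whitespace between the name and a possible "("
        while ($j < $count && is_array($tokens[$j]) && $tokens[$j][0] === T_WHITESPACE) { $j++; }
        if ($j < $count && $tokens[$j] === '(') { $names[strtolower($t[1])] = true; }
    }
    return array_keys($names);
}

/** ['category' => [functions seen]] for every category the code uses but the manifest does not declare. */
function undeclared_permissions(array $manifest, string $source): array {
    $calls    = called_functions($source);
    $declared = array_map('strtolower', $manifest['permissions'] ?? []);
    $missing  = [];
    foreach (PERMISSION_MAP as $perm => $functions) {
        $hits = array_values(array_intersect($functions, $calls));
        if ($hits && !in_array($perm, $declared, true)) { $missing[$perm] = $hits; }
    }
    return $missing;
}

// Constructed sample: the manifest declares only "network", but the code also writes a file and shells out.
$manifest = json_decode('{"name": "demo-plugin", "permissions": ["network"]}', true);
$plugin   = <<<'PHP'
<?php
function demo_sync() {
    $r = wp_remote_get('https://example.com/feed');
    file_put_contents(WP_CONTENT_DIR . '/cache.txt', wp_remote_retrieve_body($r));
    shell_exec('ls');
}
PHP;
print_r(undeclared_permissions($manifest, $plugin));
```

As the comment itself notes, this is a review aid, not an enforcement boundary: a plugin can reach the same functionality through method calls, variable functions or other indirection the token scan does not follow.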