David Pérez: Ensuring plugins security, encouraging growth

For David Pérez, technology makes businesses work smarter and get better results. This belief led him to become who he is now: the Chief Technology Officer at a marketing agency and a Plugin Reviewer on the WordPress Plugins team.

David has been a dedicated WordPress user since 2010. He’s also an active member of his local WordCamp community in Granada, Spain, serving as an organizer or speaker. Hostinger is proud to sponsor his WordPress contribution.

We had a chat with David’s teammate and Plugins Team Representative Paco Marchante about the team’s new dynamic after a leadership change. Now, let’s join David as he takes us to see the work of the WordPress plugin directory’s guardians, who tackle the challenges of reviewing the constant influx of new plugins!

Marketing meets machine

Although David studied marketing in school, his career has focused on technology. This unique combination has equipped him with the necessary skills to excel as both a marketing professional and a Plugin Reviewer.

“I always enjoy figuring out how to do certain things and the best way to do them,” David says. His technical skills are self-taught from programming courses and tutorials. The huge WordPress community has also been helping him to research and find solutions easily. “My transition to technical tasks was gradual,” he explains. “Over time, I found myself constantly programming and planning.”

David believes that his technical knowledge enriches his marketing work. “It’s not just about deciding what to do, but also knowing how to do it,” he asserts. Understanding the technical aspects of marketing and web development allows him to make more informed decisions and prioritize user experience.

From user to contributor

In 2009, David started creating websites and was looking for a content management system that didn’t require building everything from scratch. He explored some open-source CMSs but found their interfaces difficult to navigate. After a year, he discovered WordPress and found it to be easy to use and update, robust, and reliable. It has been his go-to website-building platform ever since.

He also fell in love with the community right away because of its collaborative nature and how easily he could connect with its key people. It inspired David to step up from just being a regular user to an active contributor.

Before joining the Plugins team, David contributed to various teams, including Polyglots and Community. He started his WordPress contribution by translating plugins, themes, and the WordPress core software and later ventured into creating internal plugins. His involvement in the community then extended to organizing WordCamps in Granada and the flagship WordCamps all around Europe.

In May 2023, David eventually joined the Plugins Review team and contributed to the Plugin Check plugin (PCP). This tool is a real game changer for the Plugins team, as it streamlines their work by involving plugin developers in the plugin-checking process.

Rolling with the Plugins team

David’s interest in the Plugins Team stems from his belief in the team’s key role in fostering a healthier WordPress ecosystem. “By ensuring the security and functionality of plugins, we’re contributing to the growth of the WordPress community,” he explains. His two biggest motivators are learning how to identify bad practices and helping developers make their plugins better.

David Perez having a discussion with fellow WordPress contributors from the Plugins team during Contributors Day

One of the primary challenges facing the Plugins Team is the sheer volume of plugins submitted for review. The team’s small size and the critical nature of the tasks make it difficult to scale. To address this, David and his teammates have focused on automating review processes. PCP was born out of this need for efficiency.

Before PCP came to life, Fran Torres – one of the Plugins Team Reps – was mainly focused on the team’s internal plugin checker tool. However, after recognizing recurring issues in plugin submissions, the team thought there should be a public tool that developers could use during the programming process.

Plugin Checker plugin in WordPress official plugin directory

By merging two existing plugins, one from the Core Performance team and one from the Plugins Team, they created a unified solution. The PCP has significantly improved the review process and is on track to be integrated into the plugin submission form, empowering developers to identify and address common security issues before submitting their plugins.

“Our idea is that this plugin can also be useful for other teams, as they work to create higher-quality plugins,” David says.

Behind the scenes of plugin reviews

Now, are you curious about the Plugins Team’s day-to-day tasks? Let’s take a look at their responsibilities:

  • Code review. Analyzing submitted plugins’ code to assess functionality and identify potential security vulnerabilities. Security is a top priority for the Plugins team.
  • Interface evaluation. Ensuring that plugin interfaces comply with community standards and provide a positive user experience.
  • Tool improvement. Proposing enhancements to internal tools for improved security detection and external tools like the PCP.
  • Community engagement. Participating in events to share knowledge and support developers.

Usually, the team reviews plugins in the order of submission, with one plugin typically handled entirely by one reviewer. However, if any concerns arise, the reviewer consults the team’s Slack channel so other team members can provide feedback to prevent issues.

Here’s the general workflow of a plugin review:

  1. When a new plugin is submitted, the reviewer verifies that it doesn’t infringe on any existing branding and that the relationship with the mentioned brand is clearly marked. They also assess plugin ownership using various indicators based on WordPress standards.
  2. The reviewer uses an internal tool to conduct thorough checks. This tool, which was provided upon joining the Plugins team, is being improved continuously based on review results and code analysis.
  3. After the tool generates a report, the reviewer compares it to the plugin code and provides suggestions for improvement. Each team member manually reviews all reports.
  4. After the plugin developers revise the plugin, the reviewer creates an SVN space for the developer and approves the plugin for publication.
  5. The reviewer then conducts a final review to evaluate the plugin’s interface and ensure it meets the established guidelines.

On average, a plugin developer can expect 3-4 revisions before the reviewer approves the plugin for the official WordPress Plugin Directory. Thanks to tools like the PCP, this process has become smoother.

David performed more than 4,000 reviews in 2024. This helped him identify common issues and sharpened his craft in safeguarding WordPress installations from cyberattacks.

Making gratifying contributions

David’s passion for WordPress fuels his ability to balance his day job, plugin reviews, and his own plugin development, WPAutoTranslate. “Since I love this work, I don’t mind thinking about how I would improve it in my free time, in addition to continuing to train myself,” he explains.

David Perez on stage during WordCamp Europe 2024 Torino, Italy

David thinks that WordCamps are where memorable moments are created. One of his most memorable experiences within the WordPress community was leading the Plugins Table at WordCamp Europe 2024’s Contributor Day in Torino. “I enjoy sharing knowledge. It feels good when your contribution helps many people,” he reminisces.

For those who aspire to join the Plugins team, David recommends contributing to the Plugin Check project. By reviewing code, suggesting ideas, and addressing issues, you can gain valuable experience and demonstrate your commitment to the WordPress community. Right now, you can only join the Plugins team when the team announces a call for applications, but getting actively involved in the Plugin Check project can boost your chances of getting in.

Author

Nadia Maya Ardiani

Maya is a Content Specialist and WordPress Contributor. With years of journalistic experience under her belt, her main goals are to help people understand complex processes in a simpler way, and tell the stories of people who thrive thanks to technology. When she’s not writing, you can find her watching sci-fi movies while eating ramen. Follow her on LinkedIn.