WordPress.org is officially dead
I mean as a platform for independent themes and plugins. You won't find any professional plugin or theme there anymore.
By professional themes and plugins I mean those that made from professional webmasters who want to somehow insert HTML, CSS, JavaScript and PHP code into their WordPress posts, sites (e.g. sidebar, footer, header) etc. This is officially forbidden now and I've got an official confirmation on that. You may say: "that couldn't be true, because there is a ton of plugins like PHP anywhere are freely hosted at wordpress.org". Yes, they are. But not for a long time, so make sure to download them while they are not removed or not castrated on their functionality. Here is a quote from the official email, that explains the new WordPress.org policy on 3rd-party themes and plugins: Quote:
|
Time to fork WordPress?
|
nope :1orglaugh:1orglaugh:1orglaugh
|
Seems reasonable to me; unless I'm missing something.
A post made by a random user should not contain any HTML/CSS/JS/PHP. Security "101", it seems. :2 cents: |
"What is HTML, CSS, JavaScript and PHP?:helpme" - 99% of WP users
|
Quote:
I have submitted this plugin: https://www.wpadinserter.com/ - read its documentation. It's just an ad inserting plugin (a quote): "The plugin works with all existing WordPress themes and supports all types of ads. Use any types of ads like including banners, popups, AdSense codes etc. Mix HTML, JavaScript and PHP in any manner." They said they don't accept those anymore, because some WP user may enter a wrong code, which will break his site or let other people hack it. I asked how my ad plugin will work, if the site owner won't be able to use Google or Amazon ads that obviously contain HTML/CSS/JS? The answer I've got: Quote:
P.S. How visitors may add something to a 3rd-party site? Only in comments, IMHO. How could it be related to a plugin? ... A WordPress user - a person that uses WordPress engine at his site. A visitor - a random person who visits that site. |
Quote:
But yeah, I agree, even "banning" stuff like custom css or plain html to be inserted through plugins doesn't make much sense. Seems like they really want to put the focus back on being "the" blogging CMS for the "non-technical" audience. And to be honest, I don't really understand why anyone with technical skills would pick Wordpress over a much more lightweight, custom code anyway. |
Also, those that are looking to install plugins such as "include PHP" or whatever, likely won't have any issues with manually downloading and uploading a zip file to their WP dashboard anyway.
In a way, I think it's just them saying - you can install plugins from a third party server but "use at your own risk". Now it's no longer their fault when some popular plugin turns out to have an exploit (which they already deemed "risky"). I think they just want to keep the Wordpress core as secure as possible for the average user and get rid of anything that, even if it's slightly, could potentially cause some sort of risk. |
Quote:
Quote:
Then you can sanitize that ID, and safely insert the ID into the rest of the banner code. Perhaps I'm wrong but it looks as if they only disallow end-users to insert any code themselves (probably due to security risk when there's an exploit, as anyone would now be able to insert any evil javascript or PHP code he wants). However, when you only allow the user to insert his partner ID through a form, the plugin can first sanitize that input (the partner ID), before including it into the final code (non-editable) and finally embed the output on page, thus eliminating the risk of "evil code".

For example, a form where users can submit:
- an affiliate url
- the link to media file (for the banner)

I think, would be totally fine, because you can then sanitize and validate both user inputs, before including them into the final <a href='USER INPUT 1'><img src='USER INPUT 2'></a> code, which then gets injected on page etc.

Might not be what you were trying to build exactly, but I kinda get it from a security standpoint. I mean, what if the user ends up using your plugin (allowing code to be inserted without sanitizing it) in combination with some sort of heavily outdated theme, full of XSS holes? |
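The approach described in the post above, as an added example that is not part of the thread or of the plugin's code: plain PHP that validates an affiliate URL and a banner image URL, then escapes both into a fixed, non-editable template. The function names, the allowed extension list and the sample URLs are assumptions; inside WordPress, `esc_url()` and `esc_attr()` would do the output escaping.

```php
<?php
// Added example (not from the thread). Plain PHP so it runs without WordPress;
// in a plugin, esc_url() and esc_attr() would do the output escaping.

/** Return the URL if it is an absolute http(s) URL with a host, else null. */
function validate_http_url(string $input): ?string
{
    $url = trim($input);
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    $parts  = parse_url($url);
    $scheme = strtolower($parts['scheme'] ?? '');
    if (!in_array($scheme, ['http', 'https'], true) || empty($parts['host'])) {
        return null; // drops javascript:, data:, file: and similar schemes
    }
    return $url;
}

/** Assumption: banners are images, so the path must end in a known extension. */
function validate_banner_image(string $input): ?string
{
    $url = validate_http_url($input);
    $ext = strtolower(pathinfo((string) parse_url((string) $url, PHP_URL_PATH), PATHINFO_EXTENSION));
    return ($url !== null && in_array($ext, ['png', 'jpg', 'jpeg', 'gif', 'webp'], true)) ? $url : null;
}

/** Build the fixed banner markup; the user supplies values, never markup. */
function render_banner(string $affiliateUrl, string $imageUrl): ?string
{
    $href = validate_http_url($affiliateUrl);
    $src  = validate_banner_image($imageUrl);
    if ($href === null || $src === null) {
        return null; // refuse to render rather than guess at a repair
    }
    // Escape for a quoted attribute: ENT_QUOTES covers both ' and ".
    $h = fn(string $v): string => htmlspecialchars($v, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<a href='" . $h($href) . "'><img src='" . $h($src) . "'></a>";
}

// Constructed sample inputs; example.com and example.net are placeholders.
$samples = [
    ['https://example.com/?partner=1234&src=blog', 'https://example.net/banner.png'],
    ['javascript://example.com/%0Aalert(1)', 'https://example.net/banner.png'],
    ["https://example.com/?p='onmouseover='x", 'https://example.net/banner.png'],
];
foreach ($samples as [$link, $image]) {
    echo render_banner($link, $image) ?? '[rejected]', PHP_EOL;
}
```

Validation and escaping do different jobs here: the scheme check stops script-bearing URLs, while the attribute escaping keeps any quote character that survives validation from closing the `href` or `src` attribute.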
Quote:
I don't want to release useless nonsense. I want to release a quality product and it will be released. At my own site. For free. |
I ended up publishing my plugin here: https://www.wpadinserter.com/
Download it, try it and let me know if you find any bugs (they should be there :) and I am always open to any suggestions. |
Quote:
From what I understand, Wordpress is trying to tighten security around themes and plugins by not allowing end-users the option to add their own code. I assume this is because it's the most common form of attack Wordpress experiences. I'm not saying it's a good move on their part. I don't agree with their decision. This is what I assume their intention is. |