On: 2009 / 09 / 29
Shorter URL for this post: http://ozh.in/oo

As you may know already (and if you don't, dude, follow me) I was one of the judges in the WordPress Plugin Competition held by Weblog Tools Collection.

The podium for this year's comp has been finally revealed so, as promised, I'm now publishing the 43 reviews of the 43 contestant plugins. Warning: this is going to be a long one.

*Mandatory* Must Read Disclaimer

Don't you dare read the review for your plugin if you skip this.

  • All the plugins were reviewed following the same procedure. Please read it if you haven't already.
  • I wrote all these reviews nearly 2 months ago. Some of them might be totally outdated, especially when I've contacted the plugin author after finding a critical security hole.
  • As a plugin coder at heart, the very first thing I have a look at when testing a plugin is: its code. Most of the time, my opinion is formed before I actually try the plugin within WordPress. The following are mostly, if not only, code reviews and thoughts.
  • As an experienced WordPress user, I have particular needs that plugins can cover, but sometimes a plugin just doesn’t ring any bell. It can be hard to express an opinion about a plugin that seems totally useless (when obviously it can be useful to others).
  • It’s not because I say “this sucks” that it actually sucks. What I mean is, “Me thinks that it sucks, but hey, who am I to judge, and there’s more than one way to do it”. Don’t get too upset if I say something sucks :)
  • All I know about WordPress coding, I learned from reading sources (WP and other plugins) and from others' advice. When I read about a plugin concept, I always ask myself “How would I do this?” and then have a look at the plugin. Sometimes my way is better, and sometimes I learn something valuable from the plugin because their way is smarter, shorter or simply better. Read sources.
  • I've probably been a bit severe. Most of the following comments or criticisms should easily apply to my own plugins, particularly the ones I wrote 3, 4 or 5 years ago. By no means am I the uber definitive authority on plugins. I’m just sharing ideas :)

Still with us? Cool! Go on reading then. The plugins are in semi alphabetical order. There's a lot of text. Good luck :)

Acts As Group

Plugin's page

This plugin is from Takayuki Miyoshi of Contact Form 7 fame (one of the most popular contact form plugins), and aims to provide an easy way of communication between groups of users of a WordPress (or, obviously, WordPress Mu) blog. You write short messages to a defined group of users, and all these users can read it and reply.

The plugin page has everything you can expect: detailed information, screenshots, download link, support link.

At first glance when opening the archive, this looks like a fairly good job. I like it when files are organized in separate folders, and selectively included when needed, which is the case here (except for install.php which is loaded no matter what, but that's no big deal). Code is clean and readable, there's no comment but everything has meaningful names so you can actually understand what's going on. Security seems to have been a concern for the coder: built-in functions are used to sanitize outputs, and whenever an SQL query accepts parameters, they're handled through $wpdb->prepare().

I would have liked the plugin to be more integrated in WordPress, with for instance a Dashboard widget, or a notification bar and a quick "post message" box on every page. Right now, having to go to a particular page of the admin area is too cumbersome for me, I'm sure I would quickly forget to check there for new messages.

A step further, the plugin could be extended to allow messaging *users* instead of a whole group to have a simple yet full featured internal communication platform.

All in all: good job, this is a plugin I'd like to see improved in the future.

Ajax Plugin Helper

Plugin's page

From experienced WP hacker Matt Martz, this plugin adds the ability to manage your plugins (activate, upgrade, delete, deactivate) without page refresh or leaving the "Manage plugins" page, thanks to handy Ajax popups.

Plugin page is fine: info, screenshots, FAQ, changelog, everything.

The code is cleanly wrapped into a class and heavily commented. All the Ajax work is handled by built-in functions and files such as admin-ajax.php which is a good point. All the needed JS bits are smartly inserted, just on the page where needed and nowhere else. The only improvement I would suggest would be to split this (short) single file plugin into a couple of files to make it so nothing is parsed when WP starts to display a blog post (public part), and load just a couple of lines when not displaying plugins.php.

Another worthy mention regarding the code is that this plugin provides great examples of all the API functions involved in plugin management. The Codex is great, but actual code is often better in my opinion to learn how functions work, and this plugin is enough to teach mostly everything a coder will need. In a word, this plugin is a sexy read in itself.

Integration in WordPress is just seamless and you never leave nor refresh the Manage Plugins page (for instance, on upgrading, no ugly page where every upgrading step is detailed), and a bonus "Ajax Upgrade All" button is a nice addition.

Everything looks fine, but still there are two problems with this plugin.

First, when you activate a broken plugin (borked code) the regular way, you get a message telling you that activation was impossible. An activation attempt via Ajax with this plugin just leaves you waiting for something to happen, the ajax image keeps spinning forever and you're never told something went wrong.

Second, when you activate a plugin the regular way, there's a page refresh so you can immediately see, for instance, a new menu. Ajax activation removes the page reload, so right after activating a plugin you can't see any new menu, unless you manually reload the page. The same kind of user confusion can take place upon deactivation, with a submenu that no longer exists still showing up.

The first problem is a blocker in my opinion, but there has to be a way to improve the plugin and deal with this. Function activate_plugin() attempts to activate a plugin within a "sandbox" and returns an error in case something goes moo, so it should be a good start for this matter.

The second problem is also probably fixable. I would do something like compare $menu and $submenu before and after activation, and if needed, inject via Javascript new menu entries in the menu.

All in all: sexy code, still immature plugin at the moment but if improved, this would be a keeper in my WordPress install.

AmR Personalise

Plugin's page

From the plugin's doc, "This plugin allows one to use shortcode type functionality in any email template or page or post, to extract stored details of the viewer or reader and use them to personalize the content.".

So, rephrased: On a page or a post, you can write [user] and this will be replaced with the actual name of the user if logged-in. The plugin also lets you mass-mail your blog registered users using the same shortcode syntax so instead of "Dear subscriber", I get an email with "Dear Ozh".

The plugin's page is fair, but I must admit I didn't see the download link at first because I thought it was a paragraph header.

The plugin's code is a bit messy, and "inconsistent" was the word which popped into my mind several times. The indenting is inconsistent (tabs + spaces of various length), the function naming is inconsistent (amr_stuff() and ap_stuff() are both used), the commenting style is inconsistent (comments before or after the function name), all this made reading the code a bit tedious. Also, plugin options are stored in separate DB entries instead of grouping them all in just one. On the plus side, there are comments, and needed CSS style is added only on the page where needed.

All in all: I must admit I mildly get the purpose of this plugin. It seems to me that customized user greeting can be more efficiently done with a variety of plugins such as WP Greet, and that there are much more efficient mass-mailing plugins, as the plugin author lists on her blog. I have not tried these plugins but I guess they allow more personalised fields than just [user].

AmR Users

Plugin's page

Yet another plugin by Anna-marie Redpath, which allows a blog admin to generate user lists and reports in a flexible way.

My comments regarding the plugin's page and code would be more or less the same. I'd add that the plugin is split in several smaller files, which is cool, but every file is always loaded even if viewing the public part of the blog, which is a waste of resources. I suggest conditionally loading parts if is_admin(), if viewing the plugin's admin page, etc… Also, the plugin page for reports definitely lacks CSS consistency: no margin, random button and link styling, this doesn't look and feel like a WordPress admin page.

The plugin uses PHP function filter_var() for input sanitization. This function is 5.2+ only so the plugin won't run properly on blogs with older PHP install. This should be mentioned in the plugin doc and/or checked upon activation with a warning if applicable. Overall, I don't think enough attention was given to input sanitization, since a quick scan didn't show any built-in WP functions such as attribute_escape(), esc_attr(), $wpdb->prepare().

Anyway, the plugin's concept and result are actually pretty worthy and will definitely interest people managing blogs with lots of users. You can generate an arbitrary number of reports about your users, for instance a list of registered people excluding those with role administrator, their email addy, the date they registered and the number of comments they left. The plugin comes with 3 predefined lists so you have examples to start from. Finally, you can export your lists as .CSV files.

Interface could be greatly enhanced: at the moment the Settings page is a loooooong list of fields, I would definitely add some Javascript UI there to make things sexier, less cumbersome and more usable in the end.

All in all: code is not pretty, interface is not sexy, but the plugin delivers something I think will interest blog admins dealing with lots of users and willing to do some data mining about them.

Ban Hammer

Plugin's page

This plugin allows you to specify a list of email addresses (or fetch a list from StopForumSpam.com which is apparently a list of known forum spammers) and prevent them from registering on your blog.

The plugin's page lacks the screenshots you'll find in the plugin .zip or on the official plugin repository page, but is OK apart from this.

The plugin's code is clean, commented and readable, which makes my task easier when it comes to noticing potential improvements :)
First, common mistake in plugins, the author didn't get the translation stuff correctly: just doing __('Some string') won't work, it should be something like __('Some string', 'banhammer') with a proper initialization of the translation files.
The plugin uses cURL for the StopForumSpam feature. I think using the excellent built-in WP_Http class instead would have been better (smaller code, better to use built-in stuff as they are maintained and improved and they aim to work on most setups).
Security has not been a concern. The plugin does not sanitize input and output. For instance, if you enter </textarea> in the list of banned domains, it breaks the display. There's no use of referrer checking to make sure POSTed data are legit.

All in all: some coding mistakes and room for improvements. I'm not exactly sure how needed such a plugin is, but I'll point to it if someone asks for something like this.
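The sanitize-on-input, escape-on-output pattern that the review finds missing, as an added example that is not Ban Hammer's code. The option, group and function names are hypothetical, and the WordPress functions are those of current releases (several did not exist in 2009).

```php
<?php
// Added example. Option, group and function names are hypothetical.
// Assumes it runs inside WordPress (wp-admin context for the form).
const EXAMPLE_BAN_OPTION = 'example_banned_entries';

/**
 * Sanitize on input: reduce the submitted textarea to a list of e-mail
 * addresses or bare domains, one per line. Anything else is dropped, so
 * a line such as "</textarea>" never reaches the database.
 */
function example_ban_sanitize_list( $raw ) {
	// WordPress can call the callback again with the already-clean array.
	if ( is_array( $raw ) ) {
		$raw = implode( "\n", $raw );
	}
	$clean = array();
	foreach ( preg_split( '/\R/', (string) $raw ) as $line ) {
		$line = strtolower( trim( wp_strip_all_tags( $line ) ) );
		if ( '' === $line ) {
			continue;
		}
		$is_domain = (bool) preg_match( '/^([a-z0-9-]+\.)+[a-z]{2,}$/', $line );
		if ( $is_domain || is_email( $line ) ) {
			$clean[] = $line;
		}
	}
	return array_values( array_unique( $clean ) );
}

// Let the Settings API run the callback every time the option is saved.
add_action( 'admin_init', function () {
	register_setting( 'example_ban_group', EXAMPLE_BAN_OPTION, array(
		'sanitize_callback' => 'example_ban_sanitize_list',
	) );
} );

/**
 * Escape on output: even if a bad value got stored by other means,
 * esc_textarea() turns "<" into "&lt;" so the stored text cannot close
 * the <textarea> element and spill into the admin page.
 */
function example_ban_render_field() {
	$entries = (array) get_option( EXAMPLE_BAN_OPTION, array() );
	printf(
		'<textarea name="%s" rows="10" cols="50">%s</textarea>',
		esc_attr( EXAMPLE_BAN_OPTION ),
		esc_textarea( implode( "\n", $entries ) )
	);
}

/** Settings form: settings_fields() emits the nonce that options.php verifies. */
function example_ban_render_page() {
	echo '<form method="post" action="options.php">';
	settings_fields( 'example_ban_group' );
	example_ban_render_field();
	submit_button();
	echo '</form>';
}
```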

Changelogger

Plugin's page

Whenever an updated plugin's readme.txt file contains a ==Changelog== section, this plugin will display it, inline and within the "Manage Plugins" page.

Plugin's page is OK, once you find your way through it if you don't sprache deutsche. Ideally, I would put more emphasis on the tiny-tiny flags, and provide a screenshot in English as well :) Besides this, this is the archetype of the perfect plugin page: short description, then details, installation instruction, support link, FAQ, download & SVN links, I cannot think of something missing.

Plugin's code is the image of its page. Clean, commented with phpDoc support, everything is wrapped into a class, the plugin checks $wp_version and makes sure that current_user_can(), and eventually still provides useful information even when there's no Changelog section in the readme file (with a link to the SVN changelog). All this looks like academic work. The plugin also serves as an interesting example use of function plugins_api() which taps into the WordPress Plugins Repository API.

There's little to suggest here. I will nitpick a bit asking for better is_admin() checking: the class is instantiated no matter what, which is a bit of a waste if !is_admin(), since the whole __construct() function could be bypassed.

All in all: this plugin won't cure cancer or won't change your perspective on blogging, it's just a little and interesting improvement, but I cannot think of a better way to do what it does.

Debug Objects

Plugin's page

From German WP star Frank Bültge, this plugin delivers tons of information about your setup, configuration, filters, actions, cache, cookies, basically everything that's running under the hood and that a hacker wants to know.

Plugin's page is only in German, this is a bit of a shame. The page on the official repository or on the Plugin Competition Blog are fine, but I would definitely recommend that the blog hosts a translated version too.

Plugin's code is neat, with no comment but they're honestly not needed. Files are organized in subfolders. Everything is done to make you think "this is clean in here" when you're visiting the house. There's an interesting use of custom capabilities with current_user_can('DebugObjects'), and everything is cleanly created on activation then removed on deactivation.

Using the plugin is interesting, it's like having the Codex interfaced with your blog, live. I find it a bit strange that all this debug information is displayed only on the public side of the blog and not if is_admin(), since this is typically the kind of stuff I print_r() when coding theme or plugin admin pages.

All in all: aimed at the rather small audience of WP hackers (plugin coders and theme designers), this is definitely a handy toy if you're learning the insides of WordPress.

Easy Retweet

Plugin's page

Made by @sudarmuthu, this one wraps into a WordPress plugin a little Javascript library made by John Resig, the brain behind jQuery. It will add a "Retweet this" button to your blog with a number of clicks as provided by the bit.ly API.

Plugin's page is very fine: description, screenshot, download link, changelog, everything.

The code is nifty, commented, Class'ed. The plugin's admin page makes good use of the new register_setting() function to make sure everything regarding security and option storing is handled by WordPress, and everything is stored in a single DB entry. Good job.

The plugin is newbie friendly: if you don't want to modify your templates to manually insert the required template tag, you can elect to let WordPress add it before and/or after your posts.

The only little weakness of this plugin, but it's not Sudar's fault since it's how the original JS library works, is that the button doesn't count the number of retweets (like the Tweetmeme button does) but the number of clicks issued on the shortened bit.ly link.

All in all: clean plugin, sweet result, I like it. Given how trendy Twitter and retweeting are, this is going to be quite popular.

EG-Delicious-Sync

Plugin's page

This plugin allows you to back up your links from Delicious into WordPress' links database. You can then use these links on your blog with regular WordPress features (widgets, template tags…).

Plugin's page is fine: lots of explanations and screenshots describing all the features this plugin has. Plus, there's a link to my blog in the sidebar, so I'll say that everything is more than perfect here :)

Plugin's code is really neat: the main plugin file is minimal and conditionally loads admin or public functions exactly the way I like it. Everything is wrapped into classes and heavily commented, PHPdoc style. All SQL queries go through $wpdb->prepare() first, all forms use nonces and referrer checking, and strings are sanitized using attribute_escape() just as expected: security was a concern and it shows.

Although the plugin was first released in July 09, it contains a bunch of compatibility code with older WP versions, back up to 2.6 it seems. From a user's perspective, this is certainly nice for those running deprecated, obsolete and probably insecure versions of WordPress. From a coder's perspective though, I don't recommend this: maintainability nightmare for you, and doesn't entice users to keep their blog up to date.

The plugin spits a warning on my blog (FYI: "The first argument should be an array in path/to/plugins/eg-delicious-sync-1.0.0/eg-delicious-widgets.inc.php on line 316") probably because I don't use categories — that's an edge case.

The plugin is very user friendly, with several checks and error messages during the various steps of operations (for instance, checking the connection from your server to delicious.com before attempting anything).

All in all: a hell of a nice job for sure that makes me want to have a look at other plugins from Emmanuel Georjon. The only thing is that I can't help but have the feeling that this plugin is a couple of years late: who still makes stuff about Delicious nowadays? Such a plugin would have been a blast 3 years ago, and now I'm afraid it won't be as noticed as it might deserve.

Fitr Theme Options

Plugin's page

Fitr Theme Options, or FTO, adds an option panel to your theme so you can customize its appearance (background colors, header size, footer content, etc…)

The plugin's page is fine: a short description with an illustration of the expected result immediately tells what this plugin is about, with an extra ounce of "wow, if it really does this, that's cool". Feature list, screenshots, unmissable download button, documentation: everything is there.

The plugin's code looks OK. A few indentation inconsistencies and a slightly confusing naming scheme (fto_ and ftr_) but it's commented and rather readable. The admin panel uses all the functions required for string sanitization and security issues. The ajax stuff is handled by WP's built-in functions.

Now, how is the plugin from a user's point of view? With one of the bundled WP themes (ie classic or default) it is a lot of fun. Simply put, the illustration explaining what the plugin is for is no lie and it's very easy to customize a theme you're not happy with. The plugin comes with two presets (classic and default) but its documentation explains how to make it compatible with another theme (basically, you have to tell the plugin "my header logo is named #header_img and my sidebar background is #wrap .sidebar" so it knows how to inject custom CSS). The plugin interface is easy to use with handy color pickers and a live preview.

All in all: a fun plugin if you're still running a default theme and don't know how to personalize it a bit. To really kick off, the author should probably distribute addons for other popular themes so they would be compatible with this plugin.

Geo Mark

Plugin's page

Sudar strikes again with a plugin that parses geo information in your content and can expose it either in microformat or as geo rss. Holy crap, I have no idea what this means and what a geo information can be.

Plugin's page: mostly same comments as for previous plugin. Still, I think I would have added an example of what Yahoo Placemaker is capable of, for geolocation noobs like me. As I understand it, you write about your last trip to Las Vegas, and Yahoo fetches coordinates for this, but maybe I could have been impressed more by a finely chosen example.

The plugin's code is as clean as Sudar usually does, yet I have a few minor suggestions. First, the plugin uses PHP native function json_encode() which is PHP 5.something+ only, while WordPress has, as of writing at least, much looser requirements. No mention of this appears on the documentation and there's no code to nicely warn the user if necessary. The function that taps into Yahoo's mighty API uses cURL, which might not be available, so I'd suggest using the excellent WP_Http class instead. Apart from this, nice job, nice use of cool WP functions like register_setting() or add_meta_box().

All in all: this plugin will surely attract people blogging about trips or places. This said, again, I admit I'm not sure what is the point of having GPS coordinates of a place in a feed item :)
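The two suggestions made above (and earlier for AmR Users and Ban Hammer), checking requirements at activation and going through WordPress' HTTP API instead of calling cURL directly, as an added example that is not code from any of the reviewed plugins. Function names, the endpoint URL and the request parameter are hypothetical; the code is assumed to live in the plugin's main file.

```php
<?php
// Added example. Names prefixed example_ and the URL are hypothetical.

/** Return the list of requirements this server does not meet. */
function example_geo_missing_requirements() {
	$missing = array();
	if ( version_compare( PHP_VERSION, '5.2.0', '<' ) ) {
		$missing[] = 'PHP 5.2 or newer (found ' . PHP_VERSION . ')';
	}
	if ( ! function_exists( 'json_decode' ) ) {
		$missing[] = 'the PHP json extension';
	}
	if ( ! extension_loaded( 'mbstring' ) ) {
		$missing[] = 'the PHP mbstring extension';
	}
	return $missing;
}

// Refuse activation with a readable message instead of failing later.
register_activation_hook( __FILE__, 'example_geo_on_activate' );
function example_geo_on_activate() {
	$missing = example_geo_missing_requirements();
	if ( ! $missing ) {
		return;
	}
	deactivate_plugins( plugin_basename( __FILE__ ) );
	wp_die(
		esc_html( 'This plugin cannot be activated. Missing: ' . implode( ', ', $missing ) ),
		'Plugin activation error',
		array( 'back_link' => true )
	);
}

/**
 * Query a remote service through the WordPress HTTP API, which picks a
 * working transport on this host. Returns the decoded array, or a
 * WP_Error describing what failed, so callers can show a diagnosis.
 */
function example_geo_lookup( $text ) {
	$response = wp_remote_post(
		'https://api.example.com/v1/places', // placeholder endpoint
		array(
			'timeout' => 5,                  // do not hang page rendering
			'body'    => array( 'text' => $text ),
		)
	);
	if ( is_wp_error( $response ) ) {
		return $response;                    // DNS, TLS, timeout, ...
	}
	$code = (int) wp_remote_retrieve_response_code( $response );
	if ( 200 !== $code ) {
		return new WP_Error( 'example_geo_http', sprintf( 'Unexpected HTTP status %d', $code ) );
	}
	// Remote data is untrusted: check the shape before using it.
	$data = json_decode( wp_remote_retrieve_body( $response ), true );
	if ( ! is_array( $data ) ) {
		return new WP_Error( 'example_geo_json', 'Response body was not valid JSON' );
	}
	return $data;
}
```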

Get Shortlink

Plugin's page

This plugin generates short URLs using your own domain, TinyURL, is.gd or Digg and adds a button to your pages that will display this short URL.

Plugin's page has description, screenshots, support link. Great? Could have been, if I could find a download link (and if the page was not uselessly refreshing itself every 120 seconds). I guess the "Add to cart" button pointing to an online merchant is what you have to click to download the plugin, but this is exactly what can turn me down. Huge bummer.

Plugin's code is clean and readable, but I have some remarks. Several unneeded files (including debug stuff and empty ones) are always included. There are no security checks in the plugin option page (no referrer checking, no string filtering, nothing). The option page seems to be ready for translation (uses _e('stuff', 'gd-press-tools') for instance) but no textdomain is initialized. And why 'gd-press-tools' by the way? It seems a lot of code was borrowed from plugin "GD Press Tools" and included without really understanding what it does. For instance, a whole class is included and so far the only function they use from this class is a trivial option saving one.

Using the plugin is when things get worse. The plugin admin page displays a fat ad for a "Pro" version of the plugin, supposed to remove the ugly "Read more" link that is displayed on every page that uses the button.

All in all: Looking at the code did not give me confidence in the plugin. Plus, there are already several plugins to generate short URLs (<shameless>hey, did you try the excellent YOURLS plugin? Supports TinyURL, is.gd, other services, and it's really free</shameless>) so why bother using a commercial plugin? I hated the fact that you have no control over the ugly "Read more" link pointing to the plugin's page, that appeared on every page of my test blog.

Greg's High Performance SEO

Plugin's page

Yawn… yet another SEO plugin. With this one you can "Configure over 100 separate on-page SEO characteristics. Load just 600 lines of code per page view. No junk: just high performance SEO at its best" says the description. I'm not sure how sensible or interesting is the fact that you load 600 lines of code per page view, by the way.

Plugin's page: disliked it. It starts with a long explanation about SEO, about SEO plugins, about tons of things I didn't bother to read because there were too many of them, and you have to scroll down to the middle of the page to read about the plugin for the first time. The download link barely makes it into the page.

Plugin's code: hated it. Some blocks are not even indented, there are practically no empty lines between logical blocks, how can someone read (and maintain) code like this? I can't. This is typically the kind of plugin I would not install on my blog because I cannot be sure of what it does since it's barely readable.

The plugin comes with *tons* of explanations and documentation. The plugin admin pages consist of 9 pages and more than 12,000 words. I mean, you have to seriously believe in SEO plugins to go through all this. I must admit I mildly believe in SEO plugins.

All in all: in the overcrowded market of SEO plugins, Greg's HP SEO will give you a lot to read, a lot to ponder, a lot to think about. Too much. I obviously cannot judge about the SEO results of this plugin, as it would require online testing for a couple of weeks or maybe months. I would strongly suggest trimming the plugin's page down to the essential, and, for PHP God's sake, making the code readable! Nobody cares if it's 600 lines because you removed 120 white lines and 300 tabs. This is not optimization, this is useless obfuscation.

Import HTML Pages

Plugin's page

This plugin will import HTML files from a directory as posts or pages. This sounds handy when you want to migrate an old school HTML site to WordPress.

The plugin's page is nice enough: short desc, features, download link, screenshots. There's also a warning that the plugin requires PHP5, which is OK with me as long as you're told about it before finding yourself in trouble.

The plugin's code looks OK, a bit compact maybe, but at first glance I see a couple of things.
First, the function naming scheme is not consistent enough: you have html_import_do_stuff(), fine, but also functions named like pretty_title() which is too generic to be confident you'll avoid conflict with another piece of code.
The author did not get correctly how you are supposed to use nonces for security, and just used function wp_nonce_field(). What she needs to do is either use the new register_setting(), or at least the "old" way (from WP 2.0.3) using nonces (this article about nonces on the Codex links to two great examples).
Native PHP function fopen() has been misunderstood too (doing fopen() on a file does not return file content).
The plugin needs mbstring functions, but the requirement for this PHP extension is not mentioned on the page and not checked at run time, which would probably make the plugin fail and leave the user alone in the dark wondering what went wrong. Same comment applies for SimpleXML functions (which are more likely to be available, unless they have been turned off by server configuration).

This may look like a long list of awful things but actually I think it's not a real big deal: this plugin is not something you're supposed to have forever on your blog, but instead use it once, say thanks and deactivate it. While I'm picky about plugins for the long run, I don't mind running once something that may be a bit rough but works, especially if this is something quite unique (I don't think there are too many other plugins of this kind). In other words, I value result more than the way to do things, when I don't have too much choice over the way to do things :)

The plugin interface is neat. You can select content to import by HTML tag ("<div id='main'>") or by Dreamweaver template region. You can decide to import everything in posts or pages and pick a status (publish, pending, private or draft) which is a nice option if you want to review the result before publishing it.

All in all: from a coder's opinion, there are things to improve. But from a user's perspective, this plugin can be a life saver if you have to import dozens of static HTML files into WordPress. As of writing, googling for "import html files into wordpress" doesn't provide much cool stuff and I'm not sure there is another polished tool to do so. Bottom line: I like this plugin.
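The nonce point raised in this review (and the missing referrer check noted for Ban Hammer and Get Shortlink), as an added example that is not the plugin's own code: wp_nonce_field() only prints the token, and the handler has to verify it. Action, field and function names are hypothetical, and the functions are those of current WordPress.

```php
<?php
// Added example. Names prefixed example_ are hypothetical.

/** Admin form: the nonce is bound to one action name and the current user. */
function example_import_form() {
	?>
	<form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
		<input type="hidden" name="action" value="example_import_run" />
		<?php wp_nonce_field( 'example_import_run', 'example_import_nonce' ); ?>
		<input type="text" name="example_import_dir" class="regular-text" />
		<?php submit_button( 'Import' ); ?>
	</form>
	<?php
}

/*
 * The mistake described in the review looks like this: the field is
 * printed above, but the handler never looks at it, so any page the
 * admin visits can submit this form on their behalf.
 *
 *   function example_import_handle() {
 *       $dir = $_POST['example_import_dir'];   // no capability check,
 *       example_import_directory( $dir );      // no nonce check
 *   }
 */

add_action( 'admin_post_example_import_run', 'example_import_handle' );

/** Handler with the three checks in order: who, from where, what. */
function example_import_handle() {
	// 1. Who: the nonce proves intent, not permission.
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_die( 'You are not allowed to do this.', '', array( 'response' => 403 ) );
	}

	// 2. From where: dies with an error unless the posted nonce matches
	//    the action name used in wp_nonce_field() for this user.
	check_admin_referer( 'example_import_run', 'example_import_nonce' );

	// 3. What: unslash and sanitize the value before using it.
	$dir = isset( $_POST['example_import_dir'] )
		? sanitize_text_field( wp_unslash( $_POST['example_import_dir'] ) )
		: '';
	if ( '' === $dir ) {
		wp_die( 'No directory given.', '', array( 'response' => 400, 'back_link' => true ) );
	}

	// Hypothetical worker function doing the actual import.
	if ( function_exists( 'example_import_directory' ) ) {
		example_import_directory( $dir );
	}

	// Redirect back so a page reload does not resubmit the form.
	$back = wp_get_referer();
	wp_safe_redirect( add_query_arg( 'example_imported', '1', $back ? $back : admin_url() ) );
	exit;
}
```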

ImageShack Offloader

Plugin's page

WP-Hackers' mailing list resident Scribu made this plugin to use ImageShack as a free Content Delivery Network (CDN) for your images, ie to lessen the traffic and storage burden on your host. Just upload images on your blog as usual, the plugin takes care of everything. If for some reason the image cannot be found on ImageShack, the local copy is shown instead.

The plugin's page is a bit confusing. It looks like an archive for posts filed in category "Image Offloader" more than a plugin page. On the sidebar there's still the minimal info required: short desc, download link. The page on the repository has more details which makes the plugin really interesting (especially information about what happens when the image cannot be loaded from Imageshack).

The plugin's code is typically the kind where I learn stuff, not where I have suggestions for improvements. It uses scribu's own framework for plugins, which I've read about a few times in the wp-hackers mailing list but had never tried. His framework is designed to automate repetitive tasks you come across while coding a plugin: adding option pages, handling options, creating tables, etc… It's quite cool: for instance, once you've included the files, all you need to add an entry to WP's internal cron job is a 4 line snippet, and everything is handled, including during activation/deactivation of the plugin.

Using the plugin can be a bit disconcerting. I activated it, configured it, started to create new posts with attached images and… saw nothing particular happen. As far as I can tell, it just didn't work on my test blog, it didn't upload anything to ImageShack. I don't know if something was not working as expected, or if ImageShack was for some reason unreachable by my web host, and this is my point here: the plugin lacks diagnosis tools, something that would say how many images were uploaded and that would simply check the connection.

All in all: this is one of the plugins that have impressed me so far. I really like the concept of the plugin and its smart fallback to local images in case they can't be loaded from ImageShack, but in case something is not working, the user is just left alone in the dark.

Live Blogging

Plugin's page

As the plugin page says, "Live Blogging is a plugin to support micro blogging of live events using Comet/Push HTTP technology". Yeah, I too went WTF on this. But hold on. Put simply: when you blog with this plugin, your readers just sit in front of their computer with a cappuccino and the page refreshes itself every time you update your post, or every time a new comment is posted. No need to hammer a server down with F5 to reload the page, it reloads on its own when needed. If your web server runs on Meteor.

The plugin's page is pretty good. Besides all the wordpress/extend elements, it features a screencast that explains what the plugin is really about, and that's the moment when you go "oh wow, now I'm impressed". This screencast is really what makes the page good, because without it I think most will just not understand what the plugin does.

The plugin's code looks good, it's clean and heavily commented, SQL queries are prepared. Yet I have a number of questions or remarks. The plugin creates two extra tables and I'm not sure why it is a good idea. First table contains just a list of post ids & post names, which could be well stored in wp_options. Second table contains the post contents, and I don't get why wp_postmeta is not good for this. And there is no uninstall procedure to clean this up, which I don't like when extra tables are created.

Using the plugin is a bit more cumbersome than it should be. First, you have to go to a dedicated page to set up a new "live blog". Then go to a post to add a shortcode. Then go to another dedicated page where there's a write interface similar to the regular one and start blogging. All this could be dramatically improved and feel more natural if it were more integrated into the regular "Add/Edit New Post".

As the plugin readme says, "Meteor is sort of the point", and indeed the screencast is pretty impressive. But without Meteor, ie with the regular Apache web server everybody has, it is sort of useless. Not sure how feasible it would be, but a fallback would be really cool, something like when you update your live blogging a file is updated, and an Ajax script regularly polling the server would then add it to the page.

All in all: for the small fraction of people who are able to set up a Meteor server, this is an impressive plugin. For the others, well, this is just useless.

Max Image Size Control

Plugin's page

This plugin "adds the functionality to change the max image size". Yeah, I'm not sure either about what this implies.

The plugin's page is a bit problematic for me: too few explanations and an approximate English that forces you to guess the meaning of sentences rather than clearly understand them. Obviously the author is Japanese so I can perfectly understand that he might be a bit uncomfortable in English. Making an English translation of a plugin page is a terrific idea because it makes your potential "market" virtually global. I would suggest getting help from some friends with better language skills, or from a native English speaker, so they can review posts before they're published and propose a few tweaks.

The plugin's code looks OK, yet a bit compact especially within the multilevel nested foreach() loops. The option forms implement no security measures of any kind, which is definitely missing.

The plugin's interface should be enhanced. At the moment, you have to input post or category IDs, it would be a lot more friendly to pick post or category titles from a list (especially now that WordPress admin pages don't show posts IDs).

All in all: I'm sorry to write this but honestly I'm not sure what the plugin is for. I *guess* it lets you set a maximum image size for a particular post or category, but I'm not totally sure. Getting potential users totally sure about what a plugin does is absolute #1 priority in my opinion (otherwise there will simply be no user)

Navbar

Plugin's page

Yet another plugin by well known WP enthusiast @vprelovac. Navbar "adds a handy navigation bar to organize your WordPress blog shortcuts".

The plugin's page is OK (short desc, screenshots, download link) although I think the short description could be enhanced (to "organize my blog shortcuts" does not mean much to me)

The plugin's code is what you expect from a seasoned WP hacker. There's an edge case that could get the plugin into trouble: if a blog setup has a custom location for its wp-config.php file (which I think is probably rare), this will break all the Ajax functionalities, since the path to the config file is hardcoded (ie require_once('../../../wp-config.php')). A simple workaround for this would be to include wp-load.php instead. Other than this very little detail, nothing to say, add or criticize.

Using the plugin is fun. It adds a configurable sidebar to your blog (both in the public and the admin part, which could be mentioned on the plugin's page and could also be an option) in which you can place your favorite links for handy shortcuts. Customizing this sidebar is easy: just drag and drop any link on it. The color picker didn't work with me (it would not update the input field).

There's an interesting little internal API in this plugin, allowing other plugin coders to easily add custom information to the navbar.

All in all: a clean plugin with a really polished interface and behavior, I liked how you can just simply drop a link to add it to the navbar. I somehow regret that the navbar does not look and feel more like a WP component, so even if it's less configurable I'd rather use something like Viper's Admin Bar.

Next Page

Plugin's page

Another plugin from Stephanie Leary, this one adds shortcodes and template tags to display links to previous page, next page and parent page.

The plugin's page is short but OK. I like the fact that Stephanie is providing her plugin's main function as a standalone snippet of code, allowing anyone to implement it in their theme without having to deal with the plugin itself. Really nice initiative. A clarification could be made about the purpose of the plugin: at first I thought this would be an enhancement of the pagination system when you split a post or a page into multiple sections, using tag <!--nextpage-->.

The plugin's code has the same weaknesses as Stephanie's other plugin: way too generic function names, no security implemented in the option page. Using 9 DB entries instead of one to store options is a bit of a waste, especially with a plugin that provides no uninstall.php to make sure there's nothing left after you deactivate it. Just writing _e('some string') won't make a plugin translatable (suggested read).

All in all: the concept of having a link for the "next" or "previous" page was at first a bit odd to me (giving a false impression of chronology, something that pages are typically independent from). But after all if I were to, say, publish a book using WordPress, these would be very useful tags. This handy plugin deserves a quick code improvement.

One Time Password

Plugin's page

This plugin allows you to login to your WordPress weblog using passwords which are valid for one session only. Holy cow, now that's some serious security. While such measures are a total overkill for home, this is something to consider if you blog from potentially insecure places such as internet cafés or anywhere you would fear keyloggers and/or packet sniffing.

The plugin's page is too short. OK, there's a download link somewhere in the text, there are a few screenshots, but hey, this is way too intriguing, I would have definitely liked to know more about the plugin and how it works.

The plugin's code is nice. First thing the plugin does is check the environment to make sure the plugin can run. Quick check of the plugin's option page: nonces and referrer checking, phew, that would have been ironic. Okay enough code reading I just want to play with this plugin.

When you activate the plugin, you're prompted for a quick configuration. Basically, the plugin generates a unique ordered list of long passwords consisting of short words (for instance a generated password could be "YOGA FORE FLAT ONCE CUBE PUT" — long so the bad guys won't guess it, but easy to type for you). Then you need to print the list (an alternative option is to use a portable device that supports JavaME and run a helper application, but printing the secret list has this cold war old school spy extra feeling). Now, every time you want to log in your blog, you can either use your regular password (home), or (gulag with a shared open wifi connection) a super secret password from your list as identified by a number displayed from the login screen (see screenshot). Once you've logged out, the same password won't be valid any more, making keyloggers, packet sniffing and infrared remote sensors totally useless. Ah! Take that, spies!

All in all: this plugin would need a deeper code inspection than my quick look, but it looks awesome. Maybe adding an extra option to automatically log the user out when there has been no keyboard activity would be handy, so that those damn spies cannot use your blog if you're AFK for a pee. I totally recommend this plugin for people blogging a lot while traveling. Great idea, interesting concept, and cool implementation.

PixoPoint Menu

Plugin's page

As advertised by the plugin file itself, "adds a menu to your WordPress site".

The plugin's page is fine: description, screenshots, download link, support link.

The plugin's code is not fine. Although the main plugin file is trimmed down to the minimal so it can load only what's needed when needed, which I like, despite the very few lines of code I see a number of problems: coding style is so-so with weird indentation and formatting; waaaaay too generic function names (function pages()!!); hardcoded plugin path parameter for load_plugin_textdomain(); processing of $_POST with no check for data validity (where and by who were they posted from?).
There's an uninstall.php which is a nice addition. Oh my, no, it's an absolute nightmare: it does 87 delete_option(). Sweet Jesus, why so much pollution in the DB when it would have been probably ten times better to put everything in one DB entry!
The plugin phones home to fetch from the author's server a config file used during menu creation, which many won't like, and using function readfile() which will fail on numerous hosts. Anyway I'm not sure what the point is to make a connection to a remote server just to get a tiny configuration file.

Using the plugin was not a great experience. The option page has a slightly weird look and feel (big buttons, tiny fonts) which doesn't give a feeling that the plugin is well integrated into WP. Activating the plugin and loading theme default did not produce anything, I didn't see any menu so I was a bit frustrated and ended there my tests.

All in all: I'm not saying that the plugin doesn't work, since obviously from screenshots and example website, it's capable of producing a rather nice menu. But for all the reasons above, I didn't like it.

Post Google Map

Plugin's page

This plugin allows you to add multiple addresses to a post/page and have those addresses automatically plotted on a Google Map in a sidebar widget. "This is a great plugin to help locate your stories, events, news, etc", says the plugin page.

The plugin's page is fine: nice screenshots, short description first then details, download link and install instructions, including how to get a mandatory Google Maps API key.

The plugin's code is mostly readable so it's easy to immediately spot a few weaknesses: waaaay too generic function names (function update_options(), it can't get much more generic than this), no proper security checks in the option form (just outputting the nonce hidden field won't do), the function that updates options doesn't sanitize anything and stores each setting into a separate DB entry, basically anyone can delete a stored address since a direct call via GET is enough and not secured. A few bits in the code mention compatibility with super obsolete WP version 2.2.1 and 2.3, which I find a bit odd and, if true, totally superfluous. On the plus side, I notice a proper use of WP API's and internal mechanisms: WordPress HTTP API, no hardcoded path but constants WP_PLUGIN_URL and such.
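The checks this review finds missing, shown as an added example (not the plugin's code; the `exmap_` prefix, option key and field names are all hypothetical): the nonce is printed in the form and verified on save, the capability is checked, input is sanitized, the delete link is bound to a per-address nonce, and every setting lives in a single option.

```php
<?php
/*
Plugin Name: Example Map Settings (illustration only)
*/
// Hypothetical names throughout: the exmap_ prefix, option key and field names.
define( 'EXMAP_OPTION', 'exmap_settings' );

add_action( 'admin_menu', 'exmap_add_page' );
// admin_post_* hooks fire for logged-in users only; anonymous requests never reach the handlers.
add_action( 'admin_post_exmap_save', 'exmap_save' );
add_action( 'admin_post_exmap_delete', 'exmap_delete_address' );

function exmap_add_page() {
	add_options_page( 'Example Map', 'Example Map', 'manage_options', 'exmap', 'exmap_render_page' );
}

// All settings live in one array, so one row in wp_options.
function exmap_get_settings() {
	$defaults = array( 'api_key' => '', 'zoom' => 12, 'addresses' => array() );
	return wp_parse_args( get_option( EXMAP_OPTION, array() ), $defaults );
}

function exmap_render_page() {
	$s = exmap_get_settings();
	?>
	<div class="wrap">
	<h2>Example Map</h2>
	<form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
		<input type="hidden" name="action" value="exmap_save" />
		<?php
		// Printing the field is only half the job: exmap_save() must verify it.
		wp_nonce_field( 'exmap_save', 'exmap_nonce' );
		?>
		<p>API key <input type="text" name="api_key" value="<?php echo esc_attr( $s['api_key'] ); ?>" /></p>
		<p>Zoom <input type="text" name="zoom" value="<?php echo esc_attr( $s['zoom'] ); ?>" /></p>
		<p><input type="submit" class="button-primary" value="Save" /></p>
	</form>
	<ul>
	<?php
	foreach ( $s['addresses'] as $id => $address ) {
		// Each delete link carries a nonce bound to that one address.
		// wp_nonce_url() returns an already escaped URL.
		$url = wp_nonce_url(
			admin_url( 'admin-post.php?action=exmap_delete&id=' . (int) $id ),
			'exmap_delete_' . (int) $id
		);
		echo '<li>' . esc_html( $address ) . ' <a href="' . $url . '">delete</a></li>';
	}
	?>
	</ul>
	</div>
	<?php
}

function exmap_save() {
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_die( 'You are not allowed to change these settings.' );
	}
	// Dies unless the request carries a valid nonce for this action.
	check_admin_referer( 'exmap_save', 'exmap_nonce' );

	$s            = exmap_get_settings();
	$api_key      = isset( $_POST['api_key'] ) && is_string( $_POST['api_key'] ) ? $_POST['api_key'] : '';
	$s['api_key'] = sanitize_text_field( wp_unslash( $api_key ) );
	$zoom         = isset( $_POST['zoom'] ) && is_scalar( $_POST['zoom'] ) ? absint( $_POST['zoom'] ) : 12;
	$s['zoom']    = min( 20, max( 1, $zoom ) ); // clamp to a sane range
	update_option( EXMAP_OPTION, $s );

	wp_safe_redirect( admin_url( 'options-general.php?page=exmap' ) );
	exit;
}

function exmap_delete_address() {
	$id = isset( $_GET['id'] ) && is_scalar( $_GET['id'] ) ? absint( $_GET['id'] ) : 0;
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_die( 'You are not allowed to delete addresses.' );
	}
	// A bare GET without the matching _wpnonce value stops here.
	check_admin_referer( 'exmap_delete_' . $id );

	$s = exmap_get_settings();
	if ( isset( $s['addresses'][ $id ] ) ) {
		unset( $s['addresses'][ $id ] );
		update_option( EXMAP_OPTION, $s );
	}
	wp_safe_redirect( admin_url( 'options-general.php?page=exmap' ) );
	exit;
}
```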

Usage: the plugin inserts a box within the post editor where you can create new locations, either by address or by GPS coordinates. The settings page asks for a list of category IDs, which is too cumbersome to find and enter, I'd rather have a list or something easy to choose from.

Having reviewed Geo Mark previously where a Yahoo API guesses location from the text you post, I can imagine how much more efficient a combination of the two plugins would be: simply name a restaurant in a city and the widget would automatically put a marker on a map for it.

All in all: some serious but easily fixable flaws in the code. The plugin has potential for something rather interesting.

Post by Tag

Plugin's page

Another one from Sudar Muthu. This one displays in a sidebar widget a list of posts from a specific set of tags. For instance, tag your favorite entries "Featured" and promote them using this widget.

The plugin's page is perfect: short desc, download link, features, advanced use with a template tag, translation list, feedback and changelog. Can you think of something that's missing? I can't.

The plugin's code is Sudar at his finest and provides a nice example of how to use those damn pesky widgets in WP 2.8+ (oops, did I just say I hate coding widgets?:) The only minor glitch I can notice is that the plugin path is hardcoded in the translation file initialization procedure, which should be fixed as it is a potential source of problems if a user renames this plugin directory (users, they do such things sometimes)

All in all: a nice short little plugin that's easy to use and a quick way to promote particular posts on your blog. I like it.

Recent Posts with Excerpts

Plugin's page

Yet another plugin from Stephanie Leary, which this time is a widget to show a list of recent posts and their excerpts, optionally from a particular category.

The plugin's page is minimalist, but it works: short desc, and no more is actually needed, download link, screenshot of both the interface and the result on the default theme.

The plugin's code is overall OK: nice use of the new Widget class with a little custom loop. Localization is done the classic wrong way (just __('some string') with no textdomain) and is not consistently used (for instance the "more…" link is hardcoded). The plugin checks for functions from two popular excerpt related plugins, which is a nice touch.

All in all: a nice simple widget with a few harmless coding mistakes. A possible enhancement I'd consider would be caching the latest excerpts with a refresh of the cache whenever a post is published. This would avoid the couple extra queries that the widget custom loop will induce.

Rich Related Posts

Plugin's page

From the website: "Rich Related Posts plugin facilitates related posts functionality where posts can be enriched with groups of links to blog posts (or other sites), defined by headline and thumbnail". What a mouthful. That's not too clear to me.

The plugin's page is… this is going to be similar to my review of their other plugin: description, OK, screenshot, OK. Download link? Cannot find, and there's no way I'm going to click on a "Add to cart" button to try and get a free plugin. But what utterly infuriates me more than everything is the uber dumb page refresh every 120 seconds. Ah, the joy of seeing a page disappear then reload while you're reading it. Seriously, why not add animated gifs and blinking text while we're at it? Normally I would not go past this point when I'm looking for a plugin.

The plugin's code looks clean but, once again, most of the comments for their other plugin apply. Unneeded files are always included (typically I don't want a plugin on a production blog load a debug class). There are no security measures implemented in the option forms. An SQL query is run against the database (in function get_closest_post()) from parameters passed via GET query without ever sanitizing them, which is *very* critical. The plugin uses PHP5+ functions (json_encode()) which is not mentioned in the plugin doc (at least I didn't see any before their silly page refresh)
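What the unsanitized query problem looks like next to a safe version, as an added example. This is not the plugin's get_closest_post(): the `exrel_` functions, the query shape and the `post_id` / `dir` parameter names are assumptions made for the illustration.

```php
<?php
// Hypothetical helpers for illustration; they expect to run inside WordPress.

// The pattern the review warns about: request data concatenated into SQL.
// Whatever arrives in ?post_id= becomes part of the statement.
function exrel_adjacent_post_unsafe() {
	global $wpdb;
	$id = $_GET['post_id'];
	return $wpdb->get_row(
		"SELECT ID, post_title FROM {$wpdb->posts} WHERE ID > $id ORDER BY ID ASC LIMIT 1"
	);
}

// Safe version: validate the shape of each parameter, then bind values
// through $wpdb->prepare().
function exrel_adjacent_post( $raw_id, $raw_dir ) {
	global $wpdb;

	// Arrays (?post_id[]=1) and other non-scalars are rejected outright.
	$id = is_scalar( $raw_id ) ? absint( $raw_id ) : 0;
	if ( 0 === $id ) {
		return null;
	}

	// Comparison operators and sort directions cannot be bound as
	// placeholders, so they are picked from a fixed table, never from input.
	$dirs = array(
		'next' => array( '>', 'ASC' ),
		'prev' => array( '<', 'DESC' ),
	);
	if ( ! is_string( $raw_dir ) || ! isset( $dirs[ $raw_dir ] ) ) {
		return null;
	}
	list( $op, $order ) = $dirs[ $raw_dir ];

	$sql = $wpdb->prepare(
		"SELECT ID, post_title FROM {$wpdb->posts}
		 WHERE ID {$op} %d AND post_status = %s AND post_type = %s
		 ORDER BY ID {$order} LIMIT 1",
		$id,
		'publish',
		'post'
	);
	return $wpdb->get_row( $sql );
}

// Caller: read the request once, pass raw values to the validating function.
function exrel_adjacent_post_from_request() {
	$id  = isset( $_GET['post_id'] ) ? $_GET['post_id'] : 0;
	$dir = isset( $_GET['dir'] ) ? $_GET['dir'] : 'next';
	return exrel_adjacent_post( $id, $dir );
}
```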

The plugin interface could be slightly improved: for instance you're supposed to enter an HTML template in a tiny <input> field while a textarea would have been much more adapted.

After installing and configuring the plugin I just didn't know what to do to use it. The bundled readme.txt file contains no information, and there's no helpful message in the admin screens so the only option is to have to check their auto-refreshing page again, duh. Hopefully I randomly found a new box on the Post editing interface, which is a bit complicated to use but has meaningful icons to help. So, I did something with it and posted a new post to check what the result would be, but loading the blog would now completely crash my Apache server unless I deactivate the plugin. Didn't want to bother digging deeper to see what would cause this.

All in all: sorry guys, this will sound like a harsh review but overall I really disliked every step of this review. Once again, just as for their other plugin, I won't say this is not working because they have screenshots and example sites. It just didn't work with me.
Note: as of writing this, I've contacted the plugin author to report the critical SQL issue, which has been reported to be fixed. This review is outdated now!

Section Widget

Plugin's page

This plugin makes it easy to create a tabbed widget and display it on selected "sections" of your site (ie front page, category archives, etc…)

The plugin's page is not very appealing: above the fold on my laptop, all I see is text, text, text. A little screenshot or a subheader after the first paragraph would do wonders. Reading the text is completely confusing: the 7 first links on the page refer to other plugins in a way I don't get ("Want to do this or this? Yes you can [link to another plugin]"). So why am I reading a plugin's page if the first thing it does is advertising other plugins' features? I'm lost.

The plugin's code is clean. The option page has no security measures implemented but that's the only point I can bring up.

Activating the plugin threw an ugly notice on my test blog because of an included file that could not be found. It turned out to be that include() in an anonymous function created at runtime can be touchy and I suspect running this on Windows or Linux will have different results. Anyway on my Win32 test blog setup, I had to apply this fix to make it run properly.

Basically the plugin is an advanced text widget: it's like the original "Text" widget, except that you can easily select the pages where it will appear. Also, you can display HTML of course, but also dynamic content using shortcodes. Oooooh, OK, now I get it why so many plugins were linked at the beginning of the plugin's page: they can provide additional shortcodes. This makes sense once I really understand how to use the plugin, but wasn't obvious at first read.

All in all: this is a neat text widget with a "Select where to display it" option. But out of the box, it's just useless since you really need shortcodes to make the most of it. I would definitely ship this plugin with several shortcodes included, instead of making separate shortcode plugins.

SEO Ultimate

Plugin's page

This plugin will… wait. You already know what it will do. It will hax0rz the rezultz of Go0gle to make your blog #1 and pwn your competitorz. Something like this.

The plugin's page is near perfect: short desc, easy to scan bullet list of features, details, screenshots of the interface, install procedure, FAQ and changelog. So, what's missing? Comments of course! How are users supposed to say thanks or ask something if comments are disabled?

The plugin's page has something completely awesome: an "Auto Installer" where you enter your blog URL and just click OK. What it does is simply send you to your blog's Plugin Install page (ie blog.com/wp-admin/plugin-install.php?tab=plugin-information&plugin=seo-ultimate) so you can skip the download, unzip, upload steps. Simple. Brilliant. Why didn't I think of this myself? I'm totally stealing this idea for my own plugins from now.

The plugin's page also mentions something interesting: development with WordPress plugin "best practices" in mind, like nonce security, uninstall file, WP's contextual help and ready for translation. That turns me on, let's have a look!

I wouldn't mind files to be a bit more organized in some subdirectories (includes, js, css, translations…). This said, reading the code is totally enjoyable: clean, heavily and consistently commented, everything wrapped into a class. Forms use nonces, SQL queries go through wpdb->prepare(), I see no obvious coding mistake. Looks like some good job. OMG this is an SEO plugin and so far I'm liking it, I need a break :)

The plugin makes extensive use of WP's contextual help system (the little dropdown tab near the top of the page in the admin area) and as a result, each option page the plugin adds is uncluttered and clean. If you know what you want, just click/check/pick the options and save. If you're not sure, then roll the help tab down and read. This is much better than showing tons of text on every page, especially with a plugin dealing with somehow complicated concepts. Each setting has a very neatly structured contextual help, always answering the same 3 questions: What it does, Why it helps, How to use it.

There's an interesting feature that allows a user to export all the plugin's settings to an external flat file, and of course to later import this setting file. This is a nice touch considering the number of options you can deal with.

All in all: again, I'm totally not enthusiastic about SEO plugins, but this one has a seriously polished look and feel, from reading the inside code to using its option pages. I particularly like how consistently each setting is explained, clearly, simply, with no fuss. Very great work.

Theme Options

Plugin's page

The plugin says it will add options to my current theme and allow me to expand and customize the theme without modifying the theme files. I found the first screenshot to be very attractive: super clean interface, really looks like something built in WP.

The plugin's page is on WP.org/extend, so it's a bit formal but has everything you need thanks to a well formed readme.txt file: description, screenshots, bullet list feature list and obviously unmissable Download button.

The plugin's code is a bit compact (come on guys, white space is cheap and new lines are free, use some). The main plugin file loads everything on every init, which is a bit of a waste since there are several files that are needed only for the backend area. More critical, the plugin performs some actions depending on $_GET['page'] without first checking rights to do so or at least that is_admin(), so basically anyone can trigger stuff just by visiting your blog and appending some parameters to the URL. I don't think anything like critical damage can be done, but this is a very high priority item on the To-Fix list. The option form has never seen a nonce. The function naming scheme is way too primitive, with generic functions like trim_value() or, more problematic, filter_data() which was once a builtin PHP function, so there's a risk on some PHP installs, depending on version, that the plugin won't run at all. Localization was misunderstood, using the classic _e('some string') with no textdomain. The plugin's concept is that you enable snippets of code: each one will use 3 entries in the option table, so an extensive use of the plugin could quite clutter the database.

On the plus side, plugin files are well organized (lot easier to grasp than a single directory full of various files) and there's a very interesting use of custom hooks and action to integrate each snippet into the main plugin.

Using the plugin was quite frustrating. The plugin's option page is very neat: list of available snippets that you can filter (by author, tag, status), a form to upload a new snippet in a .php file, and another form with a code editor to manually input and add a new snippet. But of course the first thing I tried was to upload a malformed snippet containing PHP code with an error: from that point, I haven't been able to reset or reinstall the plugin and it would crash consistently. Even manually removing plugin options from the database didn't do. In my opinion, a plugin allowing end user to input PHP code must have an unbeatable and foolproof way of sandboxing that code till it's somehow validated, and an easy way to restore things if all the blog goes belly up because of a bad snippet.

All in all: I was expecting quite a lot and I like the idea of a modular plugin in which you can input or upload components, but I was let down. I think a better way to store user added snippets would be to save them as flat files instead of adding entries to the DB options, so you can just delete the file if something goes unexpectedly wrong.

Advanced Export for WordPress & WordPress MU

Plugin's page

This plugin by MU Guru Ron Rennick adds the ability to selectively export portions of your site (say, limited to a category, author, tag…) into a file that you can then import into another blog. The purpose is to make it easier to deal with several smaller split files than a gigantic single file on blogs with lots of entries.

The plugin's page is missing in action, so the entry on the Plugin Blog will do fine until it's completely buried down in the archives. It has short desc, feature list, screenshot of the interface and download button, fair enough.

The plugin's code is clean and commented in the tricky parts. SQL queries are prepared() and user privileges checked before proceeding. The plugin looks like a quick hack –that works– that was submitted to the competition without too much polishing, as there are a few minor glitches to spot: localization done wrong with the too classic _e("stuff") and no textdomain, option page has no title (there's a blank <h2>$title</h2>), main function ra_do_export() triggered by an unchecked GET request (but the function itself checks user permission so that's not too big a deal), no nonces in the option form, plugin URL missing in the plugin file header (it points to the site root).

All in all: this plugin comes straight from the "No big stuff, just the little things WordPress should do out-of-the-box" department. What I suggest here: clean up a few details and submit this as a patch for WP 2.9, in my opinion this is the kind of stuff that should be included into core.

Tweetable

Plugin's page

This plugin throws your blog into the Twittersphere: tweet your posts as they are published with a shortened URL via tr.im or is.gd, display your latest tweets in your sidebar.

The plugin's page is OK: description, download button. There are more screenshots on the WP.org/extend page, and there are no comments to say thanks or ask for help, so it could be a bit better.

The plugin's code looks very clean, is well commented. First thing it does is checking for WP and PHP version, which is good practice when you need PHP5+. The plugin uses Twitter's OAuth API so you authorize your blog to update your Twitter stream from the Twitter site itself, which is a bit more secure (and slightly more complicated for both the coder and the user) than storing your username and password in your blog. The plugin selectively includes files depending on context (is_admin() or not) which is a good point.

Still, there are a few things I regret or dislike: the plugin stores its settings into multiple DB entries instead of using just one. It partly relies on cURL, which may be missing, instead of using the wonderful and presumably always working WP_Http class. The option to add Google analytics component to a URL of your post before tweeting it won't work on blogs with no pretty permalink (you'll end up with site.com/?p=1337?utm_source=...). The plugin adds its CSS and JS into every single page of the admin area, including other plugin pages, which is unacceptable. The plugin forms use no nonce. There are a few poorly named functions (documentation() for instance). I find it weird that there are files that are supposed to be used as standalone (ie the browser should point them directly) instead of really integrating them into WP. I guess this is to speed up the interface, but this is done to the detriment of security. For instance, the file that acts as a hashtag search interface is public and anyone can use it (example) which I think is unexpected and certainly not what I would want to run on my own site. The file that acts as a Twitter client to post your tweets has a rudimentary security check, but doesn't use nonce or current_user_can(). Why reinvent the wheel when there are so many great functions in WP?

All in all: from a regular user's perspective, this is for sure a cool plugin, but there are too many things I've seen inside that I did not like and, as of now, I would not use it or recommend it. Given its potential and how mainstream Twitter is, I hope the plugin gets fixed and improved.

Tweetback Helper

Plugin's page

Welcome back to the Sudar Muthu Plugin Competition 2009!
So. Tweetback is a plugin by WP superstar Joost 'Yoast' de Valk which detects tweets containing shortened URL of your posts and adds them to your blog as if they were trackbacks. Tweetback Helper by @sudarmuthu is a helper plugin for it: it helps Yoast's plugin detect more tweets.

The plugin's page is perfect as usual with Sudar: short description, features, screenshots, download button, install procedure, changelog, feedback, comments, everything.

The plugin's code of the main plugin file is really slick and shows great use of WP functions: register_setting() with parameter validation, localization done the right way, additional forms in custom meta box correctly protected by nonces and using current_user_can(). On the dark side I can see that the plugin adds its javascript into every single page of the admin area, and that the file cron.php uses hardcoded path to wp-config.php and the plugins directory (so everything will break in the (unlikely) event of a user moving one or both somewhere else, as permitted in WP 2.7+)

All in all: it's hard to tell about the real worth of a plugin which is only intended to be used in conjunction of another one, but this one is a solid coding job.

User Count

Plugin's page

User Count is Kirby Witmer's first attempt at coding a WP plugin. This one simply displays the total number of users, by role, on your admin dashboard, in the "Right Now" box.

The plugin's page is short and fine: basically, a screenshot that says it all and a download link. By the way and since I'm just nosing around, it's not plugin related but the navigation bar under the header gives a false impression of a breadcrumb so at first I thought I had been misled to a page about Windows Wallpapers.

The plugin's code is ugly: compact, unindented, that would make a long plugin file totally unreadable — hopefully it's very short. An all time classic, localization functions are used with no textdomain.

All in all: a very simple plugin which is a nice first attempt at grasping WP's internal wonders and its awesome hook architecture. But please, read this and make the next one look prettier :)

W3 Total Cache

Plugin's page

First there was WP Cache. Then WP Super Cache. Now WP Total Cache. I'm eagerly anticipating next year's WP Definitive Cache! :)

The plugin's page tells one thing: we're here for serious stuff. Nothing fancy, basically a feature list with lots of rather technical scary jargon. We're sent to wp.org/extend for more, where there's an install procedure (again, scary stuff) and an interesting FAQ that tells more about the plugin and how it works. Nothing is wrong with the scary stuff by the way, it's totally OK to implicitly warn readers that they'll need to understand a few things about a few stuff, and it's anyway much better than letting insufficiently prepared users mess with their blog.

The plugin's code looks like high class stuff and is well commented. The plugin adds its JS and CSS on all pages of the admin. There's a very suspicious code block that call_user_func() from an unchecked GET request, oh my, looks like anyone can simply delete your plugin config file with a simple call to site.com/?w3tc_action=deactivate. Anyone can trigger any function from the main class TotalCache.php, that's a high priority security hole. The option pages do not use anything like nonces. The plugin FAQ refers to other cache plugin uninstall procedures, but this plugin itself doesn't have one.
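A request-driven action handler that closes the hole described here, and the similar unchecked `$_GET['page']` handling noted in the Theme Options review above, as an added example. It is not W3 Total Cache's code; the class, the `excache_action` parameter and the action list are hypothetical.

```php
<?php
/*
Plugin Name: Example Cache Actions (illustration only)
*/
// Hypothetical names: the Excache_ class, the 'excache_action' parameter
// and the two actions exist only for this example.

class Excache_Admin_Actions {

	// Allowlist: request value => array( method to run, capability required ).
	// Anything not listed here can never be called, whatever the request says.
	private static $actions = array(
		'flush'      => array( 'do_flush', 'manage_options' ),
		'deactivate' => array( 'do_deactivate', 'activate_plugins' ),
	);

	public static function init() {
		// admin_init only fires under wp-admin, so a front-end URL such as
		// site.com/?excache_action=deactivate never reaches dispatch().
		add_action( 'admin_init', array( __CLASS__, 'dispatch' ) );
	}

	public static function dispatch() {
		if ( ! isset( $_GET['excache_action'] ) || ! is_string( $_GET['excache_action'] ) ) {
			return;
		}
		$action = sanitize_key( $_GET['excache_action'] );

		// 1. The name must be on the allowlist.
		if ( ! isset( self::$actions[ $action ] ) ) {
			wp_die( 'Unknown action.' );
		}
		list( $method, $capability ) = self::$actions[ $action ];

		// 2. The current user must hold the capability for that action.
		if ( ! current_user_can( $capability ) ) {
			wp_die( 'You are not allowed to do this.' );
		}

		// 3. The request must carry a nonce generated for this exact action,
		//    so a link planted on another site cannot trigger it.
		check_admin_referer( 'excache_' . $action );

		// call_user_func() is fine once the name comes from the allowlist
		// instead of straight from the request.
		call_user_func( array( __CLASS__, $method ) );

		wp_safe_redirect( admin_url( 'plugins.php' ) );
		exit;
	}

	// Build the link the admin screens should use; returns an escaped URL.
	public static function action_url( $action ) {
		return wp_nonce_url(
			admin_url( 'plugins.php?excache_action=' . sanitize_key( $action ) ),
			'excache_' . sanitize_key( $action )
		);
	}

	public static function do_flush() {
		delete_transient( 'excache_pages' ); // stand-in for real cache flushing
	}

	public static function do_deactivate() {
		deactivate_plugins( plugin_basename( __FILE__ ) );
	}
}

Excache_Admin_Actions::init();
```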

The plugin's interface is neat and split into several subpages. One of them is a gigantic 6500+ words FAQ that will mostly answer everything you'll ask without needing to visit the plugin's page — it's always nice to have documentation at hand. There's also a handy installation guide which covers installing Memcached, APC and the plugin itself. In this page, links to various subpages are hardcoded to /wp-admin/... so it will 404 if your blog is installed in a subdirectory.

All in all: I'm highly embarrassed to judge this plugin. On one hand, it deals with lots of stuff I don't use myself (a CDN, an Opcode cache like APC, Memcached) and which I'm definitely no expert at. Compared to the seminal WP Cache, this plugin looks light years ahead and does tons more than just writing flat files to cache page request. On the other hand, this highly critical security hole is a blocker and I would recommend not to install this plugin until this is fixed.
Note: as of writing this, I've contacted the plugin author to report this issue and it has been fixed. This review is totally outdated by now!

Widget Block

Plugin's page

This plugin will create widgets that display only on specified pages.

The plugin's page is interesting, as it compares Drupal's modules and WP's widgets. Then, a bit too far from the top if you ask me, comes a plugin description and then a screenshot. Now, where's the download button?… Ah there, found it, a tiny link lost in a paragraph of text. Make it bigger, you don't want people to miss it!

The plugin's code, bleh, me doesn't like. The widget creates an extra table in which to store its settings, and makes an extra SQL query on each page load to fetch those settings. I don't see the benefits of this versus simply storing settings in an entry of table wp_options. Then, to determine the current page, there's an oddly convoluted operation with $_SERVER['REQUEST_URI'] and others while, unless I'm missing something obvious, a simple check on global $id is enough and foolproof. The plugin file header doesn't mention the correct plugin URL, which will leave users lost in case they want to refer to the official page.

The widget interface needs improvement. You have to manually input URLs to include or exclude from the widget: if you have lots of them, this will get highly cumbersome. I would rather have an intuitive list or dropdown from which I could select categories or tag archives, pages, etc… Also, since there's a textarea where you can input text and PHP code (oh my, letting users input PHP code) a nice touch would be to have syntax highlighting, since this is now a built-in ability of WP.

All in all: here again we have a plugin that the average Joe, no offense Joe, will find satisfactory, but I would not recommend it.

WordPress Beta Tester

Plugin's page

This plugin by Westi, one of WP core developers, gives the ability to upgrade (via the built-in Core Upgrader) your blog using beta releases instead of stable public releases. The goal is to have more people use the beta release and get better feedback.

The plugin's page is on WP.org/extend so it's the usual no-fuss just-the-goods page: description, screenshot, download button, and the usual various little things such as rating, download stats and support link.

The plugin's code is, well, just what you expect from someone who pretty much *is* WordPress. The simplicity of Westi's plugin just shows how easy it is to interfere with WP with just a few lines of hooks.

All in all: the audience of this plugin is certainly limited, since the average user should not use it unless they feel confident they'll be able to identify dysfunctions and give valuable feedback (I expect the average user to generally just say "it doesn't work!" with no more details). The only thing I could suggest to improve all this would be to update the official page about nightly builds on WP and link to this plugin as an easier way to download beta versions.

WordPress Dashboard Twitter

Plugin's page

This plugin adds a Twitter client to your Dashboard to send tweets and direct messages and everything from your blog.

The plugin's page is empty and still under construction. The announcement on the plugin blog is pretty good though: short desc, feature bullet list, a "what this plugin is *not*" paragraph that makes a lot of sense, screenshots, more features, and download link. There's even a video introducing the plugin. Wow they even say this comes with their own URL shortener at wp.gd, how leet is that? :)

The plugin's code is very clean. The main plugin file is basically empty and require()s the needed components only if is_admin(), I like this. The main plugin class is very clean and commented, and starts by checking that WP and PHP versions are OK. It should check for cURL support too, since the function that shortens URLs and the whole Twitter class need it (hint). The whole plugin uses WP built-in Ajax functions, with proper nonce usage, and inserts its JS only on the Dashboard where needed (actually, it almost succeeds: it also adds it to index.php subpages such as index.php?page=akismet-stats-display

WP-Announcements

Plugin's page

This plugin displays site wide announcements (notice, survey, featured post, critical alert, etc), via a CSS popup or a marquee.

The plugin's page is very good: description, and screenshots explaining the process and the various options and settings you can play with, install, download and support link.

The plugin's code is easily readable. Since it's listing public stuff first, and admin stuff then, why not make 2 separate files and only load what's needed? The option forms use no nonces. There's an inelegant overuse of delete_option() and add_option(), but nothing that will break the blog. The plugin performs SQL queries without using the $wpdb object: this is bad practice because it makes you reinvent the wheel and it prevents your queries from being logged and potentially inspected if you suspect something is going too slow.

The plugin's option page lacks a bit of styling to have a more WordPressian look (no white space between option groups, no padding and text right next to the window left border, ewww). Using the plugin was a failure on my test blog: the problem is that the function that displays the announcement, triggered by hook wp_head, tries to setcookie() after output has started. As a result, an ugly warning Cannot modify header information - headers already sent by... displayed on top of every page of the blog. To set a cookie once the page output has started, you have either to use output buffering or to use JavaScript.

All in all: a few inelegancies in the code but nothing too ugly or critical that I would recommend to skip the plugin. I'm just a bit frustrated that it simply didn't work on my test blog.

The WordPress Bar

Plugin's page

Seen the Diggbar on Digg? This plugin says it will add the same features.

The plugin's page fails: I just didn't find a download link, even searching the page source for "download" or "zip". Besides my inability to find any download button, I would suggest a few changes to the page. Starting off with testimonials from Joe and Mary, whom I don't know and who have no authority, is useless and makes me expect the regular "Why wait? Buy now!!" button with a "time limited discount if you buy before tomorrow" badge. Who needs testimonials when you have comments? Or add them below the "What this plugin does" and the feature list that would make a very good intro. Then, I would swap the two screenshots: first show an example of what the plugin does, then show the many settings you can tweak. I would also add a link to a WPBar'ed site to show a live example of the plugin.

Reading the plugin's code shows several weaknesses. The function naming scheme is too simple (like function replace_link()). The plugin performs various SQL queries, including UPDATE ones, from an unsanitized $_SERVER['QUERY_STRING'] and without using $wpdb->prepare(). This is a *major* issue to fix ASAP. The option forms use no nonce and localization is done wrong with the classic ubiquitous error of the _e('string'); with no initialized text domain. The plugin fetches remote favicons using file_get_contents() which will not always be possible depending on server config, and without any limitation on timeouts so the whole page will hang if a site is unreachable. The plugin creates two tables in the database, so I find it unacceptable that there is no uninstall.php file or manual removal procedure explained to clean this up when you get rid of the plugin.

The plugin interface is a bit long to scroll, it would be better and prettier with a tabbed interface. Also, since you can select colors, icons and stuff, a live preview would be very cool.

All in all: if you don't totally hate this kind of bar that frames your site into another, this plugin is for you. I would suggest adding some cookie management so that a user could check "Never show me a frame again". But before anything, the plugin must be fixed regarding the SQL queries it performs — don't install it otherwise.
Note: as of writing this, I've contacted the plugin author to report this issue which was reported to be fixed. This review is outdated by now.
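
The fixes this review asks for, shown as an added example that is not The WordPress Bar's code: a bound parameter through $wpdb->prepare() instead of the raw query string, a favicon fetch with a timeout and cached failures, and an uninstall routine that drops the plugin's table. The table, the example_bar parameter and all function names are hypothetical.

```php
<?php
/*
Plugin Name: Example Bar Data (added illustration, hypothetical)
*/

// The pattern the review flags, kept as a comment so it never runs:
// request data concatenated straight into an UPDATE.
//   $wpdb->query( "UPDATE {$table} SET hits = hits + 1
//                  WHERE url = '" . $_SERVER['QUERY_STRING'] . "'" );

function example_bar_table() {
    global $wpdb;
    return $wpdb->prefix . 'example_bar_links'; // hypothetical table: url, hits
}

// Count a hit for ?example_bar=<url>. The value is read from $_GET,
// validated as an http(s) URL, and only reaches SQL as a bound %s.
function example_bar_count_hit() {
    global $wpdb;
    if ( ! isset( $_GET['example_bar'] ) || ! is_string( $_GET['example_bar'] ) ) {
        return false;
    }
    $url = esc_url_raw( wp_unslash( $_GET['example_bar'] ), array( 'http', 'https' ) );
    if ( '' === $url ) {
        return false;
    }
    $table = example_bar_table();
    return $wpdb->query(
        $wpdb->prepare( "UPDATE {$table} SET hits = hits + 1 WHERE url = %s", $url )
    );
}
add_action( 'template_redirect', 'example_bar_count_hit' );

// Fetch a remote favicon with a hard timeout and a size cap, and cache the
// outcome (failures too) so an unreachable site cannot stall every page.
function example_bar_get_favicon( $site_url ) {
    $host = parse_url( $site_url, PHP_URL_HOST );
    if ( empty( $host ) ) {
        return '';
    }
    $key    = 'exbar_fav_' . md5( $host );
    $cached = get_transient( $key );
    if ( false !== $cached ) {
        return $cached; // '' means "tried recently and failed"
    }
    $response = wp_safe_remote_get(
        'http://' . $host . '/favicon.ico',
        array( 'timeout' => 3, 'redirection' => 2, 'limit_response_size' => 65536 )
    );
    $icon = '';
    if ( ! is_wp_error( $response ) && 200 === (int) wp_remote_retrieve_response_code( $response ) ) {
        $icon = base64_encode( wp_remote_retrieve_body( $response ) );
    }
    set_transient( $key, $icon, $icon ? DAY_IN_SECONDS : HOUR_IN_SECONDS );
    return $icon;
}

// Create the table on activation and register the cleanup routine.
function example_bar_activate() {
    global $wpdb;
    $table = example_bar_table();
    $wpdb->query( "CREATE TABLE IF NOT EXISTS {$table} (url VARCHAR(191) NOT NULL PRIMARY KEY, hits BIGINT UNSIGNED NOT NULL DEFAULT 0)" );
    register_uninstall_hook( __FILE__, 'example_bar_uninstall' );
}
register_activation_hook( __FILE__, 'example_bar_activate' );

// Runs when the plugin is deleted from the Plugins screen.
function example_bar_uninstall() {
    global $wpdb;
    $table = example_bar_table();
    $wpdb->query( "DROP TABLE IF EXISTS {$table}" );
}
```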

WP-Devel

Plugin's page

WebDev Studios strike again, this time with a plugin that can show debug information (queries, load time, included files…) to developers.

The plugin's page is fine: description, feature list, screenshot, download link, support link.

The plugin's code has goods and bads.
The bads: way too simple function naming scheme (yet another update_options() so, sarcastically enough, this plugin won't run with their other plugin which has the same function name); everything is loaded in memory but is useless if !is_admin() or if the debug menu is disabled in the plugin, so why load everything in such a case? I guess this is the kind of plugin you run only on a development setup, but still. Options are not sanitized before storing or output.
The goods: proper storing of options in one DB entry from a properly nonce protected form, use of current_user_can() to make sure potentially sensitive debug info is not for everyone. There's a credit in the source comments to plugins that have helped or from which portions of code have been borrowed, this is a really nice touch.

The plugin interface doesn't really feel and look like a genuine WP option page: weird spacing, too compact. There are a gazillion checkboxes: a nice touch would have been quick links such as select all, deselect all and toggle all. The plugin produces a very neat menu just like the admin bar on wordpress.com with a lot of information. Didn't know this Krumo class the plugin uses, but it looks really cool.

All in all: another plugin for developers getting to understand what is going on under the hood. I would add an option to display all this debug info inside the admin area too, as some can really be handy when you code plugins or theme backends.

WP IRC

Plugin's page

Yet yet yet another plugin from Sudar Muthu. This one retrieves the number of people connected to an IRC channel and displays it in a sidebar widget. There's also an email alert feature, to send out notices after XX people have joined the channel.

The plugin's page is the typical Sudar's: clean, easy to read, short description on top, download link, screenshot, everything. Very fine.

The plugin's code is not Sudar's best. Things are messier than usual here, with inconsistent indentation and lots of stuff commented out as if it was a quick hack still under development. The plugin starts off by set_time_limit(0); which, in case PHP is not running in safe mode, is in my opinion a damn bad idea: if anything in the blog hangs (a remote request with no timeout for instance), the whole blog will hang forever. The plugin creates a table but the uninstall hook does not remove this extra table.
The code is not all that bad hopefully. There's proper option form security and data validation, options are stored in one DB entry.

All in all: well, I am not a huge fan of this plugin. The set_time_limit(0); in itself is a blocker for me, but more importantly I have the feeling this plugin is incomplete. Fetching user count, ok, sure, why not, but since we're opening a connection to an IRC server why not do other simple stuff such as getting the user list or the channel topic? The plugin does one thing and does it OK, so maybe I'm just a bit severe here, but I just can't help feeling that this is a work in progress that will, and that has to, evolve.

WP Native Dashboard

Plugin's page

This plugin enables per-user localization of the backend, instead of defining globally the language that the blog interface will use. At this very moment I know nothing more about this plugin but I already think this is a *killer* idea.

The plugin's page is nice: requirements, screenshot, explanations of what it is and what it's not (it's not something to translate your posts) and download links.

The plugin's code, what can I say? As far as I can judge it's terrific. Needed files are included only when needed. Option forms are properly secured with nonces, referrer and user privilege checking (the data is not validated, though). The plugin is also a nice example on how to manipulate remote files with WP_Http and WP_Filesystem classes.

Using the plugin is just as pleasant as expected and you immediately wonder how come WP does not act this way out of the box.

All in all: this one is definitely my favorite plugin of this year's competition. If you are managing a blog with several users from different languages, install this plugin. If you are managing a single user blog but write posts yourself in different languages, install this plugin as it will surely help you to have an interface in the locale you're currently using.

WP-Table Reloaded

Plugin's page

This plugin allows you to insert tables in your posts without typing or knowing any HTML, thanks to a simple interface that can even import or export tables from or to CSV, HTML and XML.

The plugin's page is pretty neat. Everything is there (short intro, screenshots, download link, changelog, etc…), and even more, but the page is not cumbersomely long thanks to collapsible blocks. The page also contains live examples of tables generated with this plugin, so after visiting the page you are absolutely certain about what this plugin is for.

The plugin's code is superb and heavily commented: the main plugin file is minimalist and loads either what's needed in the admin area or the files needed for the public blog front end, forms are nonced and referrer-checked, and everything looks really clean.

Using the plugin is not as cool as I would have hoped, as the interface is rather slowed down by too many page reloads. Adding or removing rows or columns has to be quicker and easier than the way it is currently, you should be able to do this on the fly via JS and not submit the page again. Plus, if while filling a table you realize you need an extra column and click to get one, everything is lost on next page refresh if you forgot to press "Save" first. The "Insert image" button did not work on my test blog (JS error tb_show is not defined).

All in all: not bad, but to be truly excellent the plugin needs two improvements I think. First, as I've said above, the interface page needs to be entirely javascripted and you should have to submit the page only *once*, ie when you are pleased with the table. Second, I think a simpler interface to allow a quick table insertion right from within the "Write Post" page would be a lot more efficient and friendly than having to go to a dedicated plugin page. The full featured dedicated page would be best for complex tables and everything, but definitely not if you just need to quickly insert a table you won't reuse anywhere else (ie probably 99.9% of the tables).

WP Update Message

Plugin's page

This plugin adds a notice to your pages or posts with a custom message, to let your readers know when and what has been updated.

The plugin's page is fine: short description, download link, then screenshots and plenty of additional information about the plugin and how to use it. The page contains an update message on top of it, to illustrate what the plugin is for — nice touch.

The plugin's code is clean, but has inconsistent and too generic function names (update_message_box() or custom_post_info()). The use of nonces seems odd to me (not used where I expected them, but also used where I didn't). Nothing too critical, and nothing much else to say as this is a rather short plugin.

Using the plugin is simple. It comes with several nice CSS presets, so hopefully one of them will match your blog. You can either pick an automatic location for the notice (top or bottom of posts, or both) or elect to manually insert a PHP template tag.

All in all: a simple plugin, a simple task, and a good result in the end.

And that's it

Man, WordPress says that's nearly 14,000 words. Mark from Weblogtoolscollection wrote that judging was a "mammoth task" and boy I do agree:)
Edit: hey this is my post #1337. WP FTW!


Metastuff

This entry "WordPress Plugin Competition 2009: 43 Reviews" was posted on 29/09/2009 at 11:37 am.

18 Blablas

  1. Brad says:

    Thanks for the tips Ozh! It's obvious you spent a lot of time reviewing plugins for this competition, and not only giving a thumbs up or down you actually give sound advice on what should be done. Hats off to you for dedicating so much of your time to this competition and really helping out plugin authors with your tips and knowledge.

    Might be interesting to know what version you reviewed of each plugin? Looks like I have some plugins updates to do today! :)

  2. Frank says:

    Hello Ozh,
    thanks for your time and reviews. My plugin Debug Objects was a small idea and provide informations for developer to understand WordPress a little bit better. I think, I write not a translation in English on my blog, my blog is a blog for German people and the site on the repository is in English. My English is very bad and it's very hard for me to write a documentation for all my plugins. Maybe other developer write in German about his plugins? ;-)

    Thanks for the title "German WP star" – this definitely exaggerated. WordPress and webworks are only a hobby, not more. I code a little bit with PHP and learn all my knowledge as autodidact.

  3. Emmanuel says:

    It is always interesting to have a technical and objective opinion on his work, especially if comments come from an authority. This allows progress.

    When I develop a plugin, my first objective is to meet my needs. Then if this plugin is clean or usable, I publish it. This explains the creation of this plugin.

    I totally agree with your conclusion: the plugin would certainly be more successful if I had written it two years ago.

    Thanks again for your work.

  4. Ron says:

    Ozh, thanks for the time you put into reviewing the plugins and writing this post AND the reminder to update the URL in the readme.

    On the nonce, the WP export does not have nonces in it. One reason I can see for that is someone could set up an automated export (ex. with lynx) to do backups to their local computer. So, in tossing the coin on whether to include nonce, function/utility won out over convention/form.

    I did submit a ticket to trac to have the code rolled into core:

    http://core.trac.wordpress.org/ticket/10317

    I'm hoping that there are enough people to give it some support that it gets rolled in.

  5. demetris says:

    The length of this post is intimidating. :-D

    Thank you, Ozh!

    Cheers!

  6. Ryan says:

    Thanks for the review :) Constructive criticism is always a good thing.

    Most of the things you mentioned I was aware of and was fixing. The $_POST issue I most definitely was not aware of. As soon as I saw your post I released a security release with a patch that plugged the hole.

    I genuinely appreciate the critique, I'm slightly baffled by how my code is 'indented weird', but I guess that's just a personal preference thing. I'm intending to start using the WP coding standards methods even though they're not the way I prefer to do them (simply for consistency). I've given my code to others to critique in the past, in fact I've paid people for it, but I think people are generally too polite (and I obviously didn't go the right person). If something sucks, let the person know it is my approach. No one will improve if they never get any good feedback.

    One minor complaint: If you are going to report security vulnerabilities please let the plugin developer know before posting them in public. I nearly pooped myself when I realised what I'd done. After a frenetic recode I got a patch out within an hour or so, but having a little more time up my sleeve would have been nice.

    I'll see if I can get the rest of the things you didn't like fixed this evening, but I'm not rating my chances of getting it done before the sun rises :)

    Thanks again for all your hard work reviewing all the plugins :)

  7. Ozh, that was a nice and interesting read. Thanks for reviewing the whole bunch of plugins (and mine), and giving hints and critique about 'em to improve plugin quality. I'm definitely going to release maintenance updates soon for the 2 plugins I entered the competition.

    On a side note, I'm happy to see the german contestants' plugins did a fairly well job in this 2009 Competition. :)

  8. Great reviews Ozh.

    Not sure what to think about "SEO Ultimate," considering that they actually use All in One SEO Pack on the site itself.
    :)

  9. Sudar says:

    Ozh,

    Thanks for the time and the reviews. It's always good to get constructive criticism and that too from someone with authority. I am modifying my Plugins to fix the things that you have reported.

    I have a small request. It would be helpful if you could add named anchors for each Plugin, so that we could link to that particular part of the document using #pluginname.

  10. John says:

    @Michael Torbert:

    We'll be moving the site over to SEO Ultimate once I create an importer to move over years' worth of post metadata from All in One SEO Pack.

    – John
    SEO Ultimate developer

  11. Ozh says:

    Sudar » I added names to all h2 elements. Good luck on updating all the plugins :)

  12. Sudar says:

    Thanks for adding names to all h2 tags.

  13. Greg says:

    Howdy Ozh,

    Does it make your job easier to be able to mark a plugin off your list as 'done' because you don't like the way the source code is indented?

    I'm sure you know the difference between code and code formatting, but over and over and over again in your 'reviews' above, you conflate the two terms — giving us your gut reaction to code formatting as if it were a critical evaluation (or even a vaguely well-informed evaluation) of actual code.

    Of course I'm biased, because it seems you were unable to get past my own apparently heinous code formatting choices while dumping all over my actual code. Since I had hoped for substantive feedback on my plugin, I'm pretty disappointed that the code didn't even get a serious look because its formatting wasn't good enough for you. I really would have valued feedback on something other than formatting.

    I get it: you like pretty indentation. But most programmers do know how to tweak source code display to suit their own preferences — rather than expecting everyone else to divine and agree with (or at least comply with) their own personal requirements.

    http://lmgtfy.com/?q=php+source+code+prettifier

    I'm going to stick with writing code for users, formatting my code so it suits how I like to view it, and asking for feedback from folks who are more interested in grasping code than critiquing code formatting.

    Oh well,
    Greg

  14. Ozh says:

    Greg » I guess you talk about "Greg's High Performance SEO".

    It's not like I'm a crazy person who gives overrated importance to *basic* code formatting. It's just the way everybody should do it. Yes, obviously, if it's unreadable, I don't read it. No, I'm not going to spend an extra 20 mn on top of every hour or so that a single review requires to reformat your crappy stuff. Maybe once it's readable it'll be neat, maybe not. And no, I don't "conflate code and code formatting". But if food *smells* like shit, I don't *taste* it. Same thing for code.

    Thank you for thanking me for spending my free time reviewing for free your plugin. Now if you want more feedback on your code, feel free to HIRE somebody (or me, even).

  15. Greg says:

    Hey Ozh,

    I get the sense there's not a thing in the universe I could say that might encourage you to try out another person's perspective, even if only for a moment or two.

    So thank you for your time. You have gone to pains to remind us that you have spent your free time reviewing plugins for free — and even invited me to hire you if I want any substantive input on actual code. So, I am guessing it would be a poor investment of my own time to put further effort into highlighting what seems to me like an important distinction between reviewing indentation and reviewing code.

    Thanks again,
    Greg

  16. redwall_hp says:

    Thanks for the review of Tweetable. I will try to address the problems you found, though it may take me a little while to get to everything.

  17. Hey, Ozh, thanks for the comments. You caught several things I knew I needed to work on and a few I didn't!

  18. No questions that all these plugins are very competitive. That's why I like reading this post!
