As some of you know, we have been working very hard on the new Super Captcha to get it back on WordPress.org.  We have followed nearly every guideline available in the coding of the new plugin including ensuring that it will be compatible with the next version of WordPress and PHP.

After having our plugin removed a year ago because the moderators didn’t like the idea that we asked for a link-back to our website for credit after opening the source-code to them for the technology of a revolutionary 3D captcha, we decided to make this software a service-based plugin instead of giving all the source-code away.

Here is the reply we got from WordPress.org:

There are issues with your plugin code

## Errors on site when testing with WP_DEBUG

Please re-test your plugin with WP_DEBUG set to true. When we tested your plugin, it came up with numerous errors and alerts, which would cause problems for users.

Fatal error: Can’t use function return value in write context in /home/test/plugins.test.net/wp-content/plugins/newsupercaptcha/newsupercaptcha.php on line 220

We suggest you read this: http://codex.wordpress.org/WP_DEBUG

Also you can install the WP Debug Bar on your test site – http://wordpress.org/plugins/debug-bar/ – in order to track down errors.

## Your admin dashboard is an iframe

Having the admin dashboard be just an iframe isn’t permitted.
We don’t permit plugins to phone home like that (for two main reasons – security and appearance – too often people assume that they just signed into WORDPRESS and not your plugin). Please change your code to use an API or just link back to your site so they can configure things there.

https://my.goldsborowebdevelopment.com/submitticket.php

That can be a link, but not an iframe or thickbox. Better would be to properly use an API setup and push data.

The same goes for https://my.goldsborowebdevelopment.com/cart.php

## Making license checks

We do not permit plugins to phone home for license validation unless the plugin is providing a service that cannot be completed on the user’s server.

For example, a plugin like Akismet is processing spam on their own servers, and passing the data back to the users via an API. This is a service.

On the other hand, a plugin that simply validates a license and ‘unlocks’ functionality that’s already in the plugin is not a service.

This is explained in more detail in our guidelines (http://wordpress.org/plugins/about/guidelines/) under “Serviceware”
Please remove the license check from your plugin. Alternately, you may provide more information as to how you are providing a service. Remember. The service needs to be running from an external server.

## Incomplete Readme

You’re calling MyGWD’s Spam DB in multiple places, but you’ve not actually mentioned that in the readme. You MUST be perfectly clear in your readme that this is a service.

Plugins that send data to other servers, call js from other servers, and/or require passwords and APIs to function are required to have a full and complete Readme so we can make sure you’re providing the users with all the information they need before they install your plugin. Our goal with this is to make sure everyone knows what they’re installing and what they need to do before they install it. No surprises.

This is especially important if your plugin is making calls back to your own servers. For the most part, we do not permit offloading of images or code, however in the case where you are providing a service (like Disqus or Akismet or Twitter), we permit it. The catch is you have to actually explain this to the layman in your read me, so they know where data is going.

Your read me MUST validate per http://wordpress.org/plugins/about/validator/ or we will reject it. Keep in mind, we don’t want to see a readme.MD. Among other things, the formatting for markup is different, and the filetype isn’t read by our system. (And if you’re thinking “Hey, I did submit a read me!” then it’s likely we felt it wasn’t informative enough.)

Please create your read me based on this one: http://wordpress.org/plugins/about/readme.txt

Alternately, you can use this tool to generate one: http://tools.trepmal.com/wp-readme-generator/

Please send a link so the completed plugin can be downloaded. Alternately you can reply to this and send a .zip file. Note: We would like you to send the whole plugin, not just the read me, as we will re-review your entire code as a whole.

When you’ve corrected your code, reply to this email with the updated code attached as a zip, or provide a link to the new code for us to review.

There are a few things wrong here:

  1. Our plugin is programmed to use the latest versions of PHP. The error they mentioned is only present in legacy versions of PHP (PHP 4.4 and lower).
  2. Our entire admin panel isn’t an iframe. In fact, only a small part is, one that allows users to see the output of the CAPTCHA and test it without leaving the admin panel — the rest of the configuration options are all coded directly into the admin panel.
  3. Our plugin does not offer any “checking” of any kind locally. All checks are remote and called from spam.goldsborowebdevelopment.com.
  4. They just admitted inside the response that the plugin queries spam.goldsborowebdevelopment.com several times.
  5. It was very clear in the readme that we are providing a service, and the inclusion of a TOS and EULA solidifies that fact.

There is no other reason why they would have declined this software from inclusion other than they don’t like competition with their flagship plugin, Akismet.

Some evidence.

Line 221:

<?php if( !empty( esc_attr( get_option('distortion') ) ) ): ?>; CHECKED<?php endif; ?>

Line 224:

<?php echo %thisresult; ?>
<?php $this->getCaptchaImage(); ?>

And directly from the readme and description:

Entire Security Service Suite centered around an easy 3D Captcha that provokes deduction skills to solve it.

So here is what I have done. I have removed all features which involve iframes. I have additionally added an “Allow Testing” option in the control panel that, when checked, will allow the CAPTCHA to be shown; otherwise it will not display.

I have additionally made all licenses and TOSes available within the plugin so it doesn’t have to “phone home” to grab them. As you may know, this severely limits our ability to enforce our own Terms of Service in our right to change the TOS at any time for any reason.

And I have also suppressed the errors that I think they were talking about even though line 220 is not php code at all, it is simple, valid, HTML. This will not force the program to be compatible with PHP 5.3 and lower though, it simply prevents that error from displaying on PHP 5.4 and lower.
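
The write-context error quoted in the review comes from calling `empty()` on a function's return value, which PHP accepts only from version 5.5 onward; earlier versions allow only a variable there. The following is an added example, not code from the plugin: it assigns the option to a variable before testing it, so the check compiles on any PHP version without suppressing errors. The function name `nsc_distortion_checkbox`, the checkbox markup, and the stand-in `get_option()`/`checked()` definitions are assumptions so the snippet runs outside WordPress.

```php
<?php
// Stand-ins (assumptions) so this runs outside WordPress. Inside WordPress
// the real get_option() and checked() already exist and these are skipped.
if ( ! function_exists( 'get_option' ) ) {
    function get_option( $name, $default = false ) {
        $constructed = array( 'distortion' => '1' ); // constructed sample value
        return isset( $constructed[ $name ] ) ? $constructed[ $name ] : $default;
    }
}
if ( ! function_exists( 'checked' ) ) {
    function checked( $checked, $current = true, $echo = true ) {
        $out = ( (string) $checked === (string) $current ) ? " checked='checked'" : '';
        if ( $echo ) {
            echo $out;
        }
        return $out;
    }
}

// Pattern from the quoted line 221. Before PHP 5.5 this is a compile-time
// fatal error, because empty() is handed an expression instead of a variable:
//   if ( ! empty( esc_attr( get_option( 'distortion' ) ) ) ) { ... }

// Portable form: read the option into a variable, then test the variable.
// esc_attr() is an output-escaping helper and is not needed for a truth test.
function nsc_distortion_checkbox() { // hypothetical helper name
    $distortion = get_option( 'distortion' );
    $attr       = checked( ! empty( $distortion ), true, false );
    // Hypothetical markup; only the option name 'distortion' is from the page.
    return '<input type="checkbox" name="distortion" value="1"' . $attr . ' />';
}

echo nsc_distortion_checkbox(), "\n";
```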

So, even though we’ve had to rip out many features in this plugin if they will still decline it. I’m just curious at this point if I have to remove the words “Anti-Spam” from the plugin to get it approved so it doesn’t attempt to rival their plugin, Akismet.