I have been watching the WordPress directory closely this year, and if you think it is business as usual, you haven’t seen the data. WordPress plugin development is currently hitting a massive tipping point. The Plugins Team—formerly the Plugin Review Team—just released their 2025 retrospective, and the numbers are staggering: weekly submissions have doubled, stabilizing at around 330 per week. That is nearly 1,300 plugins a month hitting the queue.
For some reason, the standard advice has become “just let AI write it,” and frankly, it is creating a mess. While AI has lowered the barrier to entry, it hasn’t lowered the barrier for approval. We are seeing a flood of “first-time” developers shipping code that hasn’t been properly vetted, leading to a 40.6% increase in reviews required just to keep the directory from becoming a security wasteland.
The Data Doesn’t Lie: Scale vs. Quality
In 2025, the team reviewed 12,713 plugins. While approvals rose by 66%, there is a depressing statistic hidden in the report: nearly 4 in 10 plugins received zero reply from their authors after the first review. This is what I call the “ship and forget” syndrome. If you are serious about your project, you need to understand that navigating the WordPress plugin review process requires actual engagement, not just a prompt and a prayer.
Furthermore, the team detected over 59,000 issues this year. Scrutiny is getting deeper, not lighter. They are now using an AI-assisted Internal Scanner and the Plugin Check Plugin (PCP) to catch everything from branding violations to direct database queries that bypass security layers.
A Common Catch: The Direct DB Query
One thing the new automated scans are ruthless about is improper data handling. I’ve seen seasoned devs make this mistake when they are in a rush. PCP will flag this immediately during an update scan.
<?php
/**
 * The Naive Approach: Direct DB query without escaping.
 * The raw request value is interpolated straight into the SQL string.
 * This will trigger a security flag in PCP.
 */
global $wpdb;
$id      = $_GET['id'];
$results = $wpdb->get_results( "SELECT * FROM {$wpdb->prefix}custom_table WHERE id = $id" );

/**
 * The Senior Dev Approach: Prepared statements.
 * The %d placeholder makes prepare() cast $item_id to an integer before it reaches the query.
 * Use this to pass the WordPress Plugin Development security check.
 */
function bbioon_get_secure_data( $item_id ) {
    global $wpdb;

    return $wpdb->get_results(
        $wpdb->prepare(
            "SELECT * FROM {$wpdb->prefix}custom_table WHERE id = %d",
            $item_id
        )
    );
}
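The prepared statement above covers a single integer. The following added example (not code from the original post) goes one step further and applies the same rule to a variable-length IN list and a LIKE search, the two places where values most often get concatenated back into the query. The function name bbioon_search_items() and the `title` column are assumptions, and the code expects to run inside WordPress.

```php
<?php
/**
 * Added example, not from the original post.
 * Hypothetical names: bbioon_search_items(), columns `id` and `title`.
 * Runs inside WordPress, where $wpdb and the helper functions are loaded.
 *
 * @param mixed $raw_ids  Untrusted id or list of ids (e.g. from the request).
 * @param mixed $raw_term Untrusted search term.
 * @return array Matching rows, or an empty array when no valid id was given.
 */
function bbioon_search_items( $raw_ids, $raw_term ) {
	global $wpdb;

	// Cast every id to a non-negative integer, then drop zeros and duplicates.
	$ids = array_values( array_unique( array_filter( array_map( 'absint', (array) $raw_ids ) ) ) );
	if ( empty( $ids ) ) {
		return array(); // "IN ()" is invalid SQL, so stop before querying.
	}

	// Build one %d per id. Only placeholders are concatenated into the SQL,
	// never the values themselves.
	$in_placeholders = implode( ', ', array_fill( 0, count( $ids ), '%d' ) );

	// esc_like() escapes the LIKE wildcards (% and _) in the user's term;
	// prepare() still does the quoting when it fills in %s.
	$term = sanitize_text_field( wp_unslash( (string) $raw_term ) );
	$like = '%' . $wpdb->esc_like( $term ) . '%';

	$sql = "SELECT id, title FROM {$wpdb->prefix}custom_table
		WHERE id IN ( $in_placeholders ) AND title LIKE %s";

	// prepare() accepts the values as a single array: the ids first, then the LIKE term.
	return $wpdb->get_results(
		$wpdb->prepare( $sql, array_merge( $ids, array( $like ) ) )
	);
}

// Example call with request data:
// $rows = bbioon_search_items( $_GET['ids'] ?? array(), $_GET['q'] ?? '' );
```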
Leveraging the Plugin Check Plugin (PCP)
If you aren’t running PCP locally or in your CI/CD pipeline, you are making your life harder. Since October 2025, the team has implemented automatic scans on every single version update. This is a proactive measure to stop vulnerabilities from reaching the end-user. If you want to keep your “approved” status, your plugin standards need a serious checkup.
I recommend using the WP-CLI interface for PCP. It’s faster and allows you to integrate it into your deployment scripts. For more on using the command line for fixes, see my guide on fixing WordPress via WP-CLI.
# Running a check on your plugin slug via WP-CLI, reporting errors only
wp plugin check my-custom-plugin --format=json --ignore-warnings
According to the official GitHub Action documentation, you can even automate this on every push to your repository. This ensures you never ship minified files without source code or forbidden functions like eval().
Refining Your Workflow for 2026
The core takeaway from the 2025 report is that the “barrier” for approval hasn’t moved, but the scrutiny has scaled. The team is staying the same size while the volume of code is exploding. This means if your plugin isn’t clean, it will sit in the queue until it rots. Specifically, you should focus on implementing WordPress Coding Standards from day one.
Stop treating AI as a replacement for architectural logic. Use it to scaffold, but let your experience (or mine) handle the security, race conditions, and transients that actually make a plugin production-ready. The ecosystem is maturing, and the “wild west” days of the directory are ending. It’s time to code like it.