WordPress.org is introducing stricter requirements around AI-generated code disclosure, plugin ethics, and quality signals. For agencies managing multiple client sites, these changes redefine what responsible plugin vetting looks like, which plugins belong on a fleet, and how to set clear expectations with clients going forward.
The WordPress plugin directory is moving toward mandatory disclosure when a plugin’s code was substantially generated or assisted by AI tools. The plugin review team has signaled that plugins must now be transparent about their development process, particularly when AI-generated code is present, and that submissions lacking clear authorship accountability face closer scrutiny or rejection. Beyond AI disclosure, the updated standards tighten expectations around licensing clarity, data handling declarations, and removal of deceptive patterns such as fake review prompts or hidden upsell flows.
The practical effect is a higher baseline for what passes review. Plugins that previously cleared submission on minimal documentation now face questions about code provenance, third-party service dependencies, and whether AI-assisted sections have been audited by a human developer. For agencies, this is a signal and not just a policy detail: the directory is trying to separate accountable software from unaccountable software, and that distinction matters at every scale.
A plugin decision on one site carries site-level risk; the same decision replicated across a fleet of client sites carries fleet-level risk, and those two are not equivalent. When a plugin that fails the new AI disclosure standards reaches twenty client sites before anyone catches it, the exposure is not twenty times one site’s problem. It is a credibility event for the agency and a support burden that hits all at once.
Directory standards have historically functioned as a passive filter, a baseline most agencies trusted without much additional process. That trust was reasonable when the review team was the main gate. As AI-generated code makes it faster and cheaper to ship plugins, and as submission volume grows, the directory’s filter becomes necessary but no longer sufficient on its own. Agencies running fleets need their own gate that sits on top of the directory’s. The new standards give that internal gate sharper criteria to work from. For more on how AI is raising the risk profile of plugin updates at the fleet level, see how AI is changing the risk profile of WordPress plugin updates.
A fleet-appropriate plugin vetting process now needs to check for AI disclosure explicitly, not as a bonus question but as a required step before any plugin reaches a client site.
This process fits naturally into an agency runbook. Treat plugin approval the same way you treat adding a new vendor: a repeatable check, not a one-time judgment call.
Clients rarely think about plugin governance until something goes wrong, which means the agency that raises the topic first is the one that looks in control.
When the WordPress plugin directory tightens its standards, use it as an opportunity to document and share your agency’s plugin policy in plain terms. A short client-facing summary might cover: what the new directory standards require, why your agency runs its own vetting layer on top of the directory, and what that means for how plugins get approved or rejected on their sites. This is not a lengthy legal document. It is a clear statement that the agency takes plugin selection seriously and has a defined process for it.
Be specific about what the policy covers. Which categories of plugins require approval before installation? How does the client request a new plugin? What happens if a plugin already on their site fails a review under the new standards? Clients expect a professional answer to these questions, and an agency that can give one is harder to replace than one that cannot. For context on how update governance conversations with clients can go wrong, see what the SiteGround AI plugin controversy reveals about update governance for agency fleets.
The right move is a structured audit, not a blanket removal pass.
Start by listing every active plugin across the fleet and categorizing each one: actively maintained with known authorship, actively maintained but with unclear provenance, or unmaintained. For the unclear and unmaintained categories, apply the same disclosure checks you would use for a new plugin. Look for AI disclosure statements, review the plugin’s support thread for unresolved security reports, and verify that the version deployed across your fleet matches what the directory lists as current.
Plugins that fail the check fall into one of three buckets: replace, review further, or accept documented risk. Replacement is the cleanest outcome but not always the fastest. Review further means you have a reasonable expectation the plugin is sound but need more information before deciding. Accepting documented risk means you have reviewed the plugin, identified the gaps, and logged the decision with a plan to revisit it on a defined schedule, not indefinitely.
Fleet audits like this are easier to run and easier to repeat when the plugin inventory is centralized. An agency that has to log into each client site individually to answer the question of what is installed will find fleet audits impractical at any real scale. An agency that can query its full fleet from a single Command Center can run the same audit in a fraction of the time. The new directory standards are a good reason to close that gap if it exists.
WordPress.org’s plugin review team is moving toward requiring plugins to disclose when their code was substantially generated or assisted by AI tools. The standards also tighten expectations around licensing clarity, data handling declarations, and removal of deceptive patterns. Plugins that fail these requirements face closer scrutiny or rejection during the review process.
Yes. The directory’s review process is a baseline, not a comprehensive gate. Agencies running multiple client sites need their own vetting layer that checks for AI disclosure, declared third-party dependencies, and code-level red flags before any plugin reaches a fleet. The new standards give agencies sharper criteria to use in that internal review.
Run a structured audit: list every active plugin across the fleet, check each one for AI disclosure and maintenance status, and categorize plugins into replace, review further, or accept documented risk. The goal is not to remove everything at once but to make a documented, repeatable decision for each plugin under the new criteria.
Use the directory changes as an opportunity to share your agency’s plugin policy in plain terms: what you vet for, how clients request new plugins, and what happens if a plugin on their site fails a review. Clients with professional-tier relationships expect a clear answer to these questions. Raising the topic proactively positions the agency as the party in control of site quality.
The plugin review team has been signaling and implementing stricter standards, but the exact enforcement timeline and scope continue to evolve. Agencies should treat AI disclosure as a required check in their own vetting process regardless of where the directory’s formal policy lands, because the underlying risk of undisclosed AI-generated code is real whether or not the directory has formally rejected a plugin for it.
200 free credits. Just describe what you need.
See It In Action