The WordPress plugin directory has always had a noise problem, but AI is turning that noise into a wall of static. Reviewers are drowning in submissions, site owners can’t find quality plugins, and the people maintaining the directory are being asked to solve a structural problem with the same manual tooling they’ve had for years. After auditing dozens of WordPress sites for clients, I’ve watched this play out on the ground level—and it’s getting harder to ignore.

Here’s how I think about the problem, and what it actually means if you’re building or buying plugins right now.

1. The AI submission surge

The WordPress.org plugin review team is seeing a significant jump in submissions, and most people in the community agree AI tooling is the reason. Generating a plugin that passes initial automated checks is now a weekend project for someone with no WordPress background at all. The barrier to submission has collapsed, but the barrier to quality hasn’t moved.

What that means in practice: reviewers spend time on plugins that will never be maintained, never get a support reply, and probably shouldn’t exist. The real cost isn’t the review time itself—it’s the opportunity cost. Genuinely useful plugins from small developers sit in the queue longer because the queue is full of AI-generated chaff.

I’ve seen this from the other side too. When a client asks me to find a lightweight plugin for a specific feature, the search results have always been cluttered. Now they’re cluttered and the new entries are often thin wrappers around a single API call, built with no thought for edge cases, updates, or security.

2. Discoverability is already broken

Before AI submissions became a talking point, the directory’s discoverability was already a mess. Search on WordPress.org is notoriously bad—it surfaces plugins by active installs and ratings, which heavily favors incumbents regardless of quality. A plugin with 200,000 installs from 2018 that hasn’t been meaningfully updated ranks above a well-maintained plugin from 2023 with 500 installs.

The result is a feedback loop:

  • Old plugins get found because they have installs
  • New quality plugins can’t break through without external marketing
  • AI-generated plugins game whatever signals exist by flooding the namespace

Ideas floating around in the community include better WordPress.org account integration (linking a plugin’s reputation to the author’s broader contribution history), and tiered or curated sections for plugins that meet higher standards. Both are sensible. Neither is fast to implement.

3. AI disclosure — why it matters to me

One proposal getting attention is requiring plugin authors to disclose when a plugin was substantially written by AI. I’m genuinely in favor of this, but not for the reason most people assume.

The issue isn’t that AI-generated code is always bad. I use AI tooling in my own development work and it can produce solid output for well-defined, narrow tasks. The issue is accountability. When a security vulnerability is found in a plugin, the question isn’t “was this written by AI?”—it’s “does anyone actually understand this codebase well enough to patch it?” AI disclosure is a proxy for that question. If an author can’t tell you what their plugin does without re-prompting a model, they can’t maintain it either.

From a WordPress development standpoint, I’d go further: disclosure should be paired with a basic competency check on the submission. Not a full code audit, but something that confirms the author can read and reason about what they’re shipping.

4. Premium plugins and the open-source tension

The other thread in this conversation is whether WordPress.org should officially support or surface premium plugins—freemium listings, paid tiers, or even just a way to signal “this plugin has a commercial backer and a support contract.”

This one is genuinely messy. WordPress’s identity is built on GPL and open-source ideals. But the plugins powering most serious production sites—WooCommerce extensions, Advanced Custom Fields, Gravity Forms—are commercial. Pretending otherwise doesn’t serve anyone.

The argument for embracing commercial plugins in the directory: it gives the directory relevance it’s losing to Envato, individual vendor sites, and now AI-generated marketplaces. The argument against: it creates incentive structures that pressure free plugin authors and muddies the waters on what “WordPress.org endorsed” actually means.

My honest take—the directory should stay free-only, but build a better verification layer for commercial developers who do maintain free plugins. Right now there’s no way for a site owner to distinguish between a free plugin maintained by a company with ten engineers and one maintained by a developer who last pushed a commit in 2021.

5. What I actually do for clients

Given all of this, I’ve stopped treating the WordPress.org directory as a first stop for plugin recommendations. Here’s the actual process I follow:

  • Check the changelog first. If there’s no update in 12 months and the plugin touches anything security-adjacent (forms, user roles, file uploads), I skip it regardless of install count.
  • Look at the support forum response rate. The directory shows this. A plugin with 100 unresolved threads and no author responses is a liability waiting to happen.
  • Read the code for anything touching data or auth. Not the whole plugin—just the entry points. Fifteen minutes with the main plugin file tells you a lot about whether the author understood what they were building.
  • For performance-critical installs, audit the plugin’s DB queries. A surprising number of “lightweight” plugins hammer the database on every page load. This is where proper WordPress speed optimization gets undermined—you can tune everything else and a single poorly-written plugin wrecks your TTFB.
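The first three checks above, written as a triage script. This is an added example, not the author's own tooling: the `meta` keys (copied by hand from a plugin's directory page), the 50% unresolved-thread threshold and the regex heuristics are assumptions, and the sample plugin file is constructed.

```python
import re
from datetime import date
# Where outside input enters a WordPress plugin: the lines to read first.
ENTRY_POINTS = {
    "ajax, no login required": r"add_action\(\s*['\"]wp_ajax_nopriv_",
    "ajax, logged-in": r"add_action\(\s*['\"]wp_ajax_(?!nopriv_)",
    "admin-post handler": r"add_action\(\s*['\"]admin_post_",
    "REST route": r"register_rest_route\s*\(",
    "raw request data": r"\$_(?:POST|GET|REQUEST|FILES)\b",
    "database call": r"\$wpdb->(?:query|get_results|get_var|get_row)\s*\(",
}
# Security-adjacent areas named in the checklist: forms, user roles, file uploads.
SENSITIVE = re.compile(r"\$_POST|\$_FILES|wp_handle_upload|add_role|add_cap|wp_insert_user")
# Calls whose complete absence from the file is worth a note (heuristic, assumed list).
GUARDS = ("current_user_can", "check_ajax_referer", "wp_verify_nonce", "$wpdb->prepare")

def entry_points(php):
    """Return (line number, kind, source line) for every entry point found."""
    hits = []
    for n, line in enumerate(php.splitlines(), 1):
        for kind, pattern in ENTRY_POINTS.items():
            if re.search(pattern, line):
                hits.append((n, kind, line.strip()))
    return hits

def triage(meta, php, today):
    """Apply the checklist; return (verdict, reasons)."""
    reasons = []
    if (today - meta["last_release"]).days > 365 and SENSITIVE.search(php):
        return "skip", ["no release in 12 months and touches forms, roles or uploads"]
    unresolved = meta["threads"] - meta["threads_resolved"]
    if meta["threads"] and unresolved / meta["threads"] > 0.5:  # assumed threshold
        reasons.append(f"{unresolved} of {meta['threads']} support threads unresolved")
    missing = [g for g in GUARDS if g not in php]
    if entry_points(php) and missing:
        reasons.append("never calls: " + ", ".join(missing))
    return ("review" if reasons else "ok"), reasons

# Constructed sample: hand-copied directory stats and a made-up main plugin file.
SAMPLE_META = {"last_release": date(2024, 11, 2), "threads": 12, "threads_resolved": 3}
SAMPLE_PHP = """<?php
add_action('wp_ajax_nopriv_save_note', 'demo_save_note');
function demo_save_note() {
    global $wpdb;
    $wpdb->query("INSERT INTO {$wpdb->prefix}notes (body) VALUES ('" . $_POST['body'] . "')");
}
"""
if __name__ == "__main__":
    print(triage(SAMPLE_META, SAMPLE_PHP, date(2025, 3, 1)), entry_points(SAMPLE_PHP))
```

A `review` verdict points at the lines where the fifteen-minute read should start; the pattern matches narrow the reading, they do not replace it.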

None of this is new advice. What’s changed is the volume of plugins that fail these checks. Five years ago I’d find one or two duds in a typical plugin audit. Now it’s closer to half.

6. Where this is heading

The WordPress project has a habit of moving slowly on infrastructure problems until they become crises. The plugin directory is approaching that point. The combination of AI-generated submissions, broken search, and no clear commercial plugin strategy means the directory’s signal-to-noise ratio is declining faster than the team can address it manually.

The most realistic near-term outcome is some form of tiered review—a fast-track for known contributors and a stricter queue for new authors. That won’t fix discoverability, but it might stop the queue from collapsing under its own weight. Longer-term, the community needs to have the commercial plugin conversation honestly rather than treating it as a threat to open-source values.

If you want to go deeper on the policy side, the WP Tavern episode with Luke Carbis is worth 40 minutes of your time—he’s closer to this problem than most.

If you’re inheriting a WordPress site with an unknown plugin stack, or building something new and want a second opinion on your choices, book a call—a plugin audit is usually the first thing I do on any engagement.