WordPress Plugins - check before you upgrade automatically

Back to the real reason why Permalink Redirect 2.0 was released. When you visit your WordPress' plugin manager page, and see the following notice...

Permalink Redirect Upgrade, or Not

... do not click on "upgrade automatically". Let me repeat, Do Not Click on Upgrade Automatically. Because if you do, you will not be upgraded to Permalink Redirect 1.0, but rather a completely different plugin will be installed.

Over the past week I have been notified by a few people about a strange behaviour after they have let the WordPress Automatic Plugin Upgrade to upgrade their Permalink Redirect plugin for them. Instead of getting an upgrade, another plugin of the same name, Permalink Redirect by Joost de Valk, has been installed instead. It has been asked on WordPress support forum, and it turns out that Joost's plugin has registered the slug "permalink-redirect" on WP's plugin directory which I assume is where the version number is checked. So when Joost bumped the version number to 1.0 a few days ago, suddenly everyone with Permalink Redirect installed gets that automatic upgrade option...

Here is what I have posted on WordPress.org regarding this issue, and so far there is no response.

Hi. This is an issue recently raised by users of one of my WordPress plugin.

I wrote Permalink Redirect back in 2005 to solve the issue of canonical permalink URL, and it has been downloaded many times and installed on many WordPress sites. Its core functionality has been integrated into WordPress 2.5 although it is now doing a bit more that just fixing the permalink. Currently the version in my own Subversion repository is 0.8.5 and is compatible with WP 2/2.5/2.6.

Then one of my users notified me that when he visited the plugin management page, the Permalink Redirect plugin has been marked that a new version is now available. User has been given the option to download or upgrade it automatically. To his horror, after the upgrade my plugin now ceases to be installed, and a complete different plugin with the same name but different author is now installed and activated.


Now my question is, how can two totally independent plugins with different author and different plugin URL be allowed to be replaced by one another? Moreover, I would like to know whether there's any solution in this situation.


Being able to replace someone else's WordPress plugin almost-automatically by registering the same name on WordPress.org -- this is a serious issue. While the code is hosted on Wordpress.org, but I do not thing the code is audited by Automattic/WordPress developers. There is one scenario -- what if offending code that automatically insert spammy links to all your posts get automatically pushed to the end user? And I won't even talk about worse or more evil scenarios.

I do not think two independent plugins sharing the same name is an issue (although I do suggest that you do a Google search before start writing a new one). It is also partly my fault for not registering mine with WordPress.org (but why should it be centrally organised?) Anyway. Make sure you check very carefully before clicking on "upgrade automatically", or disable the automatic upgrade all together.

And the reason for Permalink Redirect 2.0? So it will be greater than 1.0 and you won't be bothered by WordPress' "kind reminder" that you need to "upgrade". Until Joost releases his next upgrade as Permalink Redirect 2008...