Concerned Over How the WordPress Block Directory Works?


Among the many improvements being introduced with WordPress 5.5 is the block directory. Any time a new feature is introduced to WordPress, it is important for users to consider not only the ends, but also the means.

The End: Users will more readily be able to search and insert blocks. 👏🏾
The Means: Plugins masked as blocks. 🤔

I think it is important that we understand “the how” of what takes place when you search for and add a new block to your post or page. So, let’s take a moment and consider this introduction of the block directory.

Blocks Are Plugins

In my first experience searching and inserting a block from the directory, I was surprised to realize that, instead of adding an additional /blocks folder alongside /themes and /plugins within a WordPress install, the block directory is piggybacking off the plugin directory. That is, all blocks will be hosted as a subset of the plugin directory, and when you search for and retrieve a block in your editor, WordPress will be adding another tiny plugin to your site.

Searching the block directory via the editor.

No Manual Review

Most plugins are manually reviewed prior to being approved for the plugin directory. This ensures they abide by all guidelines. However, with blocks, developers will only need to run their blocks through a block auto-checker tool. If it passes, the plugin can be added directly to the directory. Said blocks can also be removed at any time by a contributor.

One Takeaway

These new processes reduce friction, making it very easy for developers to deliver blocks and for users to utilize blocks. And, while we are working to deploy that site with more ease or hit that publish button without delay, we must remember that this new process has a good many things happening out of sight. Hackers flock to hidden things. I’ve not followed the conversations that have been had as this workflow has come together, but I hope significant time has been spent on considering the security implications. When code can so readily be pushed from a developer to a swath of the WP ecosystem, we must proceed with caution.

Note: There is a way to disable the block directory.
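One way to do that, shown here as an added example that is not part of the original post: a small must-use plugin that turns off the block directory and logs every plugin install, so a block added from the editor leaves a visible trail. The file name `block-directory-guard.php` and the log prefix are hypothetical; the code assumes WordPress 5.5+ and PHP 7+.

```php
<?php
/**
 * Plugin Name: Block Directory Guard (added example)
 *
 * Save as wp-content/mu-plugins/block-directory-guard.php (hypothetical name).
 * Must-use plugins load on every request and cannot be deactivated from wp-admin.
 */

// 1. Stop the editor from loading the block directory UI.
//    Core registers this callback in default-filters.php, which runs before mu-plugins load.
remove_action( 'enqueue_block_editor_assets', 'wp_enqueue_editor_block_directory_assets' );

// 2. Remove the REST search route the inserter queries, so hiding the UI
//    is not the only thing standing between an editor session and the directory.
add_filter( 'rest_endpoints', function ( $endpoints ) {
	unset( $endpoints['/wp/v2/block-directory/search'] );
	return $endpoints;
} );

// 3. Log every plugin install and whether it arrived over the REST API,
//    which is the path the editor uses when a block is added from the inserter.
add_action( 'upgrader_process_complete', function ( $upgrader, $hook_extra ) {
	$type   = $hook_extra['type'] ?? '';
	$action = $hook_extra['action'] ?? '';
	if ( 'plugin' !== $type || 'install' !== $action ) {
		return; // Ignore theme, core and translation operations, and plain updates.
	}

	// plugin_info() returns the installed plugin's main file, or false on failure.
	$plugin = method_exists( $upgrader, 'plugin_info' ) ? $upgrader->plugin_info() : false;
	$via    = ( defined( 'REST_REQUEST' ) && REST_REQUEST ) ? 'rest-api' : 'admin-or-cli';

	error_log( sprintf(
		'[block-directory-guard] plugin installed: %s by user %d via %s',
		$plugin ? $plugin : 'unknown',
		get_current_user_id(),
		$via
	) );
}, 10, 2 );
```

Installs logged with `via rest-api` are the ones to review first, since a block added from the editor is installed that way rather than through the Plugins screen.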

Stay vigilant. Stay well. And happy publishing!
