• *NOTE* My two primary questions are at the bottom of the post.

    Greetings – Recently I installed the free version 1.0 of a plugin. I do not want to name the plugin at this time for reasons which might become apparent below. The plugin developer seems to have done things differently, but I do not want to shame or embarrass them without knowing more myself.

    So I installed the free version of the plugin with no problem. As always seems to be the case, I needed a feature only available in the pro version of the extension. Not really an issue because the plugin is not that expensive. After purchase, I entered my license key and had access to the pro feature I needed. No problems with that, either.

    The problems started happening when I ran a malware scan using Defender Pro. It reported 43 apparently modified files. It compares the installed version with the version available from the WordPress repository and reports the differences.

    All 43 reported files were from the same plugin. When I randomly examined a couple of the files, the side-by-side comparison allowed me to see the differences. Some were pretty basic, like an empty line, while others were obvious code changes.

    I reached out to the developer to ask about the file differences. The developer replied “…We added a few custom fields and category-based orders in the plugin so that it’s become more user-friendly and also fixed some bugs also.
    By the way, we fixed the error which you found inside your error.log file.
    For that, firstly you need to delete the “redacted” plugin, install it from WordPress and activate the license key.
    Don’t worry, you will not lose your data.
    Your plugin license key: redacted”

    There had been some updates, although there were no notifications about any updates in the WordPress admin area. After following the instructions from the developer, indeed the new version was 1.1.

    Question 1: Why would a developer have a plugin that does not register an available update? It appears that the way the developer implemented the update does not follow the same conventions (whatever those are) used by other developers, since I frequently have update notifications and can usually implement those updates with a single click.

    Question 2: Is the way this plugin handles the free vs pro versions incorrect? I have no issue with paying for quality plugins. What I take issue with is the fact that a malware scanner identifies 43 changed files for this plugin, which is not something more sophisticated clients who access the WordPress admin area would generally accept. It almost seems as if some shortcuts were taken here, because I use other plugins that have both free and pro versions, and those plugins use a single plugin scheme rather than a free plus pro version (2 plugins installed) scheme.

    I would appreciate any insight into this plugin specifically, as well as the overall process of pro vs free activation, etc. I am relatively new to WordPress but have been working with other CMSs for nearly 20 years.

    • This topic was modified 3 years, 5 months ago by Jan Dembowski.
Viewing 3 replies - 1 through 3 (of 3 total)
  • 1. The update system in WordPress is only for the WordPress repositories. Anything external has to be done by the developer. In addition, the check is only run when there is a visitor to your site and the timer has expired.
    I think the ticket for adding a way to adjust the Update URI is going into WP 5.8.

    2. You said your malware scanner compares your code to the one in the WP repository. Since the pro version isn’t in the WP repository, of course there were differences. The guidelines for plugins in the WP repository say that a plugin may not send executable code (so it can’t update from somewhere else) and

    Plugins may not contain functionality that is restricted or locked, only to be made available by payment or upgrade.

    If you think the plugin from the WP repository is violating one of the guidelines, please report it to [email protected].
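    The Update URI mechanism referred to in point 1, as an added illustration (not the plugin from this thread and not code by anyone in it): a plugin declares an `Update URI` header and hooks the `update_plugins_{$hostname}` filter that WordPress 5.8+ runs during its update check. It assumes a hypothetical update host `updates.example.com` serving a JSON manifest with `version`, `url` and `package` keys.

```php
<?php
/**
 * Plugin Name: Example External Updater
 * Plugin URI:  https://example.com/example-external-updater
 * Update URI:  https://updates.example.com/example-external-updater
 * Version:     1.0.0
 */
// Hypothetical host: WordPress derives the filter name from the Update URI hostname.
add_filter( 'update_plugins_updates.example.com', 'eeu_check_for_update', 10, 4 );

/**
 * Called from wp_update_plugins(), which the wp_update_plugins WP-Cron event
 * fires roughly every 12 hours; without a real cron, WP-Cron only runs when a
 * visitor hits the site after the event is due (hence delayed notifications).
 *
 * @param array|false $update      Update data from an earlier filter, or false.
 * @param array       $plugin_data Parsed plugin headers (includes 'UpdateURI').
 * @param string      $plugin_file Plugin basename, e.g. "dir/plugin.php".
 * @param string[]    $locales     Installed locales.
 * @return array|false             Update description, or false for "no update".
 */
function eeu_check_for_update( $update, $plugin_data, $plugin_file, $locales ) {
    if ( 'example-external-updater/example-external-updater.php' !== $plugin_file ) {
        return $update; // not our plugin: leave another plugin's answer alone
    }
    $manifest = $plugin_data['UpdateURI'] . '/latest.json'; // constructed endpoint
    $response = wp_remote_get( $manifest, array( 'timeout' => 10 ) );
    if ( is_wp_error( $response ) || 200 !== wp_remote_retrieve_response_code( $response ) ) {
        return $update; // network failure: do not invent an update
    }
    $remote = json_decode( wp_remote_retrieve_body( $response ), true );
    if ( empty( $remote['version'] ) || empty( $remote['package'] ) ) {
        return $update;
    }
    // The package zip is unpacked and executed as PHP, so insist on HTTPS.
    if ( 'https' !== wp_parse_url( $remote['package'], PHP_URL_SCHEME ) ) {
        return $update;
    }
    // Core compares 'version' with the installed Version header itself and
    // files this under either response (update available) or no_update.
    return array(
        'id'      => $plugin_data['UpdateURI'],
        'slug'    => 'example-external-updater',
        'version' => $remote['version'],
        'url'     => isset( $remote['url'] ) ? $remote['url'] : $plugin_data['PluginURI'],
        'package' => $remote['package'],
    );
}
```

    A plugin that instead rewrites its own files after a license key is entered never passes through this path, which is why nothing shows up under Updates and why a checksum-based scanner flags every altered file.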

    Thread Starter boardboss

    (@boardboss)

    @joyously Thank you for the reply. I understand what you are saying in points 1 and 2. I am trying to understand *why* a developer might use the methods I describe.

    For example, Elementor (like many other plugins) offers both free and paid versions of their plugins. Others, like UpdraftPlus (as an example) and the other plugin I originally asked about, use a single plugin for both free and paid. Is one method better than the other? Why would a developer choose one method over the other, especially since the plugin I inquired about raises tons of alerts in the malware scanner?

    Again, I understand the why of the alerts. The plugin version in the repository is the free version, and when I purchased and activated the pro version the files on my server were changed. How is that different from my example plugin UpdraftPlus?

    I do not think the developer is intentionally violating any guidelines. Instead, I think the developer may not fully understand what they are doing and have created a great plugin but otherwise made a mess when it comes to maintaining that plugin.

    Bottom line is, IMHO, the developer created these issues because they have no idea what they are doing when it comes to managing the plugin, e.g., updating it and differentiating between free and pro versions.

    The “why” would only be speculation on my part. If you want to know, ask the developer. But since there is more exposure in the WP repository, it is likely they want that, and try to leverage the update system to notify about the pro changes since guidelines restrict what the free version can do.
    Plugins don’t have dependency information, like parent and child themes do.
    Again, if it’s a problem, report it to [email protected] or write a review so others can know before they buy.

  • The topic ‘Questions about plugin updates’ is closed to new replies.