WordPress.com Plugin Directory, Patchstack Bad News, ActivityPub 1.0 🗞️ October 2023 WordPress News w/ CodeinWP

📆  This is the October 2023 edition of “This Month in WordPress with CodeinWP.” 

Hey there, WordPress family. We are back with another batch of WordPress news and events from the last ~30 days.

In the biggest bit of news, there was some of the most heated #wpdrama we’ve seen in a long time, with well-known WordPress personalities duking it out on Twitter (or is it “X”?) over the WordPress.com plugin directory and WordPress governance in general.

Beyond that, we have a couple of articles about the WordPress.org plugin directory, THESIS is expiring its lifetime license, and you can vote in Template Monster’s 2023 awards.

Let’s get to all the WordPress news from the past month.

October 2023 WordPress News with CodeinWP

Strong debate about WordPress.com cloning the plugin repo

In the last month, the biggest bit of WordPress news was some #wpdrama about WordPress.com publicly* cloning the WordPress.org plugin repository and, in some cases, outranking the .org plugin listing pages.

*I believe that WordPress.com had already had the cloned repository for quite some time, but it’s only recently that they made the plugin listing pages indexable by Google.

It started with a tweet from John Blackbourn (see tweet a), the guy behind some really useful and entirely free plugins like Query Monitor, User Switching, and WP Crontrol.

It might not have been the most diplomatic way to address the issue, which John agreed on (see tweet b).

But as he also said, the point still stands.

This started a snowball rolling that included Matt Mullenweg jumping in, Matt blocking a prominent WordPress contributor, a WordPress Code of Conduct report, and lots of thoughts from the community.

While the impetus for all of the drama was the WordPress.com plugin directory outranking the WordPress.org directory in search and causing confusion for users, it seems to have spilled over into a much broader debate about WordPress governance in general.

Drama aside, there does seem to be a potential fix here (at least for the search rankings issue), despite some of the comments about being unable to control Google.

Since the WordPress.com plugin listing pages cloned the text descriptions from the WordPress.org listing pages, it seems to be a use case for the rel="canonical" tag.

This would tell Google that the original version of the plugin listing is at the WordPress.org directory, which seems like a factual statement.

So where do we stand at the end of September?

Well, WordPress.com has not added canonical links pointing to WordPress.org, so you still might run into the issue of WordPress.com plugin pages outranking WordPress.org plugin pages in some instances.

However, WordPress.com has added a message for logged-out users that tells them they can also download the plugin for their self-hosted WordPress installs. This addresses another issue that developers had, which is that the WordPress.com plugin listing pages made it seem like the only way to install the plugin was for users to purchase the WordPress.com Business plan.

If you want to read more, check out the first post from WP Tavern, as well as the follow-up post from WP Tavern.

[Tweet a: Twitter debate about WordPress.com cloning the plugin repo]
[Tweet b: Twitter debate about WordPress.com cloning the plugin repo, part 2]

Patchstack reports 358 plugins to the Plugin Review Team for unpatched vulnerabilities

If you’re not familiar with Patchstack, it’s a WordPress security plugin/service that also does a lot of its own security research and testing to detect issues in plugins.

If the Patchstack team finds a vulnerability, they normally reach out quietly to the developer to inform them of the problem. Once the developer has had time to release a patch for the issue and users have had time to update, Patchstack then responsibly discloses the vulnerability to the public.

That’s how it should work (and how it often does work).

But the Patchstack team has also built up a large library of 404 plugin vulnerabilities where the plugin developer has not patched the plugin, either because Patchstack was not able to contact the developer or because the developer just flat-out abandoned the plugin.

These 404 vulnerabilities were spread across 358 unique plugins, as some plugins had more than one.

While Patchstack did not disclose these vulnerabilities publicly (because doing so would endanger sites using those plugins), having 350+ vulnerable plugins out there floating around is obviously not a good thing.

Collectively, the plugins in Patchstack’s list were used on over 1.6 million sites, so it’s no trivial matter.

As a final resort, Patchstack reported all the plugins/vulnerabilities to the WordPress.org Plugins Team. Since then, the Plugins Team has closed 289 plugins whose developers did not respond, while 109 of the plugins were eventually patched.

To try to prevent problems like this in the future, the Patchstack team is advocating for a few changes:

  1. Encourage developers to add their contact information to the readme.txt or SECURITY.md files of their plugins.
  2. Create a WordPress dashboard alert that notifies site owners when a plugin or theme is removed from the WordPress.org directory for security issues. Currently, there’s no way for site owners to notice unless they actually check the plugin listing, which most WordPress users probably won’t do.

Both of those seem like worthwhile changes to make.
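The second suggestion, an alert when an installed plugin has been closed on WordPress.org, can be approximated today from the site owner's side. The following audit script is an added example, not code from Patchstack or from this article; it assumes the WordPress.org plugin_information endpoint answers a closed slug with an `error` field of `"closed"` plus `reason_text` and `closed_date` keys, and it runs here against constructed sample responses instead of the live API.

```python
"""Flag installed plugins that the WordPress.org directory has closed.
Added example. The response shape (error == "closed", reason_text,
closed_date) is an assumption about api.wordpress.org, not from the article."""
import json
import urllib.request
from urllib.parse import urlencode

API = "https://api.wordpress.org/plugins/info/1.2/"


def classify(response):
    """Map one decoded API response to (status, detail).
    status is one of: ok, closed, missing, unknown."""
    if not isinstance(response, dict):
        return "unknown", "unexpected payload"
    err = response.get("error")
    if err is None and "slug" in response:
        return "ok", response.get("version", "?")
    if err == "closed":  # assumed shape for a closed plugin
        return "closed", "%s (%s)" % (response.get("reason_text", "no reason given"),
                                      response.get("closed_date", "date unknown"))
    if err:  # any other error string, e.g. slug never existed
        return "missing", str(err)
    return "unknown", "no slug and no error field"


def fetch(slug, timeout=10):
    """Query the directory for one slug (needs network access)."""
    url = API + "?" + urlencode({"action": "plugin_information", "request[slug]": slug})
    with urllib.request.urlopen(url, timeout=timeout) as r:
        return json.loads(r.read().decode("utf-8"))


def audit(installed, lookup=fetch):
    """Return {slug: (status, detail)}; lookup is injectable so tests stay offline."""
    return {slug: classify(lookup(slug)) for slug in installed}


# Constructed sample responses standing in for the live API.
SAMPLE = {
    "good-plugin": {"slug": "good-plugin", "name": "Good Plugin", "version": "2.1.0"},
    "abandoned-plugin": {"error": "closed", "reason": "guideline-violation",
                         "reason_text": "Guideline Violation", "closed_date": "2023-09-15"},
    "typo-plugin": {"error": "Plugin not found."},
}

if __name__ == "__main__":
    # With a real site, feed the slugs from `wp plugin list` and use the default fetch().
    for slug, (status, detail) in audit(SAMPLE, SAMPLE.get).items():
        print("%-20s %-8s %s" % (slug, status, detail))
```

Anything reported as `closed` is exactly the case the proposed dashboard alert would cover: the plugin is still installed, but the directory will no longer ship it updates.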

The WordPress Plugin Review Team adds new members to speed up approvals

1,257 – that’s the number of plugins that were waiting for review at WordPress.org as of September 25.

That led to an estimated wait time of at least 94 days for an initial review for developers submitting new plugins to the WordPress.org plugin directory.

Obviously, that’s not an ideal situation and it’s frustrating for both the developers wanting to submit plugins, as well as the overworked Plugin Review Team.

However, it might be getting better in the near future.

Over the past months, the team has been working on training new reviewers, along with documenting its processes and creating better tools.

According to WP Tavern, the Plugin Review Team has “onboarded two rounds of new members, with three more reviewers added recently.”

The team has also received more than 40 applications to join on its recent application form, which means more members are expected to onboard soon.

Beyond that, the team also recently released a plugin named Plugin Check that helps developers review their own plugins for common errors. This helps ensure that, once the plugin developer does get their turn to be reviewed, the review won’t be delayed by preventable errors.

So – if you’re a plugin developer, here are two things to know:

  1. Make sure to use the Plugin Check plugin to test your plugin for common errors. It’s not a replacement for the manual review, but it will help you avoid common errors.
  2. Be happy that help is on the way and that big queue should start shrinking soon. According to Alvaro Gómez, “the tide is about to turn.”

THESIS ends its “lifetime” license and moves to recurring billing via FOCUS theme

What does “lifetime” really mean? Does it literally mean “for the life of the product,” as would seem to be logical? Or does it mean “until some date that will be determined in the future”?

A new license change to the THESIS theme is sure to bring up the debate. On September 30th, “All legacy “lifetime” THESIS licenses will expire…Sites with expired licenses will no longer receive automatic THESIS updates…If you wish to keep using THESIS, you will need to purchase a FOCUS license in order to get a valid THESIS license key.”

I can see both sides of the story.

As a developer, offering lifetime support and updates for over a decade simply isn’t sustainable. Eventually, the reality of the numbers is going to catch up with you and the economics don’t work.

But at the same time, no one forced developers to offer lifetime licenses. And if customers paid for “lifetime” support, they’re naturally going to be upset if that goes away.

With THESIS, this leads to an awkward outcome.

The “fairest” thing would be for DIYthemes to just stop updating/supporting THESIS. In this case, customers received updates and support for the “lifetime” of the product, so they have no right to complain.

However, this puts THESIS users in a very bad situation because they now need to switch themes.

On the other hand, having DIYthemes continue to support and update THESIS puts site owners in a better place because they can keep using a well-maintained theme. But, it doesn’t feel as “fair” because they’re now being asked to pay for something that was advertised as “lifetime.”

So, what matters more – fairness or practicality?

One thing is clear, though. If you’re a developer, be very careful about offering lifetime licenses.

If you do offer lifetime licenses (or have in the past), you might instead try to think up ways to generate recurring revenue without affecting your existing license agreements.

For example, you can see the Elegant Themes team trying to find ways to monetize lifetime Divi users with recurring payments. But instead of just discontinuing the lifetime options, Elegant Themes has done this by releasing new connected subscription services like Divi AI ($24 per month) and Divi Cloud ($8 per month), as well as Divi hosting partnerships. This lets them build subscription revenue without messing with the lifetime nature of Divi, which has always been one of its big selling points.

ActivityPub is ready for primetime – version 1.0.0 released

ActivityPub is a free WordPress plugin that helps WordPress users enter the “Fediverse.”

What is the Fediverse?

Well, if you’re a tennis fan, you might be disappointed to find out that the Fediverse is not an alternate reality where Roger Federer won the 2019 Wimbledon title.

Instead, the Fediverse is a collection of independent social networks that can all still communicate with one another using the ActivityPub protocol. Instead of each social network being an independent walled garden, they can all play well together so that users aren’t locked into a single system.

Popular platforms in the Fediverse include Mastodon, Lemmy, Pixelfed, and others. Notably, Bluesky is not part of the Fediverse because it’s trying to create a new standard protocol.

The ActivityPub plugin helps your WordPress site enter the Fediverse by making it compatible with other networks in the Fediverse.

For example, someone on Mastodon could follow your WordPress site’s profile. Once they’ve done that, they would be able to see your new WordPress posts in their Mastodon feed.

While version 0.X of the ActivityPub plugin has been around for a while now, the reason it’s in the news post is that the developers have now launched version 1.0.0, which brings a bunch of new improvements.

You’ll now be able to create one blog-wide account for your WordPress site (instead of accounts for individual WordPress authors, though you can still do that if you want). It also adds other new features such as blocks to show your Fediverse followers and support for hashtags.

It’s no surprise the plugin has been pushing out big changes since Automattic acquired it back in March 2023.

If you want your WordPress site to join the Fediverse, you can install version 1.0.0 of the ActivityPub plugin from WordPress.org – it’s 100% free.

WordPress opens 2023 annual survey

Every year, WordPress.org runs an annual survey to collect feedback from the entire WordPress community, including users, developers, and more.

Last year, around 3,400 people shared their feedback in the survey.

If you want to participate in this year’s survey, WordPress has officially opened it to the public.

It should only take around 5-10 minutes to complete and it’s fully anonymous. Beyond English, the survey is also available in eight other languages.

You can fill out the survey here.

Monster’s Award 2023 is open for voting

Finally, we’ll end with a quick note that Template Monster’s big Monster’s Award 2023 is open for community voting.

You can vote on your favorite WordPress blogs, plugins, services, newsletters, and more. In total, there are 24 different WordPress categories to vote on.

CodeinWP is nominated in both the “Blogs” and “Newsletters & Communities” categories. So, if you find value in what we offer, you’re always welcome to vote for us as part of your visit. 🙌

That sums up our October 2023 WordPress news roundup. Anything we missed?


Layout and presentation by Karol K.

Colin Newcomer