If you’re a WordPress developer like me, you’ve probably seen it countless times: your client never renewed their Gravity Forms or Revolution Slider licenses, and now they’ve been hacked because those plugins are three years out of date.
Unfortunately, this is far from uncommon. There are reasons why, in my opinion, those two plugins specifically are behind the majority of all hacked websites:
- They are extremely popular and used on a huge percentage of WordPress sites.
- They regularly have vulnerabilities discovered that become public and available to any hacker.
- They cannot be updated after the license expires.
These two are of course not the only offenders; there are dozens of high-profile, extremely popular plugins that require you to renew their licenses in order to get the latest updates, security-related or not.
I get that it’s their business model. But they are taking their users down, and WordPress along with them. Think of the complaints you hear about WordPress as a CMS:
WordPress is totally insecure and always gets hacked!
Is it really? Well, that depends. Is your PC insecure when you haven’t updated your virus definitions in years? Of course it is. And the same is true of WordPress websites when you don’t update your plugins. The reason this belief is so pervasive is that websites actually do get hacked all the time, and many really are insecure. But that’s only because they are running old versions of plugins, either because the owners don’t know to update them, or because they never renewed their license. In many cases, the web developer who built the site never bothered to give them their license information or, in the case of themes, never gave them access to updates.
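The practical check behind this paragraph is an inventory: which installed plugins are behind the latest release the vendor has published? The script below is an added example, not code from the original post or from any plugin vendor. It parses the standard WordPress plugin header (the "Plugin Name:" and "Version:" lines in the first 8 KB of a plugin’s main PHP file, which is how WordPress itself reads them), compares each installed version against a "latest known version" map, and reports everything that is behind. The plugin slugs, versions, and the latest-version map are constructed sample data; in practice you would fill the map from the vendor’s changelog or from the update information WordPress shows you.

```python
"""Audit a WordPress wp-content/plugins directory for plugins that lag behind a known latest version.

Added example for this post; the sample plugins and the "latest" map below are constructed, not real data.
"""
import os
import re
import shutil
import tempfile

# Matches header lines such as "Plugin Name: Foo" or " * Version: 1.2.3" inside the plugin's header comment.
_HEADER_RE = re.compile(r"^\s*\*?\s*(Plugin Name|Version):\s*(.+?)\s*$", re.MULTILINE)


def parse_plugin_header(source: str) -> dict:
    """Extract 'Plugin Name' and 'Version' from a plugin's header comment (first match wins)."""
    fields = {}
    for key, value in _HEADER_RE.findall(source):
        fields.setdefault(key, value)
    return fields


def version_tuple(version: str) -> tuple:
    """Turn '2.10.1' into (2, 10, 1) so versions compare numerically rather than as strings."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def scan_plugins_dir(plugins_dir: str) -> dict:
    """Return {slug: {'name': ..., 'version': ...}} for every plugin folder that carries a header."""
    found = {}
    for slug in sorted(os.listdir(plugins_dir)):
        folder = os.path.join(plugins_dir, slug)
        if not os.path.isdir(folder):
            continue
        for fname in sorted(os.listdir(folder)):
            if not fname.endswith(".php"):
                continue
            with open(os.path.join(folder, fname), encoding="utf-8", errors="replace") as fh:
                header = parse_plugin_header(fh.read(8192))  # WordPress only inspects the first 8 KB
            if "Plugin Name" in header:
                found[slug] = {"name": header["Plugin Name"], "version": header.get("Version", "0")}
                break  # the first file with a header is the plugin's main file
    return found


def find_outdated(installed: dict, latest: dict) -> list:
    """List (slug, installed_version, latest_version) for plugins behind the known latest release."""
    outdated = []
    for slug, info in installed.items():
        if slug in latest and version_tuple(info["version"]) < version_tuple(latest[slug]):
            outdated.append((slug, info["version"], latest[slug]))
    return outdated


# Constructed sample site: three hypothetical plugins with the header format WordPress expects.
SAMPLE_PLUGINS = {
    "example-forms": "<?php\n/*\nPlugin Name: Example Forms\nVersion: 1.2.3\n*/\n",
    "example-slider": "<?php\n/**\n * Plugin Name: Example Slider\n * Version: 5.0.0\n */\n",
    "example-cache": "<?php\n/*\nPlugin Name: Example Cache\nVersion: 2.0.1\n*/\n",
}

# Constructed "latest known version" map; fill this from the vendor's changelog on a real site.
LATEST_KNOWN = {"example-forms": "1.9.0", "example-slider": "5.0.0", "example-cache": "3.0.0"}


def audit_sample_site() -> list:
    """Build the constructed plugins directory in a temp folder, scan it, and return what is outdated."""
    plugins_dir = tempfile.mkdtemp(prefix="wp-plugins-")
    try:
        for slug, source in SAMPLE_PLUGINS.items():
            os.makedirs(os.path.join(plugins_dir, slug))
            with open(os.path.join(plugins_dir, slug, f"{slug}.php"), "w", encoding="utf-8") as fh:
                fh.write(source)
        return find_outdated(scan_plugins_dir(plugins_dir), LATEST_KNOWN)
    finally:
        shutil.rmtree(plugins_dir, ignore_errors=True)


if __name__ == "__main__":
    for slug, have, want in audit_sample_site():
        print(f"{slug}: installed {have}, latest {want} -- UPDATE NEEDED")
```

Point the scanner at a real `wp-content/plugins` folder instead of the temp directory and the report tells you, plugin by plugin, exactly which ones a lapsed license has frozen in time. The numeric version comparison matters: a plain string comparison would rank "1.10.0" below "1.9.0" and miss an outdated install.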
WordPress sites are always unstable and things always break!
This is occasionally true, but in my experience the instability is very commonly associated with old versions of plugins that just don’t work anymore with the newest jQuery, or the newest version of WordPress, or any number of other things. Or maybe the code is simply deprecated and doesn’t work anymore. Either way, when you can’t update a plugin, sooner or later it’s going to break. Sometimes it may even break your site, requiring a paid developer to figure out why.
If sites continue to get hacked and break because of this, eventually the credibility of WordPress will be shot and people will stop using it.
Solutions?
Simply making licenses perpetual is one solution. Envato has been doing this for years with ThemeForest and CodeCanyon. They envision a world where you can buy something and have it still work two years later. Kudos to them for doing that! The world would be a better place if everyone did.
Some developers may need to raise their up-front prices for this model, but it would be a much greater value for customers, and all of WordPress would benefit as a result.
Another option is switching to a freemium model: the updates are always free, but some features are locked unless you continue paying. No problem! Popular plugins like Wordfence and Duplicator follow this model, and it seems to work for them. Both are plugins I highly recommend, and also respect for doing it that way.
WordPress once took a stand against theme developers who built too much functionality into their themes, so that everything broke when the user switched to a different theme. I think that’s a great direction. My favorite theme, X Theme, uses a plugin to add all of its front-end editing functionality. If you switch themes, in theory you retain all of that.
I believe WordPress needs to take a stand on licensing too, because slowly but surely this model will ruin WordPress.