Mika Epstein, who helps review plugins before they’re added to the directory and is a dedicated support forum volunteer, has a great post on the difficulties associated with plugins that require license keys for updates. She addresses topics like keeping users informed, ownership, and bundling plugins with themes. She also suggests the following solution to get users with an expired license key to renew.
What if the updater kept checking, license expired or not, and when you clicked to upgrade it alerted you?
Your license for Foobar has expired. Please renew it in order to upgrade.
What if you got this email?
Hey, you bought Foobar back in 2014 and that license lapsed. Normally I’d never bother you, but today I’ve pushed a major security fix. Since this is a security release, I’m offering you a discount. It’s already applied to your account, just log in and you can buy the upgrade at 50% off. If you’re not using Foobar anymore, click here and I’ll have your account flagged so we don’t bother you about this again.
How happy would you be to find out someone saved your soy bacon?
Based on the comments on her article and on what Epstein has experienced in years of providing WordPress support, it’s a complex problem without a clean solution. The perils of updating commercial plugins bundled with themes that require a license key became apparent two years ago when a critical security vulnerability was discovered in Revolution Slider.
Had the news not been published across media outlets, many users may not have known about the update. In some cases, users couldn’t update because they didn’t have the required license key, as was the case with Brenda.
The slider plugin was bundled in a theme that a PREVIOUS web developer installed for one of my clients. As such, I do not have the theme license key. There is NO WAY that I would ever have known about this extreme vulnerability had Sucuri not released it.
Some companies make security updates available to all customers regardless of whether their license has expired. For example, earlier this year, a critical security vulnerability was discovered in Elegant Themes products. Due to the severity of the issue, the company made the updates available for free to expired accounts. The updates contained only the security fix, without any of the new features developed in recent versions.
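To make the two approaches above concrete, here is an added example of how a plugin’s updater can combine them: keep checking for updates whether or not the license is valid (Epstein’s suggestion, so the user always sees that an update exists), and at download time either hand out the full release, a security-fix-only package for expired licenses (the Elegant Themes approach), or stop with the “Your license for Foobar has expired” message. This is illustrative code written for this article, not code from any real plugin or from Epstein’s post. The plugin name Foobar is taken from the quoted post; the vendor endpoint at updates.example.com, its JSON fields (version, security_release, package, security_package), and the foobar_license_status option are all placeholders and assumptions.

```php
<?php
/**
 * Added example: update check and download gate for a hypothetical
 * commercial plugin called Foobar. Not code from any real plugin.
 *
 * Assumed vendor endpoint (placeholder URL) returning JSON such as:
 * {"version":"2.3.1","security_release":true,
 *  "package":"https://updates.example.com/foobar/full.zip",
 *  "security_package":"https://updates.example.com/foobar/security.zip"}
 */
define( 'FOOBAR_PLUGIN_FILE', plugin_basename( __FILE__ ) );
define( 'FOOBAR_UPDATE_URL', 'https://updates.example.com/foobar' ); // placeholder

/**
 * Pure policy decision, kept free of WordPress calls so it is easy to test.
 * $license_status is 'valid', 'expired' or 'missing' (assumed values).
 * Returns 'full', 'security-only', or the message shown when refusing.
 */
function foobar_update_policy( $license_status, $is_security_release ) {
	if ( 'valid' === $license_status ) {
		return 'full';
	}
	if ( $is_security_release ) {
		return 'security-only'; // expired customers still get the fix
	}
	return 'Your license for Foobar has expired. Please renew it in order to upgrade.';
}

/** Fetch release metadata from the vendor, cached for 12 hours. */
function foobar_fetch_release_info() {
	$cached = get_transient( 'foobar_release_info' );
	if ( false !== $cached ) {
		return $cached;
	}
	$response = wp_remote_get( FOOBAR_UPDATE_URL, array( 'timeout' => 10 ) );
	if ( is_wp_error( $response ) || 200 !== wp_remote_retrieve_response_code( $response ) ) {
		return null;
	}
	$info = json_decode( wp_remote_retrieve_body( $response ) );
	if ( ! is_object( $info ) || empty( $info->version ) || empty( $info->package ) ) {
		return null;
	}
	set_transient( 'foobar_release_info', $info, 12 * HOUR_IN_SECONDS );
	return $info;
}

/** 1. Report the update regardless of license state, so the user is informed. */
add_filter( 'pre_set_site_transient_update_plugins', 'foobar_inject_update' );
function foobar_inject_update( $transient ) {
	if ( empty( $transient->checked ) ) {
		return $transient;
	}
	$remote  = foobar_fetch_release_info();
	$current = isset( $transient->checked[ FOOBAR_PLUGIN_FILE ] ) ? $transient->checked[ FOOBAR_PLUGIN_FILE ] : '0';
	if ( $remote && version_compare( $remote->version, $current, '>' ) ) {
		$transient->response[ FOOBAR_PLUGIN_FILE ] = (object) array(
			'slug'        => 'foobar',
			'plugin'      => FOOBAR_PLUGIN_FILE,
			'new_version' => $remote->version,
			'package'     => $remote->package, // entitlement is decided at download time
			'url'         => 'https://example.com/foobar', // placeholder
		);
	}
	return $transient;
}

/** 2. Apply the policy when the user actually clicks "update". */
add_filter( 'upgrader_pre_download', 'foobar_gate_download', 10, 4 );
function foobar_gate_download( $reply, $package, $upgrader, $hook_extra ) {
	if ( empty( $hook_extra['plugin'] ) || FOOBAR_PLUGIN_FILE !== $hook_extra['plugin'] ) {
		return $reply; // not our plugin, let core continue
	}
	$remote = foobar_fetch_release_info();
	if ( ! $remote ) {
		return new WP_Error( 'foobar_no_release_info', 'Could not reach the Foobar update server.' );
	}
	$status   = get_option( 'foobar_license_status', 'missing' ); // assumed option
	$decision = foobar_update_policy( $status, ! empty( $remote->security_release ) );
	if ( 'full' === $decision ) {
		return $reply; // false: core downloads $package as usual
	}
	if ( 'security-only' === $decision && ! empty( $remote->security_package ) ) {
		return download_url( $remote->security_package ); // local path or WP_Error
	}
	return new WP_Error( 'foobar_license_expired', $decision ); // shown to the user
}
```

The client-side gate only shapes what the user sees; anyone can edit a plugin file on their own server, so the vendor’s download endpoint must make the same entitlement decision (full, security-only, or refuse) before serving a package. Keeping the decision in `foobar_update_policy()` means the plugin and the server can share one readable rule.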
There’s a delicate balance between pushing customers to upgrade, renew license keys, and making it easy to do so. As Epstein says in the conclusion of her post, “If you make it easy to pay, people will renew and pay. If you inform them of security issues, they will pay and upgrade.”
If you’re a commercial plugin developer, how do you inform and convince customers to renew their license keys? Also, how do you handle security updates for customers with expired licenses?
I consider recalls valid and customers should be made aware of vulnerabilities regardless of license status. But customers need to opt-in. Burn this into your EULA.