ProfilePress Rebrands and Repurposes WP User Avatar, Now a Membership Plugin, Users Revolt via the WordPress Review System

Less than two weeks after we covered the broken user experience of the former Dark Mode plugin being renamed and repurposed, another plugin development company has decided to do the same. The consensus seems to be that this is a bad idea. However, the ProfilePress Team forged ahead and repurposed the WP User Avatar plugin.

Instead of a simple, single-purpose custom avatar solution, it is a full-fledged user registration, profile, login, and membership management plugin.

It is now called ProfilePress. But, let’s call it ProfilePress Lite because there is a commercial component where you can upgrade to the actual ProfilePress premium plugin. We need to differentiate the two. Plus, the plugin itself uses that term, at least once, in the admin.

The difference between the Dark Mode switcheroo and this one is that WP User Avatar has over 400,000 active installs, and users are voting with their feet. And their ratings. In the past 48 hours, the plugin has received a staggering 60+ one-star reviews — and counting. The support team has already had to close two forum topics. A review titled “Unexpected changes, expected reactions” sums up the situation.

Over 400,000 users can do a lot of damage in a little bit of time.

A fraction of a fraction of a fraction of those 400,000 users can knock a respectable 4.4 rating down to 3.6 in two days.

When no one from the company responds to any of the 60+ reviews, it looks like you have something to hide. Those are 60+ opportunities to at least attempt to smooth things over.

Pre-3.0, WP User Avatar was a simple plugin for managing how avatars were handled on the site and allowing custom photo uploads on a per-user basis. In the plugin’s eight-year history, users had come to expect a solid plugin that handled one thing and handled it well.

Settings screen for pre-3.0 WP User Avatar.

In April 2020, the plugin changed ownership. ProfilePress had taken over from Flipper Code, the project’s only contributor since 2014. Bangbay Siboliban was listed as the plugin owner from 2013-2014. It is unclear if this was an acquisition or a simple transfer. Neither the former nor the current owner has responded to a request for comment at this time.

Under new ownership, and through the version 2.2.5 – 2.2.9 upgrades over the past year, everything seemed to be status quo. ProfilePress kept the plugin going, fixing bugs for multiple releases. Until two days ago, users were likely unaware that a tidal wave of change was roaring their way. No announcements on the ProfilePress blog. No sticky topics in the support forum. Just, here’s your new membership plugin that you didn’t ask for.

Users were greeted with a new settings screen and much more: an admin that was barely recognizable.

ProfilePress (formerly WP User Avatar) settings screen, showing multiple tabs for membership settings.

As one user put it, “What the heck? Updated plugin and suddenly I have a full membership solution.”

“You had the plugin WP User Avatar that did one specific function — added an avatar to users like when they leave comments on the blog,” wrote another reviewer. “Now I go to update it, and BOOM, a 100% completely different plugin takes its place.”

ProfilePress, the premium plugin, launched in 2015. It is a known product with an existing userbase. I cannot imagine any scenario that makes sense where the company takes a separate plugin that it acquired and implants a lite version of its premium product inside.

Except to capitalize on the 400,000+ active installs for a quick and easy profit.

The knee-jerk reaction is usually to demand the Plugin Review Team implement a rule against it. Some scenarios are less egregious than others. Drawing a subjective line in the sand can be a tough ask of them.

I am coming around to the idea of putting this decision into the hands of users. They are using the review system in the way it was meant to be used. Let them rain down all manner of hell on plugin authors who do this. Let them prop up another plugin with their numbers and hand out glowing five-star reviews for it. WP User Avatars (with an ‘s’) was a decent alternative the last I tried it.

Still, I wonder how much this hurts the plugin’s active install total. The owner might simply weather the storm and capitalize on the users left standing when the dust settles. Even if they lost an unlikely quarter or half of their install count, they would still be in a position to profit from premium upgrades. They could then build a new base from users who are unaware of the current debacle.

The more companies that do it without repercussions, the more likely it becomes a trend. But, WP User Avatar’s, ProfilePress’s, ahem, ProfilePress Lite’s users are in open rebellion. Maybe the market will simply decide.


100 responses to “ProfilePress Rebrands and Repurposes WP User Avatar, Now a Membership Plugin, Users Revolt via the WordPress Review System”

  1. I deleted the plug-in. I have been using it for years. Simple, straightforward. I have no need for a membership plug-in. Unfortunately, there is no replacement for the plug-in.

  2. It’s a good thing that all plugins on the repo are open source. Even if there weren’t alternative plugins, someone could fork the old version and take a good chunk of the userbase with them.

  3. I also removed the plugin. Truly insane bait-and-switch move by the devs here.

  4. Luckily I don’t have auto update on this plugin and saw the reviews beforehand. Very deceptive practice. This should be against the terms now that plugins can update on their own without warning

    • Did that with the Google Analytics (renamed Monster Insights) plugin. IntelligenceWP came up with GAinWP, which was more or less the same as the old Google Analytics plugin.
      That’s what I use these days. Works perfectly for users who just need to see their basic pageviews/sessions/users data on their admin dashboard.

      • Yep, that’s the one I’m referring to. I remember the furor when that happened. I’ve been using the fork and everything’s back to how I like it.

  5. Plugin author here.

    We have gotten a ton of request over the years from profilepress users to allow users to upload avatar especially one that integrates with default WP profile. That is why I acquired the WP User Avatar plugin. And since I think they are complementary, I decided to merge them.

    Maybe I should have made the new features optional as some disgruntled users suggested.

    However, since the update I’ve had a flood of emails asking for even more features. Despite some negative reviews on the WP plugin directory, the vast majority of /direct/ feedback has been very positive.

    I really don’t know what else to say or do at this point other than to apologize for my actions and fix any reported bugs.

    My apologies to everyone who is pissed by this move 🙏🏻

    • Okay. That adds perspective, and it sounds like a great benefit for existing profilepress users.

      But regarding WP User Avatar users, you maybe hadn’t taken into account that many of them were using WP User Avatar with bbPress, since it had compatibility with that. bbPress users would have no need for membership or profiles because bbPress has all that. Bbpress only needed user avatars. Anyway, good of you to explain the change.

    • It was a ridiculous move and I have no doubt it will impact your business negatively in the short- to medium-term at least.

      The way you went about this and your lack of reply where it matters – on the plugin support page – is another indication why I, and I have no doubt I am not alone, will have nothing to do with any plugin you release in the future.

      Call me a cynic, but I find it extremely hard to believe that you have “had a flood of emails asking for even more features” from WP User Avatar users, as the reviews over the past 48 hours or so can attest (74 negative 1-star reviews out of the total of 94 in 8 years is pretty damning).

      “I really don’t know what else to say or do at this point other than to apologize for my actions and fix any reported bugs.”

      Apologising on here is all well and good, but how about apologising on the plugin page and giving the user base back what they loved – a robust, lightweight and simple plugin that allowed site users to use their own picture as an avatar.

    • Ah, since this was just a merge in the favor of rebranding to accommodate your ProfilePress users and snuff the rest, then please allow me to help with a new slogan.

      “ANY press is good press” – ProfilePress

      Or if that one is not quite up to par, maybe this one?

      “Install, Update and Delete!” – ProfilePress

    • “We have gotten a ton of request over the years from profilepress users to allow users to upload avatar especially one that integrates with default WP profile. That is why I acquired the WP User Avatar plugin. And since I think they are complementary, I decided to merge them.”

      Not a merger. More like a hostile takeover!

      The solution to profilepress users wanting to upload avatars is to merge the smaller plugin into profilepress, and not the way it was actually done.

    • I don’t understand this at all. As far as I can see you closed the existing plugin and bought a plugin with more users, then moved your plugin across.

      But this means you lose 4k users who want your plugin and gain 400k users who don’t.

      Why didn’t you fork the plugin and merge the code with your own? As long as you give credit this is acceptable under GPL and it would have kept your users who want the plugin happy.

    • Your rationale here seems bizarre to me. ProfilePress users and WP User Avatar users were using different plugins for completely different reasons. If you want to add features for the ProfilePress community, then fine, do that! But do not radically alter the functionality of an unrelated plugin. There is simply no charitable way to read your actions.

    • This is the most ridiculous excuse I’ve read on the subject 😂

      If having custom avatars was a popular feature request then just add it in to the existing plugin. Everyone knows why this decision was taken. It’s the exact same scenario as to what happened to Dark Mode.

      It’s all about money. Take a plugin that has a couple thousand (in this case, couple hundred thousand) installs and change it to something different and offer a premium version in the hopes that some will bite and pay for a new upgrade.

      It’s a cash grab, plain and simple. Try not to sugar coat it.

    • Let me first state that this is one of the most ridiculous excuses I’ve read thus far and the whole move was downright unethical and unprofessional.

      The whole part about acquiring the ‘WP User Avatar’ plugin with a massive user base of 400,000 just to add a feature to your existing plugin with barely any users (4,000) doesn’t fly with anyone who possesses even two brain cells.

      What’s worse is that the Support forum for your original plugin ( shows that you’ve reneged on supporting paying customers. Clearly, the unethical behaviour has been exhibited for some time.

      And as an past user of ‘WP User Avatar’, I have zero faith in your ability to manage and support current users. Heaven forbid that someone pays for your premium version only to be ignored forever.

    • Hi Collins. Thanks for owning up to your mistake publicly. If you’re still unsure what to do at this point, the obvious answer is to revert the plugin back to how it was before we all uninstall and replace it, and vow never to do business with you. If you act fast, you may be able to limit the damage to your reputation. Cheers, Graham

    • I have removed the plugin. The sensible thing to do would have been to survey and present yourself as a new viable product owner. You should have asked users prior to acquiring a product (and users) – aka, the right of consent – and that is the way to go when you update any app. I understand you had good intentions by giving people new optional features. You said “users suggested”, but if you had surveyed them and gone through the stages of product dev., you would probably have realized that some don’t need it as they already have it, and they would end up (maybe) giving you new ideas.
      Now, you lost a good amount of viable users and some of us will probably never move back to experiencing the new features. I recommend following the “idea screening” and “market/user viability” in the future.
      Good luck.

    • “We have gotten a ton of request over the years from profilepress users to allow users to upload avatar especially one that integrates with default WP profile. That is why I acquired the WP User Avatar plugin. And since I think they are complementary, I decided to merge them.”

      Over the years, you have gotten a ton of requests from profilepress users to allow uploading of avatars, but you decided to merge your membership plugin into a plugin that had 400,000 people who weren’t your users. What on earth gave you the notion that the 400,000 users who weren’t asking for your membership plugin to be added to the avatar plugin, would welcome your intrusion?

      Wouldn’t logic dictate that you would merge the code from the avatar plugin (which would not require your acquisition of the avatar plugin) into a profilepress plugin that has YOUR users? I actually don’t buy that explanation for the very reason you stated. Your users were asking, not the 400,000 who weren’t.

      Truthfully, I believe you purchased the avatar plugin for the 400,000 users, hoping to get a portion of them to buy into your business. And you didn’t care one bit about those who didn’t want to be disturbed by your hack.

    • The plugin author has breached consumers’ privacy laws in the country in which my website is registered. When the unauthorised plugin changeover happened, I had ‘member pages’ published live to my site showing private contact details that should NOT have been made public. The issue has cost me time and money. Really disappointing – the plugin author has a lot to learn.

  6. This behavior by plugin authors will not change as long as WP moderators respond to user concerns like this:

    “The developer does not owe anyone anything. No one deserves even a reply from anyone or even support.”

    While that is true, having moderators completely dismiss user concerns isn’t helpful to this situation. So, I don’t think plugin authors will stop doing this anytime soon. I say this as an ex-plugin-author from many years ago.

    One support topic (the 2nd one linked to above) has a user say this update broke a section of his site, and he added helpful details for the developers, naming the other plugins that were conflicting with this update. But the WP moderator closed this topic. The plugin author doesn’t even have to reply to any concerns, they get shut down by moderators. There should be some way to deal with this switcheroo problem because as it is, user concerns are being dismissed.

    • To be clear, the moderators in the support forums are for all of, they have no relationship whatsoever with this specific plugin or developer, nor do they have any control over what the developer can do going forward (that’s up to the Plugins Team).

      Part of a moderator’s task is to keep the forums (again, all of orderly. A moderator closing a thread for becoming disorderly is not a dismissal, it’s just a moderator doing their job, and again none of that has anything to do with the plugin or its developer.

    • It was my comments that were removed. I was simply asking the plugin developer why he thought that a bait and switch move to remove a perfectly good plugin and replace it with something else entirely was a good move.

      All of my comments / a review and anything else I posted that day was removed.

      I now have to check all the websites I have used WP_Avatar on to make sure they aren’t broken. I’ll be getting hold of Collins Agbonghama’s details and sending him an invoice for my time.

      Never in my 15 plus years of WordPress development have I seen such a shady move by a plugin developer. And I quote from a post he wrote here:

      “I am from Nigeria where I was born and still live in. I know we are all stereotyped as scammers and thieves but trust me, a lot of us own and operate legit (online) businesses.”

      There is nothing legit about what he has done here, at all.

    • Responses like that by moderators drive people away from WordPress. It’s one of the biggest reasons why my sites are now running on ClassicPress–though I still deal with WordPress plugins and see the moderators in the support forums. I seem to recall the plugin authors handling the support forums once upon a time, not the WP moderators.

      • Plugin Authors do handle their own support, but Moderators do their best to ensure that all forum content does not violate the posted guidelines.

        Please understand that you may not be privy to some incredibly disorderly content that was removed prior to the Moderator replies left.

        I can assure you that nothing was removed or closed without reason, we simply don’t have the time for that.

        • The moderator did essentially say “whatever the plugin author does is A-OK, you’re free to find something else”. I don’t think you fully agree with them on that, and I don’t think they’d stand by that position if they think it through.

          Install a crypto-miner? “It’s open source, be thankful for what you get or use something else”. Install a backdoor and take over the site? “It’s open source, be thankful for what you get or use something else”.

          No, obviously those are not okay, and I doubt you’ll find someone who argues that it is in good faith. It’s a weird overreaction from a moderator after they locked a topic to have the last word, and then add something like that.

          If that’s the opinion of the WP core team, I’m horrified regarding security.

          • Noting that there are three different groups mentioned here, so I want to make sure there is some clarity about who’s who.

            1. Forum moderators.
            2. Plugin review team.
            3. Core developers.

            There is some cross-over between those groups. However, the forum mods only moderate the forums. The plugin review team decides what plugins are allowed. The core team is really just a lot of different folks who contribute to the core software (there is some hierarchy, but it’s not relevant to this discussion).

            The forum mods don’t decide if a plugin is allowed. They enforce the rules of the forum. The call on whether a plugin violated the directory rules falls to the Plugin Review Team. A forum mod can definitely escalate an issue up to the Plugin Review Team, but they generally don’t have access to suspend plugins (as far as I know).

  7. As a (former) user of this plugin myself, I am planning to fork the release previous to these changes being made and will release as a new plugin.

    It will have no additional elements added, advertising or anything. My plan is to keep it as-is, with the exception of cleaning up the code and resolving any bugs, etc.

    If you’re interested in getting involved then I’ve spun up a repo at and will be committing the initial code to the Develop branch shortly.

    • When I saw this my first thought was to fork it as well. I’ll leave it to the two of you 😄

      • As an update…. yeah. Forking plugins for the directory is harder than I remember it (albeit I’ve only done it before). Quality control (not surprisingly) is tighter on new submissions than updates, and I’ve found that this plugin is… what’s the best way of putting this… not in the best of health. For acceptance into the directory it needs a bit of work doing to it (if I was a mechanic right now I’d be sucking through my teeth and shaking my head).

        For anyone wishing to move forward with a solution to running this plugin how it used to be, then I’d be looking at a pure, unadulterated fork from Github, such as the one that Philipp has done above.

        I’m not giving up on mine but, due to limited time availability, I’m not sure when it will get done. I just wanted to be honest up-front, rather than having y’all waiting for something that may not happen now for a little while.

        If you have any questions, or wish to help then please head to the repo that I linked to above.

  8. Also surprised by this answer! One gets the impression that encourages this behavior of the owner.

  9. Was using this plug-in for several years quite happily. Yesterday it updated to something completely different and trashed my website in the process. Took me hours to undo the mess and clean things up. Uninstalled.

    Avoid this!

  10. In response to the negativity about WordPress mods and speaking as a plugin author these plugins are free.
    They are freely offered to the community, but many in the community expect to be treated as paying customers and demand 24/7 support.
    I’ve removed many of my plugins from the repository because of demands from users who pay nothing and contribute nothing.

    • This is true, however, when you foist an entirely new plugin onto people when they are simply expecting the existing plugin to update – This is shady and cynical.

      It will also break a lot of people’s websites. There is a certain level of responsibility you should take, even if you are an open-source developer, that your code will not either change the scope of something many people use, or in fact break what they have created.

      If you don’t take that responsibility, then I can understand the backlash that has occurred here.

      If you don’t like open-source, that’s completely fine. However, I don’t think anyone who is complaining about this particular plugin is being entitled. They just want to know why the plugin they originally installed is now something completely different. This is fair enough.

      This is pure and simple a cynical tactic to push a commercial plugin on to 400,000+ users, regardless of if they want it or not.

      It’s unethical and dodgy as heck. It’s almost as though anyone who updates the plugin will get their site hacked – And features they didn’t choose to install be added. However you cut it, this isn’t on.

    • I think the problem here is not plugin users expected to be treated as paying customers. It is that the new plugin owner expects to turn the 400,000 users into paying customers.

      I don’t deny that there are free users in the wp ecosystem who are demanding the support of a paid user.

      It’s all really interesting. A user base of that size is a huge potential market. But the current plugin owner didn’t do anything to develop that. It’s not that they spent years cultivating that base and then decided to add more features and offer a paid version of the plugin. Unless I’m misunderstanding something.

      Lots of people specifically choose plugins because they do only one thing. Hopefully this doesn’t become a pattern: simple plugin with huge user base gets acquired by a company that then tries to monetize it.

    • The claim that many users of free software act entitled is indeed correct, but also a complete non-sequitur in this specific instance.

      This isn’t a case of users demanding a bunch of new features or premium-class support, it’s an egregious no-warning bait-and-switch that caused problems for people who now need to uninstall and replace this plugin.

      Advocate for more reasonable expectations from plugin users, absolutely. But defending what happened here doesn’t serve that purpose in the slightest.

  11. This kind of move is really dirty. Hope there’s no more act like this. Imagine, your website/blog is running smoothly and you just finished writing/editing for the day. Then the next morning everything changed. Your plugin is changed and the functions too.

  12. Whilst I can understand the shock of a functional change like this and the way the author went about it, what is more shocking is the ‘entitled’ stance of the users of a free open source plugin, issued under GPL.

    You are using software that is provided for free with no warranty.

    If you are going to use free software then occasional changes like this or security issues, no support etc etc are the part of the price you are paying.

    The caps are in the GPL, not me shouting:

    “15. Disclaimer of Warranty.

    Limitation of Liability.

    • This doesn’t really have anything to do with the GPL. The plugin directory does not allow just any plugin. It goes above and beyond the basic tenets of the GPL. It is a listing of vetted (even if sometimes loosely) plugins, and that means there is some level of trust that users put into the system.

      It is not a sense of entitlement to push back when that trust has been broken. It’s a bad look for the plugin. It’s a bad look for the core WordPress software and its plugin directory. If this trend continues, it’s a bad look for our entire ecosystem, and none of us win from that.

      If users were expecting these types of “occasional changes” (i.e., swapping one plugin with another), WordPress would be dead software by now. There would be no trust there. If these types of changes were the price of admission, this would be a non-story.

      And, it’s really not about the code, which is what the license covers. It’s about the business practice.

      Plugin creators have a tremendous responsibility to do right by their users. And, when they don’t, users have the right to complain, regardless of the monetary cost. That’s the price of developing free software.

      • Exactly Justin. This is also the sort of thing that will encourage users to turn off or refuse automatic plugin updates. Because if you cannot trust a plug-in to remain a plug-in and not change into something completely different via an auto-update, people won’t use the feature. And that’s a security risk because it means people could be more likely to run outdated code.

        It’s already bad enough that users have to be wary about popular Chrome extensions and WordPress plugins being sold to companies that clearly want to take advantage of the large userbase to potentially put spam or malware in the plug-in/extension, but now we have to worry about a plug-in being replaced full-bore with new code and a new purpose, just so the new owner can try to get 400,000 people into an upsale funnel.

        I don’t know what should be done about stuff like this, hopefully it isn’t a trend. But if it becomes a trend and the PlugIn Team doesn’t step in and offer governance around it, it will erode the value of the WP official repository in a major way.

  13. Lol what a dumb move, just opens up the market for someone to rewrite what they had before and sell it cheaper… or make it for free as a passion project or just a “buy me a coffee” pricing model.

  14. I totally agree with you, Alan. A free plugin comes with no guarantee for support, functionality, or other warranties. Users should not take it for granted to be treated like paying customers.

    On the other hand, I feel this is a little different case: More than 400,000 websites installed the original plugin. The WordPress auto-update functionality distributes that change to hundreds of thousands of websites – and swaps out a plugin that the web designers did knowingly install (“WP User Avatar”) with a completely different plugin that none of those users ever wanted to install (“ProfilePress”).

    When looking at the plugin source code, you can see that the original plugin is inside a sub-folder named “deprecated”. The rest of the plugin is an entirely different code-base that simply imports “deprecated/wp-user-avatar” files.

    I love free software and support developers where possible. But this update was a sample of how open source should not work. It’s not about the legal aspects of GPL software (nobody accused the author of breaking the law or license agreement), but that such actions destroy the trust in the public repository.

  15. Judging by the .org moderator responses and inaction, it seems we’ll keep seeing these kinds of dirty moves by plugin authors in the future… This is like taking over LibreOffice and turning it into something unrelated like Gimp.

  16. This seems to be like something WP should be cracking down on with bans and other harsh penalties. They impact the image of with this kind of amateurish stuff. Writing such a policy is bloody hard though, but the language needs to be something around “significant changes in functionality, either additions or removals”

  17. Very unfortunate, to say the least, another case in which the developers behind a plugin totally neglect the fact that the community relies on their honesty to keep their sites running without the bloat.

    Frankly speaking, it reminds me of the day that one of the Yoast plugins all of a sudden appeared renamed, Monster Insights, and my first reaction was “the site got hacked?!”

    Regarding this much-beloved plugin, I have taken a different approach which consists of instead of updating it or removing it, just block the update and start to maintain it myself.

  18. Lessons to learn here:

    Plugin repository control mechanisms failed or were outplayed or are not existent after first upload.

  19. “Disable XML-RPC-API” plugin, developed by.. (well, I don’t know anymore) Neatmarketing, is another plugin which became something else in the last week.

    Until then, it was a simple XML-RPC deactivator. No settings page. Nothing else. It just worked. How I love a lightweight plugin.
    Now we have a menu icon which redirects the user to a settings page with many tabs. If only the tabs followed the WordPress design, but no. There is advertisement about a PRO version on every login, and the so-called free version in which we are now is considerably bigger than before.
    Now we have some options to speed up our WordPress websites. We can disable the JSON REST API. We can disable the wlw manifest, among other things.

    I would enjoy that proposal, because at the moment I need 3 or 4 plugins to adjust these basic things. But are the developers willing to release their plugins as separate ones, as in fact they are? Of course not. Money is the language they choose…

  20. After one of my support threads has been deleted by a forum moderator, I asked the plugin review team what they think about this move. This is the answer I received from the plugin review team:

    “What plugin authors decide to do with their plugins is not really our concern. It may be unpopular, but unless it’s doing something actively malicious, it’s allowed.

    The plugin changes may be unpopular, but that’s how things work. People can stop using the plugin or switch to another plugin. All these plugins are free, after all. We’re not paid for them. Nobody pays anybody anything, we only host a free repository here.

    Also, remember that these plugins are all open source. The code is entirely free. If somebody wants to take the older version of the code and submit it as a fork for users to switch to, then that’s entirely plausible too…

    Sometimes, you have to let people figure things out on their own. Simply telling a plugin author that a full overhaul with a bunch of new stuff is a bad idea isn’t really going to get you anywhere. They have to screw it up themselves and have the people tell them so, in order for them to figure out where they went wrong.”

    • This is a genuinely terrible response from the Plugin Review Team. Like, genuinely terrible.

      I thought the Plugin Review Team was supposed to care about the users of these plugins. Where is any empathy for people who have had their sites broken by this sort of stuff? Passing it off as “nothing is paid and it’s open source” is such a colossal and egregious cop-out. WordPress powers over 41% of the web and this is the official repository. What in the actual?

      An overhaul of a plugin that adds a bunch of features/revamps the interface is one thing. With that, I agree that you need to let people make mistakes.

      But this is something else. This (and the Dark Mode plugin fiasco) is taking a very popular plugin and wholesale replacing it with a completely different plugin, changing the name, and then trying to upsell 400,000 people.

      This is malware, pure and simple. Because the original user didn’t consent to installing ProfilePress, they consented to installing WP User Avatar. This isn’t a rebranding (and users could still object to that, even though I think it is defensible), it is a hijacking. To treat it as anything but that is missing the point. The original code is gone and a poorly-coded import feature was added. The new plugin broke users’ websites. This was a hijacking and is straight-up malware.

      If the official response of the Plugin Team is to shrug and say, “we just don’t let malicious code in, anything else goes. YOLO,” then that alters my trust in the official repository to a significant degree. Because all this does is incentivize shady devs to buy popular plugins and then swap them out wholesale with the stuff they want to try to upsell.

      I’d much rather get plugins off of GitHub or directly from developers if this is going to be what the Plugin Team says is kosher.

      Again, this is the official WordPress Plugin Directory. To not have any standards to protect against hijacking and malware is ridiculous.

  21. If anybody is interested, I forked the old plugin and will continue to provide updates. I submitted it to and it’s awaiting review. Until then I’ve published it on GitHub and community contributions are welcome:

    I cleaned up the code to be in line with the WordPress coding standards, fixed some minor issues and updated the translation file. I’ve also translated the plugin into 7 languages: Dutch, French, German, Italian, Portuguese, Romanian and Spanish.

    I’ve tested it with a website that was using the old plugin and it is 100% functional, including all the old avatars remaining in place.

    • Thanks for the good job!
      Everything works fine.
      But if you delete the WP User Avatar through the standard admin panel, the table of links between pictures and users is removed.
      All connections will be restored …
      Exit – delete WP User Avatar from the plugins folder via FTP. Be careful!

      • Thank you for your observation, this has been very useful. I have added a warning in the readme and instructions on how to delete the plugin properly. An in_plugin_update_message-{$file} would have been perfect here, but I’m afraid the plugin needs to be already active for that to work. I’m considering moving deleting all the plugin’s data from the uninstall.php script, where it currently causes this behavior, to either a button in the settings screen or a link next to the plugin details to make it more predictable.

        An update for fellow readers: I have submitted the plugin to and like David Artiss pointed out it has to go through a full review as if it were a new plugin, which is good because as it turns out it had many outstanding issues. So far I’ve been making good progress and the volunteers behind the plugins directory have been very responsive so I’m hoping to see the plugin in the directory sometime in the next few days.

    • Thank you for adding the new-old plugin to the directory. Downloaded, installed, works great. I have OCPD (Obsessive-Compulsive Personality Disorder), so losing the Avatar plug-in was disruptive for me. A small thing, to be sure, but when you crave order and perfection, abrupt change is not appreciated. You have brought order back to my life. Thank you. 😂😂

  22. So this became a new plugin, shouldn’t it be reviewed by the Plugin Review Team?

  23. It’s kinda like that. Look at what happened to the Dark Mode plugin that became a Markdown plugin… also GAWP became ExactMetrics. It is becoming a practice perhaps lately.

  24. I’m surprised no commenters have discussed the real problem here – the reason why this plugin is needed. Which is that after buying Gravatar, WordPress decided that users could no longer have local avatars by default.

    Nothing against Gravatar itself. The problem is that Gravatar is pretty much unknown outside the WP community, so when you’re running sites where users aren’t all WP geeks, you have to convince them to get a Gravatar profile. Which means having to answer questions about what Gravatar is, why people should have a profile, and generally having to break their resistance to having ANOTHER profile on something that they never heard of.

    In other words, you’re essentially being forced to evangelize for Gravatar. So of course it’s easier to just install a plugin and not have to bother.

  25. This is just another data point on where WordPress is headed.

    I set up my first WordPress site almost 17 years ago. Several years later it seemed like so many people in the web space were using WordPress to set up sites for clients. Among web developer friends several were hacking around with WP and PHP, and a lot of really talented developers around the world were extending it and growing the ecosystem (e.g. ACF, which came out about 10 years ago I think). There was a good amount of “quality attention” from young, talented developers.

    Here in 2021, it’s clear that the slice of “quality attention” that WP/PHP gets is not the same. The recent comments about headless WP by Matt are another data point. As well as the over-sensitivity of many WP folks to the Wix ads.

    Anyways, that said, WP is still awesome. I still use it on client sites and will probably be using it years from now on some projects. It’s just hard to ignore the general trajectory, and we do so at our own peril.

  26. Original blog post says:

    A fraction of a fraction of a fraction of those 400,000 users can knock a respectable 4.4 rating down to 3.6 in two days.

    As of May 21, its rating has deteriorated even more – it hinges on a mere 3.0!
    Since this plugin destroyed our site and forced a complete recovery of the web server, I think I am entitled to happily observe its declining reputation ;)

    For those of you who are looking for in-place replacement, I recommend “Simple Local Avatars”. It is simple yet very functional. We are quite happy with it.

  27. Wow! They removed WP User Avatar v2.2.16 download links. I thought before that only a repository can do this.

    And now the history of the plugin starts with version 3. It’s a shame.

      • Hmm, it appeared)) Although the old versions are removed on the Development tab.
        Did it really seem … Can the author delete old versions himself, or does he not have such a right?

        • The Advanced tab is where the older downloads are found. I think you’re referring to the change log on the Development tab, which is a separate thing.

          As for whether plugin authors can delete old versions, I believe they can. Ultimately, it’s their code, so they can do what they want with it.

        • In the “Development” tab you’re looking at the changelog (which is pulled from the readme.txt file). The changelog can be shortened or altered anytime.

          The past versions of a plugin are available on the “Advanced View” page. Though it’s technically possible to also remove and alter those past versions, I’ve never tried it myself or seen anyone else doing it.

        • Yes, plugin authors can delete old versions, and are encouraged to do so, ideally leaving the last 1 or 2 versions on the official repository.

  28. The funny thing is that the ones (.org) that see this as a non-issue (judging by their answers everywhere) are the same ones constantly pushing for automatic updates of everything.
    How do you want me to trust automatic updates if I cannot be sure that a plugin I use won’t completely change from one day to another and thus ruin the sites I build for myself or for my clients?

  29. I was left spending hours working out why my site menu was looking wrong; it turns out a plugin unrelated to menus had auto-updated and broken it. Although at least I could log in; it looks like lots had bigger problems.

    For me, if the new owners had just added an advert to wp-user-avatar to try and upsell their membership plugin, that would have been fine. But they didn’t. I’ve rolled back to 2.2.16 and added a rule to my custom WordPress plugin which removes it from the update checks. Going forward I have no plans to use anything from this developer.

    Also it was disappointing to see the comments from moderators. Yes the plugin was free, yes they can change it, however when WordPress wants us all to move to auto-updates to avoid stories like “10M sites with Plugin X can be hacked with this simple bug”, they need to ensure that developers who bait and switch are penalised.
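The rollback described in the comment above (keeping a plugin at a known version and hiding it from update checks) can be done with a small must-use plugin. The code below is an added example; it is not the commenter’s own rule and not code from either WP User Avatar or ProfilePress. It assumes the pre-3.0 plugin is installed under the basename wp-user-avatar/wp-user-avatar.php, which is an assumption about the directory layout, and uses two WordPress filters that do exist: site_transient_update_plugins and auto_update_plugin.

```php
<?php
/**
 * Plugin Name: Pin WP User Avatar (added example, not part of either plugin)
 * Description: Keeps a rolled-back plugin on its installed version by removing it
 *              from the update transient and refusing background auto-updates.
 * Install in wp-content/mu-plugins/ so it loads before regular plugins.
 */

// Plugin basenames (directory/main-file.php) to pin. The basename below is an
// assumption about how the pre-3.0 WP User Avatar plugin is laid out on disk.
const PINNED_PLUGINS = [ 'wp-user-avatar/wp-user-avatar.php' ];

// The dashboard, WP-CLI and the auto-updater all read the update_plugins site
// transient. Removing the pinned entries from ->response means no 3.x update
// is ever offered for them, while every other plugin updates normally.
add_filter( 'site_transient_update_plugins', function ( $transient ) {
    if ( ! is_object( $transient ) || empty( $transient->response ) ) {
        return $transient;
    }
    foreach ( PINNED_PLUGINS as $basename ) {
        unset( $transient->response[ $basename ] );
    }
    return $transient;
} );

// Belt and braces: even if an update somehow reaches the automatic updater,
// decline it for the pinned plugins only. $item->plugin is the basename.
add_filter( 'auto_update_plugin', function ( $update, $item ) {
    if ( isset( $item->plugin ) && in_array( $item->plugin, PINNED_PLUGINS, true ) ) {
        return false;
    }
    return $update;
}, 10, 2 );
```

The caveat a practitioner should keep in mind: a pinned plugin also stops receiving security fixes, so the pin is a stop-gap until a maintained fork or replacement is in place, and the version list in the mu-plugin should be reviewed whenever the site’s plugins are audited.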

  30. This “switching of the plugin” increased my “page time to interact” from around 2.7 seconds to over 7 seconds. Also, the total blocking time went from 30ms to over 500ms.

    The person who purchased this plugin and switched it keeps trying to say you installed a free plugin, and cannot be upset that it changed. Yes, there are explicit expectations of plugin developers not to do something like this. I am sure it is in the user agreement as well.

    Google is rolling out the page experience update and this slower page speed could cost people lots of traffic resulting in millions combined with a 400K multiple to be billions in lost sales. I imagine there could be legal consequences to send a message never to do this again.

    This was not someone trying to offer a premium version of the plugin. That is great and reasonable. This was purchasing a different plugin and forcing a radical change that offered no benefit to the original WP User Avatar plugin users. This was done to get more people on the upgrade path of a different plugin. The result was only broken sites and/or sites that were much slower.

  31. If you have UpdraftPlus backup and restore and saved the plugins directory in the past, you can then upload the old version of the WP User Avatar plugin. I just saved it as WP User Avatar2 and sent it to a compressed folder by right-clicking, and it worked. I also named the subfolders wp-user-avatar2 in the hope it will not say the plugin needs to be updated. So far it has not, and auto-updates are not on.

    Does anyone know if it is legal to put this old version on GitHub for people to download? WordPress is open source after all. The guy purchased the plugin but was really just buying that people had it downloaded. Everyone has the code. My version is not quite original as it does link to the user images on my site.

    Also, is it legal to just create the old plugin in the WordPress plugins as it would no longer be a duplicate as the functionality has changed?

    Really, it would be nice for the old owner to do this, as they can tell lots of people are upset. The big reason the new free version is not OK is that it slows down the sites that use it. Maybe they did not realize this would be a big issue for people.

  32. Philipp Stracker,

    Thanks for doing that and for the great info. I thought someone said that only version 3.0 and higher was there. It does look like the older versions are available as well.

    That is great that you uploaded version 2.2.16 and provided this link!

  33. 1) Thanks for writing this – much appreciated. Was looking for info on WTF had happened! Very not cool, won’t be keeping ProfilePress.
    2) Please put the “leave a reply” section ABOVE the comments – pain in the ass to scroll down all the way :)

  34. There would be quite a few more 1 star reviews than there already are if the moderator (name redacted) had not deleted them for dubious reasons. Also, it’s not a moderator’s place to offer their personal opinion on what is a valid review or what constitutes “entitlement”.

    The net result of this debacle is that many WP users will turn auto updates off and be very wary of installing plug-ins.

  35. The original plugin was forked to One User Avatar with the old developer. They just bought the userbase.

  36. Suggestions: best way to deactivate/delete, and replace?

    This is the most insane update of a plugin I’ve ever had in my 15+ years as a website developer! My word…

    Nobody asked for this; we used to have a nice, little lightweight plugin for only one simple feature, and now we’re stuck with a full bloated membership plugin! Sad, sad, sad…

    What is the best way of deactivating/deleting the 3+ version of this plugin? Did it create tables and other crap that needs to be removed, and does the default delete plugin feature do a good job at this?

    And any suggestions for replacing it with another plugin?

    • Yes, that’s what I’m looking for.
      And with backward compatibility, because I used plugin functions in my theme development….

  37. Once upon a time I had great faith in the .org plugin directory. Simple quality plugins.

    I thought I’d come around to auto-updates too. But for .org plugins like this it’s just way too high risk.

    I’ve seen some really good plugin adoptions/takeovers over the years. I’ve seen some unnecessary failures (Postman SMTP for example).

    Then I’ve seen things like this that someone should have stopped.

    If the .org directory is going to remain a trustworthy source then stuff like this needs to be addressed.

    Just some thoughts. Perhaps any time a plugin adds a new developer there should be a clear notification in the dashboard, and auto-updates shouldn’t occur until that notice has been cleared.

  38. Now they are faking 5-star ratings….
    What’s going on here? Is there anyone to stop this madness?

    • I haven’t seen any hard evidence of faked 5-star ratings. Someone else brought this up, so I checked into the various profiles. Most of them are users with years-old accounts.

      I think some of the upswing has more to do with the admin notice that pops up several days later asking for a 5-star rating.

      • Same with GADWP: most of their recent 5-star reviews are clearly fake as well, in an attempt to counterbalance the flood of 1-stars.
        Something that may be very hard for the mods to police though.

  39. I hope everyone who uses this plugin is updated…

    “Easily Exploitable Critical Vulnerabilities Patched in ProfilePress Plugin”

    On May 27, 2021, the Wordfence Threat Intelligence team initiated the responsible disclosure process for several vulnerabilities that were discovered in ProfilePress, formerly WP User Avatar, a WordPress plugin installed on over 400,000 sites. These flaws made it possible for an attacker to upload arbitrary files to a vulnerable site and register as an administrator on sites even if user registration was disabled, all without requiring any prior authentication.

  40. WP User Avatar worked for years without any issues. Yesterday the “ProfilePress” version suddenly allowed an attacker to register administrator accounts on a popular website that I manage. Now I have zero trust in the developer and deleted the plugin entirely and forever.

    ProfilePress is not WP User Avatar, and it should not be allowed to live and update itself under the original WP-User-Avatar plugin folder. It should not be possible for plugins that are currently installed on 400,000 sites to suddenly transform themselves into something else that we did not choose to install. Seems like a massive security risk.

    • This happened to us yesterday as well! We also found php files uploaded to our media library. We uninstalled the plugin and added security measures.
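For the situation the last two comments describe (administrator accounts appearing without the site owner’s knowledge, and PHP files turning up in the media library), the WP-CLI script below is an added example of how to check a site for those two indicators. It is not code from Wordfence, ProfilePress or the commenters. It assumes WP-CLI is installed and run from the site root, that the uploads directory should never contain executable PHP, and that the seven-day window is an arbitrary, constructed threshold.

```php
<?php
/**
 * Post-incident checks for a WordPress site (added example).
 * Run from the site root as:  wp eval-file audit-site.php
 * Assumes WP-CLI is installed; the 7-day window is a constructed threshold.
 */

// Administrator accounts whose registration date falls inside the window.
// user_registered is stored in UTC, so the comparison value is built in UTC too.
function recently_registered_admins( int $days = 7 ): array {
    $since = gmdate( 'Y-m-d H:i:s', time() - $days * DAY_IN_SECONDS );
    $found = [];
    foreach ( get_users( [ 'role' => 'administrator' ] ) as $user ) {
        if ( $user->user_registered >= $since ) {
            $found[] = [
                'ID'         => $user->ID,
                'login'      => $user->user_login,
                'email'      => $user->user_email,
                'registered' => $user->user_registered,
            ];
        }
    }
    return $found;
}

// PHP files anywhere under wp-content/uploads. Media uploads are data, never
// code, so every hit deserves a manual look.
function php_files_in_uploads(): array {
    $base  = wp_get_upload_dir()['basedir'];
    $files = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $base, FilesystemIterator::SKIP_DOTS )
    );
    $hits = [];
    foreach ( $files as $file ) {
        if ( preg_match( '/\.(php|phtml|phar|php[0-9])$/i', $file->getFilename() ) ) {
            $hits[] = [
                'path'     => $file->getPathname(),
                'modified' => gmdate( 'c', $file->getMTime() ),
            ];
        }
    }
    return $hits;
}

$admins = recently_registered_admins( 7 );
$shells = php_files_in_uploads();

WP_CLI::log( sprintf( 'Administrators registered in the last 7 days: %d', count( $admins ) ) );
foreach ( $admins as $a ) {
    WP_CLI::log( sprintf( '  #%d %s <%s> registered %s', $a['ID'], $a['login'], $a['email'], $a['registered'] ) );
}
WP_CLI::log( sprintf( 'PHP files under uploads: %d', count( $shells ) ) );
foreach ( $shells as $s ) {
    WP_CLI::log( sprintf( '  %s (modified %s)', $s['path'], $s['modified'] ) );
}

if ( $admins || $shells ) {
    WP_CLI::warning( 'Findings above need manual review; unknown administrators and PHP under uploads are compromise indicators.' );
} else {
    WP_CLI::success( 'No recently registered administrators and no PHP files under uploads.' );
}
```

The script only surfaces the two indicators mentioned in the comments and changes nothing. Either finding means the rest of the site (other plugin and theme files, the database, scheduled tasks) has to be treated as modified until it has been compared against a known-good backup, which is the recovery route several commenters above ended up taking.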
