Should WordPress Notify Users of Plugin Ownership Changes?

Plugin management screen with one plugin showing a notice of change of ownership.
Potential idea for showing plugin ownership change.

That is the question posed by Ian Atkins in a recent ticket for WordPress.

“I’ve experienced a few plugins change ownership, and it’s really not clear as a user, developer, and maintainer of sites when that has happened,” he wrote in the ticket. “Whilst having a plugin continue to be developed is admirable — I do think it would be wise to inform users of that change.”

For full disclosure, the ownership change that prompted Atkins to create the ticket was from the Members plugin. I am the former owner of the plugin and sold it to the MemberPress team in 2019 (I was a full-time plugin and theme developer before joining WP Tavern). Having been both a plugin author and user in this scenario before helps mold my viewpoint.

I agree with the idea. WordPress should have some mechanism for notifying users of changes of ownership. The more transparency that exists in the ecosystem, the healthier it is for all.

As a plugin author who was letting go of a project that I had worked nearly a decade on, it was tough to say goodbye. I had built friendships and trusted users who walked beside me on my journey. I posted on the company blog, Twitter, Facebook, and the WordPress support forums. I replied to emails, PMs, and more. I wanted to be as transparent with my plugin users as possible. When the plugin was out of my hands, there was no way for me to reach out to the 1,000s of users who did not follow me on social media or the blog. The new owner was as transparent. Even today, a year later, some users are just now realizing someone else is running the show.

In hindsight, perhaps there was more we could have done. Maybe there was more WordPress could have also done and can do in the future. There are valid concerns from users.

Atkins lists three primary reasons for his proposal:

  • There might be privacy policy changes that have impacts on what data is shared and how it is shared. Legally, depending on location, this may have to be communicated to end-users (under GDPR, etc.).
  • The plugin may change direction or add features that were not originally included or required under the stewardship of the prior owner.
  • The plugin may have changed hands to a developer or development house that a user knows isn’t as reliable as the previous owner.

He also asked whether the plugin team reviewed ownership changes. Changing owners is a simple task, and these changes are tracked internally.

Mika Epstein, a Plugin Review Team representative, said that the team could make such changes public. The biggest flaw with that system is that it is not always possible to know when a plugin’s owner changes. Sometimes, an entire company is sold, which would include ownership of the WordPress.org account. She also cited situations where serviceware plugins change hands in unobvious ways.

“I want to be clear, I’m not against this!” she said in a follow-up response. “I’m for this! I just want to be clear that we’re going to get MAYBE half of the changes.”

Half would be better than none. An automated system may work to create notices in some situations. However, an addition to the plugin review guidelines may also be part of the solution.

Plugin authors could also take it upon themselves to implement an ownership-change notification. This may be one of those use cases for the much-maligned admin notices that is worth exploring.

At this point, we are just asking the question of whether WordPress should create a system in which users are notified of plugin ownership changes. What would you like to see in terms of solutions?

I want to see continued progress on the transparency front. Atkins’ first list item is the most important. If there are privacy policy changes or a plugin deals with personal data in any way, users need to know when the plugin has a new owner. They should be able to make a decision about their continued use of the plugin with all the facts laid bare.


24 responses to “Should WordPress Notify Users of Plugin Ownership Changes?”

  1. I would love to see this happen. There have been cases where a change in ownership has been decidedly for the worse. I can even recall some plugins changing hands and distributing malware.

    But at its most basic, it’s just good for users to have that knowledge. That may lead them to better understand why a change was made or that they have a new place to contact for support.

  2. As I think you’re aware, I’m a new plugin maintainer (June 2019 – Radio Station by Netmix at https://wordpress.org/plugins/radio-station). I took over the plugin from the prior developer and when we released our first update, we didn’t announce the ownership change as an admin notification. We could have but frankly, I didn’t think of it. Although we did improve the Read.me, which spelled out that we took it over from Nikki Slight, so that information would appear on the WordPress.org plugin page. I also quickly turned Netmix into the home page and mentioned Nikki as the original author. Now, we have an admin email newsletter registration, so anyone who joined in after the fact are now updated, but probably don’t know the story.

    I’ve been friends with Michael Torbert and Steve Mortiboy for ten years. Awesome Motive recently acquired AIOSEO and they recently released an incredible full rework of the entire plugin admin system, with new features and wholesale changes. But when the plugin was acquired, I didn’t know until I saw the news in social media. Seeing some kind of update that an acquisition took place and a link to a roadmap or some information about whether things would change might have been helpful to me in my client’s sites, so I could make everyone aware, since I held a developer license. Also, another recent issue is that Awesome Motive decided to sunset anyone with a lifetime developer license under the old crew and forced you to pay to upgrade. That wasn’t explained at all. Maybe there was an email, I don’t know. But it should have been displayed in the admin when upgrading that if you were a prior user with a deal with AIOSEO, that you no longer be honored.

    Seeing all the new changes to AIOSEO, I’m happy to pay for it now as my relationship with AIOSEO has changed. But I think these types of notifications are surely important in some way, shape, or form.

    Who knows if Radio Station is ever acquired. If so, I will face these same issues when the time comes in how to notify our users an acquisition took place. In one sense, you don’t want to let people know until the deal is closed, but you also want to prepare your users for the eventuality a change of hands will be coming. Then, update them along the way.

    • I disagree. Some users indeed don’t care, but some do. I always do a due diligence check to make sure the plugin author is reputable. If not (yet), I will likely dismiss the plugin. I’ve seen cases of plugins turning malicious after an ownership change. I think that’s relevant enough to protect my clients against.

      • Well that’s two manifest failures for the CMS in one reply! So if you’re checking plugin authors – to see if they are reputable – that’s a failure on the plugin review team’s part. You shouldn’t be checking to see if the plugin author is reputable, they should ALL be reputable [from the user’s POV]! The fact you’re saying that you have to check, means there is a failure somewhere higher up the pyramid. The second thing you’re saying is that this notice, will prompt you to check this data point “is the author reputable?” when prompted. In other words, this notice, will be used by you as a user, to “reputation check” the CMS ecosystem. That will not have a positive effect. This is because you have been trained – as a user – to think that the plugins suck, or that the authors aren’t reputable [why are you checking if you don’t think that?]! Here lies a smell, and this is not the solution. This makes the smell worse. In fact, the notice will be used for exactly what you’ve said: to check if the author is somehow “bad” [which they too often are!]. In other words, this is a system to remind users how bad the plugin authors are. That’s the effect anyway. The devs here are self interested, and most of them are competitive and consider themselves “good plugin authors” [probably are]. But the users don’t care about the debate between good authors and bad. That’s an internal family matter for developers. Users will only see the bad. Finally, the event of an author change is rarely associated with something positive. Usually the dev has died, or abandoned the code [fun!]. In other words as a user “Why am I being given this notice?” “Oh, because many WordPress plugin devs suck somehow, and this is a chance for me to check on that.” Anyway I’ll leave you guys alone again, good luck with this [my bet is it goes in!].

        • Sorry, I forgot to subscribe so I did not see your reply earlier.

          This is because you have been trained – as a user – to think that the plugins suck, or that the authors aren’t reputable [why are you checking if you don’t think that?]!

          No I haven’t been trained to think that. The WordPress ecosystem is incredibly diverse, with all kinds of people in it not just users and developers. There are end users, power users, hobby devs, freelancers, enterprise level devs etc along with ditto characters. The way I audit plugins probably isn’t the same on how the plugin team does these checks. Everyone can have a plugin in the .org rep and I agree with that. It’s an open source project, not a company. The repository serves other purposes than just serving me plugins for my project.

          This makes the smell worse. In fact, the notice will be used for exactly what you’ve said: to check if the author is somehow “bad” [which they too often are!].

          No, I just check who I am dealing with. Can it be bad? Yeah. Have you heard of the Mason Soiza scandal, Pipdig? Oh and apps /plugins turning rogue after an ownership change isn’t exclusive to WordPress. Happens in the playstore and even the App store as well.

          But it also works the other way around. When a plugin gets adopted by a bigger company (like f.e. Automattic, Ithemes WPEngine) it can mean it will align better with other plugins in the future. In that case in time another plugin (or custom code) has to make place. Regular checks like these are in my opinion just good housekeeping.

  3. I would like to see some kind of notification of when this takes place.

    In fact, I would like to see it go one step further. On the update plugin page, don’t allow plugins to update unless you acknowledged that you’re aware of the ownership change.

    • I’ve helped a lot of WordPress sites in my country with all sorts of issues – and 75% of them were due to lacking updates. Making this mandatory will cause even more lacking updates, and potentially evolve to a security-issue as well.

      The idea is good – if only everyone would keep their sites updated.
      But a notification, that doesn’t go away by itself, would be the way to start off at least.

      // Aris

  4. Yes, there should be a standard method of notifying users. However, I respectfully disagree with the idea that “half is better than none.” That could create a false sense of security, as a user could believe that no notification means no change of hands. It would also be generally confusing. It should be for all plugins, all changes of ownership.

    • Did that ever actually happen to you, and did you tell the plugins team?

      For the extremely few times I know of, we rolled back the plugin code, eliminated the malicious author entirely, and ended the plugin. Not very often, and I’ve been doing this full time for 10 years now. I feel that your memory is long here, because that is a rare event.

  5. Definitely a good idea. I have the Members plugin installed on one of my sites. The changeover was smooth, and afaik no functionality has been removed, but as my process for installing plugins is to first review the plugin’s support history, reviews and get a general feel for the author through their responses and plugin library, this could all change dramatically in the event of a plugin changing hands. A notification would be ideal so I could review the history of the new author/owner before updating.

  6. I would prefer to see a notice of ownership change for plugins. My clients may not care about it, but for me to offer the best experience for them, more info is always better.

    Most of my clients are rural small business owners with limited budgets, so for some things I find them the best free options.

    As an example, recently there was a popular analytics plugin that changed ownership. The new ownership decided to switch many of the popular free features to premium. It took me a bit to realize this. I have now switched them to the new Google Site Kit.

    I have experienced other ownership changes over the years as well. So I think having a notification pushed out just helps site owners and admins to be as informed as possible, so we can adapt quickly to any changes or privacy notification requirements.

  7. “impacts on what data is shared and how it is shared.” – major issue.

    I had been using one of those plugins that allow you to add social share / find us on fb, twit, etc plugins on several sites..

    It took a long time and lots of searching to find one that loaded its images from local files and did not automatically pull scripts from third party servers..

    well after a couple of years it was bought out by one of this ‘add/this / addToAny’ type places – that offered an update very quickly and was now using the install and surfing data (of all the previous installs and their web site’s visitors) for data collection.

    I’d also like a notice when wp pulls plugins – like wp-spamshield(?) which is on some of my sites and never gets an update notice.. but maybe there should be some notices about that.

  8. I like the idea. I think all new plugin owners should alert users of the new ownership. Some users won’t care, but many will. The ones who don’t care can simply ignore the message, much like they probably ignore all other messages in the admin area.

    Mika’s points are valid. I don’t think the Plugin Review Team will be able to identify all ownership changes. But if WordPress core provided an easy, standardized way to communicate ownership change, that would encourage owners to use it.

    I also think plugin developers should take responsibility here, and not place it on the Plugin Review Team. As plugin developers, if we transfer a plugin to another owner, it should be in the contract that the new owner must communicate the ownership change.

    Taking it a step further, personally I would require the new owner to make a public announcement about the change, including a statement from me, as the previous owner. And if they have plans to make big changes, I would make sure those are communicated publicly as well. Especially data sharing or privacy-related changes.

    I would also require them to announce the change as the first bullet point in the changelog.

  9. I also think that this would be a great idea. As a website developer I take extra care selecting the best fit for my clients’ needs. If there is a change over it’s crucial that this be known so research and review can be initiated and make a decision to accept the change or find another solution.
