Should WordPress notify users of plugin ownership changes? That was the question that Ian Atkins asked two months ago. WP Tavern readers seemed to think it was a good idea, at least those who commented on our coverage of it. However, the original Trac ticket has not seen any movement since.
There are real technical issues with automating the process. A change of ownership does not necessarily equate to a change of the plugin author. This is often the case when someone acquires a company and maintains the brand.
Tracking such changes does not necessarily need to go through WordPress. Chris Hardie built a service called WP Lookout that notifies users of such changes and much more. It has also been available since August of 2020.
“WP Lookout watches for interesting changes to the WordPress themes and plugins that someone cares about,” said Hardie. “I created WP Lookout for professional WordPress developers, consultants, and site managers who want to stay more informed about the plugins and themes that they (and their clients) depend on.”
While WP Lookout faces the same challenges with plugin ownership changes, it does have an advantage. It also tracks WordPress news organizations, including WP Tavern and Post Status. Even if the ownership change is not reflected on the plugin’s WordPress.org page, the story may be picked up in the news.
Hardie launched the news-tracking feature in early December 2020. It includes the Wordfence vulnerabilities blog and iThemes vulnerabilities roundup blog as a part of the service’s security notification system. The service also scans change logs for keywords related to security.
Notifications do not stop there. The WP Lookout tracks plugin, theme, and core WordPress updates. It also supports several commercial plugins such as Advanced Custom Fields Pro, Gravity Forms, and WP Rocket.
“When we first decide to use a theme or plugin on a WordPress site, we hopefully research it thoroughly — code quality, ratings, support responsiveness, new release history, speed of security fixes, and so on — but once it’s installed it’s easy to neglect those important bits of ‘health’ information over time,” said Hardie. “Auto-updates are great from many perspectives, but I think anyone who has had to manage and troubleshoot a non-trivial WordPress site over time knows that it’s also important to stay aware of, for example, what’s happening in the change log or whether ownership of a plugin has changed hands. But nobody wants to log in to wp-admin on a bunch of sites every week to gather that info.”
Hardie said WP Lookout will always have a robust free option for people who just want a daily email notification for a handful of plugins and themes. However, there are paid tiers for customers to access more features. They allow users to track more plugins and themes and get immediate alerts through email, RSS, Slack, or custom webhooks.
“The middle tier supports up to 50 themes/plugins, immediate email notifications, and a personalized RSS feed,” he said. “The Builder tier supports up to 200 themes/plugins and adds in Slack and custom webhook support along with the option to just get security-related notifications. With more real-world user feedback, we may adjust what’s in each tier over time.”
All users get access to the Builder tier for a few weeks after signing up. After that, they must subscribe or stick with the free tier features.
How the Service Works
WP Lookout allows users to search for and add a tracker for individual plugins. The service primarily relies on the public WordPress.org API for getting plugin and theme data. This is the same system that WordPress uses to check to see if updates are available.
“But it also goes beyond what the API offers,” said Hardie. “For example, there’s no standard yet for theme authors to provide .ORG theme change logs, and so that information doesn’t show up when you go to update a theme in wp-admin; you’d have to go poking around in Trac or source files to find it. So WP Lookout follows the trail to the change log details and puts that right in front of you.”
There is also a WP Lookout plugin available in the plugin directory. It uses an API key, which users can get from the WP Lookout website. The plugin then lets the WP Lookout service know what plugins and themes are installed and adds them as trackers. Using the plugin is far more efficient than manually adding individual plugins and themes.
For plugins and themes that are not on WordPress.org, the service uses custom update APIs provided by the third-party developers. If that is not sufficient, it uses webpage scraping. For news sources, it parses RSS feeds.
“It’s been interesting to see the wide variety of ways that WordPress theme and plugin authors do or don’t manage and present data publicly about their products,” said Hardie. “Some have API endpoints that return the same level of detail as the .ORG API, others have change log/version documents generated by some internal tools, and still others don’t bother doing much at all. I think an argument could be made to standardize on something here for the long-run to help boost the culture of keeping software updated, even/especially if it eventually makes the need for a tool like WP Lookout obsolete.”
The Future of WP Lookout
Hardie has no plans of sitting on what he has already built. One of the next goals is regularly adding new themes and plugins that are not on WordPress.org. This will mean connecting with development teams and figuring out how users can get notifications of things that often have no public APIs. The lack of standardization in the space could be a tough hurdle to jump.
“I have a long list of features I’m planning to add, including things like integrating tracking GitHub repo releases, bringing some helpful data points from WP Lookout into the wp-admin interface, WordPress Packagist integration, allowing per-tracker Slack channel configurations, better internationalization, and better handling of change logs that theme/plugin authors chose to maintain outside of their .org code repositories,” he said.
Hardie does not want to get too far ahead of himself with feature ideas. He said he is excited to get more feedback from users about what they find useful. Currently, there are 80 users, which is publicly available data. WP Lookout maintains an open data and financial transparency page.
“Despite having paid options for more advanced users, I mostly think of this as a service I want to operate for the WordPress community, and I’ll always have a robust set of free functionality,” he said. “I’m also committed to participation in Five for the Future, bringing what I’ve learned here back into improvements that might benefit all WordPress users, whether they take advantage of WP Lookout or not.”