Lewis' Blog Tales from the trenches of information technology


What not to do with a free WordPress plugin


The Subscribe2 plugin for WordPress, which powers the email notifications of new posts to this blog, was recently turned over from the original developer to a new group. Often, this is a good thing: a developer runs out of time and energy to maintain his work, and someone else steps up. Sometimes, however, it's not such a good thing.

Subscribe2 was a truly well-written and functional plugin. It did what it claimed to do, and the licensing model was straightforward: the free version supported plain text excerpts via email, and the HTML version supported plain text and HTML full content, as well as HTML excerpts, for a reasonable fee (and purchased support packages were available).

The original developer apparently handed off the project to Matthew Robinson in 2006, and he managed the project until just a few weeks ago.

Support was very good, even for the free version, and I had only minimal trouble with it (though admittedly, I don't really look at it very often; it just does its thing when I generate a new post).

Matthew turned over the reins of Subscribe2 (sold, according to his statements in this post) to a new group of developers, who apparently wanted to utilize it to feed data into their own (very new) project, R-adyGraph (use the name, replacing the "-" with an "e" and adding .com to get to their website; I will not link to it from here, and shall henceforth refer to it only as RG). What do I mean by "utilize it (Subscribe2) to feed into their own project?" Well, the changelog for version 10.0 merely shows:

Initial introduction of R-adyGraph features


which doesn't really tell the tale. However, a quick review of the support threads shows the outrage which some (vocal) users felt at having a big banner plastered across the admin panel in their WordPress installations, "reminding" them to register for their "free" RG accounts. Of course, nobody knew what an RG account was, or what "signing up" might cost in terms of information sharing.[1]

Unfortunately, they chose to do this without any warning to users beforehand. WordPress' built-in plugin updater, for those who have not yet disabled the evil thing, dutifully pushed this little nugget out to everyone. That first login and visit to the main plugin admin page was a rude awakening, as most of us had no idea what was even generating that big, ugly banner. In short, it seemed as though our sites had been compromised.

Yielding (somewhat) to user pushback, the new developers graciously provided a "dismiss" button on the Banner of Ugliness. Unfortunately, though, dismissing the banner for one session didn't mean that the banner would stay hidden forever - and what of this whole RG thing? Were we already leaking...er...sharing (what a euphemism!) subscriber information contrary to our own terms of service and privacy policies?

Somewhere around this time, someone noticed that wp-cron[2] was consuming resources like a Great White. Apparently, this little buglet crept in for those who actually subscribed to RG, so likely this was not the source of my recent server frustration...

The common thread, gleaned from my post here, and the support forum for Subscribe2, is that rapid-fire updates, with little testing, no real attention to what the audience wants, and the ever-present "push" to share information with an unknown third party, have turned a number of long-time users away from what was a well-behaved and useful component.

Most of you regular readers here know that I am always wary of sharing personally identifiable information, and any hint of such activity from a plugin which I have installed makes me shudder. Taking steps to address the situation, I rolled the plugin back to version 9.4, the last version released before the whole RG thing crept into the mix. I then edited the version string in the plugin to read "99.4" to ensure that any accidental mass plugin updates[3] would not result in overwriting a known quantity with the newer, undesirable code.
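The same pin can be expressed without editing the plugin's own files. The following is an added example, not code from this post or from the Subscribe2 project: a must-use plugin that uses the WordPress `site_transient_update_plugins` and `auto_update_plugin` filters to keep a pinned plugin out of the update list. The basename `subscribe2/subscribe2.php` and the file name `pin-plugins.php` are assumptions; adjust them to match the install.

```php
<?php
/**
 * Plugin Name: Pin plugin versions (added example)
 * Description: Keeps pinned plugins out of manual, bulk and automatic updates.
 *
 * Added example, not part of the original post. Save as
 * wp-content/mu-plugins/pin-plugins.php (file name is an assumption) so it
 * loads on every request and cannot be deactivated from the admin panel.
 */

// Assumption: basename (folder/main-file) of the plugin being held at 9.4.
const PINNED_PLUGINS = array( 'subscribe2/subscribe2.php' );

// Remove pinned plugins from the update data that the Plugins screen,
// the Updates screen and the bulk "update selected" action all read.
add_filter( 'site_transient_update_plugins', function ( $transient ) {
    if ( ! is_object( $transient ) || empty( $transient->response ) ) {
        return $transient; // nothing offered yet, or transient not populated
    }
    foreach ( PINNED_PLUGINS as $basename ) {
        // Dropping the entry means no "update available" row is rendered,
        // so a check-all-and-click bulk update never includes the plugin.
        unset( $transient->response[ $basename ] );
    }
    return $transient;
} );

// Refuse background auto-updates for the same plugins, in case they are
// enabled globally or per-plugin elsewhere.
add_filter( 'auto_update_plugin', function ( $update, $item ) {
    if ( isset( $item->plugin ) && in_array( $item->plugin, PINNED_PLUGINS, true ) ) {
        return false;
    }
    return $update; // leave the decision for every other plugin untouched
}, 10, 2 );
```

Unlike the "99.4" edit, this leaves the plugin's files byte-for-byte identical to the 9.4 release, so they can still be compared against a known-good copy. A pinned plugin also stops receiving upstream fixes, so the changelog has to be reviewed by hand.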

I was surprised to see that I hadn't left a review for Subscribe2 previously, and it was really with some pain[4] that I left a rather scathing, 1-star review. I tried to be constructive, particularly in my follow-up comments, offering what I thought/think are the three main roadblocks to once again making this the great plugin that it was. We'll see if the developers take heed (probably not).

I understand the desire to not give hard work away for free, believe me. It seems that I lose more and more time each week giving free support to friends, clients, and users of my own software, as well as all of the hours spent maintaining and enhancing code. However, there is one principle which should override all else, and that is to be honest; no bait-and-switch. If there was a desire to fundamentally change the approach of the plugin to allow for "sharing" (that is way too benign a word for giving other people's names and email addresses - and more - to an unknown third party for some idea that one will get to "share" in the "harvest"[5] of information from other sites with synergies[6].

Well, the code (up through version 9.4, at least) is GPLv3. I may just end up forking it to provide some type of support path for other users of this once-popular plugin. Right now, though, I have quite enough on my plate.

  1. If you construct the url to their website and follow the link at the bottom of the page to the Terms of Service, you'll likely find some interesting reading, including the little tidbit under the heading Your User Content. Follow the link to their Privacy Policy for some further eye-opening (jaw-dropping?) reading.
  2. wp-cron.php: that beast of a core component and force which every WordPress developer and webhost hates, because CPU cycles and RAM seem to get sucked into its vortex without any warning; see here for a great discussion of this now-out-of-control-script and how best to tame the thing.
  3. Yes, that's how the last one got in there: check 'em all, and click - I confess!
  4. As a plugin developer/maintainer myself, I know how depressing less than 5 stars can be.
  5. Harvest: another euphemism for "stolen or otherwise unscrupulously obtained information."
  6. Synergies: (these buzzwords are coming on hard and fast, eh?) Other sites which similarly (mis)treat their visitors' personal information.
