When WordPress plugins become abandoned

Friends don’t let friends run abandoned plugins.

Rocket Apps Blog: When WordPress plugins become abandoned

When a once-popular WordPress plugin becomes abandoned or is removed from the official repository, it spells bad news for everyone involved.

The exact reasons for this occurrence aren’t always clear, but one of the most common causes is when the developer simply moves on from the WordPress ecosystem. This results in a developer who has shifted their focus and no longer has the time or motivation to maintain their WordPress plugins. While this is entirely understandable, it remains a disappointing reality within the WordPress plugin ecosystem.

Another significant reason for plugins being left behind is in the context of free plugins. I, for one, have a few plugins in the WordPress repository (and a handful I recently deleted), but ultimately I don’t receive anything in return for supporting and maintaining them, unless you count community kudos. Instead, because my time is finite and spread thin, it makes better business sense for me to channel my energy into the development and maintenance of my premium products, and providing support to the users who have invested in them.

Fortunately my free plugins require minimal maintenance, and I’m more than willing to continue taking care of them. However, should they ever demand a significant portion of my time I’d have to reassess the situation.

So, when a plugin becomes abandoned or unsupported, what are the available options? Website owners are left with a couple of unenviable choices: they can either continue using the plugin and hope it remains compatible and secure in the long term, or they can seek out an alternative which may or may not be as suitable as the original. There is a third option, which I’ll explore further in this post, but it may not be accessible to everyone.

Through coincidence, bad luck or both, I have found myself in this situation more times than I would like. One particular plugin (which I won’t name) is vital for the operation of Rocket Apps. Over the years, I, along with others, have submitted numerous support requests that have gone largely unanswered. To be clear, this is not a complaint, but rather an observation. I understand too well that when a developer offers a plugin for free, there is no obligation for them to continue maintaining it, which is always a risk when using any free software. In the case of a paid plugin, the expectation is rightfully the opposite.

I now face the same choices as those mentioned earlier. However, as I make a living coding for WordPress, I have taken it upon myself to take the plugin in question (thanks GPL!), address the issues, and further improve it to better suit my specific business requirements. Of course the downside of this approach is that I am now personally responsible for the ongoing development and maintenance of this version of the plugin. Whether that’s a good or bad thing depends on your perspective, but given the lack of assistance for the original plugin developer, my hand was somewhat forced.

The most recent incident occurred last week with ‘Delete Me,’ a plugin that enables users to delete their own accounts. It all began with an email from my host, WP Engine, explaining that the plugin had a security vulnerability and that “there does not appear to be a fix for this update at the moment, and we recommend updating when one becomes available”.

I visited the WordPress plugin page to check for updates and was met with a message stating, “This plugin has been closed as of October 23, 2023, and is not available for download. This closure is temporary, pending a full review”. Speculation within the support threads suggests that the plugin may have been abandoned, which is a fair assessment given that the plugin author has not responded to any inquiries in nearly a year and a half. It also states the closure is temporary, so benefit of the doubt may still apply.

But with no indication of when the plugin might be patched and re-released, I felt it was too risky to continue using it and decided to take matters into my own hands.

Instead of fixing and reworking the ‘Delete Me’ plugin, I chose to build a new plugin (Delete My Account Pro) from the ground up with the same primary function while also adding some ‘quality-of-life’ features that I felt were missing from ‘Delete Me’.

I realise this is an option available primarily to plugin developers, but if you find yourself in a desperate situation you could consider outsourcing the task, especially if security is of concern (and it should be).

UPDATE: As of the 11th of November 2023, the ‘Delete Me’ plugin mentioned in this post has since become available on the WordPress repository again, with the cross-site scripting security vulnerability apparently fixed.


Mike Ott

Michael is a veteran developer / web designer / usability evangelist, product engineer, former long time serving Judge for the annual Australian Web Awards and card carrying geek.