Reminder: Research Before You Sell Out

Are you thinking of selling your plugin? Did someone offer you money to put a link to their sites in your readme or wp-admin settings page?

STOP. THINK. BE CAUTIOUS.

I’m sure most of you are aware of the recent bad behaviour that’s gone on with regards to unscrupulous people purchasing plugins and using them to leverage malware, spam, and backdoors. While we would never tell you that it’s wrong to sell the plugins (they’re yours after all), we do want to help you recognize the warning signs of a bad-faith purchase.

Above all, if anything in the process makes you nervous and feel like something is wrong, call the deal off. You can email us at plugins@wordpress.org and we can help vet the buyer for you.

But remember this: The primary reason people want to buy ‘popular’ plugins is to use it to spam.

Signs To Watch Out For

Here are some basic red-flags:

  • You get an unsolicited email that reads like a generic form
  • The offer includes different prices based on how many people use the plugin (i.e. $500 for every 1000 users)
  • The amount offered seems to be rather high ($50,000 USD for a plugin)
  • The offer comes from a company who claims to be purchasing a ‘suite’ or ‘collection’ of plugins
  • They want you to sign an NDA, and not talk about the purchase
  • They don’t offer to show you an improvement of the code right away
  • They have (or plan to have) a special domain and user account just for this plugin
  • They have a brand new (less than a year old) account on WordPress.org with no other plugins
  • They have no visible, active participation in the WordPress community (forums, plugins, themes, WordCamps, etc)

Do Your Homework

When people come to us asking to adopt plugins, we vet them. We look at the code first. If there’s no new version of the code, with fixes, we don’t even consider it. If the prospective buyer of your plugin can’t show you how they’ll update it, don’t do it. Period.

No matter what you must do the work to vet these people. Ask them serious questions. How do they plan to handle support and reviews? How familiar are they with the directory guidelines? Do they already know how to use SVN? How will they take care of your existing users?

Review their code. Sit down and look over every single line of code and make sure it’s safe and well written. If you see base64 and it’s not for images, tell them no. If you see them phoning home, tell them no. If you see them doing things in an insecure way, tell them no.

At the end of the day, what they do is going to reflect on YOU, and your reputation could suffer.

Many times, good developers find their names dragged through the mud when a plugin they own is purchased by people who do horrible things with their code. Make absolutely certain, beyond shadow of a doubt, that they understand what owning the plugin means, and that they must abide by all the plugin and forum guidelines.

Worst Case Scenario

If we find out you sold your plugin to someone who does evil with it, the odds are you won’t get that plugin back. Among other reasons, you sold it. To have you take someone’s money for the access, and then give it back to you, would be tantamount to theft. At the very least, it would be a bad-faith action on our part. Once you sell a plugin, accept the money, and your access is removed, that’s it. You’ve indicated you’re done with it, and we will enforce that.

This means if evil is done and we need to fix the plugin, we’ll roll it back to a safe version, remove everyone’s access, and disable the plugin permanently. That will it will push a final update, but no one new can install it. We feel that once a plugin has been sold and used like that, it’s near impossible to recover any reputation, and it’s better for the community to walk away.

Should You Sell Your Plugins?

The directory was never intended to be a sales marketplace, and it’s unlikely it will ever be one. If your deepest wish is to make a super popular plugin and sell it for gobs of money, this is probably not the place for you. Selling your plugin is a chancy business, and it’s hard to make money legitimately on a free plugin. After all, they can legally just fork it and make a new one.

You certainly can sell your plugins, but sell it smartly. At the end of the day, it may be better to retire a plugin than sell it or give it away to someone you’re not sure will do good.

#notice, #warning

Sock Puppetry Is Not Welcome

When a single users makes multiple accounts with the sole intention of leaving reviews on their own plugins (or leaving poor reviews on their competitors), this is called being a “Sock Puppet” – https://en.wikipedia.org/wiki/Sockpuppet_(Internet)

This behavior is expressly NOT welcome on the WordPress Forums as it is spamming, and it can result is us removing all your plugins from our repository for abuse.

That’s from an email we send out when we catch you (or your plugin team) making multiple accounts.

There’s a fine line between making multiple accounts for a team and making fake accounts that leave comments and reviews on your plugin, which you (or someone else on the team) then interacts with.

It’s disreputable, it’s an abuse of our good faith in you, it’s spamming, and it’s wasting the time of forum volunteers.

It’s also not permitted.

We’ve shut down many plugins because the authors engage in unwelcome behavior. Please don’t make us shut down yours. Don’t leave reviews on your own plugins, don’t make fake support posts, don’t spam. It doesn’t make your plugin look good and it will result in your plugins being pulled.

#reminder, #warning

Regarding Offers to “Buy” Plugins

Did you get this email:

We’re reaching out to the WordPress community, looking for
individuals/companies like yourself who are keen to explore the opportunity
of a joint venture/sale of their WordPress plugin/s.

If you are interested in discussing your plugin and what we’re offering
please fill out the form on the attached website, and we will be in contact
with you.

This was a blast email sent to a few hundred people by an unknown person.

Please delete it. It’s not from anyone we can trace back to the WordPress community, and selling your plugins will likely end with your users being highly upset that the changes in the plugin are not what they wanted. At the best, you’ll end up on a spam list.

If you are a company looking to ‘buy’ plugins please don’t use tactics like this. It makes you look like a sleazy sort of person, whom no one would want to do business with. Purchase plugins by directly talking to people who have made a plugin you had a need for.

If you do sell your plugin (or give it away to someone else), please make sure the new owners understand all the guidelines of the repository. Should they violate our terms the plugin will be removed, and we may not give it back depending on the level of the violation. Whomever has commit access to a plugin has the ownership and responsibility of it’s behavior for users. Spamming, inserting tracking data, and adding junk features are the fastest way to ruin your plugin.

We advocate only giving your plugin to people you personally have vetted, and that you trust with being responsible with your code and your users.

#email, #warning