WordPress.org Plugin Developers Demand Transparency … – WP Tavern

Sarah Gooding
Frustrations are mounting, as WordPress.org plugin developers plead with WordPress leadership to restore access to the active install growth data for plugins after it was removed last weekend without any public discussion. A ticket calling for bringing back the charts is home to a heated discussion on the matter but so far the developer community has not been able to get any clear answers on why access to the data was cut off.
In his first response on the ticket, Matt Mullenweg asked developers to explain their reasoning for bringing the stats back, without communicating why they were removed in the first place, asking them to present “that side of the argument.” No decision makers have confirmed this to be a security issue.
Mullenweg’s second response on the ticket evades the questions plugin developers are asking and instead states that the availability of an API for this data was never promised:
As has been pointed out, there was never an API made for public use or with any promise of availability, people just reverse engineered and exfiltrated the data to create the chart.
I definitely think we can show some more stats to plugin authors about their own plugins, and I’m hearing that for newer plugins every new install can be a motivator. Feedback loops are important. It will take some work but it’s doable.
While he seems open to finding a way to show more stats, Mullenweg did not promise the return of the active install growth data, the most important metric for plugin authors tracking the trajectory of their user bases. Many businesses rely on this data to make product decisions.
“I think that one of the main things (from my perspective) is that this change has made us feel vulnerable and powerless,” WordPress plugin author Ross Morsali said.
“I’m about to change a repo based on three years of work, and I won’t even know how it does until I lose or gain at least 10,000 users. Feels kind of insane, not a good foundation for my business.”
Morsali commented on the ticket to explain the importance of the data:
It is literally the only way to know how your plugin is doing – which in itself, is pretty bad – the removal of it just put blindfolds on everyone – so we have to wait until the next tick of install growth (up or down) to get any idea – it’s not reasonable – this can take 6 months or more in some cases, and literally forever if your plugin is neither going up or down in active installs.
Participants in the discussion on trac were so inflamed that one suggested plugin developers should strike by offering no more support, updates, or new plugins to the directory unless WordPress brings back the growth charts. This simply isn’t possible for the many people who make a living from their plugins.
“As someone who is in the early days of trying to grow a freemium plugin, I’m incredibly frustrated,” Equalize Digital CEO Amber Hinds said. “We were using that as one way to gauge the efficacy of our marketing efforts and now it’s just gone. Also, in investor conversations being able to show growth is vital.”
George Stephanis, an Automattic employee who was not involved in the decision, claims that, “This chart was removed due to a Security or Privacy concern,” and speculates that it hasn’t been disclosed yet because it can’t be shared without putting users at risk.
“It was never explicitly stated it was removed for a security or privacy concern,” Earle Davies said in response to this claim. “It was removed due to ‘due to insufficient data obfuscation’ which to me does not mean security or privacy. Privacy is PII which this chart did not include. The obfuscation is because ‘we’ (whoever we is) did not want people to be able to see ‘exact’ stats.
“Framing a summation of this as a privacy or security update isn’t accurate. What may be most useful is if Matt stops flying by with 1-2 sentence non-answers and finally addresses in detail and plain language WHY this was removed. Short of that it should be reinstated ASAP and work on better charts in the future.”
WordPress plugin developers may never know the details behind this chart’s removal. If it is in fact a security issue, this could have been confirmed in a transparent way by the people involved. Instead, plugin developers have been set on edge by the demand that they present their side of the argument for bringing back the stats.
Mark Zahra, the author of the ticket to bring the stats back, tweeted to bring attention to how many people are following the ticket and invested in its outcome.
“Even if 10,000 people commented and appeared to agree that would still be a small fraction of the wider WP community,” Mullenweg responded. “That’s one of the hardest things to navigate in open source, and product and community development generally.”
This reaction drew the ire and frustration of those hoping for some real answers. It also makes it exquisitely clear who has the power in this situation, whether to withhold information or turn off access to data. Despite overwhelming consensus on the ticket from the people impacted the most by this decision, 10,000 wouldn’t be enough to wield any influence over the outcome.
At this point, the protracted lack of transparency in this matter has further damaged trust in WordPress.org as the best distribution channel for free plugins.
“The way that this has been dealt with has made me seriously question if WordPress is the right platform for me, for the first time in years – it’s made me and my business feel vulnerable,” Morsali said.
WordPress.org is a non-profit; who is on the Board? Why is Matt Mullenweg the only one responding, and why can this even happen, given that non-profits are required by law to offer certain transparency?
I have been a huge WordPress.org fan. I maintain over 10 sites. This is ALARMING.
WordPress.org is not a non-profit, the WordPress Foundation is. WordPress.org is an open-source project.
The WordPress Foundation has no jurisdiction over the development of WordPress.
This is really disturbing. If it is not addressed immediately, both developers and users will lose trust in WordPress. I know that there has to be a tension between free and paid, and we low-end users can just look on in worry. Will developers maintain my plug-ins? If not, what happens to my sites? Will things get a whole lot more expensive, and how can my mini-organization, budget in low 4 figures, keep up if they do?
A few years back, when I read about Automattic’s IPO, I was concerned that the company’s emphasis would gradually shift from making a good product to making a good profit. So I was not surprised to see the suppression of information vital to independent developers (probably still quite available to Automattic), the lack of public discussion, and lack of recourse. How soon before Mullenweg will be cashing out and moving to his private Caribbean island mansion?
Automattic has not had an IPO, and the data is not broadly available inside Automattic.
Only a small subset of individuals — some employed by Automattic, some not — that actively maintain the WordPress.org website have access, and that data is not disclosed for business purposes within Automattic to my knowledge, and I’ve been there for almost a decade and a WordPress contributor for longer than that.
Sorry. A PSO, not an IPO. Though practically this has the same consequence: demanding investors.
Could you clarify what you mean by ‘PSO’? I prefer Pumpkin Spice Lattes, but I don’t think that’s what you had in mind.
Unfortunately, WP is open source and free. Their repository is free and usage of it is quite clear. You cannot sell on WP. Meaning, your free version adheres to their standards and usage terms.
As an owner of a large WP plugin, the workaround is to keep two versions. That is the sad reality. One for WP and one you control. This is the MAIN reason big plugins such as gravityforms.com or wp-rocket.me have NEVER been on the WP repo.
Be woke folks. WP is just a form of advertisement. Get your metrics elsewhere.
Giving out usage/metrics could be a violation of GDPR and similar laws.
With wp.org, we’re playing in Automattic’s playground and always have been. They make the rules. The fact that Akismet, a freemium plugin with a paid SaaS backend, is still installed by default on every WP install should be enough to know who calls the shots. It’s something I’ve just grown to accept and I don’t see it changing anytime soon.
Not surprised. The terms are pretty clear. I use the WP repo for advertisement purposes only. The moderators didn’t accept this comment last time because of ‘name dropping’ I assume; but, many big name companies have NEVER been on the WP repo. The repo is free and should be used for the SEO value only. That is, of course; if you even choose to be on the repo.
Now, #2, the repo takes your plugin down at will. No mercy either. For instance, someone says your plugin is unsafe. They rip it down and do an investigate first approach and ask questions later.
Food for thought…
There have been plugin authors that have abused the repo. Their plugin gets accepted, then the next update for the plugin…hey look, some random advertisement on my footer.
What a great article. Yes it is interesting why WP.org is so nontransparent, isn’t it? Probably don’t want to take up the server data for storing this amount of information in order to give it back to you. Well, actually, the better prediction is that they don’t have ‘accurate’ stats. Never have and never will. It is far too easy for a user to manipulate a plugin file directory so that the WP install cannot track them. Say you install a plugin called ‘my-plugin’ and it is from the WP repo. If you just go to /wp-content/plugins/ and find that plugin, then you can rename it. From there you just rename the file that loads the plugin and then go activate it.
What is all this geek speak? It just means that too many developers out there are able to take your free plugin and make it their own. The stats are useless. Sorry.
has further damaged trust in WordPress.org as the best distribution channel for free plugins.
I think this is the most underrated reason for the whole topic. For free plugins WordPress.org is the best distribution channel (for the users), but for freemium plugins with an upsell offer you need data to measure success. And this is the confusing part here.
It is no secret for everyone following the #forums channel on Slack, that the plugin directory is not a marketplace. It is a plugin repository for free to install plugins. Users are not customers. If you base all your efforts on this distribution channel, then you are doing something wrong. As every platform, WordPress.org can change, add or remove features to better serve the main purpose and this main purpose is not being a marketplace, but being a repo of free plugins.
Although I understand all those who are missing this feature, I think the effort should be used to move on and find better places to sell. Like your own website.
When are people going to realise that MM is not a benevolent dictator and demand the urgently needed reform of WordPress governance?
This data is commercially important to plugin developers, including Automattic, and he’s just taken it away from everyone but his own company.
He’s ignoring lots of questions from developers and business owners and making ridiculous demands that WE justify why we should be able to see the data that had been there for years.
A strike sounds like a great idea – no more plugin updates, no more support, no more core contributions, no more WordCamp attendance or sponsorship until the data is restored.
I don’t want you (or any plugin author) to have plugin installation/usage on my site.
This discussion is very one-sided, where one side has all the power but doesn’t put forward any arguments or reasons. While the other side clearly has no power but has to make all the arguments, even if they have been said 10 times.
I am sorry to say, but Matt Mullenweg doesn’t come across as trustworthy here. It will be interesting to see what will happen if marketshare of WordPress goes down, or rather when. Is he going to squeeze more?
I’m quite anxious how WP – and Automattic – evolves. It seems to me that WP evolves more for the benefit of Automattic than to regular users. I’m not a developer or a WP professional, just a blogger and these last times, WP evolution is just…unpredictable.
That’s all they found for obfuscating Classic Editor’s growth?
Mullenweg talks about the WP community as if it’s a thing. It isn’t. WP killed off the community years back and this latest development is further proof of that. In a true community, a decision such as this would be discussed before any action is taken and the reason behind the action would be made clear. What is Mullenweg hiding?
WPTavern just used this data to indicate that BuddyPress may be dying, and less than 3 weeks later Matt takes that data offline? When the numbers don’t show what you want them to, just get rid of the numbers and to hell with everyone else. It’s a bold strategy, Cotton.
BuddyPress Plugin Usage Declining, Remaining Contributors Discuss Path Forward

I wonder if this is just a petty move since BuddyPress has declined so much. I default to simple reasons when the answer is not forthcoming.
Probably very wrong but c’est la vie.
We bloggers support our plugin developers. Take the blindfolds off!
Also, commenters and Matt, quit the mean or inappropriate remarks. We are one community so behave as such.
Lol @ plugin authors “striking” by not providing support. That currently happens to a huge amount of plugins.
Anyways, with all due respect to plugin authors…………I do not want you knowing that I have your plugin installed on my website. I do not want to use freemius, I do not want to give you anonymous non-personal data.
The following is none of your business:
WordPress version I have installed, what plugins I use (yours and others), what theme I am using, my php version, mysql version I am using, everything else version I am using.
No I will not rate your plugin just because you asked me as soon as I activated the plugin. No I will not subscribe to your plugin newsletter as soon as I activated the plugin. I will rate your plugin/theme whenever I feel like it, and if I feel like it. I don’t want your newsletter where 60% of the content is about the PRO version of your plugin/theme.
The only time I want a plugin, theme and core to “call home” is to check for updates. Outside that, no. Obviously latest tweet/insta/facebook page thing is the exception to this rule.
Metrics and usage of plugins on MY site belong to ME.
Knowing the WordPress version and PHP version of plugin users is incredibly helpful for development purposes, and it benefits you to share that anonymously with the developer.
Here’s an example of this in real life:
We had a function in Accessibility Checker that had to be rewritten for PHP 8 because what we were previously using was deprecated in 8 and caused an error on the admin posts screen. But the function that we changed to was not supported in older versions of PHP (below 7). This means that when we released the fix we would add support for PHP 8, but we would have to remove support for PHP 5.6 and any sites that were running on 5.6 would no longer work with our plugin.
We identified the problem in 2021, but when we reviewed the charts showing the PHP versions for sites with our plugin active there were a larger number than we expected. If we had not had this data, we would have just released the fix, added support for PHP and updated our minimum PHP version to 7.0, breaking all these sites in the process.
Given that PHP 5 end-of-life was January 1st 2019 and WordPress’ minimum requirement is PHP 7.4, we could have done this and it would have been safe to assume there were no sites on 5.6. But it would not have been a good experience for what turned out to be not a tiny number of users. Since we had access to the PHP version data, it allowed us to realize we needed to take a different approach and first warn users, then delay the release to earlier this year.
Usage data is not about spying on you. It’s incredibly helpful in ensuring that developers are creating better products for your website and ensuring that their plugin has maximum compatibility for the most common use cases.
I’ve used the active install growth data to make choices between using two different plugins on client sites – picking the plugin that’s growing rather than in decline.
Disappointed to see it go, particularly without a solid reason being given.
My guess on motives from experience of running large APIs is that it’s fairly trivial to artificially inflate these numbers with bots. Which takes up much dev time for the constant battle of trying to scale to load and adjusting algos to attempt to filter out this bad data.
Assuming that’s what’s happening here, we have 3 options I see:
Nuclear option: kill the whole thing (not acceptable)
Open the data up fully and continue the fight to clean data up as much as possible. I believe despite the data being messy, there is much more value added to the community as whole having it fully open and transparent to all, and easily extendable by a powerful API. Competition is good for users and plugin devs, leading to better quality and WordPress experience.
Remove the motivation to game stats by making it only available to the plugin devs
Fully transparent numbers please, I want to know my actual install count!
Possibly later add in some more simplified public stat for users, like a growing/declining indicator arrow with %.
The WordPress foundation which is supposed to be free and non-profit is actually directed by people which are sponsored through Matt Mullenweg’s Automattic and because of this many people demand more transparency and an actual transformation for WP to become more democratic. Money that was brought from this group for the foundation cannot be a reason of the company to control the foundation.
On the note that it was about violating GDPR, it clearly does, but it is also true that WP.org doesn’t care about the EU laws.
Very true.
This may encourage people to write “phone home” functionality into their plugin, to help with tracking how many active installs are running a plugin. I don’t think that’s a good thing to encourage.
My thoughts exactly. Mainly because some developers take more freedom than they’re supposed to take. This could lead to a magnificent privacy sh*tshow.
I noticed this change today. As an admin of a few sites, I like to keep an eye on the active installs changes in plugins. Disappointed at its removal, and empathise with the plugin authors who have lost an important metric.
The bigger picture, as always, is the lack of transparency in governance and decision making. If the last 5 years have shown us anything it’s that the BDFL model just doesn’t cut it when it’s a piece of software powering most of the web.
You can’t argue that the people who ‘show up’ are the ones who get a say, and then hide behind the ecosystem ‘even if 10,000 people’s find their voice. And with more and more alienating decisions happening behind closed doors, even that facade is shattering.