WPwatercooler

EP326 – When premium plugins go bad

June 14, 2019

On this episode of WPwatercooler the panel works through several recurring problems in the WordPress plugin ecosystem, with WooCommerce as the running example. It opens with the accountability plugin developers should bear when their code introduces security or performance problems, and with the case for vetting both free and premium plugins so that what users expect matches what a plugin actually delivers; paying for a plugin does not by itself make it more reliable. The conversation then turns to WooCommerce's central place in WordPress, and in particular to the WooCommerce Admin plugin, which the panel says was being promoted in the dashboard despite its own page warning that it is not ready for production use. The panel also vents about the current problem-reporting channels, where flagging a serious issue can feel like shouting into the void. The episode closes on the need for developers, business owners and end users to coordinate on these problems.

00:00 Introduction
03:20 Accountability of Plugin Developers
08:45 The Need for Plugin Vetting Systems
13:10 User Expectations for Free vs Premium Plugins
18:26 Architecting Before Code and Vetting Plugins
19:03 Plugin Developers and Security Risks
20:18 WooCommerce Admin: A Case Study
24:17 Testing Plugins and Reporting Issues
26:06 Supporting Free Plugin Developers
27:27 WooCommerce’s Role in WordPress Ecosystem
30:38 Custom Solutions in WooCommerce
31:13 Closing Remarks and Outro

Join us on this episode of WPwatercooler by visiting our Participant guidelines page.

WPwatercooler network is sponsored by ServerPress, makers of DesktopServer. Be sure to check them out at https://www.serverpress.com

Panel

Episode Transcription

(00:00) Number one. This is Jason Tucker and this is WPwatercooler, episode number 326. This particular topic is brought to us by, brought to you rather, ServerPress. Make sure you go to their website over at serverpress.com, where you can learn about all the cool stuff they have going on there. They do a thing called WPSiteSync; they just came out with some really cool stuff with it, so before you go take a look at that over at ServerPress. So today's topic, we're gonna be discussing premium plugins go bad. When? Or is it how, how premium plugins go
(00:54) bad, or where, where premium plugins go bad, is the first one. Yeah, Manny, go for it. Okay, I'm Manny, originally from Brazil, Las Vegas. WordCamp Las Vegas is gonna happen in September, first week of September. We are looking for sponsors, so please support the community. Yeah, you like it? That's cool. It's like the same as WordCamp here; it's kind of, there's a little bit of a trend there. Yeah, there could be, yes. I also co-organize the WooCommerce meetup here in Las Vegas; we actually had one
(01:45) last night, it was really cool. I build websites, mainly WordPress, I do full stack, and if you ever come to Las Vegas, come join our meetups. That is a bunch of great geeks in town. Awesome, that's what to do when they go to Vegas. Okay, that may be what Matt wants to do. Alright, so how about you, Sé, tell us about yourself. Who am I anyway? Hi, my name is Sé Reed. I make WordPress sites, WordPress repairs, at Sé Reed Media, @sereedmedia on all the things. Isn't that ironic? Today? Do you think? A little too ironic. Tell us about yourself.
(02:39) Hey everybody, I'm Jason Cosper, it can't hurt, autoloader, here with WPwatercooler. You're new here, so first, tell us about yourself. Hey, my name is Val. I'm doing social media strategy for Sucuri, the security company, and I'm getting ready now for WordCamp Europe as a lead photographer, so we're gonna have a lot of photographers roaming those, you know, hallways and rooms, making sure the sessions get photographed and videographed properly. I live in Transylvania, because if I say Romania most people will not know what
(03:23) it is, but if I say Transylvania... And they say, no bite marks? And after this I gotta go and, you know, put my dragon to sleep in a coffin. No bite marks in Transylvania. You know what you're saying, right? Yeah, yeah. Steve, how about you? Hashtag stereotype. I'm Steve Zehngut, I'm the founder of Zeek Interactive. I run the OC WordPress meetup, which is like 10,000 spoons when all you need is a knife. I'm Jason Tucker, you can find me @jasontucker on Twitter, my website is jasontucker.blog. I do this show as well as another
(03:59) show, WPblab, so before you go take a look at that. We do social media marketing, all that fun stuff about WordPress, so feel free to go take a look at that at wpwatercooler.com/wpblab. Alright, so when and how, bring it, bring it, come on, and why and what, oh man, premium plugins go bad. Hashtag all of them. Is this just limited to premium plugins, or was that for some SEO juice? Because this is really all plugins. I want to point something out here. So when we started, what, this is what I wanted to talk about
(04:36) this so badly. When we started Watercooler, y'all, well, not you who are on here, but you two specifically, Steve and Jason, gave me so much crap about how I hard-coded everything and how I basically rolled my own, like, solutions to stuff. Basically I was, like, building plugins within things and whatnot. And then, right, so then the trend has been like, okay, don't do that anymore, get all these plugins and then load your site up. And now it's like... My advice was never load yourself up. The pendulum is swinging back the other direction, and
(05:19) all I have to say is: validation. No, you're just, you live, you learn. Sé just wants everyone to go back to formmail, and they wonder... We use a formmail.pl file so that you can put it in your cgi-bin and you can have that Perl script run; that'll serve only one site. I do not, I do not agree with your assessment that I said, I gave the advice, just load up a whole bunch of... I did do that. Let's go back to episode 56 where Steve said use Gravity Forms. No, that's the episode where you introduced
(06:00) the floppy disk. Point is, that was always the problem, right? It's this dependency. Back in the day those plugins were way less, there weren't nearly as many of them, the solutions weren't there, and they were less reliable because they weren't these huge commercial enterprises built around plugins. Yeah, I would actually argue that plugins are less reliable now. I would agree with you, yeah. Go on. And do you think that's because of the fact that there's so many libraries that are
(06:38) being used, that you're just essentially going, like, I need one little function, I have a library, I'll throw all that library into my thing? I think it has to do with how saturated that plugin repo is, right? So there's so many plugins, right, and there's a big number on top of the repo that shows how many plugins are in the repo, right, and in addition to that there's all the premium plugins. I argue that that's not a good thing, right, just
(07:05) totally, right. But more, yeah, more plugins does not equal better quality. Here's how this topic came about. I'm working with a client that is using a plugin called InfusedWoo. Is anybody familiar with this plugin? No. Is that essential oils? It's not. It's for connecting WooCommerce to Infusionsoft, right, that's what it does, right. And so, two very complex systems, right, and this is supposed to manage the API between WooCommerce and Infusionsoft, and
(07:56) it's like, you have one job. That's right, it had one job. Well, here's what happened, here's what we discovered this week. All the sites on our, we've got several sites that we're running for this client, and they were all running slow, and we just kept digging and digging and digging till we finally found that Infusionsoft was the culprit. We found it in our Sentry report. So we use sentry.io for PHP debugging; we found it in our Sentry report. See last week's episode for more on that, yeah. And what
(08:33) I found digging into this plugin is, Infusionsoft, because they're a premium plugin and because they don't do the same version tracking as plugins that are in, I'm sorry, InfusedWoo doesn't do the same version tracking as plugins that are in the WordPress repo. They wrote their own version tracker, right, and so they embedded their own little version tracker to let you know, as a notification in the dashboard, that the plugins are out of date, right. Well, they wrote it wrong, and so what
(09:07) they did is, they wrote it so that it goes and checks a very simple script on their server that shows the current version. That's all this function is supposed to do. Right, except what they did is they wrote it so that it does that on every single page load, front end and back end of the website. That's intense. Oops. And so think about the scale of that, right: all the people that have this plugin installed, right, all the sites that are loading this plugin, right, are hitting this server. Well, they
(09:42) crashed their own server, right. So they crashed their own internal system for checking versions, because they were calling their server too often, right, and so it was causing a timeout, right. And so that timeout, I think, was about five seconds, and it was causing a page load of an extra five seconds per page, unnecessarily, throughout our entire site. So they were their own bully, and basically just going, stop DDoSing yourself. Stop DDoSing! Yes, yes, yes. And so they released a patch, right. I
(10:14) found it. I actually just forked the plugin, killed the script, because my client still needs this plugin, so I just killed that part of the script; I took out the version tracker. Well, they released... they clearly found the issue. Did you tell them about it? I did, yeah. So I've been very active on their Zendesk, yeah. And so I told them about it, and so they released a patch, and what they did in this patch is made it so it only checks every half hour instead of every page load. Right, right. Which again, I don't understand why they need to check
(10:48) more than once a day, once a week, once a month maybe, anything along those lines. Here's the problem: they're still calling the same URL, right, for the version tracker, right. So all those people who haven't updated their plugin to the latest version are still hitting that server, so they're still calling the server. So even though they've changed it to every half hour, there's still a timeout every half hour, right, so there's still that site slowness every half hour. What do you call
(11:19) it? Fixed? It's not a fix. Well, think about it: if they have thousands of installations and everybody's hitting the same server, that is essentially a DDoS. Okay, it's not just your client, this is a lot of other clients, and the people who use Infusionsoft are generally larger-scale enterprises, in general, like, it's not really, you know, a small-scale solution. So that means that there's a lot of struggling web devs digging endlessly. I personally never come across somebody starting up and
(12:18) says, oh yeah, we're looking at Infusionsoft. Infusionsoft is the solution you pick when you have a large number of, some large-scale stuff, and they are gonna have their, you know... I'm just surprised, like, how long was that going on for? Like, since they introduced the plugin, or was it like a new thing? I haven't gone there yet, right. At this point, I mean, it just happened, so I just had to fix the slowness first. I mean, it was noticeably slow
(12:57) throughout the entire network; like, it was deathly slow. Well, so, I mean, this is part of the problem, right, this dependence upon... I mean, just to broaden it up a little beyond this specific issue of one plugin in this specific configuration, this is the issue, right: you create this dependence on these plugins. We talked about this a couple episodes ago, where you are now not just dependent on WordPress and your host and, you know, the theme and whatever else you've got going on; now you've got basically, like, this, you know,
(13:30) I guess call it a stack, right, of all these plugins from all these different developers of different skill sets and different, you know, approaches, and different approaches towards updating, that are now all these, you know, different things coming into your site. Well, and so if I'm a site that's relying on this plugin because it's important, right, this is basically tracking orders from WooCommerce into your CRM, right, that's what this plugin is doing, right, so that's an important function. The
(14:03) alternatives are: replace it with Zapier, right, which is not great, or get your developer to just recreate the functionality and hook into the Infusionsoft API, which is also not great. There aren't great solutions, and the migration off of this plugin is not cheap or quick or easy. Well, I mean, the API or whatever the hell you want to call it, it's still a dependence on them working. There's been plenty of instances where that stopped working and, you know, you didn't
(14:34) even get notified that they stopped working. I don't know that that's happened in a while, but it has happened. And then if you have a roll-your-own approach, you know, and Woo changes something or Infusionsoft changes something, then you have to go back and rebuild everything. Yeah, so it all turns out we're gonna be employed forever. That's really... Well, and incidentally, I mean, that's the issue here, and we're talking about a, you know, a big, it's a
(15:05) big system, right, with a lot of developers in it, and in this particular case most likely we're talking about a developer that is really not thinking about the big picture that we just described on this podcast, right. But, you know, a developer is just thinking about, okay, how do I get versions working, right, outside of the WordPress repo? So they put in what they thought was a little solution and now it's a big problem, right, and it's
(15:35) not something you just flip a switch and fix, right. This is gonna be there until everybody's updated their InfusedWoo plugin, right. That also presents itself as not only a communication-with-the-users problem, because now it's like you have to communicate to all the users that they need to update without alarming them; it also becomes a PR issue and a marketing issue, because now you're like, whoops, we made a mistake. Or even a security issue as well. Exactly, and a security issue. It becomes, it
(16:11) touches them. You got a scalability issue, right, you've got all kinds of issues. That URL could get hacked, that they're testing, and it could go back and inject into that site, you know, somebody else clever enough to make that happen. That's why whenever I'm adding some new functionality, and the beauty of open source is this, we have that access to source code, I like to take a look at how people are doing this kind of stuff. Yeah, Pippin does it, does version control with his software licensing thing, but they read
(16:42) the code, right. It's cool, right, Manny, you know, you and, and you know, we do the same stuff. We do reviews for all our plugins for our clients before we install them, but we're not the norm in the WordPress ecosystem, right. The norm is somebody just sees a piece of functionality they want and they install the plugin. That's the norm, let's install it, that's right. I highly recommend this session, because it was WordCamp San Diego 2016, where Pippin did an AMA for devs. It was one of the best WordCamp
(17:19) videos ever, you know, where he got bombarded by questions from developers, how to do things the right way. So this is really good. Yeah, yeah. And in no way am I suggesting that InfusedWoo did anything malicious, right. This wasn't a developer being malicious in any way, and InfusedWoo wasn't being evil, right; it's just a mistake. Yeah, well, this is also part of the, the my-appy, my-app, myopic viewpoint. It's easy for you to say. Totally, no, the really narrow focus of developers when they're working on their
(18:00) problem. Because it's like what you just said, you know, that developer's sitting behind their desk and they're given a problem and they just have to solve that little piece of the problem, and, you know, not thinking about how that interacts with the sites or any of that. They're not paid to do that; they're not paid to think, you know what, they're paid to solve that one problem. And I think that it's that kind of isolated approach, but that's happening everywhere, like in developer offices across the
(18:26) board. You should architect before the developers start working on code. You need an architect to say, look, we have these vetted plugins or themes or whatever, and this way of coding, and boom. Val, that's a great point, but we're talking about 55,000 plugins in the repo. Most of these plugins, even the premium guys, are two guys in a bedroom or a garage somewhere, right. They don't have the budget for a solution. They have time to email out to companies like ours, for example; we get every day
(19:03) emails from plugin developers saying, can you please review my code for security, for, you know, potential risks. So if you put a plugin up there you should be responsible for the people getting hacked or not because of your code. It's not okay to just say, oh, this site is hacked, I'm not gonna go to the site anymore. I mean, what does responsible mean in that case? Like, responsible, like financially liable? Like, sorry, you're using a free plugin, but still you're responsible for these... No, well then, yes, you should. You mean financially? I mean, so what, up to what
(19:41) cost? That's America, man. Yeah. Sé, Sé's got an interesting point. I mean, this is a plugin that does affect the bottom line, right. This affects reporting, it affects how they communicate out with their customers, right, it affects... our marketing team can't do its job, because things are missing out of the workflow because something didn't connect. Like, now that customer base is upset, so marketing has to figure out why these people have not gotten this information, and faster. So let me
(20:18) switch gears a second, because I ran into two very similar issues on the same project this week, right, and the other issue is with WooCommerce Admin. Has anybody played with WooCommerce Admin? You're earning your keep this week. I am, I definitely am. So WooCommerce Admin is in beta, right, and so I don't expect the plugin to work, right, and it says very clearly on the WooCommerce Admin page: do not install this on a production site, right. However, WooCommerce turned on something this week, or in the past couple of weeks, that shows you a
(20:53) notification in your dashboard that says, have you tried WooCommerce Admin? Right, and not only is it saying have you tried it, it gives you a way to install it and activate it right in the top of the dashboard. I'm actually not making that one up. That's, like... And so while it's not production-site ready, it is asking people to install it, and if you go to the plugin page... Oh yeah. If you go to the plugin page for WooCommerce Admin, there are over a hundred thousand active
(21:26) installs of this. Oh my gosh. So the plugin page says do not run this on a production site, but it shows up on your production site and asks you to install it. Okay, so I consider that... I don't... that's malevolent. I consider that... But this should be reported. So here's the problem. I actually discovered a critical issue inside of WooCommerce Admin, right, and it seems like an edge case, but it's not. And so what I was doing is I installed it, and I was looking at
(22:05) the WooCommerce legacy reports versus WooCommerce Admin, which is a new reporting tool, and the numbers were not matching. And I actually tracked it down, and so what's happening is, when you have an order that has more than one coupon applied to it, it actually is counting that order twice. Actually, it counts that order as many times as the number of coupons you have attached to that order, right. So let's say you have one order that's in the system for a hundred bucks, and
(22:39) you have another order that is in the system for a hundred bucks but it's got two coupons applied to it and it's really fifty bucks, right. It's not gonna show one hundred fifty bucks total in your gross sales; it's gonna say two hundred. Oh, because it counts that order twice. And it's doing it because of the way that they, they just messed up their joins in a SQL query. I literally tracked it down to the line. That's... good job. And so did you manage to tell them? I did,
(23:08) absolutely. I opened up a ticket on this. It seems like an edge case; it's not. This happens more often than not, and with the sites that we're working on, we were able to see this on every single site, so the numbers are too big, right. So again, I opened up a ticket. That was three days ago; there's been nothing. So, are you really... this is not my sales. I feel like on this one I was just talking into a vacuum. That's when you hit the Twitter. But like, at that point it's like, it
(23:46) whose responsibility is it to raise the alarm about this stuff? You know what I mean? Like, you're doing something that is right, a big thing. But like, as if Steve were to write this code himself, I mean, you still have to kind of look at this from that perspective, that you're the one that implemented this code, right, Steve, so that should have been tested. I have not implemented this code on a production... Oh, well, I know, but like, the person who would have implemented that code on the site, shouldn't they have
(24:17) tested that to make sure that the coupon system actually works? Really, does adding two coupons double my sales? Like, who is even gonna think to make that test? And again, you know, nobody, nobody... but it's there. Sorry, I just want to say, I think people assume, you know, psychologically, when you pay money and you buy a premium plugin, automatically you're gonna have less expectation of errors, you know, security issues, just because, hey, I'm paying money, I'm sort of protected in a way. This is
(24:58) like a professional product. This is what I'm always telling my clients, is that, you know, everyone thinks the Internet is so stable, and like, you know, it's like, oh, this just works and everything, and I'm like, yeah, one freakin' semicolon and the whole thing just... Go ahead, Cos. Well, as somebody who has free plugins available in the repo, they actually expect the exact same thing on free plugins. They expect things to, yeah, to work flawlessly, to be perfect, and the second they find a bug,
(25:34) for it to be fixed, no matter how thin the person who is writing the code is stretched, basically. Yeah, I think demand would probably be the better word, and indignant that it's not being fixed at that moment. And of course they don't know what's wrong; they're not coming like Steve with, like, here's the problem I found in your join code, you know. But it's not even that, it's like, you know, fix this problem, and they can't even give you screenshots or tell you what the problem is. Yeah, my site don't work. Yeah. I think I
(26:06) always push at meetups for people to support the people that do the free plugins, to donate something, pay them, buy them coffee or something. And even though, sometimes this plugin does 90% of what I want, what do you want, you know? They don't understand the fact that, you know, Cosper is over here, you know, that's not even his job, to make, you know, a plugin or whatever, and he's managing and creating this plugin. Like, that awareness is just not there. I just want to clarify that, you know, Woo
(26:49) Commerce Admin and WooCommerce are free, right. Those are free plugins, but those are supporting a huge ecosystem and lots of people's businesses. I mean, people are running their businesses on WooCommerce, and this is the next, yes, this is the next generation of the reporting tool for WooCommerce. By the way, congratulations on the issue, no response, so, just great. I just read it; it's like, then you give, like, every single detail, oh yeah, how to do it. That's awesome. Anybody does know... I told them, go to this line and fix this
(27:27) thing. I never ignored you for three days. Mm-hmm. To be fair, to the responses... I mean, to be fair, there was a problem where, in the WooCommerce Admin plugin, if you stayed on one of the reporting pages over the matter of a few hours, it would send requests back to the API over and over and over again. I think someone reported that there were over 14,000 requests back to the API after just leaving a tab open for over three hours. Yeah. Awesome. Wow. Again, look, I'm not expecting somebody to jump immediately on the thing that I
(28:08) reported, right. But my point in bringing this up is that my worry is that it's installed on over a hundred thousand sites already, right, and it's not production ready, and they're promoting it. Yes, that's a big deal. I mean, that's kind of what it is. It's not like some of the plugins that are in there which, I think, it's not promoted and it's for devs only. And the notification doesn't say, have you tried this plugin, do not do this on a production site. It just says, have
(28:39) you tried this? That's so bad. It really is very Gutenberg-y. Gutenberg-y. I think it's the, we're late for, yeah, it's like a black fly in your Chardonnay, seriously. [Music] Too late. It really is. I don't mean to pick you apart, Sé, but can we... we had some other stuff to talk about regarding WooCommerce, and I think, you know, I myself don't do any WooCommerce work, but I'm very much so interested in how you guys are navigating these waters, to talk about it.
(29:27) WooCommerce is important because WooCommerce is the main thing holding up WordPress in comparison to Shopify, and yeah, that is an ever-crumbling bridge. That is, like, WooCommerce has to be strong, it has to be, like, flawless, and that is because it is literally that, you know, one-to-one solution, and that's why people are making the switch, because of, you know, weird stuff like this. And, you know, that's not to say that Shopify doesn't have those issues, but they're just
(30:02) marketed differently, right, because it's all-in-one and it's, you know, a thing you don't have to do yourself. But I mean, I'm sure they have problems, you know. But WooCommerce is important because of that specifically, more important than some of the other premium plugins. And the equivalent of what we're talking about in the WooCommerce ecosystem is the WooCommerce add-on store, and maybe that's a topic for a different... I export all the data to another table and
(30:38) I remember it their different way, and then I do my own thing on that, because that's the way, and now it's changing a little bit, you know. I know we are fine, but that's what I do, and then it was flawless because I have the data the way that I want to query it, you know. I want to remind... worst week ever. Talk some WooCommerce. Jason, weren't you supposed to say something about the hummus and CBD stuff? No, that's next time; we'll get back to it. Thank you very much, folks, for coming on and hanging out with us on the
(31:13) show. We really appreciate it. Go over to our website at wpwatercooler.com/subscribe, where you learn how to subscribe to this stuff. Talk to y'all later, you have a good one.
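The InfusedWoo failure Steve describes in the transcript, a blocking remote version check fired on every front-end and back-end request, and the vendor's half-hour cadence that still surfaced the same timeout, is a pattern any self-updating premium plugin can fall into. The following is an added example written for this page, not InfusedWoo's, WooCommerce's or any vendor's actual code; the endpoint URL, plugin version, transient name and the `example_` function names are hypothetical. It contrasts the weak pattern with a check that runs only in the admin, caches the answer with jitter, caches failures too so a dead endpoint is backed off rather than retried on a fixed schedule by every install, uses a short timeout, and refuses to render anything but a plain version string into the dashboard.

```php
<?php
/**
 * Added example (hypothetical plugin): a self-hosted version check that does
 * not hammer the vendor's server or stall page loads when that server is slow.
 * None of these names, URLs or versions come from a real plugin.
 */

const EXAMPLE_VERSION_ENDPOINT = 'https://updates.example.invalid/version.txt'; // hypothetical
const EXAMPLE_TRANSIENT        = 'example_plugin_remote_version';               // hypothetical
const EXAMPLE_CURRENT_VERSION  = '1.4.2';                                       // hypothetical

// The pattern described on the show, for contrast. Do not hook this: it makes one
// blocking HTTP call on every request, front end and back end, with no caching,
// so a slow or overloaded endpoint adds its full timeout to every page view.
function example_weak_version_check() {
    $resp = wp_remote_get( EXAMPLE_VERSION_ENDPOINT ); // default timeout is 5 seconds
    return is_wp_error( $resp ) ? null : trim( wp_remote_retrieve_body( $resp ) );
}
// add_action( 'init', 'example_weak_version_check' ); // every page load, ~5 s when the endpoint is down

// Hardened: cache both success and failure, so neither a healthy nor a dead
// endpoint is contacted more than a few times a day per install.
function example_fetch_remote_version() {
    $cached = get_transient( EXAMPLE_TRANSIENT );
    if ( false !== $cached ) {
        return $cached; // a version string, or 'unavailable' from a cached failure
    }

    $resp = wp_remote_get( EXAMPLE_VERSION_ENDPOINT, array(
        'timeout'     => 3,    // bound the worst case; never the default 5 s per request
        'redirection' => 0,    // a version endpoint has no business redirecting
        'sslverify'   => true, // the response feeds an admin notice; do not accept a MITM'd body
        'user-agent'  => 'example-plugin/' . EXAMPLE_CURRENT_VERSION . '; ' . home_url( '/' ),
    ) );

    if ( is_wp_error( $resp ) || 200 !== wp_remote_retrieve_response_code( $resp ) ) {
        // Negative cache with backoff: a timing-out endpoint must not be retried on a
        // fixed cadence by every install, which is what the half-hour "fix" still did.
        set_transient( EXAMPLE_TRANSIENT, 'unavailable', HOUR_IN_SECONDS );
        return 'unavailable';
    }

    $body = trim( wp_remote_retrieve_body( $resp ) );
    // Accept only a bare dotted version. Anything else (an error page, HTML from a
    // compromised or misconfigured host) is treated as a failure, never displayed.
    if ( ! preg_match( '/^\d+(\.\d+){1,3}$/', $body ) ) {
        set_transient( EXAMPLE_TRANSIENT, 'unavailable', HOUR_IN_SECONDS );
        return 'unavailable';
    }

    // Positive cache for roughly a day, with jitter so installs do not re-check in lockstep.
    set_transient( EXAMPLE_TRANSIENT, $body, DAY_IN_SECONDS + wp_rand( 0, 6 * HOUR_IN_SECONDS ) );
    return $body;
}

// Only the dashboard needs the answer, and only for users who could act on it.
// Front-end requests never trigger a remote call.
add_action( 'admin_init', function () {
    if ( ! current_user_can( 'update_plugins' ) ) {
        return;
    }
    $remote = example_fetch_remote_version();
    if ( 'unavailable' === $remote || ! version_compare( EXAMPLE_CURRENT_VERSION, $remote, '<' ) ) {
        return;
    }
    add_action( 'admin_notices', function () use ( $remote ) {
        printf(
            '<div class="notice notice-warning"><p>%s</p></div>',
            esc_html( sprintf(
                'Example Plugin %s is available; you are running %s.',
                $remote,
                EXAMPLE_CURRENT_VERSION
            ) )
        );
    } );
} );
```

The two details that matter most are the ones the transcript's "fix" missed: the failure is cached as well as the success, so an endpoint that is down costs each install one three-second attempt per hour rather than a five-second stall every half hour, and the check is confined to `admin_init` for users with `update_plugins`, so public traffic never fans out to the vendor. Validating the body before it reaches `admin_notices` is what keeps the "that URL could get hacked" scenario raised on the show from turning an update ping into stored markup in every customer's dashboard.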

