I just don’t use ThemeForest.
Look. I think Envato is actually pretty awesome. They’ve made a way to help people monetize development within WordPress. I’m all about that! I want to see people making a living from WordPress and I want people to be able to succeed and make WordPress even better. A number of people I know who are currently successfully running their own WordPress related business got started over there.
So why don’t I use their products? I haven’t had a need to. I don’t use WooCommerce either, or their themes. There’s nothing wrong with that. But there is a ‘problem’ with Envato, or rather there’s one with ThemeForest, and it’s the same problem as we have on the WordPress.org plugin repository.
The last (and possibly only) time I mentioned them, I said I had an issue with their lack of upgradability. If I buy a theme or a plugin, I can’t easily get updates. I’m stuck on the old way of downloading when I get an email. There’s no way to do it easily from inside my dashboard. This is a problem of our own creation. Ten years ago, that was normal. Today, we have a reasonable expectation to easily upgrade WordPress, its themes and plugins.
I happen to know Envato’s working on it, so I still look forward to their solution.
But they have the exact same problem as we have with the WordPress.org plugin repository: crap code.
You see, there’s no practical difference between the WPORG repository and ThemeForest and how it handles reviews except they actually may be checking on every upgrade. If you didn’t know, ThemeForest does review things. But they do it exactly like we do! They read the code, they test it, they look for evil things, and they approve or not.
Theme review on WPORG is a tighter ship than plugin, for a few reasons, but frankly I doubt the overall quality of code on WPORG (plugins) or ThemeForest is all that different. We’ve had some pretty insane vulnerabilities in plugins, after all, and the WPORG repository doesn’t have a great way of dealing with them. But to say that you don’t trust ThemeForest because the code quality is bad while simultaneously using any free plugin from ORG is naive at best.
The constant problem we have with plugins, and one they have with ThemeForest themes, is that we allow a lot of different types of code. In being liberal like we are, we can allow for a lot more creativity and expression and, well, art. The downside is that there’s a practical limit to what a human being will be able to catch. We’re like the TSA. We try, but we’re fighting a losing battle and that’s why we’re always going to miss things and we’re always going to be running behind and cleaning up.
And worse, they have the same problem with any code they yank. How do you upgrade everyone? When is it right and safe? When is it an overstep? Weighing security risks with information with compatibility is complex. For the WordPress.org repository, we have a long way to go before we’ll be able to push minor security updates like core can… at least not without a lot of fear and consideration. We’re on the road there, though, so one day you may wake up to a plugin magically secured on your site.
Oh and as a reminder? If you see a WordPress.org plugin hosted that is insecure or doing evil things, email plugins@wordpress.org with the plugin URL and all the possible information about how it’s insecure. If you know how to hack it, please tell us exactly what you did. You make it faster for us to sort things out.
For Envato, you can report these things via their Helpful Hacker program.
Comments
4 responses to “I’m Fine With Envato”
In my experience, the code quality on Theme Forest is lower than in the dot org repo. Most of the stuff on there looks like someone barfed up code into a zip file and uploaded it.
@Ryan Hellyer: I suspect the percentage is about the same, once you consider the actual volume. We have some pretty derp plugins that aren’t insecure, but still make me sigh a lot.
I think this is a bit of an overstatement. The main difference between WPORG and ThemeForest, in terms of crap code, is that I can test WPORG material in a development environment with WP_DEBUG set, etc., and they can’t hide bad programming.
Of the six websites that I manage, and the hundreds of dollars spent, four of them I started with ThemeForest themes. Now, only one still uses a ThemeForest theme, four use WPORG themes, and one is a custom theme. If only they would utilize WP_DEBUG.
My expectation of paid themes is that most of the notices and errors that occur on a clean install without any plugins active should already be squashed. I shouldn’t have to walk the developer through how to fix their product, especially when I paid for a working product. And I’m not just talking about simple bug reporting.
On the other hand, I feel obligated and honored to help out developers on WPORG in both themes and plugins.
@Lucas: Well you’re just weird. 🙂 I mean that in the best way.
Most people demand free plugin and theme devs be at their beck and call and adhere to their wildest ideas.
My personal issue with ThemeForest is the same as all paywalls. I can’t get at and test first. Annoying. But again, if you think everyone on .org (plugins, not themes) tested with WP DEBUG, or that just by being on .org they’re inherently ‘better’ than ThemeForest, yeah. No. Not the case. Believe me. We have crap code on .org all over the place.