The Security of a Lifetime License

StudioPress ups and downs the value in their pro-plan, making me think about the hidden value of a lifetime license.

A few years ago, before I started working for DreamHost but after I decided I wanted to do WordPress all the time, I bought the StudioPress All Themes Package. For $500, it gave me lifetime access to all their themes, all their future themes, support, and more. So I tucked away all my ad and ebook income for a while and bought it the day before a 50% deal hit. Of course, right? Brian, being a wonderful guy, saw my amused tweet and credited me the difference.

Since then, I’ve pretty much been a nothing-but-StudioPress shop. Almost every site I run on WordPress is using StudioPress themes. I’ve gotten free upgrades for all their themes, free versions of the ‘pro’ themes (all the HTML5 friendly ones), and it’s very much been worth it to me.

But licensing is a strange subject. Chris Lema recommends charging annually (instead of monthly). And while I have a lifetime subscription, the unlimited free support will be leaving this world soon. From what I’ve heard, this only impacts support. To be honest, I’ve filed less than ten support tickets in five years. And it’s not because I’m savvy. There’s very little that I need help with to use Genesis themes. They have pretty darn good directions on how to reproduce their demo sites, they have code snippets, and they have a friendly self-help forum.

Basically, this code is tight. Right now I’m using the Generate Pro Theme on this site, but I also bought Utility Pro theme from Carrie Dils (worth it). The child themes rarely need updating, and all I ever have to worry about is the parent Genesis theme being updated, which is easy as pie. They have their own updater.

My friend Amanda Rush (also a StudioPress fan) wonders if this heralds the end of days of unlimited forever support and licenses. I suspect so. Will I be annoyed if I have to start paying for updates? Maybe, but mostly because I have a serious concern about security.

Let me paint a picture for you. I get a free parent theme or plugin, it could be Genesis (the StudioPress parent theme) or WooCommerce (a popular ecommerce plugin), and I purchase an ‘add on’ of a child theme or an extension plugin. I pay for a year, and I’m happy. The add-on does what I wanted, I get my updates, and everything’s cool. Then one day, 370 days later, there’s a major issue. A massive security hole and suddenly my site is vulnerable!

My license has run out.

Do I get the update or not?

Do I get notified of the update or not?

I’ve seen this play out over and over again with sites like CodeCanyon and ThemeForest. How do people who have purchased a product get alerted properly and given the ability to update? We’re spoiled because if Jetpack or WooCommerce itself has a critical hole, those plugins are free in the WordPress.org repository. And I know, from working on that team, that if there’s a big enough issue, then the free plugins get updated and the update is pushed out to everyone. It’s rare, but when it happens, it’s for the benefit of everyone involved.

The sad truth is most one-off shops can’t do that. WordPress.org can update all branches of your plugin. If you’re properly using versions for your plugins and themes, then you can release version 2.3.1 to fix a bug, but also fix that bug on 2.2.4 and 2.1.9 and so on. And yes, WordPress can push those branches (2.3 and 2.2 and 2.1) so even people on older versions can get fixed.

To the best of my knowledge, no one else does that yet.
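The branch-by-branch fix described above, sketched as an added example (not code from WordPress.org or any vendor): given the patched releases 2.3.1, 2.2.4 and 2.1.9 from the post, it picks the smallest update that closes the hole for each installed version. The function names and status strings are hypothetical.

```python
# Added illustration. Version numbers come from the post; names are hypothetical.

def parse(version):
    """'2.2.1' -> (2, 2, 1). Compared numerically, so 2.1.10 > 2.1.9."""
    parts = [int(p) for p in version.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def branch(version):
    """A branch is major.minor, e.g. (2, 2) for every 2.2.x release."""
    return parse(version)[:2]


def security_update_for(installed, patched_releases):
    """Return (status, target_version) for one installed copy.

    patched_releases lists the releases that carry the fix, one per
    maintained branch.
    """
    fixes = {branch(v): v for v in patched_releases}
    current = parse(installed)

    same_branch_fix = fixes.get(current[:2])
    if same_branch_fix is not None:
        if current >= parse(same_branch_fix):
            return ("patched", installed)
        # Stay on the same branch: security fix only, no feature jump.
        return ("update-in-branch", same_branch_fix)

    # No backport exists for this branch: the smallest jump that still
    # lands on a patched release is the next patched version above it.
    newer = [v for v in patched_releases if parse(v) > current]
    if newer:
        return ("upgrade-branch", min(newer, key=parse))

    # Installed copy is on a branch newer than anything listed as patched.
    return ("no-fix-listed", None)


if __name__ == "__main__":
    patched = ["2.3.1", "2.2.4", "2.1.9"]
    for site_version in ["2.3.0", "2.2.1", "2.1.10", "2.0.5", "2.4.0"]:
        print(site_version, security_update_for(site_version, patched))
```

The "upgrade-branch" and "no-fix-listed" results are the cases a site owner has to handle by hand, because no automatic same-branch fix is available for them.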

And, perhaps worse, some won’t even consider letting you have the security update because your license isn’t up to date.

All that said… Should you buy it, knowing you may not get support and updates forever? Yes. Right now, the StudioPress Pro Plus All-Theme Package is on sale. $262.46 for every theme plus third party themes. The sale goes on until the 16th, so grab it this weekend.

It’s an investment I’ve never regretted.

5 Comments

  1. Hi!
    Good post! It brings up a subject that I’m not infrequently up against.

    I have built lots of WordPress sites for my clients and sure I care about their websites, but I care about my clients as well!

    The work I do for my clients I do with the “…got run over by a truck” school of thought. If, for whatever reason, I am no longer in the picture to work on my clients’ sites, I’m concerned about how they’ll fare without me. Call me a softie! LOL

    I make a point of being sure they have all logins and passwords. I leave notes in the WordPress dashboard of customizations I’ve made that might not be immediately intuitive to someone working on the site other than me. (OK… that helps remind me of what the heck I’ve done as well… 😉

    Whenever I can I use items from the WordPress repository. They are free, vetted by the good WordPress folks and as updates become available they are indicated as such within the website. (There remains the problem of abandoned plugins and themes that at some point I hope WordPress addresses – [yes… I know… “There’s a plugin for that”] -But that’s a different topic)

    But… Sometimes it takes a premium theme or plugin to do what needs to be done or is just plain wanted by the client. The distant problem that is always in the back of my mind is “the long haul”. What position is my client in when no longer associated with me?

    While it’s not as “profitable” to me, when I use a “Premium” theme or plugin for a site, I ask my client to make the purchase (or they’ll have me do it for them with their information) so that they own the rights to said theme or plugin.

    Ethically, I have difficulty purchasing a Developer license for a plugin or theme and my client not owning the rights to something I’ve put on their site. If I disappear, my client should be the one getting notified by the Premium source. If I have been run over by a truck, I won’t be relaying that update information to my (former) client any time soon!

    As you alluded to in your post… It would be nice if the Premium theme and plugin people came up with a way to address the problem and allow a website owner AND their web developer to be co-recipients of updates and support? Or, if someone with a Developer license installs something on a website that the owner of that website gets some sort of transfer of rights.

    Third party rights is an elephant in the room that I wish the Premium would somehow address!

  2. Hey Mika.

    There’s a deep problem here. Me, you and other consumers of your blog are in a good position to understand it and come up with mitigating strategies. Great.

    Our clients?
    That’s a completely different story.

    By-and-large, SMBs simply aren’t realistic about the technicalities and costs of website software maintenance. So when their website software needs to be upgraded they often feel disappointed.

    If they are on a hosted platform, there is no such problem. But if they’ve been sold on self-hosted WordPress or any other CMS… then there will be downstream issues related to the client’s expectations.

    Vendors of themes and plugins in the WordPress ecosystem generally don’t care about this problem. Which is fair enough, because they are selling to developers. Not the end-clients of developers.

    Some plugin and theme shops are starting to deal with this issue:
    I understand that Formidable Pro are working on a system that will allow devs to buy a license for the product, and then hand over responsibility for billing to the client.
    Formidable Pro also offers ongoing updates for free after a license expires. The customer will only have to re-purchase a license if they need support.

    At least one theme shop I know of sells a yearly license for access to all of their themes. After the year you can still access updates and new themes. Again, you only re-purchase a license if you need support.

    I naturally gravitate to these services because the pricing model is a bargain. But a major motivation is that this eases licensing headaches for small businesses.

    I guess a major issue for the plugin vendors is if they want to deal with the third party problem then they have to do more work, while still working in competition with vendors who aren’t putting in that work.

    I’d like to hear from commercial WordPress software providers on this issue.

  3. When Gravity Forms found a vulnerability in their code base, they did in fact update all the various branches of their versioned releases. So they’re a company that has done the thing you’re mentioning above.

    Here’s a crazy data point just for giggles. What they found that surprised them, when they were upgrading deployed code, was in the comparison of out-of-date versions between people whose support accounts had expired vs people who had active accounts.

    More people with active accounts had older (and out of date) code deployed than those who had inactive accounts.

    It suggests several things worth thinking about when it comes to security. But that’s for another post at another time. I just found it very interesting.

    All that said, thanks for a great article (as usual). And I agree that the StudioPress deal is a good one!

    • @Chris Lema: Note that Gravity Forms’ database of who has what version of what add-on on what site is pretty spotty though. Every time I’ve submitted a support ticket, that form shows me the installed add-ons with their versions as they know it, and I don’t think it’s been right yet.

      Maybe that’s because I largely report problems found integration testing against new versions in test environments, but I’m sure I’ve picked live sites too when reporting bugs, and still get that. It could be due to updating sites from version control (git / svn), or it could just be that their version intelligence gathering is broken.

    • @Chris Lema: That’s pretty cool, though as Ross notes, it’s spotty. Still, spotty is better than naught…y?

      “More people with active accounts had older (and out of date) code deployed than those who had inactive accounts.”

      To be honest, that doesn’t surprise me. People who are capable and savvy, i.e. the people we don’t need to worry about because they know about how serious plugin updates are, are the ones who are going to actually take care of things.

      Maybe a different way to look at it would be this. I flip and flop about paying for my support licenses every year. When they’re about to expire, I think that I’ve not talked to their support in 12 months. And if I don’t need to pay to get upgrades, I’m not gonna. I’m going to keep updating and not worry. Save money by being smart. But if I don’t know how to debug code, I doubt I would stop paying. It’s a failsafe I need. It lowers my risk.

      And the irony that those people lower their risk by keeping support and raise it by not upgrading because they don’t want to break anything…

      Not lost 🙂 But it totally makes sense to me. It’s safer and easier to pay for support than it is to risk the upgrade, since I doubt Gravity Forms would fix j-random plugin on my site that breaks when I upgrade. Totally understandable.
