GPL, Licensing, Plugins
comments 7

Readers ask: About reselling commercial plugins (updated)

The questions

Following the posts on WordPress themes, the GPL and the conundrum of derivative works and A reader asks: Selling ThemeForest themes outside of ThemeForest, two people from countries far apart have asked me similar questions (albeit possibly from opposite perspectives) regarding the reselling of GPL’d plugins.

The first person asked this (I’m paraphrasing):

‘If someone purchases a plugin (or theme) from a commercial plugin (or theme) provider, and then translates it, changes the code and puts it in a marketplace to sell, would that be permissible under the GPL? I’ve seen outfits doing this and I’m not sure how they can do it.’

The second person asked this:

‘As a plugin developer, how can I protect my plugins to prevent people from reselling them, bearing in mind that many plugins are largely PHP/HTML/javascript code with minimal CSS and graphical elements or, in any event, with CSS and graphical elements that might easily be replaced. In these circumstances, a ThemeForest-style split licence might not have much effect. In these circumstances, how can a plugin developer protect its position?’

Reselling commercial plugins

In substance, I’ve already given my thoughts on the first question in previous posts. The short version is this: if the plugin in question is 100% GPL-licensed then, yes, that would be permissible under the GPL. This is one of the freedoms that the GPL confers on recipients of GPL’d software. However, the person who translates it, changes the code and sells it, would need to be careful:

  • to comply with the GPL’s notice and other requirements;
  • not infringe any trademark (if one exists) or other branding rights;
  • not pass off any relationship with the original plugin developer or its business that doesn’t exist;
  • not breach any fair trading laws that might apply in the person’s country; and
  • not infringe any copyright in non-code files that accompany the plugin that are not under the GPL (e.g., help files), if that is in fact the case.

As I’ve said in a previous post, though, I’m not sure how good a business model this would be, given:

  • the likely absence of support, product activation keys and updates; and
  • my view (which may not be shared by everyone) that many if not most people prefer to buy themes and plugins from those they trust and from whom they receive great service, which will usually be the original developers.

What do some of the plugin shops think about this?

When writing this post, it occurred to me that it’d be great to get the views of some of the better known plugin shops (or, in some cases, theme and plugin shops). With that in mind, I approached five of them. So far I’ve received substantive responses from three of them.

Elegant Themes


A helpful representative of Elegant Themes said this:

“All of our products are 100% GPL. We attribute much of our success to our yearly subscription model and our amazing support. We also require a current subscription to use our Updater plugin for themes and plugins.”

In response to a follow-up question as to whether the business had ever encountered people reselling its themes or plugins and, if so, whether that was a significant problem for the business, he said this:

“Yes, people reselling happens frequently. It is just not worth it for us to deal with. Our customers stick with us for our good service.”



Timothy Bowers, of WPMU DEV, said this (this is his personal opinion and I’ve shortened it in minor respects):

“Hey Richard,

Thanks for getting in touch.

Being GPL and being a business that needs to make profit can be tough for some to handle.

For years we didn’t really pursue people distributing our stuff, but then we had some issues, we found some copies being distributed were injected with malicious code, some more serious than others. One example that always comes to mind first was a copy of our PopUp Pro plugin, someone uploaded a free copy to It had code that would send registered members account details from a WordPress site to a remote email address, luckily the guys and gals at are pretty good about simply ripping something off, and serious about security, they removed that pretty quickly. Another instance I’ve seen was when activated it would elevate accounts to an admin or super admin status (Multisite), then send home the address of the site so that they could then log in and do whatever they want on your site.

Distributing our stuff didn’t and still doesn’t damage our business, in fact it often brings new people to us that have found us by pirated copies that broke their site due to either having malicious code or simply being outdated. Many, many thousands of people sign up to us to ensure they have the latest, most secure version, and more importantly for the majority, our support. What was potentially damaging was people distributing our stuff with malicious code included, especially if they use that code on their clients websites and then later the client hired someone new that would claim our code has security issues when in fact it was due to a malicious redistributor. Without trying to label, it often seems to be prolific in the lower budget markets where people hire someone for a few hundred dollars to build a site that an experienced developer would charge triple or more for. I guess you get what you pay for sometimes.

We now actively pursue sites doing this, we do that on grounds of trademark/brand infringements … .

Whilst being GPL in code, our service is not. We encourage people to use our software to build their sites, to build their clients sites, and make great stuff with it. We don’t however encourage lazy people to simply resell our stuff because they can’t be bothered to do any real work, or get a real job.

… It’s paramount we protect our users from dodgy downloads that could compromise their site, and most importantly the data of their customers. If they continued to try, we’d submit documents to their card issuer or Paypal to prevent them using our service, this could negatively affect their accounts with those third parties if they persisted.

One thing the consumer also needs to recognise is how sustainable they want their business or personal site to be. By not supporting the real developers, the real companies, and going to the lazy crew (those just reselling without doing any real work) they run the risk of creating a future environment that is unsustainable for business. This [is] especially true for the smaller development companies selling a plugin/theme or two. If those developers and companies can’t turn a profit to pay wages and live life, they will stop creating the very products others rely upon. If that hurts too many companies, and WordPress starts hemorrhaging great creative people, it creates a worrying future for our platform.”



Magnus Jepson, co-founder of WooThemes, said this:

“We have noticed more and more websites reselling our WooCommerce extensions in the last couple of years.

Both WooCommerce and WooThemes are registered trademarks, allowing us to protect our brand. Reselling GPL software may be within the rights of the GPL, but using our registered trademarks in doing so is not allowed. It seems this fact is being ignored by all re-sellers who think they are running a legal business.

Reselling unmodified GPL software for profit is not only hurting our revenue, but also our brand perception. It causes confusion amongst our customers, and we have several support tickets with customers asking for help with plugins they bought from other websites.

This leaves us with a confused customer, when we have to inform them that they didn’t buy this from us, and therefore can’t get automatic updates and support.”

Magnus followed up his first message with positive comments about the GPL:

“I forgot to mention the positive sides of us adopting GPL 🙂

Adopting the GPL has been an overall positive experience for WooThemes, allowing us to receive contributions from developers around the world, and building our product into more of a community project, along the same lines as WordPress.”

Thanks to Elegant Themes, WPMU DEV and WooThemes for taking the time to respond to my questions.

Protecting a plugin developer’s commercial position

Turning to the second person’s question, there are a number of things one can say.

Split licence insufficient?

First of all, the view that a split licence wouldn’t provide sufficient protection is interesting. I imagine that might depend on the nature and complexity of the plugin but it’s interesting nevertheless. It would be useful to hear the views of other plugin developers on this point.

It’s also interesting because, from what I’ve seen so far, outfits that are buying plugins then selling them at steep discounts are only taking and selling fully-GPL’d plugins. I’m not aware of them doing the same with split-licensed plugins. That said, I’ve not taken a deep look into the range of sites doing this. Perhaps they are doing this or perhaps there just aren’t that many split-licensed plugins out there.

Proprietary licence?

If a split licence wouldn’t provide enough protection and if the lack of access keys for updates, support etc wouldn’t suffice (perhaps because some users wouldn’t care), a plugin developer might wish to explore the feasibility of taking the position that its plugin is not a derivative work of WordPress (or any other GPL’d code) and, on that basis, to apply a more restrictive / proprietary licence to the plugin. One can’t say in the abstract whether this position would be legally defensible for a given plugin as so much would depend on the context and the plugin’s content. For this reason, one can’t say in the abstract whether the plugin developer would need to apply the GPL to at least certain portions of the plugin. As many readers will know, just as with themes, this issue is hotly debated in the WordPress community. See, for example, the last few paragraphs of this post and the Enrique piece to which it links (which is about plugins, not themes).

Damned if you do and damned if you don’t?

The challenge a plugin developer in this situation faces, I think, is that if s/he takes the non-GPL/proprietary path, s/he risks being criticised by those who think the GPL applies to the plugin or at least portions of it or, a separate point, that this approach violates WordPress community norms (which is not a legal point at all). That, in turn, might affect the developer’s sales (I don’t know whether it would, but it might). It is also possible that WordPress core contributors could take legal action against the plugin developer for GPL violation. I think that’s fairly if not highly unlikely though because it would be costly, the legal outcome would be uncertain (and thus such an action could backfire) and legal proceedings could generate unhelpful rifts in the WordPress community at a time when WordPress competitors appear to be demanding a bit of respect.

At the same time, not taking this path and applying the GPL 100% would expose the plugin developer to potential resale by people trying to make a quick buck. If the resellers are not doing anything along the lines listed in my comments on the first question (which might be a big “if”), there may be little the developer could do about it. Such are the freedoms of the GPL. And I haven’t even got into the legal and logistical challenges that may exist where the reseller lives in some far flung country.

What I’m about to say will be controversial, I’m sure, but one option might be to apply a split licence to the plugin (following the distinction drawn in the Software Freedom Law Center’s opinion on WordPress themes and the GPL) and ensure it contains a good number of non-GPL’d components (assuming this is possible), to the extent that this can be done without doing anything that people might consider to be a breach of the GPL. This still runs the risk of violating what some if not many consider to be a WordPress community norm but, at that point, we’re into the realm of opinion and normative behaviour, not law.

Note also that the proprietary side of a split licence could be drafted to be fairly liberal or permissive but to prevent the kind of reselling we’re currently talking about. It wouldn’t have to be as restrictive as the ThemeForest split licence.

At the end of the day, this is really a judgement call for the plugin developer (taking legal advice from a lawyer within his or her jurisdiction where required and bearing in mind GPL requirements if and when they apply).

I’m not advocating any particular approach here. I may have my own preference as a plugin purchaser but that’s not relevant to this post.


Sometimes legal rights or commercial positions are better enforced or protected by highlighting certain behaviours publicly than by taking someone to court. You need to be careful to use the right language and not to say anything that is defamatory of your target and, I suggest, you also need to respect the freedoms of the GPL, but, in appropriate cases, it can be effective, not to mention a hell of a lot cheaper.

Take, for example, a reseller who is injecting malicious code, pages of backlinks or something similar into a plugin it is reselling. In that kind of scenario, public condemnation may be quite appropriate, so as to protect users, the plugin’s brand and the developer’s commercial position.

GPL freedoms versus API or activation key restrictions

A potentially important point to note is the distinction between GPL freedoms and contractual restrictions a developer can legitimately impose on the use of activation or API keys that provide access to automatic updates and support. These keys don’t prevent people from using distributed GPL’d code in accordance with the freedoms conferred by the GPL. Rather, as noted, they provide access to the likes of updates and support. This approach is not contrary to the GPL.

Many well-known plugin developers expressly prohibit a user from sharing his or her activation or API key. I mention this because, if a reseller were sharing an activation or API key when not permitted to do so, the developer would be able to pursue the reseller for breach of contract.

For example, the Gravity Forms Terms and Conditions say this:

“… You may not share or resell access to your support license key.”


“Support is offered via a support license key. Purchasing a support license key gives you access to our support forums and documentation. Purchasing a developer support license gives you access to our Priority Support Ticket system.

License holders cannot distribute, freely giveaway, or resell their license key. The license key is only transferable by contacting us and requesting an official transfer of the license to a new owner. …

Only the license holder is permitted to request support or access support resources.

License holders are not permitted to re-post support forum content or documentation on any external websites, social media outlets, etc. Posting screen captures of this content is also prohibited. Violation will be grounds for immediate termination of the support license and all access to support content and product updates will be discontinued.”

Similarly, the WPMU DEV Terms of Service say this:

“Some of our services such as Anti-Splog, WP Smush Pro, Integrated Video Tutorials and Auto-upgrades require the use of an assigned API key. You may only use your API key on sites that belong to you or those of your clients. You must maintain an active subscription with WPMU DEV to make use of API services. API based services may only be accessed by our plugins designed for that purpose. You may not resell, share, or publish your API key. Violation of any of these terms will result in the immediate termination of API access and/or your WPMU DEV membership. We also reserve the right to suspend API access to users that use an unusual amount of API requests or resources that we feel may impact the services to other members.”

I suggest it may be commercially important for commercial plugin developers that issue activation or API keys in connection with their plugins to include such provisions in their terms of use so as to prohibit – legitimately – behaviours that threaten their legitimate commercial interests.

Note that some resellers appear to be wary of these terms and take care not to breach them by not sharing their activation or API keys. Instead, they seem to maintain their own memberships or subscriptions with the plugin developers and then make the updates that they receive available to their customers.


One final point to note is that I have seen some theme and plugin shops being (in my view) deliberately vague or silent about what licence applies to their themes or plugins. They don’t say the theme or plugin is GPL licensed but they don’t say it’s not, they don’t specify any alternative licence either and they sometimes use ambiguous language as to what people are paying for. This could make it legally challenging for certain resellers to take the themes/plugins and resell them. Personally I think this is poor practice but it seems pretty clear, in my view, that some businesses are doing this strategically in an attempt to protect their commercial position. (To be clear, I’m not referring to any of the plugin or theme shops I approached when writing this post. I have certain smaller operators in mind.)

That’s it for this post. It’d be great to hear what other people (particularly developers) think about this subject. All the best.

(Featured image: Blan-k /


Leave a Reply

Your email address will not be published. Required fields are marked *