Automatic Updates For Private And Commercial Plugins

Last updated on June 26, 2015.

Since time immemorial, only plugins hosted in the official WordPress.org plugin directory have supported automatic updates. Now, I’ve written a PHP library that you can use to add automatic update capabilities to any plugin. Public, private and commercial plugins alike – all can now enjoy the benefits of automatic update notifications and one-click upgrades.

The custom update checker integrates closely with the upgrade system already built into WordPress, producing a seamless user experience. Observe :

An upgrade notice for a privately hosted plugin.

An upgrade notice for a privately hosted plugin.

The version information window with placeholder data

The version information window with placeholder data

Download

License

This library is released under the MIT License and is distributed free of charge. If you find it useful, consider making a donation.

Quick-start Guide

This section describes the quickest way to get automatic updates working for your plugin. Here’s what you’ll need to do: create a metadata file for your plugin, host it somewhere publicly accessible, and tell the update checker where to find it.

Lets start with the metadata. Copy the JSON code below into a new file and replace the placeholder values with your plugin’s info.

{
    "name" : "My Cool Plugin",
    "slug" : "my-cool-plugin",
    "download_url" : "https://example.com/plugins/my-cool-plugin.zip",
    "version" : "2.0",
    "author" : "John Smith",
    "sections" : {
        "description" : "Plugin description here. Basic HTML allowed."
    }
}

(This is the minimum amount of data required to make automatic updates work. In most cases, you will probably want to add a couple more fields. See the metadata docs for a full list.)

Most of the fields should be pretty self-explanatory, with one possible exception – the “slug”. WordPress expects all plugins that support automatic updates to have a unique textual identifier called the “slug”. Normally, slugs are assigned by the official plugin directory. For a private/commercial plugin that’s hosted elsewhere you’ll have to make something up. If unsure, just use the plugin’s file name without the “.php” extension (my-cool-plugin/my-cool-plugin.php becomes my-cool-plugin).

Upload the metadata file you just created to your web server. It doesn’t matter where exactly you put the file or how you name it. The important thing is for its URL to be accessible from wherever someone might install your plugin.

Next, copy the “plugin-update-checker” directory from the client library archive to your plugin’s directory. Then fire up your favourite code editor and add the following lines to the top of your plugin file:

require 'plugin-update-checker/plugin-update-checker.php';
$MyUpdateChecker = PucFactory::buildUpdateChecker(
    'https://example.com/path/to/metadata.json',
    __FILE__,
    'your-chosen-slug'
);

If you followed my advice and used the plugin’s file name as the slug, you can omit the third parameter of the PucFactory::buildUpdateChecker() call.

Tip: Sometimes you’ll run into a situation where another active plugin is also using this update checker. As a result, there could be several different versions of the library loaded at the same time. The above code snippet will always give you the latest available version. This can be a problem if your plugin expects an older version and is not API-compatible with the latest version.

To use a specific version of the update checker (e.g. the one included with your plugin), instantiate the PluginUpdateChecker_x_y class directly. Replace x and y with the major and minor version numbers:

//Use version 2.0 of the update checker.
require 'plugin-update-checker/plugin-update-checker.php';
$MyUpdateChecker = new PluginUpdateChecker_2_0 (
    'https://example.com/path/to/metadata.json',
    __FILE__,
    'your-chosen-slug'
);

And that, believe it or not, is it.

The PluginUpdateChecker class will handle the rest. It’ll check the metadata file every 12 hours and, if it discovers that a new version has been released, twiddle the right bits in the undocumented WP API to make it show up as a standard upgrade notification in the “Plugins” tab. Assuming you’ve provided a valid download_url, users will be able to install the update with a single click.

Tip: When creating the ZIP file for an update, put all plugin files inside a directory. The directory name should match the plugin slug. Do not put the files at the root of the ZIP archive – it can cause subtle bugs and errors when someone ties to install the update.

The rest of this post will be devoted to a more in-depth discussion of the update checker class and the metadata format.

The PluginUpdateChecker class

This class is the core of the update checker. It’s also the only part of the updater that you should need to deal with unless you decide to  extend the library yourself.

Class constructor

All configuration settings should be specified by passing them to the PucFactory::buildUpdateChecker() factory method, or directly to the PluginUpdateChecker constructor. Both takes the following parameters:

  • $metadataUrl – The full URL of the plugin’s metadata file.
  • $pluginFile – The path to the plugin’s file. In most cases you can simply use the __FILE__ constant here.
  • $slug – The plugin’s ‘slug’. If not specified, the filename part of $pluginFile (sans “.php”) will be used as the slug.
  • $checkPeriod – How often to check for updates (in hours). Defaults to checking every 12 hours. Set to zero to disable automatic update checks.
  • $optionName – Where to store book-keeping info about updates. Defaults to “external_updates-$slug”.

checkForUpdates()

Manually trigger an update check. This is especially useful when you’ve disabled automatic checks by setting $checkPeriod (above) to zero. This method takes no parameters and returns nothing.

addQueryArgFilter($callback)

Register a callback for filtering query arguments. Whenever the update checker needs to retrieve the metadata file, it will first run each filter callback and attach the query arguments that they return to the metadata URL. This lets you pass arbitrary data to the server hosting the metadata. For example, commercial plugins could use it to implement some kind of authorization scheme where only users that have the right “key” get automatic updates.

The callback function will be passed an associative array of query arguments and should return a modified array. By default, the update checker will add these arguments to the metadata URL:

  • installed_version – set to the currently installed version of the plugin.
  • checking_for_updates – set to 1 if checking for updates, absent otherwise (i.e. when loading data for the “Plugin Information” box).

This method takes one parameter – the callback function.

addHttpRequestArgFilter($callback)

Register a callback for filtering the various options passed to the built-in helper function wp_remote_get that the update checker uses to periodically download plugin metadata. The callback function should take one argument – an associative array of arguments – and return a modified array or arguments. See the WP documentation on wp_remote_get for details about what arguments are available and how they work.

This method takes one parameter – the callback function.

addResultFilter($callback)

Register a callback for filtering plugin info retrieved from the metadata URL.

The callback function should take two arguments. If the metadata was retrieved successfully, the first argument passed will be an instance of PluginInfo (see the source for a description of this class). Otherwise, it will be NULL. The second argument will be the corresponding return value of wp_remote_get (see WP docs for details). The callback function should return a new or modified instance of PluginInfo or NULL.

This method takes one parameter – the callback function.

Metadata format

The automatic update system uses a JSON-based file format to describe plugins.  Essentially, the entire file is one big JSON-encoded object (AKA hash-table or associative array). Each field – or array key – represents a piece of information about the latest version of the plugin. The full description of all available fields is here.

For the sake of simplicity, both general metadata and update-related information are stored in the same file. If this is undesirable, you can replace the plain JSON file with a script that checks for the presence of the the “checking_for_updates” query parameter and emits just the update-related fields if its set to “1”.

Notes

Your plugin must be active for updates to work. The update checker is just another piece of PHP code loaded and run by your plugin, and it won’t be run if the plugin is inactive.

One consequence of this that may not be immediately obvious is that on a multisite installation updates will only show up if the plugin is active on the main site. This is because update notifications usually appear in the network admin, and only plugins active on the main site are loaded in that case. The main site of a WordPress network is the one that was created first and has the path “/” in the Sites -> All Sites list.

Related posts :

496 Responses to “Automatic Updates For Private And Commercial Plugins”

  1. Jānis Elsts says:

    @Ghost1227:
    Is your metadata file still valid JSON? You can check it using http://jsonlint.com/

    Other than that, I can’t think of anything at the moment.

  2. Ghost1227 says:

    That’s it! Had an extra comma. Thanks!

  3. Ghost1227 says:

    One more question… if you have multiple plugins, does it just use standard json formatting? ie;

    [{plugin 1 stuff},{plugin 2 stuff}]

    I’m trying to set it up this way, and it doesn’t seem to like it…

  4. Jānis Elsts says:

    No, right now each instance of the update only works with one plugin. If you have multiple plugins, you’ll need to create separate instance of PluginUpdateChecker for each plugin, and point each of them to different JSON file.

  5. Ghost1227 says:

    Ah, that explains it.

  6. Tammy Hart says:

    This seems like what I’m looking for, but I am concerned about a suer being able to look at the plugin, visit the json file themselves, and then guessing the download url’s for other plugins they haven’t purchased. Is there a way to avoid that problem?

  7. Jānis Elsts says:

    What I would do is this:

    1. When someone purchases a plugin, give them one or more randomly generated registration keys (either one per customer, or one per site).
    2. Modify the plugin to append the registration key to the download URL.
    3. Instead of a static .json file, write a small script that checks the key and only lets people with valid keys download the plugin.

    I hope that helps.

  8. Tammy Hart says:

    that makes sense, but it’s over my head. :S Thanks.

  9. Tammy Hart says:

    Jānis, Is this something you’d be interested in building for me (for pay, of course). If so, please get in touch with me, same email I use to comment. Thanks.

  10. Jānis Elsts says:

    Sure. Sent you an email.

  11. Dalton says:

    Hi Janis,
    I’m wondering if anyone has experienced any compatibility issues with this class and WP 3.4.1? We just just noticed that some people’s plugin updates aren’t working correctly (the file gets unzipped with a .tmp extension in the plugins directory and doesn’t re-activate properly) and can’t think of what else might have caused it. Just checking!

    Thanks,
    Dalton

  12. Jānis Elsts says:

    No, I haven’t heard of any such issues.

    It also seems unlikely that the class could cause updates to fail in that particular manner. The update checker only handles the update-checking part, not the installation. If an update is available, it hands the version info and download URL to WP core and lets it do the rest. It doesn’t participate in the actual update download & installation process, so it should (in theory) cause any problems there.

  13. Dalton says:

    Thanks for getting back to me. I thought that was the case, but I figured it couldn’t hurt to ask in case anyone else had a similar problem. It’s unclear why WP isn’t unzipping our updates correctly any more, but I’ll keep investigating.

    Thanks again for the excellent code.

  14. Kirstin says:

    Hi Janis,

    I too am interested in the same code as Tammy except for commercial themes. Could you email me a bid on what you would charge to build the code, etc. for security keys built into the themes so that when they go to update, they will only be able to update from a validly purchased theme?

    Thanks,
    Kirstin

  15. Matt says:

    This is pretty awesome! I used it on a recent plugin and it worked perfectly. However every plugin I’ve tried it on since, it didn’t work. I observed some strange behaviour and was hoping you could help figure it out:
    1) If I change the ‘slug’ in the method call in plugin B to the slug I used in plugin A (the one that worked), even with a different update JSON file, it worked.
    2) However, the “newest version” number for plugin A was 1.2 and for plugin B was 1.8, and the same-slug working version on plugin B shows the “latest version” to be 1.2

    This is very odd and I am scratching my head… However not a single other method I have tried even worked the first time, so I’m hoping you can advise me and I can use your class on all projects.

    THANKS!

  16. Jānis Elsts says:

    A couple of basic things to check:

    – Is the JSON file valid? Run it through http://jsonlint.com/
    – Is the slug in the JSON file equal to the one you used in the plugin? (It should be).
    – Is the path to the main plugin file correct?
    – Did you remember to use a unique variable name for your plugin checker instance?

    Also, you should definitely use a different slug for each plugin.

  17. Byron says:

    I’m running WP 3.3.1 and seeing something similar to Dalton. I wrote my own plugin and when updating the file gets unzipped with a .tmp extension in the plugins directory. However in my case it does re-activate properly and continues to work. If I rename the directory by removing the .tmp directory I get this error “The plugin plugin-name.tmp/plugin-name.php has been deactivated due to an error: Plugin file does not exist.”

    If I change the version number and do a second update it reactivates OK and stays in the same directory with the .tmp extension so it would seem that the plugin is happy to stay in the .tmp directory.

    I’ve tried deleting the plugin and re-uploading but when I do the update exactly the same thing happens so it would seem that there is a problem with later versions of WP.

  18. Byron says:

    OK my mistake, I had the zip file named correctly but I did not have a folder inside the zip file with the same name to contain all the folders and files for the plugin.

  19. jazer says:

    Hi Janis,

    How far back is this compatible?
    The script works great on my plugin. But I’m a bit concern with its backward compatibility with other wordpress installation.

  20. Jānis Elsts says:

    In theory, it should work with anything from WP 2.8 to WP 3.4.x. However, I have not actually tested it with anything older than 3.0+.

Leave a Reply