Changelog

Welcome to the changelog section of Freemius. Here you'll find our weekly technical update notes. You can subscribe to all posts via Newsletter or follow us on Twitter to stay updated.

New security system to prevent card testing attacks

Over the past few weeks, we’ve gradually been rolling out a new system to identify and block card testing attempts. We already had a system like this in place, but after a few recent attacks, we recognized it needed a complete overhaul to work more intelligently.

Our CTO, Dror Yaakov, has been leading the development of this system. To test its effectiveness, we ran it in “observation” mode over the past few weeks. After gathering enough data and proving its effectiveness, we’re finally letting it out at full capacity. Our hope is that it will better serve our partners to detect attacks and prevent financial losses.

From under the hood

While developing this system, we combined our collective years of experience to come up with the best possible strategies. We learned many things in the process.

Redundancy is good

An attacker is usually smart enough to rotate a large set of emails and IP addresses, among other things. Tracking just one or a few of these parameters is usually not enough. We’ve found that the more redundant the system, the better it is at detecting attacks that rotate them.

reCAPTCHA can be bypassed

While Google reCAPTCHA is no doubt an excellent tool to prevent automated submissions, we’ve found it can be bypassed, although this doesn’t come easy or cheap. Relying on reCAPTCHA alone as the ultimate security measure is almost never enough. It’s better to have a two-factor authentication system where real human intervention is always required.

Traffic monitoring works best when everything else fails

A very sophisticated attack can fool even a very strong system. In such cases, having another redundant system to monitor traffic and spikes helps a lot with identifying such attacks.
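
The following is an added example, not Freemius's own code, of the two ideas above: decline counters kept redundantly across several parameters, plus a traffic-wide decline-ratio monitor, run in observation mode over constructed attempts. The deviceId signal, the window and the thresholds are assumptions.

```javascript
// Added illustration, not Freemius's implementation.
// Signal names, window size and thresholds are assumptions.
const WINDOW_MS = 10 * 60 * 1000; // sliding window for all counters
const PER_KEY_LIMIT = 3;          // prior declines tolerated per signal value
const SPIKE_MIN = 8;              // minimum attempts before judging the ratio
const SPIKE_RATIO = 0.7;          // share of declines that counts as a spike

function createDetector(signals) {
  const declines = new Map(); // "signal:value" -> decline timestamps
  let traffic = [];           // every attempt in the window: { ts, declined }

  // Observation mode: label the attempt, then record its processor outcome.
  return function observe(a) {
    const fresh = (ts) => a.ts - ts <= WINDOW_MS;
    const reasons = [];
    for (const s of signals) {
      const key = `${s}:${a[s]}`;
      const hits = (declines.get(key) || []).filter(fresh);
      if (hits.length >= PER_KEY_LIMIT) reasons.push(`velocity:${s}`);
      if (a.declined) hits.push(a.ts);
      declines.set(key, hits);
    }
    traffic = traffic.filter((t) => fresh(t.ts));
    const declined = traffic.filter((t) => t.declined).length;
    if (traffic.length >= SPIKE_MIN && declined / traffic.length >= SPIKE_RATIO) {
      reasons.push("traffic-spike");
    }
    traffic.push({ ts: a.ts, declined: a.declined });
    return { flagged: reasons.length > 0, reasons };
  };
}

// Constructed sample: 10 declined attempts, one every 20 s, each with a new
// email and IP. When shareDevice is true they all reuse one device id.
function sampleAttempts(shareDevice) {
  return Array.from({ length: 10 }, (_, i) => ({
    ts: i * 20000,
    email: `user${i}@example.test`,
    ip: `198.51.100.${i + 1}`,
    deviceId: shareDevice ? "dev-A" : `dev-${i}`,
    declined: true,
  }));
}

// Replays the sample through a detector that tracks the given signals.
function run(signals, shareDevice) {
  const observe = createDetector(signals);
  return sampleAttempts(shareDevice).map((a) => observe(a));
}
```

On the constructed data, tracking only email and ip yields a first flag from the traffic monitor at the ninth attempt, while adding deviceId flags the fourth.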


The above are only a few of the strategies our new system implements. We hope it gives your users a better checkout experience. If you face any issues, please don’t hesitate to contact us at [email protected].

Freemius Checkout now supports localization

We’re super stoked to announce the immediate availability of localization in the Freemius Checkout App.

Localization or Translation in the Freemius Checkout App

Besides English, the Freemius Checkout App can now be used in any supported localization. Our system is capable of handling any language, even selecting the exact locale of a language (for example, French spoken in Spain vs French spoken in Mexico).

Since this is a brand-new feature, the language selector UI is opt-in only for now. Please read on to find out more.

Loading the Freemius Checkout in your language

You can now pass a special URL Query Parameter locale to instruct the app to display a specific language when loading or linking the Freemius Checkout. For example, if the URL of the checkout is something like this:

https://checkout.freemius.com/mode/dialog/plugin/:plugin_id/plan/:plan_id/

You can now add the query parameter, which would result in this:

https://checkout.freemius.com/mode/dialog/plugin/:plugin_id/plan/:plan_id/?locale=es_ES

For the Freemius JavaScript SDK, you can simply pass a new parameter, either when configuring the handler or when opening the pop-up:

<script>
    // Configure the checkout handler once, with a default locale.
    var handler = FS.Checkout.configure({
        plugin_id:  "xxxx",
        plan_id:    "yyyy",
        public_key: "pk_xxxxxxxx",
        image:      "https://your-plugin-site.com/logo-100x100.png",
        // Set the locale of the checkout pop-up
        locale:     "es_ES"
    });

    // Open the checkout pop-up when the purchase button is clicked.
    $("#purchase").on("click", function (e) {
        handler.open({
            name     : "My Awesome Plugin",
            licenses : $("#licenses").val(),
            // You can also override it here.
            locale   : "es_ES"
        });
        e.preventDefault();
    });
</script>

Supported Values of the locale

For the time being, the locale supports the fully formatted language and country code. For example:

  • es_ES – Spanish / Spain.
  • en_US – English / US.

We have the following locales available for the time being.

  • English – US (en_US)
  • German – DE (de_DE)
  • French – FR (fr_FR)
  • Spanish – ES (es_ES)
  • Italian – IT (it_IT)
  • Dutch – NL (nl_NL)
  • Bengali – IN (bn_IN)

All of the translations are AI-generated and are currently marked as beta (more on this later). If you wish to improve it or add more languages, please send us an email at [email protected] and we can provide you with the source POT and PO files. Depending on requests, we might add more languages/locales in the future.

Auto-selecting language for your users

We also support a feature to automatically select the best language for your user, based on browser information and geolocation. To start using this feature, you can enter one of the following values in the new locale URL parameter.

  • auto: Will automatically select the best available language for the user. However, this won’t select languages that are marked as AI-translated or beta for the time being. If we identify a locale that we don’t support right now, we’ll keep showing the English language.
  • auto-beta: Same as above, but will also select a language marked as beta. When a language marked as beta is selected, the UI will also show it (as in the screenshot above).

Example:

https://checkout.freemius.com/mode/dialog/plugin/:plugin_id/plan/:plan_id/?locale=auto-beta

FAQs

I don’t see the language selector UI as shown in the image

Since this is a new feature, it is currently opt-in only. You have to specifically pass the locale parameter either in the URL or through the JS API.

I chose auto, yet the language (XX) is not visible in the Checkout App

It’s possible that we haven’t translated the language applicable to the geolocation. If a user requires a different language, we’ll revert to English and still show the language selector UI. Please check the list above to see what languages are available.

Deployment summary: 30 April, 2023

Backend Changes

  • Following a suggestion from a partner, we’re now logging a new event called user.billing.tax_id.updated. This event is logged when either the developer or the user changes the tax ID associated with the user’s billing. If you need to sync your own system with the changes in the tax ID of a user, you can hook into this event from the Developer Dashboard.
  • We fixed some SEO-related issues in our blog.

User Dashboard Changes

Following user complaints, we’ve added a password visibility button in the User Dashboard’s ‘login’ form and the ‘change password’ form.

This helps our users determine if the password is correct when trying to log in.

Developer Dashboard: Upgraded dependencies, improved file uploads, and more

As part of our internal housekeeping effort to pay the tech debt we accumulated over the years, we’ve been hard at work to upgrade all dependencies in the Developer Dashboard app. We’re glad to announce it’s been accomplished. The app is now a little faster and contains less JavaScript (talk about dropping support of IE 8 from old dependencies 😅).

During the process, we also realized we weren’t properly utilizing the file upload mechanism in various places. We made significant improvements in that area too.

Adding filters and supporting drag and drop to file uploads

…from places where you can upload image files, for example:

  • Creating a new product
  • Updating a product or store’s icon
  • Updating your profile picture
  • Uploading banner images and screenshots for add-ons

They now support drag-and-drop for better UX. Also, when selecting a file from the Upload button, it will filter out unsupported files.


Improved UI for add-ons, banner images, and screenshots

If you go to Settings on add-on pages, you’ll see we’ve improved the UI for uploading:

  • Banner images
  • Card banner images
  • Screenshots

They still support drag-and-drop and feature a nifty file selector.

Fixed permission issues that arose when developers or support staff were logging in

The new Multi-store Dashboard would sometimes give prompts related to permissions when developers or support staff were logging in.

We’ve fixed this regression, improved which pages are rendered for team members, and enhanced navigation to relevant pages when switching between products.

Fixing MailChimp integration issue

Our MailChimp integration was not working properly for the Multi-store Developer Dashboard. If your MailChimp list had groups, they weren’t being shown in the UI.

Thank you to our partners who made us aware of this issue. We’ve pushed a fix to mitigate it.

Housekeeping

  • All our AngularJS and related dependencies are up to date.
  • We’ve significantly improved the build and dependency management process, which has led to better DX (Developer Experience) and less JavaScript.
  • We now have an integration testing framework for the Developer Dashboard to help us develop features more confidently.

 

Revealing download links in the checkout for static products

For historical reasons, we didn’t reveal the download link and license key in our checkout form. The assumption was that anyone with access to the email address would have access to the license key and the download link. By not revealing them during checkout, we automatically verified the email. This also reduces fraud.

While this works for WordPress plugins and themes, it can add an unnecessary step for static products like widgets and templates. Customers usually want to download them right away and they don’t need the license key to activate them.

Following requests from our partners, we’ve started showing download links for all static products right after the checkout.

We still don’t reveal the license key. If we see more requests related to this feature, we will add support in our Developer Dashboard, where our partners can choose if they want to reveal the download link and – possibly – the license key right after the checkout.

Checkout security layer updates

This week, we’re releasing some minor updates to the new security layer we’ve been working on. This system is there to protect us and our partners from ever-increasing card testing attacks.

The new system is still running under observation mode. It’s already providing us with plenty of valuable information and we’re growing confident about its robustness. We hope to bring it out of observation mode soon and put it into production.

Deployment summary 2nd April, 2023

This week, we’re releasing some updates to the Freemius backend and API. They are:

  • Improvements to the new security layer from the observational data we collected.
  • The ability to add custom localhost URL patterns for licenses migrated from other platforms. This feature was requested by our partners.
  • Some housekeeping and internal changes.

Please stay tuned – we’re preparing for some big changes in the Checkout App (no teasers at the moment 😄)

New security layer to block card testing attacks, and other changes

Phased rollout of a new security layer in the checkout process

This week, we’re rolling out a new security layer that our CTO Dror Yaakov has been working on. It will prevent card testing attacks more accurately while letting legitimate purchases pass through.

We’re doing this in a phased manner to avoid surprises and to thoroughly test the system. Only a small percentage of requests will run through the new layer. Once we have enough data, we will let the system handle more requests, eventually replacing the existing one.

Other changes

  • Some SEO-related updates to the blog.
  • Improvements to some internal apps.
  • Improved the checkout app’s email validation system.

Changelog summary 19 March, 2023

Freemius Backend

  • The developer billing update/creation endpoint now supports country names with commas.
  • ‘Support specialist’ and ‘Developer’ roles in the Team now have permission to update the billing of users.
  • The checkout and pricing apps are now running GA4 instead of GA3 (soon to be deprecated).

Freemius website and blog

  • Some optimization with the website and blog caching to make them load faster.
  • Various SEO work (thanks to our new team member Ymreb Concepcion).

Developer Dashboard

  • Updated legacy GA3 to new GA4.
  • Some in-house updates.

User Dashboard

  • We’ve updated legacy GA3 to the new GA4.

Changelog summary 5 March, 2023

Backend changes

  • Minor edge case fix in the weekly reporting system.
  • Data sanitization in some internal systems.
  • Fixed a minor edge case issue in PayPal dispute sync system.
  • Fixed a glitch in the password reset mechanism where the reset token in some cases would get invalidated prematurely.
  • Enriched the ‘new license creation’ endpoint with a new parameter to optionally white label the license when creating it.
  • Updated the system to inherit the white label property when creating child licenses for items in a bundle.
  • Increased max file upload size for static files to 120 MB.

Developer Dashboard

  • Increased max file upload size for static files to 120 MB.
  • Improvements in the instructions inside the Webhooks Integration page.
  • Made the payout email notification read-only, since we want to notify developers and send instructions for the invoice.
  • Changed read-only notification configurations to be ‘checkable’ only if they were previously off.
  • Removed the unnecessary button from the ‘create license’ dialog.

Complete Developer Dashboard reskinning – with dark mode

This weekend, it’s our pleasure to announce a wholly reskinned and modernized Developer Dashboard.

 

The entirety of the application has been reskinned. When you log in for the first time, the system will try to detect your color preference and automatically set the light or the dark theme. You can click on the sun/moon icon beside the Freemius logo to toggle the theme as you please.

Here are some notable pointers.

Modern and better icons set

Our designer Vitalii has worked hard to create modern and meaningful icons for the actions/information the Developer Dashboard provides. Here are some examples:

Redesigned SDK integration page

We have refreshed the design of the SDK integration page to elucidate the steps you need to take to integrate your product with Freemius.

Redesigned Plans page

We’ve made it easier to create new pricing variations and bulk licensing on the Plans page.

These are but a few of the Developer Dashboard’s new improvements. Please log in to your Developer Dashboard now and give us a shout on how you like them.

Multiple FX currencies and Users page improvements in the Developer Dashboard

This week’s changelog comes with many new features in the Developer Dashboard.

Supporting multiple Foreign Exchange currencies

After we introduced a “Foreign Exchange – USD” virtual currency to display transactional data on the new “Sales Analytics” page, we received a request to support other foreign exchange currencies too. This week, we are releasing that feature.

Apart from the “FX-USD”, you can convert your transactional data into any of the currencies Freemius supports.

Subscriptions and Payments tabs on the Users page are now open by default

Feedback from our partners made us realize that Subscriptions and Payments are the primary things one wants to see when accessing the Users page. They were hidden behind an accordion, which you had to click to view information.

To save you the hassle, those sections are now open by default and load as soon as the licenses are loaded.

Other changes

  • Fix: In some cases, the same currencies appeared multiple times in the filtering UI.
  • Fix: Internal pub/sub architecture of the app.
    • In some edge cases, the plugin would not display when navigating between pages.
    • When navigating to one store away from another’s product, the state held incorrect data.
  • Fix: Race condition when loading subscriptions/licenses of a user.
  • Fix: Incorrect URL in the share menu.
  • Fix: Login reCAPTCHA not showing up, due to a race condition in loading the script.
  • Update: Improved validation in the login/registration/password recovery form.

 

New wire payout feature in the Developer Dashboard

Following many requests from our partners, we’ve implemented a self-service system to add or update “Bank Wire” payout methods in our Developer Dashboard.

Until now, our partners had to send us bank details manually if they wished to have payouts via bank wire. But with this update, you can do it yourself from the Developer Dashboard’s Profile page.

Changing payout methods to wires

Go to My Profile at the top-right corner of the Developer Dashboard and scroll to the section that says Payout Method(s). Under the Payout Method column, you’ll find that selecting Bank Wire (or Wise) will open a popup where you can enter your bank details.

All of your details are saved securely on our server under heavy encryption.

Setting different bank accounts for different currencies

At Freemius, we support selling in three currencies.

You can choose to…

  • Use the same bank account for different source currencies and convert them to the same target currency. In this case, Freemius will do the conversion for you (if applicable).
  • Use different bank accounts with a different combination of source and target currency and let your bank do the conversion (if required).
  • If your bank account supports different target currencies, then you can configure the same bank account to get paid in multiple currencies too.

You can set up three bank accounts if you’re selling in all three currencies.

For existing partners with wire payouts

We have imported data for all of our partners who are already using the wire payout. You will see the form already populated with the bank account details you shared with us.

Miscellaneous activities: 23 January 2023

Freemius Backend/API

  • Supporting API for developers to manage their own bank accounts for payouts.
  • Fixed some date/time-related logic in the backend.
  • Implemented functionality to handle rare edge case products where the configured slug is not the same as the WordPress.org slug.
  • Disabled sending the activation email during an uninstall opt-in event.
  • Improved some internal logic related to webhooks processing.

Developer Dashboard

  • Fixed some styling and behavioral issues in the New Products form.