Miscellaneous updates

  • Made a security improvement in our API layer.
  • Added the HttpOnly cookie-based sign-in to our Multi-Store Developer Dashboard.
  • Fixed a few regressions and bugs in the Multi Store, in preparation for bringing the Multi Store Developer Dashboard out of beta.

Expiring Trial notification enhancements

As part of our automated marketing efforts, we send out a reminder email to customers with expiring trials. However, if the product was uninstalled or the website was deleted, the links in the marketing email – which pointed to the user’s WordPress Dashboard – became ghosted, resulting in broken upgrade links. This is how the email looks when linking to the WordPress Admin Dashboard.

Freemius Expiring free trial notification email with WP Dashboard links

We fixed this issue by proactively checking if the site is active. Only once and if we have confirmed this do we include the WordPress Dashboard links. If the site is inactive, we link to direct checkout (in the context of the license), making sure that the user can always update their package should they change their mind.

If Freemius finds the site to be inactive, the email will look like this:

Freemius Expiring Free trial email for ghosted sites

Please note: If the user activated the trial and then requested a data erasure, we respect their decision. Since we do remove this type of data from our database, we do not send any emails. This behavior has not changed.

Adding team member in Free Product if it has at least one Add-on in Revenue Plan

Previously, you could use the “Team” feature in Freemius if you’ve been selling your products with us (i.e, if your product is in the Revenue Plan). But we understand that many of our partners have a main ‘Free Product’ with one or many ‘Premium Add-ons’.

To simplify team management – provided that you’re selling at-least one Premium Add-on on a Revenue plan with us – you can now use the “Team” feature with the parent product too.

Freemius Team Settings

Go to the Developer Dashboard > Settings > Team to get started.

Premium only JavaScript code stripping

We’ve been stripping premium-only JavaScript code written in between <fs_premium_only> and </fs_premium_only> comment tags. For example:

(function($){
    /* <fs_premium_only> */
    // ... my premium only code ...
 
    /* </fs_premium_only> */
})(jQuery);

Also, as a recommendation for minifiers, we mentioned the following:

module.exports = {
  optimization: {
    minimizer: [
      new UglifyJsPlugin({
        uglifyOptions: {
          output: {
            comments: /\<\/?fs_premium_only\>/i,
          },
        },
        extractComments: true,
      }),
    ],
  },
};

But in some cases, if you had other preserving comments with the /*! style, we didn’t properly take care of that. With this update, we will now be stripping all JS codes between /*! <fs_premium_only> */ and /!* </fs_premium_only> */ tags.

Miscellaneous improvements

  • Fixed some edge case issues where a Developer wouldn’t be getting their Weekly report emails.
  • Improved resilience in communication between our API servers and the database.

Developer Dashboard security improvements

We now only use a secure httpOnly cookie for the Developer Dashboard. The change is transparent and you shouldn’t notice any changes. Please be aware of the following:

  • If you select the ‘remember me‘ option during login, it will remember you for the next 7 days.
  • If you do not, you will be logged out as soon as you close the browser window. This may play out differently if you’ve configured your browser to restore ‘sessions’.

This change won’t revert if you’ve been using your Developer Secret Key to communicate with the Freemius API.

Disclaimer in review forms and emails

When a user leaves a review – either via email or the form – we now make it clear to them that the review will be publicly visible.

Here’s how it looks in the review email:

Freemius Review EmailAnd here’s how looks in the review form:

Freemius User Review Form

Checkout enhancements with third-party cookies

After the recent update of the third-party cookie policy in Safari and Firefox, the PayPal express checkout momentarily stopped working in WordPress Dashboard in these browsers. We promptly pushed a fix to remedy this.

Additionally, we also worked on various performance and internal enhancements.

Release Override Protection

Added protection from mistakenly overriding existing releases by prompting the developer with a confirmation dialogue box after uploading a version that already exists.

Freemius Release override protectionIf you’ve been using Freemius API for automated deployments, and if you want to override a release, you’ll need to send a PUT request mentioning the version number explicitly. Also, please note that we validate the version number accordingly to semver v2 when version is expressly mentioned.

Deployment now supports Update URI

WordPress 5.8 introduced a new Update URI header/ This should prevent WordPress from mistakenly downloading an update from WordPress.org when the plugin is not originated from wp.org, and therefore end up overriding the plugin with a different one.

Our WordPress SDK prevents such a situation from happening. Still, if the plugin is deactivated (i.e. the SDK is not executed as part of the updates logic), this problem can occur.

I’m happy to share that Freemius’s deployment mechanism now officially supports the Update URI header and works as follows:

  1. Add (or override) the Update URI header for paid versions with https://api.freemius.com to prevent the problem.
  2. If the Update URI header was already added before deployment to Freemius, it will be stripped from the free version when pointing to freemius.com. This is because we don’t support updates of free products, and also because we want to make sure that wp.org updates will work as expected.
  3. For now, if there’s a custom Update URI header that is pointing elsewhere (not to freemius.com) keep it as is in the free plugin version, assuming you had a good reason to custom set it.