Minor versions usually don’t deserve a blog post, and neither does this one, but for now is still a good time to talk about it. Let’s look back at 2025 and early 2026 regarding the secupress.me website and the troubles it went through. It’s late March 2026, things are already much better, I’ve patched a lot of things, and I’m making sure the product works well. And finally, some very good news for the last quarter and 2027.
edit ps: If you have the pro bug where the update is requested in a loop, do it one last time, it’s fixed.
Quick Changelog for v2.6.1
2 improvements, a few fixes including 2 important ones.
First important fix is correcting the fatal error is_processing() on the malware scanner page that SecuPress displays even though it’s not the main cause. Why? And why didn’t I fix it before? Well, I don’t actually have a bug. Install SecuPress Pro on a clean installation, activate it, visit the malware scanner: everything–works–fine. The error actually comes from other plugins (hello WooCommerce mainly) that include the same library as me (the async background one), but with an outdated version. My plugin has it updated, so I call a method that doesn’t exist in their file. They chose to include their outdated file everywhere all the time. So when I call the method, it’s not the right file that’s included beforehand. So it’s really their fault. I ended up having to patch to both have the library updated AND call the old deprecated method…
The second important fix is stopping the use of the host $IP command, which on some servers consumes too many resources over time, as the processes are never terminated, causing the site to crash at the host. I’ll talk about this again later.
Regarding improvements, there’s the improvement in malware scanner performance concerning the database. It will be faster while consuming fewer resources. SQL queries have been split into several smaller ones instead of one big one with joins.
The other improvement is stopping the ping to google.com (non-EU) and replacing it with a ping to secupress.me (EU) to better comply with GDPR. Nothing sensitive was being transmitted, except your domain name, the fact that you use WordPress, and the version of WordPress (as with any remote call using the WordPress HTTP API, it’s native).
That’s some good positive stuff!
Let’s take a coffee break…
The changelog is already done, but the article continues, I need to give you a kind of report on what happened, is happening, and will happen. TL;DR: The past is past, the present is pleasant, and the future is better.
Report on v2.3
Let’s quickly go back to this point, you’ll see the connection. The SecuPress plugin in version 2.3 was started in April 2023 and released in free version in March 2025 and pro in July 2025. And it was a disaster, because who spends about 2 years developing a version to have a changelog as long as your arm? No one, because you shouldn’t do that. Despite months of debugging, free beta, help, re-debugging, feedback, and patches, it took 21 different versions to finally achieve stability. A nightmare. All negative.
Fortunately, the end of the year was much cleaner and calmer with 3 versions 2.4, 2.5, and 2.6 from September to January 2026, confirming its well-deserved stability. The change that interests us here is the new API route concerning license keys. We’ll come back to this.
Before 2.3 with EDD
Let’s quickly recall that EDD (Easy Digital Downloads) is the e-commerce system used by SecuPress since forever (2016), and there has always been this recurring problem:
1/ Desynchronization between EDD and Stripe/PayPal in both directions, resulting in customers having paid subscriptions that remain with an “expired” status. The opposite also exists, failed payments that leave subscriptions active, but to the customer’s advantage, so I don’t complain.
Since EDD 3.0
September 2023, EDD moves to 3.0, the troubles begin. Why? Because it’s only if you use EDD and its extensions (Recurring Payment, Software Licensing, etc.) exclusively, and nothing else that’s not official, that you don’t use their hooks, that you don’t extend the functionality yourself, that everything goes well.
But a site like SecuPress requires modifications to its core, and since 2016 we’ve been touching all of that, we’re developers, we know how to touch, we’ve adapted to our needs. The remote data system is homemade, we have our own functions and queries that touch EDD, etc.
But when EDD goes from “it’s a CPT with meta” and therefore native use of WP functions to “well no actually we have our own dev, our own tables, our own getters/setters”, it suddenly becomes more complicated, technical debt increases.
You might say “but no, there’s backward compatibility”, yes, if you don’t have homemade dev, no homemade SQL, but we do.
2/ Hooks that have been deprecated, but nothing in the changelog, others are renamed, same thing. Bit by bit we discover things that no longer work, that need to be debugged and redeveloped.
Then we discover that license keys expire even though the subscription does not expire, why? A license key doesn’t have an expiration, it’s the subscription that does, right? No. The two are now separate, so we have to quickly find a way to return the same subscription status when reading the key status. EDD has no hook at this point, it’s a variable in an object, it’s calculated, period. Figure it out.
3/ License keys can have a different expiration than the linked subscription.
Frustrating, isn’t it?
Report on 2025
At the same time as the 2.3 release in early 2025, emails stopped working, or rather being forwarded to Helpscout, our support ticket system. At first, I just saw less support, until I realized that “no support” was too strange to be normal. After back and forth with the awesome support of o2switch, the problem was magically fixed (yes, I know nothing about mail servers, I couldn’t say!).
Once the emails were “reconnected”, I had to manage to go into Horde to read the emails and not Helpscout, a nightmare.
This was followed by July/August when I was less present, but since 2.3 was stable, it was reassuring. “And there is the drama” 3000 spams received in a short time on the two mailboxes. Not 2759, but exactly 3000, 1500 per mailbox, without being hacked, it looks too much like targeted spam on us…
But almost nothing goes to the real spam box, it’s not ads for blue pills or Vouis Luiton bags, no, fake partnership requests, fake invoice requests, fake support requests, but no email or name matches, no one gives enough details to whatever, it’s vague, it’s basically spam.
You should know that the volume of SecuPress support is relatively low, 2 hours a day are enough, sometimes too much, and most tickets are “where is my invoice?” or “I paid but it’s expired”, it’s rarely the product itself, which is doing fine.
Sorting through these 3000 emails took me forever because at the same time I was developing, answering, sorting. I tried to get help with support by recruiting, but the requested remuneration of 1200€ for 2 hours of work per day, 5 days a week, is too high, that’s equivalent to 4200 (gross) for 7 hours of work per day, for support, who can afford to pay that rate?! So I do it alone, but I’d like that to change too, I need to see how and with whom.
Money money money, must be funny…
Report on January, February, March 2026
During this first quarter, I still had a backlog of support from the end of the year, I was struggling to respond as much as possible, to close as many as possible, it’s holding up, the 2.7 dev is in progress, no one is waiting for it anyway, everything is fine on that front. A beta version will arrive and if it can be released by September, that’s great.
Spoiler for the 2.7 http logs
That’s when I (again) updated EDD, because yes, it’s important to stay up to date right? but with EDD it’s always a risk… “And there is the drama“, we had duplicate sites in the licenses, sites without “www” saw their “www” added, thus filling their license for nothing by 50%.
4/ Duplicate “www” sites reappeared in licenses.
Customers can delete a site from their customer interface, normally, unless EDD makes a change in front/back behavior on the delete link that causes a fatal error due to homemade dev? Yes, EDD did that…
And even after fixing the fatal error, sites can no longer be deleted because the permissions have changed, you have to find the right hook to run our code before their, duplicate THEIR code and add permissions for customers to delete their own site… The fatigue is real.
5/ Impossible to delete a site from your account on your license.
Once fixed again, another issue and as always nothing in their changelog, we notice it gradually or by chance or if it bothers customers:
6/ Deleting a site no longer removes it from the database, it sets it to activated=0 then they filter on =1 to get the real list, everywhere, all the time.
But my homemade devs don’t filter this useless status, if it’s not present it’s no, there it was “yes” so “already existing” was returned since if I check if “21douze.fr” is in the list? “Well yes” of course, but it can be deactivated, I’ll still say OK, I have to go back through the theme files, mu-plugins, plugins, homemade dev everywhere to look for where we get a site via its URL and add this filter.
But this led to other issues in homemade apps, the best solution was finally to hook to add the deletion in the database, as before.
7/ Validating a license no longer automatically adds the site, you have to do it separately afterwards.
While the logic would suggest that a site installing a version of SecuPress pro should be added to the license key, no, it just validates that the license is valid, the site is not added to the database. But the site is validated on the customer side, who won’t have the count in their key. Either they don’t pay attention and validate 10 on a key of 5 possible, or they want to delete it but it’s not added.
Again, we discover this step by step, we have to understand why, where it’s done, hook, add the site manually to the database when for 10 years it’s been like this… $technical_debt++;
Come on, I still have license errors, pros that no longer want to reactivate after a voluntary deletion of the key, or sites that no longer validate the pro. “And there is the dr…” yeah okay. In the database, EDD has always added a trailing “/” when it saves a site in the database, then it adds this “/” during its searches, etc., and hop magic:
8/ EDD no longer adds a trailing “/” when saving URLs in the database, even though it has always done so for over 10 years with us.
But in my hooks/scripts/SQL queries I force a trailing “/”, so I can’t find what I’m looking for, I return “false” for nothing. I have to go back through the theme files, mu-plugins, plugins, homemade dev everywhere to look for where we add a “/” (try searching for “/” in your devs to see…).
FRUSTRATING, RIGHT??
And when it’s not EDD?!
Big drama and it’s not even EDD: The secupress.me site goes down. Emails, FTP, and the database remain accessible, no PHP error logs, no fatal error, no 500 error, just inaccessible. So no new purchases possible, licenses can’t be validated, sites can’t be deleted, no support or contact page. Renewals happen but the synchronization will bug again…
After several back and forth with the awesom’again support of o2switch, we have trouble understanding why I have an excess of ongoing processes. If it were PHP I’d have a log, but here nothing. There are 2 leads after several days of testing and debugging.
a/ On one hand, the old URL of the SecuPress API from 1.0 to 2.2 is being hit too often (twice a day / per site), loading a WP for nothing each time, filling the processes (hello host). Sites still on 2.2 and all sites using a pirated version modified to work without a license (aka “nulled“, with the malware risk inside of course) hit it, the worst being the nulled ones because it’s non-stop in a loop for them, they are never validated, so they keep retrying in a loop in a loop in a lo… It had to be cut off, it’s been a year since 2.3 was released for free, I cut off the URL https://secupress.me/key-api/1.0/ (410 Gone now). Phew!
b/ On the other hand, “host $IP” commands (there you go) from SecuPress that never terminate, also filling the processes. It’s the plugin that launches these commands, it had never caused issues before, but now it does. I modified the code in this 2.6.1 to avoid its use, it’s better…
Better? Don’t move. Pro customer sites see their license key disconnected several times a day, the pro version then behaves like a free version, 2FA is disabled. Once the key is revalidated, you also have to revalidate the link in the 2FA email. Well, when you have 1 site it’s not very fun already, but agencies that are customers with more than 50, 100, 200 sites, that’s more than annoying, how much time to go through so many sites? Several times a day? While managing customers complaining that 2FA is down? Oh my god, what a huge nightmare, it’s my fear, that my product, which is there to secure, and thus prevent the site from being inaccessible, ends up being the one that makes the site inaccessible in a way. But why, actually??
9/ Different JSON response from EDD
I don’t have the details anymore, but basically in the plugin I do a ! empty() which was not empty before, and now returns “false”, but “false” is empty… we no longer pass through the usual condition, the code continues and ends up returning an error code site_is_pro=0, making the plugin think the site is not valid as a pro site. Hop the key is disconnected, this is set in a cron that will do the manipulation in a loop until I change the response from the remote site.
Willy Bahuaud from Wabeo came to report this to me on Slack and stayed with me to debug the API live until we understood exactly where between EDD, the plugin, my devs, who needed to fix it (I don’t count on EDD for the slightest fix, they manage well!) and where. He found it before me, we fixed it, everything went back to normal. Thanks my friend Willy.
By the way, in this 2.6.1 I modified the behavior of the 2FA module validation so that it doesn’t re-email every time it gets disconnected by the key/license, but only manually.
FML
Report from April to September 2026
I’m speaking in the future tense here because it’s late March 2026 as I write this article. It’s decided, I’m leaving EDD as soon as possible, it won’t be easy, but I can’t and don’t want to endure this anymore. Revenue dropped by 10% in the first quarter due to the product’s image, the time people lost because of the errors, the site being down with no purchases, and my lack of communication didn’t help, the priority being to fix all this and not spend my time saying “I’m going to fix it, we’ll find a solution, thanks for your patience” in a loop. To all those who experienced inconveniences, I apologize.
The goal is to eliminate licensing and billing issues, to offer a better customer experience, and to reduce support and therefore frustration. This reflection leads me to validate what I also started last year: redesigning the front-end site in v2, it dates back to 2016, so it will be redesigned by Dareth N., the moodboard will be validated in April to be developed by September in testing and end of the year in production.
The back-office will also need to be revised, without EDD, and here a magic happens where Loïc Blascos has just created a homemade plugin he uses for his new product Unblock (and also that of Maxime BJ with Modern Fields) that replaces EDD and also allows migration! SecuPress.me will also use this! Everything happens at Stripe (even if it’s PayPal!), no more sync issues, disconnected keys, invoices… the dream.
But I also need a unique dashboard, I’ve been promising it for several years, like a WP Umbrella but focused only on SecuPress (no backups, updates, etc.) and here we have Willy again who did this dev for himself and he’s willing to adapt it for SecuPress, that’s great. We will then be able to interact from a single interface on all the sites in our fleet, scan, (de)activate features, fix, etc., all remotely on secupress.me.
It’s late March 2026, things are already much better, I’ve patched a lot of things, I’m making sure the licenses don’t cut off for nothing, I’ve set up live sync with Stripe to get the true status of the licenses, then it syncs the forgotten renewal invoices. It helps!
Let’s take a breath.
WordCamp Rennes 2026
https://bretagne.wordcamp.org/2026/ That’s where it’s happening. Since this camp is on 18/09, I thought it would be great if with friends Loïc, Dareth, Willy we could have a live work session before the contribution day. And as at every WordCamp I take a big BNB where I invite people, it was all set, we’re going to do this: in the days leading up to the camp, we’ll go into rush mode and make sure we have a test secupress v2 site with everything we’ve talked about. Everyone is OK, it’s really a star alignment, I love it, it boosts morale.
By the way, there are still spots in this BNB, come on Twitter in DM or Slack WPFR in DM to join 😉
Report from October to December 2026
(Future vision mode) WordCamp Rennes has passed, the v2 site is in testing, it’s coming out for Christmas and to celebrate the 10th anniversary of the plugin which is moving to 3.0 at the same time.
It would be nice to see someone who knows the WP communities both in France and beyond the oceans to better market the product, integrate with friends’ products, and integrate them, etc., I have an idea, we’ll see. Same for support, how to manage not to be alone without getting ripped off.
Futuristic Report for 2027
Everything is back in order, the site is doing well, the plugin is doing well, revenue is doing well, support is better.
Thank you for reading, thank you to all those who supported me during these difficult times, there will be others, that’s life, we always get through it, it’s never a fatality, but support is important. Of course, I understand departures and anger, it remains less constructive but not everyone works that way!
