Skip to Main Content

Are all WordPress Plugins and Themes Open Source? It’s not a simple answer.

Recently, I’ve been seeing a lot of posts on reddit telling users that they can do whatever they want with WordPress themes and plugins, and demand or pirate free copies of paid themes and plugins, because they’re all GPL licensed. Unfortunately, this isn’t the whole story. I figure it’s time to clear the air about how this all works.

Note: I am not a lawyer, and one of the most important things to take away from this article is that you shouldn’t make your own legal interpretations without the support of a lawyer, specializing in intellectual property law.

What is the GPL, and how would it effect other people’s licenses?

WordPress itself is licensed under an open source license called the GNU Public License Agreement (GPLv2), which contains a requirement that “derivative works” be also licensed as GPL. This requirement reads as follows (note section 2b, in particular):

2. You may modify your copy or copies of the Program or any portion of it, thus forming a work based on the Program, and copy and distribute such modifications or work under the terms of Section 1 above, provided that you also meet all of these conditions:

a) You must cause the modified files to carry prominent notices stating that you changed the files and the date of any change.
b) You must cause any work that you distribute or publish, that in whole or in part contains or is derived from the Program or any part thereof, to be licensed as a whole at no charge to all third parties under the terms of this License.
c) If the modified program normally reads commands interactively when run, you must cause it, when started running for such interactive use in the most ordinary way, to print or display an announcement including an appropriate copyright notice and a notice that there is no warranty (or else, saying that you provide a warranty) and that users may redistribute the program under these conditions, and telling the user how to view a copy of this License. (Exception: if the Program itself is interactive but does not normally print such an announcement, your work based on the Program is not required to print an announcement.)

These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the Program, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate works. But when you distribute the same sections as part of a whole which is a work based on the Program, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it.

ADVERTISEMENT:

Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you; rather, the intent is to exercise the right to control the distribution of derivative or collective works based on the Program.

In addition, mere aggregation of another work not based on the Program with the Program (or with a work based on the Program) on a volume of a storage or distribution medium does not bring the other work under the scope of this License

Now, this section fairly clearly describes modifying the original codebase to create a new work, and distributing that work as a whole, which is a fairly separate concept from a plugin or theme system where addons are installed, managed, and removed separately from the main program, without fundamentally transforming its core operations. use published hooks, actions, and public functions to interact with the original program, and are distributed independently from the program itself. However, this is not the way many people in the GPL community interpret this clause.

Ambiguity arises from the fact that PHP is a scripting language, rather than a compiled language, so sections of code can be distributed completely separately, but they have access to the same objects, functions, and data as the original program, despite not being distributed with the program. This concept wasn’t common at the time that the GPLv2 was written, so it isn’t well defined by this license.

Why would plugins and themes be “derivative works”?

Although the GPL itself is unclear on the matter, there are several supporting documents provided by the Free Software Foundation that interpret their intended application of the GPL. On their FAQ page, they state:

When is a program and its plug-ins considered a single combined program? (#GPLPlugins)
It depends on how the main program invokes its plug-ins. If the main program uses fork and exec to invoke plug-ins, and they establish intimate communication by sharing complex data structures, or shipping complex data structures back and forth, that can make them one single combined program. A main program that uses simple fork and exec to invoke plug-ins and does not establish intimate communication between them results in the plug-ins being a separate program.

If the main program dynamically links plug-ins, and they make function calls to each other and share data structures, we believe they form a single combined program, which must be treated as an extension of both the main program and the plug-ins. If the main program dynamically links plug-ins, but the communication between them is limited to invoking the ‘main’ function of the plug-in with some options and waiting for it to return, that is a borderline case.

Using shared memory to communicate with complex data structures is pretty much equivalent to dynamic linking.

This pretty clearly would apply to plugins and themes. However it is important to note the use of “we believe”. This is not an actual term of the license, but an interpretation of the license’s terms, that is subject to the opinions of the author or group.

ADVERTISEMENT:

It is also important to note that the FAQ also states:

Runtime libraries are “System Libraries” as GPLv3 defines them. That means that you don’t need to worry about including their source code with the program’s Corresponding Source. GPLv2 provides a similar exception in section 3.

You may not distribute these libraries in compiled DLL form with the program.

Which becomes extremely confusing when you consider new Operating systems like Node-OS, where every library provided by the OS is interpreted, and memory and functions are directly shared with programs.

There are also valid counter-arguments to be made in support of the integrated view of plugins and themes.

So is there an official opinion on themes and plugins?

In 2009, Matt Mullenweg reached out to the Software Freedom Law Center, to get a legal opinion on whether themes (and by extension, plugins) are derivative works or not. Their response was a slightly guarded yes:

it is our opinion that the themes presented, and any that are substantially similar, contain elements that are derivative works of the WordPress software as well as elements that are potentially separate works. Specifically, the CSS files and material contained in the images directory of the “default” theme are works separate from the WordPress code. On the other hand, the PHP and HTML code that is intermingled with and operated on by PHP the code derives from the WordPress code.

[…]

In conclusion, the WordPress themes supplied contain elements that are derivative of WordPress’s copyrighted code. These themes, being collections of distinct works (images, CSS files, PHP files), need not be GPL-licensed as a whole. Rather, the PHP files are subject to the requirements of the GPL while the images and CSS are not. Third-party developers of such themes may apply restrictive copyrights to these elements if they wish.

ADVERTISEMENT:

Finally, we note that it might be possible to design a valid WordPress theme that avoids the factors that subject it to WordPress’s copyright, but such a theme would have to forgo almost all the WordPress functionality that makes the software useful.

It’s important to note that this review was of WordPress 2.8 RC1, which had no javascript at all in its themes, and specifically excluded CSS and images from GPL requirements. Assuming that JavaScript would have been excluded by the same logic, there are certainly themes and plugins that are almost wholly unencumbered by the GPL, since they interact with WordPress entirely through the REST API, aside from minimal initialization code.

It’s also important to note that this is an informed legal opinion, not a legal ruling. So it would be risky for developers to license their PHP under non-GPL compatible terms, but it doesn’t legally change the terms of their licenses if they do so.

The official company line from the WordPress theme handbook is:

If you plan to distribute your theme, it is a good idea to license it fully under the GPL, so others can enjoy the same freedoms that you did when creating it.

Which is hardly a clear and direct demand on developers.

Has this ever been tested in a court (aka is there legal precedent for the interpretation above)?

As far as I can tell, there has never been a verdict, or even a case regarding the licensing of WordPress themes and plugins. The closest example was in 2010, when Chris Pearson of Thesis Theme and Matt Mullenweg (co-creator of WordPress) got into a heated twitter war over the closed license of Thesis Theme at the time. Legal threats were brought up, but eventually Pearson re-licensed his theme as Split-GPL, before any action was taken.

This isn’t a great example, however, as his theme contained subclassed components like a custom nav-walker (which were legally ruled on in a case involving Java code), and functions that copied WordPress core code verbatim, which clearly forces derivative status, regardless of the core question.

Regardless, as it was never brought to court, the situation remains legally ambiguous.

So, who doesn’t fully GPL license their code?

Many themes and plugins distributed via the popular Envato marketplace are licensed under a “Split license”, where the PHP is GPL licensed, and the CSS, JS, and media included in the plugin or theme isn’t. This is clearly supported by the Software Freedom Law Foundation’s interpretation of the GPL, Matt Mullenweg is against the practice, but clearly doesn’t have a legal reason for this, just an ideological one. Regardless, split licenses are common and defensible.

ADVERTISEMENT:

Beyond this, we get into the more questionable realm of developers who actively apply non-GPL licenses or who Do not honor the terms of the GPL. In the first case, there are a few popular themes and plugins that either don’t list their license or actively post a restrictive license.

Can I ignore the rules of a non-GPL-compatible license?

The right and responsibility to enforce license compliance lies with the developer of the original GPL code (in this case, the WordPress Foundation or Michel Valdrighi, author of the original B2 platform). Just claiming that a license is invalid, as a user, doesn’t make it so. All licenses must be treated as valid by users, or you face possible legal action. If you discover an improper license, you can forward it to the WordPress Foundation, and they can decide whether to attempt to enforce the terms of their license.

From the Free Software Foundation’s GPL FAQ:

Who has the power to enforce the GPL? (#WhoHasThePower)
Since the GPL is a copyright license, the copyright holders of the software are the ones who have the power to enforce the GPL. If you see a violation of the GPL, you should inform the developers of the GPL-covered software involved. They either are the copyright holders, or are connected with the copyright holders. Learn more about reporting GPL violations.

Does the GPL let me force a developer to provide me their plugin/theme for free?

No. From the Free Software Foundation’s GPL FAQ:

If I distribute GPL’d software for a fee, am I required to also make it available to the public without a charge? (#DoesTheGPLRequireAvailabilityToPublic)
No. However, if someone pays your fee and gets a copy, the GPL gives them the freedom to release it to the public, with or without a fee. For example, someone could pay your fee, and then put her copy on a web site for the general public.

If I bought the plugin or theme once, can I force the developer to provide me with future updates free?

No. The GPL says nothing about making future updates to code available to current users, so if your license doesnt include updates, or limits the term for which you will receive updates, after that you will need to purchase future versions.

are GPL clubs legal?

This is a very gray area. If they provide only GPL-licensed software, then they are legal. However, the vast majority of so-called “GPL clubs” offer plugins and themes that are split-licensed or closed licensed. If they do so, they are committing software piracy.

You can usually verify that a GPL club is sharing software illegally by searching for “Avada”, “Visual Composer”, “WP Bakery”, “X Theme”, and “Thesis”. These are all popular split-license plugins and themes that are illegal to share in their entirety. Obviously, passing this quick test doesn’t confirm that a GPL club is operating within the law, but I have yet to see one that properly respects software licensing.

The takeaway for Developers

if you are writing code for WordPress either license the whole work as GPL v2, or a compatible license, or license your assets, styles, and scripts separately from your PHP, or interact with WordPress only via API. Anything else is just asking for future legal trouble, regardless of your opinion of how GPL applies to plugins and themes. That is, unless you really want to be the one to create precedent either confirming or refuting the SFLF’s interpretation of the GPL.

The takeaway for Users

Respect the license provided to you by the developer. If you believe it is in violation of the WordPress license, forward it to the WordPress Foundation, and let them handle any possible legal action. Don’t assume you can ignore a license, or you may end up in court.

Be very cautious of GPL Clubs. While the concept is valid, many implementations leave you with illegal copies of software or assets that are not GPL licensed.

15 Comments

    • gschoppe's profile image.

      while the facts are accurate, in that trademark can make re-distributing a named product illegal, even if it is GPL licensed, I disagree with the idea that this is somehow an attack on the rights of GPL users. GPL specifically doesn’t say anything about trademark, and most high profile software has both trademark and copyright concerns attached. This is why we have Chromium and Chrome, Firefox and IceWeasel, and many other instances of trademarked brands vs code-identical generics.

      I believe building and maintaining a brand name is a company’s right. Heck, even WordPress itself is trademarked by the WordPress Foundation, which defends their mark against misuse.

  1. zylstra's profile image.

    “I have yet to see one that properly respects software licensing.” Have you seen [url stripped by admin]?

    • gschoppe's profile image.

      I took a look at that site, and they are definitely listing themes that are split license as if they are GPL. Their blog posts Mark Jaquith’s article as if it is proof that all themes are 100% GPL, without taking into account that the author is the one who gets to make that decision and ignoring the free software foundation’s statements about assets, styles, and scripts.

      I would recommend steering clear.

      • zylstra's profile image.

        I searched for the examples in your article and didn’t see them listed. Can you name a split license product that they list? I figure I could find one, but I’m new to all this and it will take me a while to get up to speed.

        • gschoppe's profile image.

          The first one I saw, at a glance, was Artbees Jupiter. That’s a popular (although awful) theme on Theme Forest with a split license.

    • gschoppe's profile image.

      The license terms of any split-license theme is up to the developer. Be sure to read all licenses, and feel free to contact the developer, if you aren’t sure.

      That said, most split-license themes don’t care what you change on your own server, but only exist to regulate your ability to distribute the software to other people.

      When in doubt, contact the theme author by email, so you can get a written response, confirming what you can and cannot do.

  2. Martin Roberge's profile image.
    Martin Roberge says:

    Can anyone tell me if [link removedby admin] is legit. This is one of those GPL club you guys talk about. I am new to web programming and learning on my own. Full confession I did try the website, and built a website with woocommerce plugins they offer. Woo Commerce terms and conditions states “Our products are licensed under the GPL”. Reading more on this type of site, some say the files may have been tempered and may have malware. I did run a malware scan on my site with sucuri and it came back clean. How do you know for sure if your website is secure? Sure buying the plugin from woo directly would help but at 1000$ for all the plugins per year. Ouch. So far I have gotten all the updates within a week or two of seeing the notice new updates exist for your plugin. I would hate for client information to be compromised at some point. I am still in testing mode right now so no client info yet on website. Thanks for your help.

    • gschoppe's profile image.

      Honestly, there is no magic way to tell if a plugin has been modified by one of these GPL clubs to include malware. Automated scans can only find malware that matches specific formats seen elsewhere, and it is fairly trivial to include an exploit that won’t register in any scan.

      It is certainly possible that the plugins that you downloaded from non-original sources are fine, but it is adding one more group into the chain of people you have to trust to keep your site secure, and the added group has shown themselves to be more interested in making a quick buck than for developing tools for the WordPress community. That makes them very difficult to trust.

      If you are running an online store, and not making enough to cover $1000/yr licensing, then there is a problem with the business model involved. $1000 in licensing is equivalent to 10 hours of freelance work from a WordPress developer, yearly.

      Is your clients’ safety worth 10 hours of work? I’d say so.

      • Martin Roberge's profile image.
        Martin Roberge says:

        thanks for your reply gshoppe, much appreciate your input. I was just doing a favor for a friend who runs a small town gym. My take on risk management is if there is any remote chance that it could be compromised then don’t use them. I’d rather pay 1000$ a year then a lawsuit for data breach. Now lets say those plugin had malware and I built the site with it, if I buy the legit plugin from woo and replace the non-legit one with them, would I be okay or is the site still at risk? Does it mean I have to start all over?

        Thanks.

        • gschoppe's profile image.

          it’s a bit of a complicated situation. Technically, if you have malware on your site for any amount of time, it may spread itself well beyond the reach of the folder it was originally installed in. It might add files to other plugins, or to your uploads folder, or to non-wordpress-controlled areas of your site or it might add users code snippets to your database, or cron triggers to cause reinfection, or any number of other things.

          In most cases, removing the suspect plugin, followed by running your site through wpscan or a WordFence Pro file integrity scan will be enough to be relatively confident that the malware is gone… however, this is someone else’s business, that is gonna be dealing with customer data, including credit cards. Personally, I would kill it with fire and rebuild from scratch with properly licensed plugins and themes.

          It might be a 1 in 100 chance of malware actually having spread elsewhere in the site, and coming back to bite you, but if it were to happen, it would be a serious issue for you and a lot of other people.

          • Martin Roberge's profile image.
            Martin Roberge says:

            Again, thank you for your input. I’d rather it costing me time then a lawsuit and the embarrassment of building a bad website . I will kill it and rebuild from scratch. Thanks for your support.

Your email address will not be published.

You may use these HTML tags and attributes:

<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>