WordPress Plugin · v1.0.0 · Coming soon
Patch Gap
Find the plugins and themes nothing is updating. A lapsed licence makes a premium plugin go silent — and silence looks exactly like “up to date”.
- WordPress 6.2+
- PHP 7.4+
- GPLv2+
- Read-only
Free core coming to the WordPress.org plugin directory. This page is the plugin’s official home.
Your updates page says everything is fine. It might be lying to you.
WordPress.org plugins get a safety net: core checks them for updates automatically, and security plugins warn you when one is abandoned. Premium plugins get nothing. When a premium plugin’s licence expires, its key goes missing, it was hand-uploaded from a zip, or its vendor quietly disappears, the plugin’s updater stops answering — and here is the dangerous part: a plugin that cannot be updated does not show a warning. It shows nothing at all, which looks identical to a plugin that is perfectly up to date. So it sits there, frozen at the version it was when the licence lapsed, and never receives another security patch. Your dashboard stays green. Your fleet tool stays green. Nobody tells you.
29%
of all valid WordPress vulnerability reports in Patchstack’s 2026 security report are attributed to premium and freemium components — a majority of them the kind attackers automate at scale. Premium components are simultaneously the ones nothing version-checks.
How it works
It asks every update source whether it is listening.
Job one · Update coverage
Find out who — if anyone — is patching each component
Patch Gap forces every update source on the site to answer, then sorts every plugin and theme by who is actually responsible for patching it. It weighs four independent signals before it calls anything a gap, because a naive “is it in the update list?” check would scream about every custom plugin an agency has ever written.
- Covered — WordPress.org checks it, or a licensed vendor updater is responding.
- Gap — the component ships updater code but registered no update source. It will never be patched again.
- Bespoke — custom code with no updater and no licence. Listed, never alarmed.
7 components are receiving no updates from anyone
42 plugins and themes scanned · 3 licences expired. FACT checks are deterministic; ADVISORY results never drive the verdict on their own.
Coverage FACT
| Mailer Suite | Covered WordPress.org | |
| Shop Payments Pro | Covered vendor updater active | |
| Form Builder Pro | Gap — updater present but silent licence lapsed | |
| Slider Deluxe | Gap — declares an update source that never answers | |
| Gallery Classic | Abandoned upstream no release in 4 years | |
| Acme Client Tweaks | No updater bespoke — informational |
Job two · Licence roster
Name the licences that already lapsed
A gap appearing is usually the week a licence expired — the moment you can still fix it cheaply. Patch Gap reads the licence states your plugins already saved on your own site (Freemius, EDD Software Licensing, WooCommerce API Manager) and names expiry dates where they exist. It never asks for a licence key, never stores one, and never contacts a vendor to check.
- Expiry dates read from your own site’s options — never from a vendor.
- Detects silent updaters even when no licence information exists at all.
- Dismiss any finding with a note: an audit record that says “this one is deliberate”.
Licences readable on this site FACT
| Form Builder Pro | expired 12 Mar 2026 · EDD Software Licensing |
| Shop Payments Pro | Active · renews 4 Nov 2026 · Freemius |
| Slider Deluxe | No licence data stored on this site |
Never leaves your site
Licence information is read from your own options table and is never transmitted anywhere. Patch Gap never asks for or stores a licence key.
Read-only, always
Patch Gap never updates, deactivates, rolls back, or modifies any plugin, theme or setting. It asks every update source whether it is listening, and reports the answer. There is nothing it can change that could break.
It never sees your keys
It never asks for, stores, or transmits a licence key. It reads the licence status your plugins already saved locally — and detects silent updaters even where no licence information exists at all.
Bespoke is not a problem
Four independent signals stand between “absent from the update list” and a verdict, so what gets flagged is what is genuinely unpatchable — not the in-house plugin you wrote on purpose and never intend to update.
In the free build
Complete for auditing a site.
Nothing below is limited, metered, or unlocked by payment.
-
Update-coverage report
Every plugin and theme classified, with a plain-language reason and a headline verdict you can read in one second.
-
Licence roster
The licence states readable from your own site — active, expired, expiry dates — without contacting any vendor.
-
Abandonment cross-reference
WordPress.org components that stopped getting releases years ago, or were closed upstream, with the reason given.
-
Weekly re-check
An email the moment a component loses its update source — usually the week its licence quietly expired.
-
Site Health integration
Coverage surfaced inside WordPress’s own Site Health screen, at the recommended tier.
-
Dashboard summary widget
The current verdict and open gap count, at a glance on wp-admin.
-
WP-CLI
wp patch-gap scan — including --format=json, ungated and unmetered. Pipe the whole report into jq.
-
Dismiss with a note
Mark any finding deliberate and say why. An audit record, not a silenced alarm — and it survives re-scans.
Free vs Pro
Pro is for when the sites belong to clients.
The free build already audits a site completely. Pro is about the artifacts an agency needs on top: something to hand the client, something to invoice against, and somewhere to pipe it all.
| Capability | Free | Pro |
|---|---|---|
| Update-coverage classification for every plugin and theme | ✓ | ✓ |
| Licence roster with expiry dates, read from your own site | ✓ | ✓ |
| Abandonment & closure cross-reference for WordPress.org components | ✓ | ✓ |
| Weekly re-check + email when a component loses its update source | ✓ | ✓ |
| Dismiss-with-note audit trail, Site Health test, dashboard widget | ✓ | ✓ |
| WP-CLI scan, including --format=json | ✓ | ✓ |
| Sites your licence covers | One, complete | 5 · 25 on Agency |
| White-label client coverage report (PDF / print) | — | ✓ |
| Licence-renewal roster you can invoice against | — | ✓ |
| Slack & webhook alerts on new gaps | — | ✓ |
| REST coverage endpoint for fleet dashboards | — | ✓ |
Pro · founder pricing
Pro
$79/yr
Agency
$199/yr
14-day trial, no card required. Annual, in US dollars. There is no single-site Pro on purpose — the free plugin already covers one site completely. Pro is sold and licensed through Freemius, the merchant of record.
Questions people ask.
Why doesn’t WordPress warn me about this already?
Because WordPress cannot tell the difference between “this plugin has no update available” and “nothing will ever offer this plugin an update again”. Both look like silence. Patch Gap distinguishes them by asking who is responsible for each component, rather than whether there is an update right now.
Will it flag my custom plugins?
It will list them, but it will not treat them as a problem. Custom code with no updater and no licence is classified as “bespoke” — informational only. Patch Gap only raises a gap when a component was clearly built to receive vendor updates and then didn’t register one.
Does it need my licence keys?
No. It never asks for, stores, or transmits a licence key. It reads whatever licence status your plugins already saved locally, and — more importantly — it detects silent updaters even when no licence information exists at all.
How does it decide a plugin has a “silent updater”?
It reads WordPress’s own update transient — the same list your dashboard uses — to see which components a source is actually updating. For components that are updating nothing, it does a read-only scan of their code for the fingerprints of the common updater libraries: EDD Software Licensing, Plugin Update Checker, Freemius, WooCommerce API Manager, and hand-rolled update-transient hooks. A component that ships one of those was built to receive vendor updates, so if nothing is updating it, its licence has almost certainly lapsed.
Does it replace Wordfence, MainWP or ManageWP?
No — it fills a hole they leave. Wordfence’s own documentation states it does not version-check plugins outside the WordPress.org repository. Fleet tools show the updates vendors offer; if a vendor’s updater is silent, they show nothing. Patch Gap is the piece that notices the silence.
Can it break my site?
It is strictly read-only — it never changes, updates, deactivates, or rolls back any plugin, theme or setting, so there is nothing it can change that could break. A scan only triggers the same update check WordPress itself runs on a schedule.
Inherited a site you did not build?
Every agency does. Patch Gap tells you, in one read-only scan, which of its plugins nobody has been patching since long before you arrived — and which licence has to be renewed to fix it.