Builds By Luke
All plugins

WordPress Plugin · v1.0.0 · Coming soon

Patch Gap

Find the plugins and themes nothing is updating. A lapsed licence makes a premium plugin go silent — and silence looks exactly like “up to date”.

  • WordPress 6.2+
  • PHP 7.4+
  • GPLv2+
  • Read-only

Free core coming to the WordPress.org plugin directory. This page is the plugin’s official home.

Patch Gap icon

Your updates page says everything is fine. It might be lying to you.

WordPress.org plugins get a safety net: core checks them for updates automatically, and security plugins warn you when one is abandoned. Premium plugins get nothing. When a premium plugin’s licence expires, its key goes missing, it was hand-uploaded from a zip, or its vendor quietly disappears, the plugin’s updater stops answering — and here is the dangerous part: a plugin that cannot be updated does not show a warning. It shows nothing at all, which looks identical to a plugin that is perfectly up to date. So it sits there, frozen at the version it was when the licence lapsed, and never receives another security patch. Your dashboard stays green. Your fleet tool stays green. Nobody tells you.

29%

of all valid WordPress vulnerability reports in Patchstack’s 2026 security report are attributed to premium and freemium components — a majority of them the kind attackers automate at scale. Premium components are simultaneously the ones nothing version-checks.

How it works

It asks every update source whether it is listening.

Job one · Update coverage

Find out who — if anyone — is patching each component

Patch Gap forces every update source on the site to answer, then sorts every plugin and theme by who is actually responsible for patching it. It weighs four independent signals before it calls anything a gap, because a naive “is it in the update list?” check would scream about every custom plugin an agency has ever written.

  • Covered — WordPress.org checks it, or a licensed vendor updater is responding.
  • Gap — the component ships updater code but registered no update source. It will never be patched again.
  • Bespoke — custom code with no updater and no licence. Listed, never alarmed.
7 gaps

7 components are receiving no updates from anyone

42 plugins and themes scanned · 3 licences expired. FACT checks are deterministic; ADVISORY results never drive the verdict on their own.

Coverage FACT

Mailer SuiteCovered WordPress.org
Shop Payments ProCovered vendor updater active
Form Builder ProGap — updater present but silent licence lapsed
Slider DeluxeGap — declares an update source that never answers
Gallery ClassicAbandoned upstream no release in 4 years
Acme Client TweaksNo updater bespoke — informational
The Coverage Report — who is patching what, and who is not. Example data shown.

Job two · Licence roster

Name the licences that already lapsed

A gap appearing is usually the week a licence expired — the moment you can still fix it cheaply. Patch Gap reads the licence states your plugins already saved on your own site (Freemius, EDD Software Licensing, WooCommerce API Manager) and names expiry dates where they exist. It never asks for a licence key, never stores one, and never contacts a vendor to check.

  • Expiry dates read from your own site’s options — never from a vendor.
  • Detects silent updaters even when no licence information exists at all.
  • Dismiss any finding with a note: an audit record that says “this one is deliberate”.

Licences readable on this site FACT

Form Builder Pro expired 12 Mar 2026 · EDD Software Licensing
Shop Payments Pro Active · renews 4 Nov 2026 · Freemius
Slider Deluxe No licence data stored on this site

Never leaves your site
Licence information is read from your own options table and is never transmitted anywhere. Patch Gap never asks for or stores a licence key.

The Licence roster — read-only introspection of what your plugins already saved. Example data shown.

Read-only, always

Patch Gap never updates, deactivates, rolls back, or modifies any plugin, theme or setting. It asks every update source whether it is listening, and reports the answer. There is nothing it can change that could break.

It never sees your keys

It never asks for, stores, or transmits a licence key. It reads the licence status your plugins already saved locally — and detects silent updaters even where no licence information exists at all.

Bespoke is not a problem

Four independent signals stand between “absent from the update list” and a verdict, so what gets flagged is what is genuinely unpatchable — not the in-house plugin you wrote on purpose and never intend to update.

In the free build

Complete for auditing a site.

Nothing below is limited, metered, or unlocked by payment.

  • Update-coverage report

    Every plugin and theme classified, with a plain-language reason and a headline verdict you can read in one second.

  • Licence roster

    The licence states readable from your own site — active, expired, expiry dates — without contacting any vendor.

  • Abandonment cross-reference

    WordPress.org components that stopped getting releases years ago, or were closed upstream, with the reason given.

  • Weekly re-check

    An email the moment a component loses its update source — usually the week its licence quietly expired.

  • Site Health integration

    Coverage surfaced inside WordPress’s own Site Health screen, at the recommended tier.

  • Dashboard summary widget

    The current verdict and open gap count, at a glance on wp-admin.

  • WP-CLI

    wp patch-gap scan — including --format=json, ungated and unmetered. Pipe the whole report into jq.

  • Dismiss with a note

    Mark any finding deliberate and say why. An audit record, not a silenced alarm — and it survives re-scans.

Free vs Pro

Pro is for when the sites belong to clients.

The free build already audits a site completely. Pro is about the artifacts an agency needs on top: something to hand the client, something to invoice against, and somewhere to pipe it all.

Capability Free Pro
Update-coverage classification for every plugin and theme
Licence roster with expiry dates, read from your own site
Abandonment & closure cross-reference for WordPress.org components
Weekly re-check + email when a component loses its update source
Dismiss-with-note audit trail, Site Health test, dashboard widget
WP-CLI scan, including --format=json
Sites your licence covers One, complete 5 · 25 on Agency
White-label client coverage report (PDF / print)
Licence-renewal roster you can invoice against
Slack & webhook alerts on new gaps
REST coverage endpoint for fleet dashboards

Pro · founder pricing

Pro

$79/yr

5 sites · for the freelancer auditing the sites they manage

Agency

$199/yr

25 sites · white-label, for client care plans

14-day trial, no card required. Annual, in US dollars. There is no single-site Pro on purpose — the free plugin already covers one site completely. Pro is sold and licensed through Freemius, the merchant of record.

Questions people ask.

Why doesn’t WordPress warn me about this already?

Because WordPress cannot tell the difference between “this plugin has no update available” and “nothing will ever offer this plugin an update again”. Both look like silence. Patch Gap distinguishes them by asking who is responsible for each component, rather than whether there is an update right now.

Will it flag my custom plugins?

It will list them, but it will not treat them as a problem. Custom code with no updater and no licence is classified as “bespoke” — informational only. Patch Gap only raises a gap when a component was clearly built to receive vendor updates and then didn’t register one.

Does it need my licence keys?

No. It never asks for, stores, or transmits a licence key. It reads whatever licence status your plugins already saved locally, and — more importantly — it detects silent updaters even when no licence information exists at all.

How does it decide a plugin has a “silent updater”?

It reads WordPress’s own update transient — the same list your dashboard uses — to see which components a source is actually updating. For components that are updating nothing, it does a read-only scan of their code for the fingerprints of the common updater libraries: EDD Software Licensing, Plugin Update Checker, Freemius, WooCommerce API Manager, and hand-rolled update-transient hooks. A component that ships one of those was built to receive vendor updates, so if nothing is updating it, its licence has almost certainly lapsed.

Does it replace Wordfence, MainWP or ManageWP?

No — it fills a hole they leave. Wordfence’s own documentation states it does not version-check plugins outside the WordPress.org repository. Fleet tools show the updates vendors offer; if a vendor’s updater is silent, they show nothing. Patch Gap is the piece that notices the silence.

Can it break my site?

It is strictly read-only — it never changes, updates, deactivates, or rolls back any plugin, theme or setting, so there is nothing it can change that could break. A scan only triggers the same update check WordPress itself runs on a schedule.

Inherited a site you did not build?

Every agency does. Patch Gap tells you, in one read-only scan, which of its plugins nobody has been patching since long before you arrived — and which licence has to be renewed to fix it.