Skip to Content
DecisionsDeferred purchases (Patchstack + WAL Premium)

Deferred plugin purchases — Patchstack + WP Activity Log Premium

Context

The locked stack includes Patchstack (security) and WP Activity Log Premium (activity logging). Both have agency-tier licenses (~$1,000/yr and ~$199/yr respectively). The question: buy them now during build, or defer to launch?

Decision

Defer both purchases to ~1 week before site goes public (Phase 5 QA / Phase 6 cutover prep). During build, free / built-in alternatives provide sufficient coverage.

Rationale

During build (Phase 0 → Phase 5)

  • Staging is password-protected at the Nginx layer (GridPane basic auth). Public attack surface = zero.
  • GridPane 7G Firewall is active at the server level. Cloudflare WAF is active at the edge. Two security layers running today at no incremental cost.
  • WP Activity Log free version logs every meaningful event. Premium adds file integrity monitoring, email/SMS alerts, external storage, better filtering — all of which are useful but not critical until the site is live and the monthly client report skill needs to consume the logs.
  • A year of Patchstack license activated today would mostly run scans on a near-empty private site with no real value.

At launch and beyond

  • Patchstack becomes essential the moment the site goes public — virtual patching of WP/plugin vulnerabilities is real protection that GridPane firewall + Cloudflare WAF can’t provide.
  • WP Activity Log Premium becomes essential when the np-monthly-client-report skill in hangar needs to pull log data with proper filters and exports. Free version doesn’t expose enough.
  • At that moment, the recurring care plan revenue covers the license costs cleanly. Net spend after launch: $0.

Consequences

  • Phase 5 task list includes: “Purchase + activate Patchstack agency tier, upgrade WP Activity Log to Premium.” Track as a launch-readiness task, not Phase 0 task.
  • Pre-flight checklist updated to mark both as DEFERRED (not blocking Day 1 / Day 3 / Day 5).
  • If a security incident occurs during build (extremely unlikely given the layered private-staging protections), accelerate the Patchstack purchase. Otherwise, hold.
  • Pattern is repeatable for future clients — same deferral applies, same trigger condition (~1 week pre-launch), same economic outcome.
  • stack/overview.mdx
  • decisions/2026-04-27-license-centralization.mdx
Last updated on
Stack OverviewWS Form over Fluent Forms