Frequently Asked Questions

General

What is Troy?

Troy is an independent plugin distribution system for WordPress. Host your own plugin repository and deliver updates directly — no centralized directory required.

Why "Troy"?

Like the ancient city that withstood siege, Troy is built for independence and resilience. And yes, there's a horse involved—but this one's here to help.

Is Troy free?

Yes. The core is MIT licensed and always will be — free to use, modify, and distribute.

Who's behind Troy?

CyberWire B.V., led by Sybre Waaijer—the developer behind The SEO Framework.

Technical

Does Troy replace WordPress.org?

No. Troy only distributes updates and dependencies for plugins that explicitly opt in via a Troy header. Everything else continues through WordPress.org normally.

Can I host plugins on both WordPress.org and Troy?

Yes—this is a common and recommended setup.

Troy headers are inert metadata that WordPress.org ignores. You can publish the exact same plugin file on both platforms:

  • Sites with Troy Client → updates come from your Troy Server.
  • Sites without Troy Client → updates come from WordPress.org.

How it works:

  1. Add a Troy header to your plugin (WordPress.org allows this — it's just metadata they ignore).
  2. Upload to WordPress.org as usual.
  3. Connect your WordPress.org plugin to Troy Server via Integrations.
  4. Troy Server automatically imports new releases from WordPress.org.

This keeps both platforms in sync. When you release on WordPress.org, Troy Server auto-imports the new version within minutes.

WordPress.org's plugin validator doesn't flag Troy headers. Troy headers don't affect how your plugin functions on sites without Troy Client.

What you can't do:

Don't embed Troy Client installation code (via Troy Embed) in plugins hosted on WordPress.org. This violates their guidelines about plugins installing other plugins without explicit user consent. Instead, distribute Troy Client via a Troy Package.

How is Troy different from Update URI?

The Update URI header is a WordPress Core header that's banned on WordPress.org. Even where you can use it, it has critical flaws:

  1. WordPress.org can override it. If WordPress.org hosts a plugin with your slug, their update takes precedence — the Update URI filter never runs. This is a supply chain attack vector.
  2. All your data leaks first. WordPress sends all installed plugin and theme metadata to WordPress.org before the Update URI filter runs. Your plugin name, version, slug, and site URL are already exposed.

Troy works differently:

  • Proactive filtering. Troy Client removes Troy plugins from update requests to WordPress.org before they're sent. WordPress.org never sees Troy plugins.
  • No override possible. Troy delivers updates through a separate mechanism, completely independent of WordPress Core's update flow.
  • Inert headers. The Troy header is just metadata — it doesn't trigger any WordPress Core behavior.
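
The proactive filtering described above can be pictured with a small WordPress filter. This is an added example, not Troy Client's own code: the constant `EXAMPLE_PRIVATE_PLUGINS`, the function name, and the plugin file `my-plugin/my-plugin.php` are hypothetical, and the page's Troy header is replaced here by a fixed list of plugin files.

```php
<?php
// Added illustration; not Troy Client's code.
// Hypothetical list of self-hosted plugin files, keyed the way get_plugins() keys them.
const EXAMPLE_PRIVATE_PLUGINS = [ 'my-plugin/my-plugin.php' ];

add_filter( 'http_request_args', 'example_strip_private_plugins', 10, 2 );

/**
 * Removes the listed plugins from the plugin update-check payload
 * before WordPress sends it to api.wordpress.org.
 *
 * @param array  $args HTTP request arguments.
 * @param string $url  Request URL.
 * @return array Possibly modified request arguments.
 */
function example_strip_private_plugins( $args, $url ) {
	$host = wp_parse_url( $url, PHP_URL_HOST );
	$path = (string) wp_parse_url( $url, PHP_URL_PATH );

	// Only touch the plugin update check; every other request passes through.
	if ( 'api.wordpress.org' !== $host || 0 !== strpos( $path, '/plugins/update-check/' ) ) {
		return $args;
	}
	if ( ! is_array( $args['body'] ?? null ) || ! is_string( $args['body']['plugins'] ?? null ) ) {
		return $args;
	}

	// Core sends a JSON object with 'plugins' (header data per file) and 'active' (file list).
	$payload = json_decode( $args['body']['plugins'], true );
	if ( ! is_array( $payload ) ) {
		return $args; // Unexpected format: left untouched, so nothing is stripped here.
	}

	foreach ( EXAMPLE_PRIVATE_PLUGINS as $file ) {
		unset( $payload['plugins'][ $file ] );
	}
	if ( isset( $payload['active'] ) && is_array( $payload['active'] ) ) {
		$payload['active'] = array_values(
			array_diff( $payload['active'], EXAMPLE_PRIVATE_PLUGINS )
		);
	}

	$args['body']['plugins'] = wp_json_encode( $payload );
	return $args;
}
```

To check the result on a test site, log the `plugins` body field of the update-check request and confirm the listed files no longer appear in either `plugins` or `active`.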

Is Troy secure?

Troy takes security and privacy seriously:

  • Encrypted in transit — All communication uses HTTPS exclusively.
  • Privacy-preserving analytics — Statistics use rotating UUIDs and strip identifying information before transmission.
  • No central data collection — Your plugin inventory stays between you and the plugin author's server.
  • Fully open source — Every component is available on GitHub for independent security audits.
  • No forced auto-updates — Troy Client blocks forced background updates for Troy-managed plugins, preventing supply chain attacks that push updates without your consent.

What about multisite?

Troy Client works on WordPress multisite. It requires network activation — single-site activation isn't supported.

Troy Server should also work on WordPress multisite, but we haven't tested it extensively. If you run into issues, please report them on GitHub.

Community

How can I contribute?

Where can I get help?