
404 to 301 Plugin Considered Harmful

This entry was posted in Research, WordPress Security on August 16, 2016 by Mark Maunder   47 Replies   

Yesterday we received a site cleaning request from a customer who was seeing spammy links, payday loan ads in this case, injected into the page content of their WordPress site. The links appeared only when the site was visited by a search engine crawler, not when a human visited it. This kind of cloaking is a common symptom of a hacked site.

An extract from the customer communication with personal info removed:

We look after a clients website [website removed] and believe that has been compromised.

Specifically, the issue is that when Google or Bing’s search bots crawl the site, they see some text injected into the top of the homepage. I have been using a user agent switcher to verify its presence, but it was first spotted when we did a pagespeed test here: [removed] and it showed in their ‘preview’ screengrab on the desktop view.

This text isn’t always present, and when it is there it’s only on the home URL (not on an actual page, e.g. if you visit [page removed] it doesn’t appear).

[snip]

For reference, the block of injected text appears under the site header (navigation etc.) and also in the body of our exit-intent popup:

Make Ends Meet With Payday Loans

It is often very easy to face any financial emergency if you have adequate money to pay for them. But, this can seem all too impossible if you often live from one paycheck to another. How will you be able to pay for your urgent financial emergencies? Most often than not, you can’t. Face the reality, when your job is unable to pay for your financial emergencies, it is best to turn to payday loan providers out there.

[rest of content removed including link to payday loans site]
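The customer verified the injection by hand with a user agent switcher. The following script, an added example that is not part of the original post or of any plugin discussed here, automates that comparison: it fetches the same URL once with a browser User-Agent and once with a crawler User-Agent, reduces both responses to visible text, and reports the lines only the crawler receives. The user agent strings, the sample HTML and the `example.invalid` link are constructed for the demo; the live `check_site()` call is the only part that touches the network.

```python
"""Detect crawler-only content (cloaking) by fetching a page under two User-Agents.

Added example, not code from the original post or from the 404 to 301 plugin.
find_cloaked_text() works on any two HTML strings, so the constructed sample at
the bottom runs offline; check_site() performs real HTTP requests.
"""
import difflib
import re
import urllib.request

# Assumed user agents: a desktop browser and the documented Googlebot / Bingbot strings.
BROWSER_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/52.0 Safari/537.36")
GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
BINGBOT_UA = "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"

TAG_RE = re.compile(r"<[^>]+>")
WS_RE = re.compile(r"\s+")
# Block-level closers and <br> mark the boundaries between text lines.
BLOCK_SPLIT_RE = re.compile(r"(?i)<br\s*/?>|</(?:p|div|li|h[1-6]|td|tr)>")


def visible_text(html: str) -> list[str]:
    """Drop scripts/styles and tags, returning the page's non-empty text lines."""
    html = re.sub(r"(?is)<(script|style).*?</\1>", " ", html)
    lines = []
    for chunk in BLOCK_SPLIT_RE.split(html):
        text = WS_RE.sub(" ", TAG_RE.sub(" ", chunk)).strip()
        if text:
            lines.append(text)
    return lines


def find_cloaked_text(browser_html: str, crawler_html: str) -> list[str]:
    """Return the text lines served to the crawler that the browser never received."""
    browser_lines = visible_text(browser_html)
    crawler_lines = visible_text(crawler_html)
    matcher = difflib.SequenceMatcher(None, browser_lines, crawler_lines, autojunk=False)
    added = []
    for tag, _, _, j1, j2 in matcher.get_opcodes():
        if tag in ("insert", "replace"):
            added.extend(crawler_lines[j1:j2])
    return added


def fetch(url: str, user_agent: str, timeout: float = 15.0) -> str:
    """Fetch url with the given User-Agent, asking intermediaries not to serve a cached copy."""
    req = urllib.request.Request(
        url, headers={"User-Agent": user_agent, "Cache-Control": "no-cache"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        charset = resp.headers.get_content_charset() or "utf-8"
        return resp.read().decode(charset, "replace")


def check_site(url: str, crawler_ua: str = GOOGLEBOT_UA) -> list[str]:
    """Live check: fetch as a browser, then as a crawler, and diff the visible text."""
    return find_cloaked_text(fetch(url, BROWSER_UA), fetch(url, crawler_ua))


# Constructed sample: the same page as a browser sees it and as a crawler sees it.
SAMPLE_BROWSER = """<html><body><div id="header"><a href="/">Home</a><a href="/about">About</a></div>
<h1>Welcome</h1><p>We build things.</p></body></html>"""
SAMPLE_CRAWLER = """<html><body><div id="header"><a href="/">Home</a><a href="/about">About</a></div>
<div class="uan"><h2>Make Ends Meet With Payday Loans</h2><p>Face the reality ... <a href="http://example.invalid/loans">payday loan</a></p></div>
<h1>Welcome</h1><p>We build things.</p></body></html>"""

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        hits = check_site(sys.argv[1])          # python cloak_check.py https://your-site.example/
    else:
        hits = find_cloaked_text(SAMPLE_BROWSER, SAMPLE_CRAWLER)
    for line in hits:
        print("crawler-only:", line)
```

Two practical caveats follow from the customer's own observations: the injection was intermittent and appeared only on the home URL, so run the check several times against the homepage rather than once against an inner page, and run it against both the Googlebot and Bingbot strings. Run it from outside any caching layer (or with the cache purged), otherwise both fetches may return the same cached copy and the diff comes back empty.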

It turns out that this is not a hacked site. The content is injected by a plugin called 404 to 301, which has 70,000 active installs and a 4.5 star rating from 56 reviewers. When you install the plugin it asks you to agree to a long agreement that includes parts of the GNU General Public License. At the very end, which you have to scroll down to find, it also includes the following text:


Third Party Text Links

Third party text networks supply text for display in 404 to 301. These networks may collect your visitors’ IP addresses, in native or hashed forms, for purposes of controlling the distribution of text links. 404 to 301 collects anonymous aggregated usage statistics.

By clicking the button here below, you agree to the terms and conditions and give permission to place text links on your website when search engine crawlers access it. Your website’s layout, performance and interaction with human visitors should not be altered or affected in any way. Please note that this feature can be deactivated at any time under 404 to 301 Setting > Help & Info > Plugin Information > Disable UAN, without affecting any other feature available in 404 to 301.

404 to 301 – Copyright © 2016.

I’m reasonably sure that no sane webmaster would knowingly agree to:

  1. Cloaking, that is, serving search engine crawlers content that human visitors never see. Google’s Webmaster Guidelines specifically prohibit it, and it can result in a manual action and a ranking penalty against the site.
  2. Ads being inserted into their site over which they have no editorial control, including payday loan ads.
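The post does not show how the plugin implements the injection, only what the terms describe: text supplied by a third-party network, shown when crawlers access the site, with visitor IPs sent along in native or hashed form. The following audit script is an added example, not code from the post or from 404 to 301, and it scans the PHP of installed plugins for that general pattern: a file that both branches on a crawler User-Agent and pulls remote content and emits output into the page. It assumes crawler detection is done via `HTTP_USER_AGENT`; the three PHP snippets are constructed for the demo and do not reproduce any real plugin.

```python
"""Heuristic audit of WordPress plugin sources for crawler-gated remote content.

Added example, not code from the original post or from the 404 to 301 plugin.
A file is flagged only when all three signals appear together, because any one
of them alone (a 404 logger storing the User-Agent, a cache plugin bypassing
cache for crawlers, an update checker calling wp_remote_get) is ordinary.
"""
import os
import re
from dataclasses import dataclass, field
from typing import List, Optional

UA_CHECK_RE = re.compile(r"HTTP_USER_AGENT", re.I)
BOT_NAME_RE = re.compile(r"googlebot|bingbot|slurp|baiduspider|yandex|duckduckbot", re.I)
REMOTE_RE = re.compile(
    r"wp_remote_(?:get|post|request)|curl_init|file_get_contents\s*\(\s*['\"]https?:", re.I)
OUTPUT_RE = re.compile(
    r"\becho\b|\bprint\b|add_filter\s*\(\s*['\"](?:the_content|wp_head|wp_footer)", re.I)


@dataclass
class Finding:
    path: str
    reasons: List[str] = field(default_factory=list)


def scan_source(path: str, source: str) -> Optional[Finding]:
    """Return a Finding when a file gates on crawler UA, fetches remotely and emits output."""
    reasons = []
    if UA_CHECK_RE.search(source) and BOT_NAME_RE.search(source):
        reasons.append("branches on crawler User-Agent")
    if REMOTE_RE.search(source):
        reasons.append("fetches remote content")
    if OUTPUT_RE.search(source):
        reasons.append("emits output into the page")
    if len(reasons) == 3:
        return Finding(path, reasons)
    return None


def scan_plugins_dir(plugins_dir: str) -> List[Finding]:
    """Walk wp-content/plugins (path assumed) and scan every .php file."""
    findings = []
    for root, _, files in os.walk(plugins_dir):
        for name in files:
            if not name.endswith(".php"):
                continue
            path = os.path.join(root, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                finding = scan_source(path, fh.read())
            if finding:
                findings.append(finding)
    return findings


# Constructed samples (not any real plugin's code).
# 1. Crawler-only injection of remotely supplied text, with a hashed visitor IP sent along.
SUSPICIOUS_PHP = r"""<?php
add_action('wp_head', function () {
    $ua = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
    if (preg_match('/googlebot|bingbot/i', $ua)) {
        $r = wp_remote_get('http://example.invalid/links?ip=' . md5($_SERVER['REMOTE_ADDR']));
        if (!is_wp_error($r)) { echo wp_remote_retrieve_body($r); }
    }
});
"""
# 2. A plain 404 logger: stores the User-Agent but neither gates on bots nor fetches remotely.
BENIGN_404_LOGGER_PHP = r"""<?php
add_action('template_redirect', function () {
    if (is_404()) {
        global $wpdb;
        $wpdb->insert($wpdb->prefix . 'redirect_log', array(
            'url' => $_SERVER['REQUEST_URI'],
            'ua'  => $_SERVER['HTTP_USER_AGENT'],
        ));
        wp_redirect(home_url('/'), 301);
        exit;
    }
});
"""
# 3. A cache bypass for crawlers: gates on bots and echoes, but fetches nothing remote.
CACHE_BYPASS_PHP = r"""<?php
if (!preg_match('/googlebot|bingbot/i', $_SERVER['HTTP_USER_AGENT'])) {
    $cached = get_transient('page_' . md5($_SERVER['REQUEST_URI']));
    if ($cached) { echo $cached; exit; }
}
"""

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else None   # e.g. /var/www/html/wp-content/plugins
    if target:
        for f in scan_plugins_dir(target):
            print(f.path, "->", "; ".join(f.reasons))
    else:
        for label, src in (("suspicious", SUSPICIOUS_PHP), ("404 logger", BENIGN_404_LOGGER_PHP),
                           ("cache bypass", CACHE_BYPASS_PHP)):
            print(label, "->", scan_source(label + ".php", src))
```

This is a triage heuristic, not proof: a plugin can recognise crawlers by source IP or reverse DNS instead of the User-Agent, or assemble the strings at runtime, and neither shows up in a grep. Treat a hit as a file to read, and pair the static scan with a live browser-versus-crawler fetch of the site, which catches the behaviour regardless of how the gating is implemented.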

We are contacting the WordPress plugin repository maintainers, who will likely have removed the plugin by the time you read this post. Now that you’re fully informed, we suggest you make up your own mind about whether to keep this plugin installed if you have it on your site.

As always we welcome your comments. Please note: We have disabled comments on this post due to the inflammatory nature of some of the comments we’re receiving.


47 Comments on "404 to 301 Plugin Considered Harmful"

Gaurav Bhardwaj August 16, 2016 at 11:28 am • Reply

Those stupid spammers.
Thanks Wordfence, I'm glad that I am using your plugin.

T.Kick August 16, 2016 at 11:29 am • Reply

So.... does deactivating and uninstalling remove any trace of the plugin, or will any extra actions be needed?

Keith Taylor August 16, 2016 at 11:59 am • Reply

If you use CloudFlare or a cache plugin, clear all caches. I recommend using Google Search Console after deleting the plugin. Use the Fetch as Google function, then submit to index. Tedious, but good if your pages have been compromised.

estepix August 16, 2016 at 11:30 am • Reply

Good catch!!!

For anyone reading this, if you want to get rid of that 404 to 301 plugin, you can replace it with the plugin "Redirection":

https://wordpress.org/plugins/redirection/

It does the same job (including 404 log management). I have been using it for a while and it does the job nicely.

estepix August 16, 2016 at 11:33 am • Reply

plus, it has 500k active installs and has been updated in the last two months ;)

btw: I have nothing to do with this Redirection plugin, I just thought some might find it useful

Ryan J August 16, 2016 at 11:30 am • Reply

Great catch!

Mike Baker August 16, 2016 at 11:31 am • Reply

Thanks for the heads up on this - I don't have anyone using this plugin, but I will keep an eye out for it.

Sonjay August 16, 2016 at 11:32 am • Reply

HOW in the name of all that's holy did the plugin writer decide this was acceptable?

Markus Hartmann August 16, 2016 at 11:33 am • Reply

Thank you very much for this information. I used this plugin on my website ... and deleted it already. Keep going on with your good work!

estepix August 16, 2016 at 11:36 am • Reply

Markus, have a look at the plugin Redirection, it might be a good replacement

Luke Cavanagh August 16, 2016 at 11:45 am • Reply

One of the best redirection plugins is Safe Redirect Manager.

Richard B August 16, 2016 at 11:39 am • Reply

More scum bubbling to the surface. At the very least WordPress.org should remove plugins that endanger a website's ranking.

Is this the only plugin from the author that does this?
https://profiles.wordpress.org/joelcj91/#content-plugins

Keep up the great work on exposing the bums.

Jim August 16, 2016 at 11:40 am • Reply

It's always important to ask yourself when installing any plugin, whether it be on WordPress, Android, etc.: How are the authors of this plugin making their money? There's no free lunch people.

Bradley G Tayloe August 16, 2016 at 11:45 am • Reply

Wow. I literally just installed this plugin on two sites in the last week looking for a good 404 plugin.

THANK YOU Wordfence!

BGT

Oka August 16, 2016 at 11:47 am • Reply

Thank you very much

Mark Arambula August 16, 2016 at 11:48 am • Reply

Thanks for the updates. I am very picky on plugins and this is one to be wary of.

Juliette August 16, 2016 at 11:49 am • Reply

Wow! Thanks for the alert on this!

Jordan August 16, 2016 at 11:49 am • Reply

"Please note that this feature can be deactivated at any time under 404 to 301 Setting > Help & Info > Plugin Information > Disable UAN"

This is obviously a dirty feature to make opt-out, but is there any reason to uninstall the plugin rather than just disabling cloaking? Are there other malicious things still active even if the feature is disabled via the admin?

Blurger August 16, 2016 at 11:57 am • Reply

The plugin author set the default to be opt-in. What is to say he doesn't install another "feature" that everyone auto opts-in to in a future release.

Curtis August 16, 2016 at 12:28 pm • Reply

Jordan... really? You would still consider using a plugin that uses this sort of technique as part of its build? Where there is one issue there is bound to be another.

Why support a person or business that uses underhand practices? There are plenty more options from less scrupulous developers that should be used and supported instead.

sd142ppr August 16, 2016 at 11:53 am • Reply

IMPORTANT: The developers of the plugin have just this minute UPDATED and REMOVED the nefarious scripting element. They have stated that all tracking has been removed.

HOPE THAT HELPS!!
Stevo

Chris August 16, 2016 at 12:49 pm • Reply

I would still never trust someone that attempted it once.

Joel James August 16, 2016 at 11:54 am • Reply

Hi all,

This is Joel, author of 404 to 301 plugin.

Really sorry for the confusion and lack of security checking before my co-developer partner committed the code. Rectified the security risk and immediately removed the tracking code from the plugin.

You can update the plugin now and check if everything works normally. I know how everyone feels about my mistake. I will never ever let someone else commit code to my plugins.

David August 16, 2016 at 11:55 am • Reply

The plugin is still in the repository. That's good in that there's a link to the developer's other plugins. Perhaps the others are problematic?

https://profiles.wordpress.org/joelcj91/#content-plugins

Dan Moen August 16, 2016 at 12:36 pm • Reply

Hi David, we took a quick look at the other plugins and didn't see anything that concerned us.

Brett August 16, 2016 at 11:56 am • Reply

Thanks. Always glad I use Wordfence.

Chris August 16, 2016 at 12:00 pm • Reply

It looks like the author has removed tracking as of today https://wordpress.org/plugins/404-to-301/changelog/

Jay August 16, 2016 at 12:05 pm • Reply

Thanks for all you do to keep us clean!!!

Ed August 16, 2016 at 12:06 pm • Reply

Plugin last updated 19 minutes ago... Interesting!

Alvaro Gomez August 16, 2016 at 12:22 pm • Reply

Seriously dirty stuff. Do we need a police to patrol the updates in the repo now?

Jeff August 16, 2016 at 12:22 pm • Reply

As of 12:16 PM PT, the 404 To 301 plugin is still available on WordPress.org. I hope they don't consider this to be an "okay" practice because there is a way to disable it. Total BS.

Anca Mosoiu August 16, 2016 at 12:33 pm • Reply

Thanks for alerting us to this, WordFence! I went to check on the wordpress.org site, and the plugin developer claims this was caused by a "third-party developer" that he worked with, and that the code has been removed from the plugin:

https://wordpress.org/support/topic/cloaking-seriously

What a nasty situation.

Luke Cavanagh August 16, 2016 at 12:33 pm • Reply

The plugin was just updated 47mins ago, the tracking has been removed.

https://wordpress.org/plugins/404-to-301/changelog/

Jeff August 16, 2016 at 12:42 pm • Reply

Another great example of your 'value add' to the WordPress community. May you live long and prosper!

Robert Hudson August 16, 2016 at 12:43 pm • Reply

Wow... you now have a loyal customer. It makes you wonder what is hiding in all the plugins. Shame on the developer. Thank you for exposing him. Please don't stop.

Radu August 16, 2016 at 12:54 pm • Reply

Do you think this WP plugin is harmful even if the "feature" is deactivated under 404 to 301 Setting > Help & Info > Plugin Information > Disable UAN?
Thank you for this post !

Ron August 16, 2016 at 12:57 pm • Reply

Here's a post where the author admits to the plugin doing this....

https://wordpress.org/support/topic/third-party-text-links

Now he's trying to lie his way out of it and blame a "partner developer".

Not likely. He just got caught by the AWESOME team at Wordfence and now he's trying to deny it.

Good riddance! Thanks Wordfence. :)

Joel James August 16, 2016 at 1:31 pm • Reply

Hi Ron,

I am not denying anything. I take 100% responsibility for this. I apologise for my mistake, not reviewing the code inside my own plugin.

I don't know if people will believe what just happened. But it was actually what happened.

I removed the entire tracking feature, changed my wp.org password, ended partnership with the dev. And now I can assure you that this will never ever happen again.

Once again, I am not denying anything and I am sorry for the confusion caused.

Sue Berry August 16, 2016 at 1:15 pm • Reply

Great post - will delete app immediately. I guess we can't be too careful and I absolutely object to have any link to payday loans on my site. Thanks for the heads up!

Jay August 16, 2016 at 1:16 pm • Reply

@ Joel James (the plugin author): you're a fraudster.

1) in the changelog you only mention having removed the tracking code - no word about the ad-injection;
2) you claim your co-author inserted that malicious code (without you checking.... right). The only co-author mentioned is 'The Foxe'. However, in your profile, you link to his site (http://imgur.com/a/WgUNj) - which then links to social-media sites.... all in your name! He is just an alias of yours - that you use to blame in case you get caught. The first of your plugins is already outed - 8 more to go....

Jay August 16, 2016 at 2:09 pm • Reply

And, as always, kudos to Mark and the Wordfence team!

What frustrates the most about this incident is not just the fact that the author tries to make some money in a sneaky way, but that his method actually might hurt sites and their SEO - I have clients that pay a small fortune to get their sites optimized and just one (simple) plugin completely ruins that effort.

I don't know how WordPress checks its repository, but this should be a wake-up call - the vast majority of plug-ins are free - which in the end is not feasible for serious developers - as support costs them more than development.

Joel James August 16, 2016 at 2:14 pm • Reply

You are right. People feel like I am a fraudster.

1) I just wanted to remove the malicious code first. So I immediately updated the plugin without explaining the issue in detail. I will be publishing a blog post about the issue soon.

2) Please note, both of these accounts are mine. As I mentioned in my previous comments on wp.org, we both used the same account. We have only used my primary account for committing those changes.

Yes. It was my BIG mistake giving someone else access to my account. Now people are not going to believe my words. My hours of work for the community are going to be marked as fraud.

I can only ask you to review the current version's code, and I can assure you that only I will have access to my wp.org account from now onwards.

Jay August 16, 2016 at 3:01 pm • Reply

Well..... I can only suggest you come "completely" clean - with a post, updated WP.org page etc. Clearly you now have everything against you, but with 70K people using your plugin you must be doing something right - it is now a matter of convincing them you can be trusted (again).

Good luck.

Stefan August 16, 2016 at 1:18 pm • Reply

Hi - I've been using this plugin for a while on several sites and have not been notified by any of my security measures. So I was shocked to read your review.

However, I also want to give a programmer who donates his work for free the benefit of the doubt, and sure enough he has pointed to it https://wordpress.org/support/topic/third-party-text-links?replies=3

You may call me naive, but I like to trust the guy, as I trust you. I guess it's a matter of reviewing the update, isn't it.

Thanks guys for your excellent work!

Tom Kenning August 16, 2016 at 3:40 pm • Reply

But he wasn't doing it for free; who knows how much money he was making from hidden ads. And the link you've given shows he knew what was in the Ts&Cs but completely denied the existence of ads, saying there was random text inserted that Google bots can see. Why would there need to be random text? Seems to me he knew then that his plugin was inserting specific links, not random text.

Lisa August 16, 2016 at 3:16 pm • Reply

Yikes, with over 70,000 installs I hope WordPress will notify people!!!

Jarem August 16, 2016 at 4:20 pm • Reply

Thanks Wordfence, good job!
