404 to 301 Plugin Considered Harmful
Yesterday we received a site cleaning request where one of our customers was seeing spammy links, Payday Loans in this case, injected into their WordPress website page content. The links were only appearing when the site was visited by a search engine crawler. This is common when a site has been hacked.
An extract from the customer communication with personal info removed:
We look after a client's website [website removed] and believe that it has been compromised.
Specifically, the issue is that when Google or Bing's search bots crawl the site, they see some text injected into the top of the homepage. I have been using a user agent switcher to verify its presence, but it was first spotted when we did a pagespeed test here: [removed] and it showed in their 'preview' screengrab on the desktop view.
This text isn't always present, and when it is there it's only on the home URL (not actually the page, e.g. if you visit [page removed] it doesn't appear).
For reference, the block of injected text appears under the site header (navigation etc.) and also in the body of our exit-intent popup:
Make Ends Meet With Payday Loans
It is often very easy to face any financial emergency if you have adequate money to pay for them. But, this can seem all too impossible if you often live from one paycheck to another. How will you be able to pay for your urgent financial emergencies? Most often than not, you can’t. Face the reality, when your job is unable to pay for your financial emergencies, it is best to turn to payday loan providers out there.
[rest of content removed including link to payday loans site]
It turns out that this is not a hacked site. The content is injected by a plugin called 404 to 301, which has 70,000 active installs and a 4.5 star rating from 56 reviewers. When you install the plugin it asks you to agree to a long agreement which includes parts of the GNU General Public License. But at the end it also includes the following text (you have to scroll down to find it):
Third Party Text Links
Third party text networks supply text for display in 404 to 301. These networks may collect your visitors’ IP addresses, in native or hashed forms, for purposes of controlling the distribution of text links. 404 to 301 collects anonymous aggregated usage statistics.
By clicking the button here below, you agree to the terms and conditions and give permission to place text links on your website when search engine crawlers access it. Your website’s layout, performance and interaction with human visitors should not be altered or affected in any way. Please note that this feature can be deactivated at any time under 404 to 301 Setting > Help & Info > Plugin Information > Disable UAN, without affecting any other feature available in 404 to 301.
404 to 301 – Copyright © 2016.
I’m reasonably sure that no sane webmaster would agree to:
- Cloaking (serving search engine crawlers content that human visitors never see), which is specifically banned by Google and will result in a search engine penalty.
- Allowing ads to be inserted into their site over which they have no editorial control, including payday loan ads.
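The cloaking described above is easy to check for: request the same page as an ordinary browser and as a search engine crawler and compare the links in the two responses. The script below is an added example, not code from Wordfence or from the plugin; the user agent strings, the sample pages and the example.invalid domain are constructed for illustration.

```python
# Added example (not Wordfence's or the plugin's code): diff the browser view and
# the crawler view of a page and report links that only the crawler receives.
# The user agents and the two sample pages are constructed for illustration.
import urllib.request
from html.parser import HTMLParser
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/45.0"
CRAWLER_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

class LinkCollector(HTMLParser):
    """Collect (href, anchor text) pairs from an HTML document."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def extract_links(html):
    parser = LinkCollector()
    parser.feed(html)
    return set(parser.links)

def cloaked_links(browser_html, crawler_html):
    """Links served to the crawler but not to the browser, sorted for stable output."""
    return sorted(extract_links(crawler_html) - extract_links(browser_html))

def fetch(url, user_agent):
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=20) as resp:
        return resp.read().decode("utf-8", "replace")

def check_url(url):
    """Fetch one URL as a browser and as a crawler, then diff the link sets (needs network)."""
    return cloaked_links(fetch(url, BROWSER_UA), fetch(url, CRAWLER_UA))

# Constructed sample: the home page as a human sees it vs. as the crawler receives it.
BROWSER_VIEW = "<html><body><nav><a href='/about'>About</a></nav><p>Welcome</p></body></html>"
CRAWLER_VIEW = ("<html><body><nav><a href='/about'>About</a></nav><div><h3>Make Ends Meet With "
                "Payday Loans</h3><a href='http://example.invalid/loans'>payday loan providers</a>"
                "</div><p>Welcome</p></body></html>")
```

Run `check_url("https://your-site.example/")` against a live site; a non-empty result lists the links only the crawler is being shown, which is exactly what the customer's user agent switcher revealed.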
We are contacting the WordPress plugin repository maintainers who will likely remove the plugin by the time you read this post. Now that you’re fully informed, we suggest you make up your own mind about whether or not you want to keep this plugin installed if you have it on your site.
As always we welcome your comments. Please note: We have disabled comments on this post due to the inflammatory nature of some of the comments we’re receiving.
Those stupid spammers
Thanks Wordfence, I'm glad that I am using your plugin.
So .... deactivating and de-installing removes any trace of the plugin, or any extra actions will be needed?
If you use CloudFlare or a cache plugin, clear all caches. I recommend using Google Search Console after deleting the plugin. Use the Fetch as Google function, then submit to index. Tedious, but good if your pages have been compromised.
For anyone reading this, if you want to get rid of that 404 to 301 plugin, you can replace it with the plugin "Redirection":
It does the same job (including 404 log management). I have been using it for a while and it does the job nicely.
plus, it has 500k active installs and has been updated in the last two months ;)
btw: I have nothing to do with this Redirection plugin, I just thought some might find it useful
Thanks for the heads up on this - I don't have anyone using this plugin, but I will keep an eye out for it.
HOW in the name of all that's holy did the plugin writer decide this was acceptable?
Thank you very much for this information. I used this plugin on my website ... and deleted it already. Keep going on with your good work!
Markus, have a look at the plugin Redirection, it might be a good replacement
One of the best redirection plugins is Safe Redirect Manager.
More scum bubbling to the surface. At the very least WordPress.org should remove plugins that endanger a website's ranking.
Is this the only plugin from the author that does this?
Keep up the great work on exposing the bums.
It's always important to ask yourself when installing any plugin, whether it be on WordPress, Android, etc.: How are the authors of this plugin making their money? There's no free lunch people.
Wow. I literally just installed this plugin on two sites in the last week looking for a good 404 plugin.
THANK YOU Wordfence!
Thank you very much
Thanks for the updates. I am very picky on plugins and this is one to be wary of.
Wow! Thanks for the alert on this!
"Please note that this feature can be deactivated at any time under 404 to 301 Setting > Help & Info > Plugin Information > Disable UAN"
This is obviously a dirty feature to make opt-out, but is there any reason to uninstall the plugin rather than just disabling cloaking? Are there other malicious things still active even if the feature is disabled via the admin?
The plugin author set the default to be opt-in. What is to say he doesn't install another "feature" that everyone auto opts-in to in a future release.
Jordan...really? You would still consider using a plugin that uses this sort of technique as part of its build? Where there is one issue there is bound to be another.
Why support a person or business that uses underhand practices? There are plenty more options from less scrupulous developers that should be used and supported instead.
IMPORTANT: The developers of the plugin have just this minute UPDATED and REMOVED the nefarious scripting element. They have stated that all tracking has been removed.
HOPE THAT HELPS!!
I would still never trust someone that attempted it once.
This is Joel, author of 404 to 301 plugin.
Really sorry for the confusion and lack of security checking before my co-developer partner committed the code. Rectified the security risk and immediately removed the tracking code from the plugin.
You can update the plugin now and check if everything works normally. I know how everyone feels about my mistake. I will never ever let someone else commit code to my plugins.
The plugin is still in the repository. That's good in that there's a link to the developer's other plugins. Perhaps the others are problematic?
Hi David, we took a quick look at the other plugins and didn't see anything that concerned us.
Thanks. Always glad I use Wordfence.
It looks like the author has removed tracking as of today https://wordpress.org/plugins/404-to-301/changelog/
Thanks for all you do to keep us clean!!!
Plugin last updated 19 minutes ago... Interesting!
Seriously dirty stuff. Do we need a police to patrol the updates in the repo now?
As of 12:16 PM PT, the 404 To 301 plugin is still available on WordPress.org. I hope they don't consider this to be an "okay" practice because there is a way to disable it. Total BS.
Thanks for alerting us to this, WordFence! I went to check on the wordpress.org site, and the plugin developer claims this was caused by a "third-party developer" that he worked with, and that the code has been removed from the plugin:
What a nasty situation.
The plugin was just updated 47mins ago, the tracking has been removed.
Another great example of your 'value add' to the WordPress community. May you live long and prosper!
Wow...you now have a loyal customer. It makes you wonder what is hiding in all the plugins. Shame on the developer. Thank you for exposing him. Please don't stop
Do you think this WP plugin is harmful even if the "feature" is deactivated under 404 to 301 Setting > Help & Info > Plugin Information > Disable UAN?
Thank you for this post !
Here's a post where the author admits to the plugin doing this....
Now he's trying to lie his way out of it and blame a "partner developer".
Not likely. He just got caught by the AWESOME team at Wordfence and now he's trying to deny it.
Good riddance! Thanks Wordfence. :)
I am not denying anything. I take 100% responsibility for this. I apologise for my mistake, not reviewing the code inside my own plugin.
I don't know if people will believe what just happened. But it was actually what happened.
I removed the entire tracking feature, changed my wp.org password, ended partnership with the dev. And now I can assure you that this will never ever happen again.
Once again, I am not denying anything and I am sorry for the confusion caused.
Great post - will delete the plugin immediately. I guess we can't be too careful and I absolutely object to having any link to payday loans on my site. Thanks for the heads up!
@ Joel James (the plugin author): you're a fraudster.
1) in the changelog you only mention having removed the tracking code - no word about the ad-injection;
2) you claim your co-author inserted that malicious code (without you checking.... right). The only co-author mentioned is 'The Foxe'. However, in your profile, you link to his site (http://imgur.com/a/WgUNj) - which then links to social-media sites.... all in your name! He is just an alias of yours - that you use to blame in case you get caught. The first of your plugins is already outed - 8 more to go....
And, as always, kudos to Mark and the Wordfence team!
What frustrates the most about this incident is not just the fact that the author tries to make some money in a sneaky way, but that his method actually might hurt sites and their SEO - I have clients that pay a small fortune to get their sites optimized and just one (simple) plugin completely ruins that effort.
I don't know how WordPress checks its repository, but this should be a wake-up call - the vast majority of plug-ins are free - which in the end is not feasible for serious developers - as support costs them more than development.
You are right. People feel like I am a fraudster.
1) I just wanted to remove the malicious code first. So I immediately updated the plugin without explaining the issue in detail. I will be publishing a blog post about the issue soon.
2) Please note, both of these accounts are mine. As I mentioned in my previous comments on wp.org, we both used the same account. We have only used my primary account for committing those changes.
Yes. It was my BIG mistake giving someone else access to my account. Now people are not going to believe my words. My hours of work for the community are going to be marked as fraud.
I can only ask you to review the current version's code, and I can assure you that only I will have access to my wp.org account from now onwards.
Well..... I can only suggest you come "completely" clean - with a post, updated WP.org page etc. Clearly you now have everything against you, but with 70K people using your plugin you must be doing something right - it is now a matter of convincing them you can be trusted (again).
Hi - I've been using this plugin for a while on several sites and have not been notified by any of my security measures. So I was shocked to read your review.
However, I also want to give a programmer who donates his work for free the benefit of the doubt, and sure enough he has pointed to it https://wordpress.org/support/topic/third-party-text-links?replies=3
You may call me naive, but I like to trust the guy, as I trust you. I guess it's a matter of reviewing the update, isn't it.
Thanks guys for your excellent work!
But he wasn't doing it for free, who knows how much money he was making from hidden ads. And in that link you've given it shows he knew what was in the Ts&Cs but completely denied the existence of ads, saying there was random text inserted that Google bots can see, why would there need to be random text. Seems to me he knew then that his plugin was inserting specific links not random text.
Yikes, with over 70,000 installs I hope WordPress notifies people!!!
Thanks Wordfence, good job!