We will always put our customers and community first

On Tuesday we published a blog post about the 404 to 301 plugin inserting ad links into page content that only search engines could see. This is a technique called cloaking and will incur a penalty from Google.

Since then we have received some criticism from the maintainers of the WordPress plugin repository for the way we handled this. We have also received some criticism from the community for victimizing a plugin author.

I’d like to share a few additional facts and then explain why I wholeheartedly stand by our decision to publish and the way we handled this.

  • The plugin inserted links to websites into page content that would only show up when Google or another search engine crawled the site.
  • The content was hidden from the site owner and from anyone who did not visit the site with a search engine user-agent (browser identification string).
  • The plugin asked you for permission to do this by displaying terms of service that described exactly what it was intending to do. The ‘cloaking’ portion of the terms of service was at the end after a long copy of the GNU general public license that was included. It was below the fold in a scrolling element, so would not have been noticed by anyone who didn’t scroll down. (See below for screenshot)
  • On further investigation the ad domain, which is wpcdn.io, serves up three things:
    • The Payday Loan content we already disclosed. (See below for content)
    • A link to an adult UK based escort service. (See below for censored screenshot and content).
    • A string of text that is somewhat unique: sdf98jhk (See below for content)
  • If you google the string of text it returns 8,620 results and these appear to be WordPress sites that have had content injected by this plugin and that content has been indexed by Google. Random checks confirm that these sites are running the affected plugin. This confirms over 8,000 sites at a minimum were affected.
  • Sadly if you google the adult domain that is being served, it appears to have infected many other websites including a school’s site that is now serving adult content to Google. (See below for screenshot)
  • The ad domain was registered on January 14, 2016.
  • The plugin author’s account was used to upload the changes.
  • We were alerted to this plugin by a customer and upon investigation found that their site was surreptitiously serving up blackhat SEO content.
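The facts above reduce to one test a site owner can run against their own site: request the same page once as an ordinary browser and once claiming to be a search-engine crawler, then diff the links and text that come back. The script below is an added example, not code from Wordfence or from the plugin. `cloaking_page()` is a constructed stand-in for a site running a link-injecting plugin; its domains and link text are placeholders, and the only detail taken from the findings above is the marker string `sdf98jhk`.

```python
"""Cloaking check: compare a page as served to a browser vs. to a crawler.

Added example, not Wordfence's or the plugin author's code. The simulated
server `cloaking_page()` and the crawler token list are constructed for the
demo; run `detect_cloaking()` against `fetch_url` for a real site.
"""
import re
from html.parser import HTMLParser

BROWSER_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/48.0 Safari/537.36")
GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

# Substrings a cloaking plugin is likely to key on (constructed list).
CRAWLER_TOKENS = ("googlebot", "bingbot", "slurp", "duckduckbot", "baiduspider", "yandex")


def is_crawler(user_agent):
    ua = user_agent.lower()
    return any(tok in ua for tok in CRAWLER_TOKENS)


def cloaking_page(user_agent):
    """Constructed stand-in for an affected site: browsers get the normal page,
    crawlers get extra links appended. Domains here are placeholders."""
    body = ('<html><body><h1>Welcome</h1>'
            '<p>Our <a href="https://example.com/about">about page</a>.</p>')
    if is_crawler(user_agent):
        body += ('<div><a href="http://spam.invalid/loans">payday loans</a> '
                 '<a href="http://adult.invalid/">escorts</a> sdf98jhk</div>')
    return body + '</body></html>'


class LinkExtractor(HTMLParser):
    """Collect href targets and visible text from an HTML document."""
    def __init__(self):
        super().__init__()
        self.links = set()
        self.text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.add(value)

    def handle_data(self, data):
        if data.strip():
            self.text.append(data.strip())


def extract(html):
    parser = LinkExtractor()
    parser.feed(html)
    return parser.links, " ".join(parser.text)


def hostname(url):
    m = re.match(r"^[a-z]+://([^/:]+)", url)
    return m.group(1).lower() if m else None


def detect_cloaking(fetch, own_hosts):
    """fetch(user_agent) -> html. Report links/text served only to the crawler."""
    browser_links, browser_text = extract(fetch(BROWSER_UA))
    crawler_links, crawler_text = extract(fetch(GOOGLEBOT_UA))
    crawler_only = crawler_links - browser_links
    external = sorted(u for u in crawler_only if hostname(u) not in own_hosts)
    browser_words = set(browser_text.split())
    extra_text = [w for w in crawler_text.split() if w not in browser_words]
    return {
        "cloaked": bool(crawler_only) or bool(extra_text),
        "crawler_only_links": sorted(crawler_only),
        "external_crawler_only_links": external,
        "crawler_only_text": extra_text,
    }


def fetch_url(url, user_agent, timeout=10):
    """Real fetch for a live site (not used by the offline demo above)."""
    from urllib.request import Request, urlopen
    req = Request(url, headers={"User-Agent": user_agent})
    with urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")


if __name__ == "__main__":
    # Offline demo against the constructed server; for a real site use
    # detect_cloaking(lambda ua: fetch_url("https://yoursite.example/", ua), {"yoursite.example"})
    print(detect_cloaking(cloaking_page, {"example.com"}))
```

Two caveats. A User-Agent-only probe catches plugins like this one, which keyed on the UA string, but a more careful cloaker checks the client IP (reverse-DNS to a Google range) and will look clean from your own machine; in that case compare your page against what Search Console's fetch tool or Google's cached copy shows. And any external link served only to a crawler is worth treating as an incident even if it looks harmless, because search engines penalize the cloaking itself, not just the destination.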

This was not a vulnerability

This is not a security hole in a plugin that requires the usual ‘responsible disclosure’ to the plugin author. This was a plugin that had malware pre-installed by the author’s account and was active on over 70,000 websites.

It was urgent that we notify the community and our customers about this so that they could immediately react and limit the damage.

The fact that the terms of service in the plugin actually ask for permission to engage in cloaking (see below for screenshot) indicated to us that this was done with the plugin author’s blessing, rather than being a case where a plugin author’s account was hacked. The exact wording from the ToS was:

“By clicking the button here below, you agree to the terms and conditions and give permission to place text links on your website when search engine crawlers access it.”

We were under absolutely no obligation to look after the plugin author’s interests when we discovered this because it wasn’t a security hole that was accidentally written by the author. Someone had intentionally placed spam on a large chunk of the WordPress community’s websites and was profiting from it. The terms of service indicated it was intentional.

We needed to react quickly and that’s what we did.

How we handled this incident

On Tuesday this week Wordfence immediately notified our large security mailing list about the problem by posting on our blog and sending out an email linking to the post.

We also notified the plugins@wordpress.org email address about the issue.

We made no attempt to notify the author. Presumably he already knew he was doing bad things based on his terms of service.

What happened once we sent out the notification

We were criticized for our approach by the WordPress.org plugin repository maintainers. We were told we should have contacted the developer first. Then if they don’t reply or we can’t find out how to contact them, we should contact plugins@wordpress.org second. And only then should we post, preferably after something has been fixed.

I strongly disagree with this approach and stand by our actions because this was a plugin that had malware intentionally pre-installed by the author. Why notify the author that they’ve been discovered?

It seems more helpful to put the community in the driver’s seat. Let them take immediate action to limit damage that has already been intentionally done to their websites and their Google reputation. And then worry about the plugin author’s interests.

And so that’s exactly what we did. We sent out an immediate notification to the community and included plugins@wordpress.org in that notification.

What has the plugin author done?

The plugin author now says that he has removed the malicious code as per his changelog. We have not independently verified this.

The author has posted a blog post which you can find here:

https://thefoxe.com/blog/404-to-301-plugin-detected-by-wordfence-here-is-what-actually-happened/

We are intentionally not linking to the post to avoid promoting his website.

The post starts by saying “There are people, making money from other’s mistakes, instead of correcting them.”

We’d like to point out the author was making money by surreptitiously injecting spam links into website content and, as a side effect, destroying those websites’ search engine rankings. How are we obligated to correct his greed and lack of morals?

He was “shocked” that he received negative reviews of his plugin. We’d like to point out that there may be justification for those reviews.

The author says “I found that the links and ads are being shown at the top of the page content instead of showing small credit text at very bottom, for crawlers.” This suggests he knew he was cloaking, was doing it intentionally and thinks the problem is that the ads appeared to regular browsers too (in addition to search engines). We’d like to suggest he read up on what cloaking is and why it’s bad.

He blames another developer who isn’t named, conflates security vulnerability with intentional malware, paints himself as the victim, accuses us of censoring his comments on our blog (we didn’t) and claims we profited by demonizing him.

Final thoughts

I created Wordfence because my own personal site was hacked by the Timthumb vulnerability back in 2012. I discovered the vulnerability which was a zero day, I wrote code that patched timthumb and then went on to lock myself in a room and code for 8 months straight to create Wordfence to help prevent this from happening to anyone else ever again.

Today, Wordfence is a team of more than 20 highly trained and qualified individuals that come from a wide range of sectors in the security profession and community. We provide a world-class firewall that is free for the community and open source. We invest heavily in providing additional free resources to help the community like our free WordPress security Learning Center and like the prolific free support we provide on the wordpress.org forums.

I know what it feels like to have someone intentionally install their own malicious code on your site and profit from that code. It hurts your livelihood and reputation and it was such an awful experience I’ve dedicated my career for the last 5 years to making sure that does not happen to anyone else.

That is what happened in this case.

In this case we were under no obligation to protect the plugin author’s interests. We notified the community first and we did it loudly. My team and I stand by our actions and we will do it again if we discover anyone else intentionally installing malware on community or customer websites.

We will always put our customers and the community first.

I welcome your comments but I’d like to ask you for a favor: Please avoid any witch-hunting or personal attacks on any individuals involved in this, including the plugin author and anyone else associated with the plugin or this incident.

Yours Sincerely,

Mark Maunder – Wordfence founder/CEO.

References:

The link to a UK based adult escort service that was being injected under certain conditions:

Censored screen capture of the home page of cityofescorts, an adult site injected into content by this plugin:

The payday loans content that was being injected under certain conditions. This affected our customer in the initial report and is how we discovered the issue:


The text “sdf98jhk” that was being injected under certain conditions and that allows you to find affected sites using a google search.


The section (once you scroll down) in the terms of service of the plugin that describe that the plugin will be cloaking content on your site.


Google results for the adult website that was being injected by this plugin. It looks like a schools website is now serving adult content to google and we haven’t been able to confirm if this plugin is the culprit or it’s other malicious code.


Comments

284 Comments
  • Thanks for the quality post. I will be placing this plugin on my watchlist and will be advising my clients about these events.

  • Keep up the good work WordPress Security team. You did what was needed and exposed someone whose practices were less than forthright.

  • I appreciate the course of action you took and feel you did the right thing. Thanks for providing this service.

  • I'm not the best tech wiz in the world but will say this - everything you do to keep our websites safe and operational is appreciated.

    Those who may take you to task for acting first are part of the same group of people who would wonder where you were if you hadn't.

    Thanks to your team.

  • Well done. We're fairly new to Wordfence, but already it has improved the quality and security of the sites we develop and manage for our clients.
    In a sense, this is a case of a hacker "cloaking" himself as a plugin developer. Your actions are thoroughly and fully justified — and appreciated, at least by us.

  • Thank you Mark. Your plugin has my back, and I have yours.

  • Mark, you did great work with exposing this plug-in and I'm glad that you are standing up to any abuse you are taking due to it. Thanks for all that you do.

  • Thank you for your tireless efforts.

  • Thank you for taking quick action! You are under no obligation to protect a questionable plugin when the evidence leans towards malicious intent on the author's behalf.

  • My site was negatively affected by this plugin—THANK YOU for bringing this to light in the way you did. I fully support this method and must say that I LOVE WORDFENCE. Let this be a lesson to any other developers who would try similar devious things!

  • Thank you for doing what you do! I appreciate that you put your customers first.

  • You guys were in the right. It was much more important to alert everyone to this enormous issue, than to help the plugin developer and Wordpress maintainers save face. Good work.

  • Wow is all I can say! Thank you word fence!!!

  • Excellent! Thank you very much for having good morals and sticking with good business principles.

  • Mark, as always, thanks for keeping us lot safe!

    Appreciate all the hard work you guys do for us.
    Regards,
    Rich.

  • Thank you for notifying us of the potential dangers! Our site was not one of the ones that had installed the aforementioned plug-ins. If you hadn't brought it to our attention, who knows what would have happened.

  • Also note that the changelog for when he removed the malware says:

    Serious issue fixed - Usage tracking script was being detected as spam.
    Removed tracking completely.

    If you never used the plugin or heard about it, you would think it's an innocent bug fix.

  • You did what was the right thing to do and all I would do is to offer you my sincere gratitude.

    Thank you!

  • You guys are great! Forget about the criticism.

  • I really can't see how you'd take any criticism for this. This is a huge find and it's great that you've shared this information with everyone. I'm sure many designers are in such a hurry to make their sites work that they could easily overlook what this plugin was doing, and I am positive that there are many other novice designers who could have easily overlooked this as well. I never used that plugin myself, but I've used similar plugins in the past.

    I want to thank you for making this information available for free, and I regularly check your blog posts as a precaution. I use the free version of Wordfence on a number of sites, and the free version alone has saved me quite a few times. Keep up the amazing work-

  • Thank you for the manner in which you handled this situation. I feel that you handled it appropriately and should be commended for it. I rely on your advice each week and support your product because of the top notch integrity by which you work.

  • You did the right thing. As a WordPress publisher who works his rear off defending against broken plugins, bot probes and just about any other time stealer you can think of, we need more proactive take downs of lamers posing as plugin authors. In fact, more plugins should charge money so they can put in the time to give us top quality. I'd rather pay for a plugin that's good than spend hours dealing with a "fug-in" like this.

  • You absolutely should have reported this. Many end-users would have never known, and they could be trying to rid themselves of that sort of stuff on Google for months. Keep up the good work!

  • Well stated, Mark.

    Wordfence's actions were entirely justified.

  • Hi
    Well I don't see what you did wrong - I would advise the maintainers of the Plugin Repository to do their job and keep the repository safe rather than allow a plugin that admits straight up it will inject spam links into your page.

    And the author isn't upset about anything apart from being found out. As was pointed out, the fact it is included in the agreement means he knew about it. The fact it was at the bottom of a lengthy agreement and was turned on by default means he knew it was a scummy, unscrupulous thing to do.

  • This is 100% the plugin author's fault, which he attempts to diminish by easing the blame in the direction of his invisible partner and how WordFence handled the situation.

    WordFence contacting WordPress.org was the responsible thing to do. It is the responsibility of WordPress.org to contact the plugin author.

  • Thank you for putting the community and your customers first. It is for this type of protection that I purchased your product for two websites.

    Whether this was a purposeful activity or not, the actions you took are what the users need and want.

    Thank you again.

  • That's why I love you guys! Wordfence is mandatory on any website I do or work on. Keep up the good work. Your loyalty is to us your users not some plugin developer who seems shady based on your evidence.

  • I've never used that particular plugin, but I'm happy you're looking out for the little guy and think you're doing a great job. Thanks!

  • For what it's worth, I think you guys handled the situation perfectly and professionally. It's laughable that the plugin author is trying to play the victim because his scam was revealed. Keep up the good work batman

  • This blog explains why I am a Wordfence evangelist. I trust your company to stay on top of security issues and operate with integrity and professionalism.

    Your first responsibility was and is to your customers, not to a plugin author. This issue didn't affect me, but I want to say thanks for doing the right thing with speed and grace.

  • You did exactly the right thing in the right way and I applaud you. Not only do you publish a great product, but you also act in the best interests of the WordPress community.

    Kudos!

  • I think you do a great job but obviously it's not out of the kindness of your heart.

    Problem is WP and its plugins and the lack of quality control and authoritative supervision.

    But hey it's free and away they go.

    Prevention is better than cure or an on-call doctor.

    I still think you're the best thing for WP users since sliced bread because to be honest there would be a lot more hacks as probably 65% of WP users do not have a clue about even basic site security.

    Trust me, I host hundreds of them and always point out that your plugin is a basic must.

    Thanks.

  • As a former compliance officer in the financial industry I applaud your efforts to inform and protect your user community. There are a lot of unscrupulous plugin providers who seek to harm the sites of unsuspecting WordPress admins.

    Since discovering Wordfence I use it on all of our websites. While I have yet to pay a subscription myself, I highly recommend all of my clients pay for Wordfence subscriptions to help safeguard their sites.

    I believe the maintainers of the WordPress plugin repository are using faulty logic. Their number one goal should be the same as Wordfence's; to protect their community of users of the WordPress platform. To protect malicious plugin creators over the security and reputations of WordPress webmasters is reprehensible.

    Thank you for all your efforts to help protect all WordPress websites with your plugin. It has become a required plugin for all our websites.

    Thank you,

    David Hubbard

  • I think you handled the situation properly, and thank you for your diligence!!

  • I for one am very thankful for the eagle eye and excellent work that the entire WordFence team is doing. I support your decision. Having gone through several issues of my sites being hacked in the past, and having no apparent help from WordPress (which is very odd to my way of thinking), I was very pleased to come across WordFence. It's important to note that I have had no issues since installing it. I support the decision to out this spammer. Thank you for protecting us!

  • Hi Mark, I think every Wordfence customer would back you up on your approach to this. Personally, I am very grateful that you pointed out the cloaking.

    I did not read the minutiae of the terms and conditions and assumed that Wordpress.org does its own vetting before promoting plugins. Obviously this is not the case and there is a lesson to be learnt there.

    Chris

  • We live in a strange era, where people are more concerned with the rights of the perpetrators than those of the victims

    • No kidding. Also, it looks like Wordpress.org is shielding this plugin from most of the negative ratings that were given after this issue was discovered, what is up with that Wordpress.org?!?! That's pretty blatant censorship! My 1 star review was removed, probably along with many many others.

  • Thanks for all you do!

  • Nice update. I agree wholeheartedly. Bit of a reminder for those of us (especially myself) who boldly click that accept button without really scrutinising the small print.

    The author may have removed it but I don't like his approach. Uninstalled on all my sites.

  • The developer also says he shared his repository credentials with the other author: " Instead we used same account (my account) to commit both his code and mine." So even if he isn't making up the unnamed author, he has painfully shown that he doesn't understand basic security principles. All things considered, you absolutely did the right thing by notifying the public.

  • Absolutely Fascinating. You've earned yourself a customer for life. Excellent way to handle the situation.

  • Keep in mind that for every person who raises a fuss over the way you handled this issue, there are dozens of us who don't bother getting involved in those discussions but appreciate the way in which you handled it. Hopefully the plugin author will be banned from the WordPress plugin repository for his actions.

  • Keep up the great work, Wordfence!

  • As a website owner and manager for a large number of sites, I welcome your notification of the problem. I want you to be honest and help me protect my site and those of my customers.

  • Thanks for all you do! I have Wordfence on every site I manage, some paid versions, some free, depending upon the client. It's an incredible service you provide and I appreciate it. I think you handled the situation above in the right manner.

  • From what I understood from the blog, he did not know there was ads. You have taken his words out of context. Here is the full context of the quote you took from him.

    "Yesterday, someone noticed that this plugin is injecting third party ads and links to the front end when search engine crawlers were visiting their website. These links were detected by spam filters. So 404 to 301 became fraud; so am I, the developer. I found that the links and ads are being shown at the top of the page content instead of showing small credit text at very bottom, for crawlers. So, he made changes in his server to send ads & links as response. Yes, I clearly understand that this is cheating and someone who does this should be called as spammer. But in this case, I was honestly not aware of this. I take the blame for that. Changes were not a result of the plugin code, but from his server."

    When he said "the ads" he meant the ones that people found and told him about. He clearly stated "I was honestly not aware of this. " Do not attempt to defraud him even more. This seems like you are just covering yourselves.

    • Did you fail to read that he wrote it into his own terms of service for his plugin? That's part of the plugin itself, not some accident sitting on a 3rd party server. He knew ahead of time it was happening.

    • I have a simple rebuttal to this comment of supposed defamation of a questionable developer and his ethics. Why, if you did not know there were ads stored in code to be injected, would you state such in a Terms of Service agreement? “By clicking the button here below, you agree to the terms and conditions and give permission to place text links on your website when search engine crawlers access it.”

      Please do not defend a coder when they knowingly added code that was malicious or in least unethically provided. Though sadly, many do not read fully the Terms of User/Service due to nature that they read like a VCR manual and typically are normal errata use by coders and the open source community repetitiously.

      Simply put, my thoughts lie in the realm that 1) Wordpress.org repository took the big business mentality approach to this and 2) the coder should never have been allowed into the repository and should be blacklisted and expunged with plugin from Wordpress.org repository. I doubt that will happen. But one can wish.

  • Thank you for sticking to "what's right". Thank you for speaking out. Thank you for helping protect the WordPress user community.

  • Yea - I completely stand behind what you guys did. Spam and malicious code is already bad enough without plugin authors adding to the mess.

    Regardless of whether this guy was a 'victim' or not, the fact remains that _he_ published a plugin with malicious code, _he_ authorized its public availability and _he_ approved the TOS that was included in the plugin. Even if he was working with another developer who somehow managed to get this code in there, and write the TOS, the person publishing the plugin is responsible for what it does, and if he doesn't read the TOS, or doesn't understand what it means (the TOS clearly states that it's going to do this), then he may not be in the right line of work.

    It's a lousy situation, for sure, for all involved, but perhaps this will be a valuable lesson - read the blasted TOS. Perhaps even I'll start =D

    Again - I appreciate your alert on this, and I hope that you'll continue to announce any and all instances where something similar may happen.

  • Good on you, Mark.

  • I so appreciate what you did that words can't cover it all. I think .org is wrong. If someone is doing something this clearly they don't get a 2nd chance to "fix" it and then come back with something else.
    WTG~

  • The author of the plugin has no right to complain. Thank you for catching this guy and his sneaky, malicious link-injection.

  • Well done sir. We all appreciate you having our back.

  • Thanks for the explanation Mark (although it's a messed up world where you have to actually explain doing the right thing).

    .org needs to know when to back off and let things happen. This was clearly one of those cases.

    The owner of this plugin clearly knew what he was doing, clearly chose to trick people into signing off on it and is (hopefully) now done in the WP community. There should be NO second chances for something as blatant as this.

    The fact that it's an escort service being spammed just puts this on a whole new level of malice. If any large company was using that plugin I would expect them to sue him into the stone age (although I can't imagine that's the case - it's a rather trivial plugin after all).

    I, for one, believe you did EXACTLY the right thing in this case and I would expect that you do exactly the same thing in the future where there is obvious intent.

    The plugin team needs to mind their own business when it comes to something like this. The ONLY thing they should have done was nuke the plugin (and ALL of this author's other plugins) from .org IMMEDIATELY! Maybe they should be working on a way to auto-detect stuff like this in plugins uploaded to .org instead? (although I have no idea if that is even remotely possible now or ever).

    Thanks for keeping guard Mark. You and your team are very much appreciated.

  • Thank you Wordfence for exposing the scoundrel developer who was injecting unwanted code to make money. I am glad you are loud and proud. My site has been hacked numerous times previously: one jihadist who put up torture and mess on my URL. Another scumbag was trying to cloak a gambling site on my URL, and I got penalised by Google because of it! I earn 100% of my money through my site. I pay bills, look after my wife and kids and family through sacrificing to be organically listed on page 1 of Google. When I was penalised it was like an instant sacking for no reason. These people don't care who they hurt or crush to make a quick buck. I hope the plug-in and the developer get blacklisted! Thank you again Wordfence! When my site was hit by Google you guys looked at the back end of the site, and gave me invaluable advice on what to do to fix it, completely free. Thanks for exposing these moral-less idiots who ruin people's businesses and sites at whatever cost! We support you Wordfence, keep up the good work.

  • I totally agree with the way Wordfence did it.
    Shame on the plugin developer. He is a total malefactor.

  • It is because of your forthright and ethical actions that I am an advocate for all websites that use Wordpress to actively install the PREMIUM version of Wordfence. Kudos for your actions! Keep up the good work. I don't really care about a plugin developer's feelings as an afterthought when they do something that wreaks havoc on my site due to their incompetence.

  • Thank you for the post regarding the 404 to 301 plugin. I use WordFence on every website I host (some paid, some free) and sleep so much better at night knowing you guys are doing the job you do. I completely agree with how you handled this situation and frankly a bit disappointed with WordPress.org plugin repository maintainers response. Keep on exposing the trash in our industry...please!

  • I back your approach 100%, thank for you letting us know.

  • Mark - I personally would like to applaud you and the entire Wordfence team for handling this the way you did. I'm a Wordfence paid subscriber and it's actions like this that make me proud to support you and your mission.

    Whistle-blowers always face criticism. It's rarely justified and it wasn't justified in this case. You should sleep well at night knowing you did the right thing for your clients and the Wordpress community at large.

  • Thanks for your work and well done! I prefer your active approach and in such a case political correctness has no leg to stand on. In fact, I'd prefer it if you guys shoot first and ask questions later ...

  • Just want to say that I stand by the Wordfence team on this. I had a corporate site have a similar issue a year or so back as a result of a disgruntled webmaster who placed malicious code in the theme that did this very thing. It caused our rankings to drop, several SERP pages removed, and it was only discovered when google labelled our site as hacked and un-safe to visit. Proper code auditing and testing could have caught this intentional code injection if it were a so called accident. Last, it may teach us all to take agreeing to permissions and TOS a bit more seriously even though proper reading, understanding, and agreeing usually needs a lawyer to translate TOS agreements.

  • Your decision here was not only correct it was the only decision an organization in your line of service could make and still maintain your integrity. I have often and will continue to recommend Word Fence to other website owners and administrators.

  • I glanced over these comments and they are 100% in agreement with what you did, as I am.

    I understand this isn't a "security" disclosure, but to the extent it's related, responsible security disclosures are designed to protect the community and they assume the innocence of the plugin author. This author was not innocent, in the least, and he knew it.

    Thank you!

  • As the owner and maintainer of a number of sites, both for myself and clients, I appreciate the information and am in complete support of your actions.

  • Thank you so much for the hard work, Wordfence is a fantastic plugin. I fully support your view.

  • Thank you, thank you, thank you!

    As a developer with many clients on WordPress sites, I wholeheartedly agree with everything about the way you handled this issue.

    Malware in a plugin could adversely affect my clients, and by extension, my own reputation. I'm recommending to every client that they sign up for your premium version, and installing at least the free one on all of the sites I support.

  • Personally I think that any plugin/theme author that misleads/misdirects their customers as to what their product does deserves to be called out for it, even more so if it hides activity that is considered malicious by the community (and this activity is 100% considered malicious by the web design community).

    As a builder of websites and webmaster of over 30 WordPress sites I truly appreciate having Wordfence protecting my sites and having the staff go to bat for us "little guys" in situations like this. Just by virtue of following your blog over the last couple of years I have greatly increased my understanding of web security and the types of issue WordPress websites face in the "wild."

    Thanks for all of the hard work and a great plugin, keep it up!

  • Personally, I think you made a great choice. When something like this happens, it is important to prioritize the ones who are affected the most. In this case, the plugin did enough harm to the websites' reputation, so there was no need to give it even more time.

    By the way, you have a really great service, and I appreciate you do this much for the community. Thank you!

  • Hi Mark,

    I think you handled this matter very well and I'm disappointed that the WordPress repository didn't see it that way as well.

    BWs
    James

  • You rock! Thanks for putting us first.

  • Wordfence and Mark Maunder's team are the good guys; the WordPress repository people are fools. Keep up the great work, Mark!

  • There's a reason responsible disclosure is a thing. You didn't follow it, and then got flak for not following it. The political reasons for doing so are understandable, but alerting to an actual security vulnerability in this fashion creates known 0-day bugs, which will be exploited across the internet, and which *will* cause more sites to be exploited.

    It may be better to follow responsible disclosure standards in all eventualities, especially when the issue you've discovered could still be the result of a plugin author losing the credentials to their account. This is not because your actions in this instance were indefensible, but because your actions in this instance follow a pattern which would, at very best, be at extreme risk of causing further nasty ramifications for a real security vulnerability.

    Finally, to act as a devil's advocate, it is not without precedent that bad actors would create public cloaking elements, such as a terms and conditions acceptance page, to mask or defer blame onto another. Indeed, this may be the point; as a smear campaign, it would work quite well.

    tl;dr: You were given grief because your actions follow a dangerous pattern, even if they weren't dangerous this time.

    • This wasn't a vulnerability. Please read the post above.

      • I did read it. I obviously didn't explain my reasoning well enough.

        You did not get flak in this instance because you exposed a plugin up to no good. You did it because you did it in a way that, were it to be a real security vulnerability, would be extremely dangerous to everyone. For those who don't know who you are, or what you've done in the past, exposing a plugin without first quietly trying to get it fixed, even if in this case it is totally without threat, indicates that you might expose a plugin in this fashion when it will cause damage.

        I'm not saying the flak you've taken due to this was correct. I am also saying it was not badly intentioned, or indefensible.

        I'm saying that you did something that raises very large red danger flags, that you might do something the wrong way when it actually does matter, because you did it this way in a situation where it doesn't. Now I know, and trust that you'll make the right calls in this fashion. But lashing out angrily at everyone who tries to say "This is not the right way to do it" is at best, ugly. There's a reason "responsible disclosure" is a thing.

        • You did not get flak in this instance because you exposed a plugin up to no good. You did it because you did it in a way, that were it to be a real security vulnerability, would be extremely dangerous to everyone.

          You've created a fantasy situation (a straw man) imagining what could have happened if this were a vulnerability and how much trouble we'd be in if it was. It wasn't. Let's stick with reality here.

          We practice responsible disclosure and we hold ourselves to the same high standards as we do everyone else. We even occasionally disclose on ourselves: https://www.wordfence.com/blog/2016/05/xss-vulnerability-wordfence-6-1-1-6-1-6-severity-6-1medium/

        • "For those who don't know who you are, or what you've done in the past, "

          Ummm....have you been living under a rock dude?

          WF is responsible for a TON of responsible disclosure in the past and would expect that to continue for a very long time.

          It was disclosed to Wordfence's CUSTOMERS through a blog post and an email. Why would you assume we don't know who he is?

      • I don't know. Maybe I shouldn't have said anything at all. I guess I was just responding to the unending wave of praise I see here, trying to act as a devil's advocate. I'm grateful for your amazing work; the internet is a safer place because of it.

        • That would have been a smarter move. :)

    • Are you serious?

      It was MALICIOUS INTENT - NOT a "vulnerability".

      Please tell me you have nothing to do with WP in any official capacity....

    • Mark literally says "This was not a vulnerability" in bold letters in the post.

    • What are you yapping about? Did you even read the post? This is not a case of unintentional security vulnerability. It is intentional cloaking. I fully support Mark and Wordfence's handling of this matter, they have done a great job!

    • ...speechless!

  • There are no words to explain how grateful we are as a community for the tireless and often thankless work you do. It is entirely down to your plugin and your countless hours of dedication that my sites are so safe, and I feel your approach to highlighting this issue was entirely appropriate, given the clear evidence which suggests the concerns raised were intentional and not accidental.
    I am surprised at the Wordpress repository's response given the evidence presented. If anything, your due diligence and the fact you clearly put your customers and users first above all else demonstrates to me that you are a morally and ethically guided organisation committed to doing right by your customers. I feel you have personally put me first as one of thousands of users over and above all else in this matter, and it is for this reason alone I will be upgrading to premium.

    Thank you guys. Words aren't enough. And to those criticising you for your approach; learn from the wordfence guys and do the same in future!

    Thanks again.

  • I also think you did exactly the right thing. If Wordpress are complaining, they are the ones who need to reassess their quality and standards. I always believed that using them would offer a certain level of protection, but if they're allowing blatant abuses like this to get through then I can no longer trust that the products they offer are secure. They should be acting in the best interests of their users, allowing this plugin to go through their systems should be considered a failure on their part.
    Well done for acting on this, and thank you for all you do to keep our sites safe. Now I'm going to go and double check every plugin and theme I have to make sure Wordpress hasn't served me any other nasty little surprises.

  • I personally feel that more should be done by WordPress.org plugin repository maintainers to make sure that the plugins that are available on their repository are doing what they are supposed to do! I have had so many bad experiences with bad wordpress plugins that I started to look at other systems to build sites on.

    I don't think you need to defend your decision on how this was handled. More brands need to adopt this name and shame to protect attitude you have shown.

    Well done Mark and the Wordfence Team!
    Really appreciate your stance to online security!
    Keep it up!

  • Your response to this situation is EXACTLY why I trust and use Wordfence and will continue to recommend Wordfence and Wordfence Pro to all of my clients. The fact that anyone in the WordPress community would attack your behavior or defend the behavior of someone intentionally injecting malicious code into people's websites is beyond me. Thank you, thank you, thank you for notifying all of us and for handling the situation so quickly and professionally. Your hard work and diligence are appreciated to no end!

  • I think what you guys do and have done has been 100% correct and for the greater good of the WordPress community. Too many WP plugin developers write plugins half-baked and without any further updates, leaving basic WP users open to downloading useless plugins.

    GOOD CATCH Wordfence and that's why ALL my clients use Wordfence by default.

    Brilliant work.

  • Mark,
    You and your team's integrity and ethics are of the highest standards. Gratitude is the opposite of fear, and the universe should graciously bestow it onto you all for your actions: actions with this case and at all times that I have had the honor of being a part of your Wordfence community. Ultimately it's not the what, it's the who. Thank you all at Wordfence, from deep down, for being a living example of the best who I know and cherish.

    Jenny K

  • It seems that the WordPress.org Plugin team wants to wish away this incident as though it didn't much matter, as Lead Plugin Wrangler Ipstenu (Mika Epstein) quickly closed off comments saying:

    "Okay, everyone stop it.

    The developer is aware, the plugin team is aware, and apparently everyone is aware. So the people who need to know are discussing the situation like adults. Stop attacking. People make mistakes.

    I'm closing this post and will be deleting ones for people who have not actually used the plugin."

    (https://wordpress.org/support/topic/code-insertion-1?replies=8#post-8763060)

    I have to agree with Mark Maunder that the user community comes first rather than only "the people who need to know," as Epstein says. Also, the About WordPress page itself states:

    "We hope by focusing on user experience and web standards we can create a tool different from anything else out there."

    Clearly, the damage done by the 401 to 301 plugin malware went against both UX and standards. The WordPress Plugin team needs to learn from this, should be fully willing to shun substandard and nefarious plugins, and they should keep the discussions open and transparent for the community, rather than gathering their wagons around a rogue developer. And, if Mr. James is not the rogue one as he claims, why doesn't he reveal the actual source of this malware?

    Community First. Reputations are your own karma.

  • My site was hugely hacked on the 15th of august, BEFORE having Wordfence installed.
    I had to erase the entire site and rebuild it, to restart on healthy basis.
    Then I installed the free version of Wordfence, which is incredibly efficient. Thank you so much for your work!

  • Wordfence is awesome and you guys are awesome. I hope you make good money because you provide a valuable service to the whole Internet. You also deserve good karma for indeed putting your customers and users first. I use Wordfence on all my sites and I recommend it to everybody. This just gives me more confidence in you -- that you're looking out for me and for all webmasters and web users everywhere. Blessings upon you all!

  • Congratulations for standing by your guns. The very reason I subscribe to Wordfence is to protect my sites from exactly this kind of behaviour after suffering from an injection attack 2 years ago which resulted in hard won Google rankings being destroyed.

    To think that Wordpress may have any reason to defend such malicious code, whether or not there was a setting to disable it, is scary indeed.

  • Yet another example of why I use and trust Wordfence! THANK YOU!

  • Thank you, Mark and Wordfence!! You did exactly what you should have done. You are completely professional and provide a valuable service. I had a similar type of infection a few years ago from the official Wordpress plugin site, that took me a week or so to figure out as it was cloaked and only appeared sporadically. These bad developers know exactly what they are doing, and if you notify them prior to your clients, it is like the police notifying a criminal that they are coming to visit. Of course, the criminal will clean up their act.

  • You absolutely did the right thing. Screw the plugin author and Wordpress repository. I've lost 600 page sites to hackers and crap like this. Years of work gone.

    I have no sympathy for ANYONE who attempts to ride on my efforts to line his pocket.

    Yesterday I had to take my wife's personal email site down because of the LinkedIn hack. The site was taking several MB daily for a few text emails. It was easier to start over than track it down. In the last few months I've had to repair several other sites where the hackers got in because of the LinkedIn fiasco. They got into our email systems. 60,000 spam emails out of one site alone.

    On a positive note I have noticed a real reduction in malicious download, fake login attempts and bad bots since installing the wordfence plugin a couple of months back.

    Thank you for your efforts.

  • Thank you very much. I want to boldly tell you not to fear anybody; just make sure you continue to report any security threat to us and the wordpress.org community. Plugin authors should be no. 2. Thank you for putting us first.

  • Thank you, Mark, for you and your team's efforts. I agree with your position on putting your customers and the community first. I am a satisfied and proud premium member.

  • I believe you did what was right, and it was professionally handled in your original post. Too many people fail to scroll and read the entire T&C, if any. That is no excuse for someone to take advantage of that.
    Thanks for your dedicated work.

  • Bravo Mark... I'm with you 110%. WordPress.org plugin repository maintainers and the plugin's author's reaction was appalling! WordPress.org plugin repository maintainers should be kissing your feet for bringing this to their attention right away.

    You did the right thing... and we all thank you.

  • I support the action you took. Both Wordpress & plugins@wordpress should be thankful rather than critical.

  • Hi Mark, just want to leave a comment to show my support for you and Wordfence. You guys have done the WordPress community a great service!

    I completely agree with your assessment and actions towards this situation. I do NOT find the plugin author's explanation credible at all, the telltale sign is the paragraph about the cloaking tactic in his TOS. This was not an oversight, it was an intentional trick he was playing.

    I also find the WordPress Plugin Directory Maintainer's response ridiculous and perplexing. They have let in this really bad plugin and they should be thanking for discovering it and made their job much easier!

    Any way, please keep up the good work, we thank you and fully support you!

  • Responses like this are why I upgraded from the free version. Thank you for all you do.

  • And what would have happened, I wonder, if WF did not report this issue? I find it hard to believe that Mr. James had no idea his plugin was doing this. That is beyond naive that's stupidity. Hackers and spammers might be nice people, but they are still hackers and spammers. Nice people with squishy business ethics.

  • Thank you, Mark. You were 100% correct to do what you did – kudos. I just hope the Wordpress plugin maintainers are simply misunderstanding the situation.

  • A well-known antimalware and antivirus product defines "malware" as "an annoying or harmful type of software intended to secretly access a device without the user's knowledge." A vulnerability assessment or penetration test is defined as "the process of identifying and quantifying security vulnerabilities in an environment... ...providing the appropriate mitigation procedures required to either eliminate those weaknesses or reduce them to an acceptable level of risk."

    Wordfence was created to protect WordPress against exploitation by criminals and morally deficient exploitative operators against BOTH of these threats.

    Wordpress have not been lax in their self-appointed duty to inform the WordPress community about the risks and vulnerabilities of running WordPress sites. The WordPress Plugin repository admins should be grateful that WordFence are covering their backs.

    WordPress Plugin Repository admins, stop being PC "corporate lawyer" wannabes and say thank you that WordFence covered your sorry a**es.

    Carry on WordFence, you have my vote of confidence!

  • More than anything else, I've learned I can always trust Mark and his team at WordFence to protect our site.

    Thank you for everything you do.

  • Keep up the good work! I applaud your moving forward with this, and appreciate the early warnings. Wordfence ROCKS!

  • I think your actions were entirely reasonable. The author can claim innocence, but clearly he knew what he was doing, and that it was wrong.

    Well done - Wordfence is the first plugin I install on any site, and this is one reason why..

  • Sounds to me like yours was the right call. It also sounds like the plugin repository folks didn't review the issue very thoroughly before reacting to you, which is concerning. Quietly forcing the plugin author to remove the exploitive code from the plugin isn't enough. I don't like the message WordPress is sending by failing to take any kind of punitive action in a case like this. All the more reason WordPress users need to be informed when a plugin author has this kind of history. Thanks for bucking controversy to do the right thing.

  • I was hacked, incredibly badly, by spam, with close to a MILLION files on my server that led to and linked from my site to spam sites.

    After that, I found Wordfence and the world has been a better place! I look forward to staying on top of security; I've become more security minded because of Wordfence and the work you do! I'm no expert now by any means, but highly informative posts have led me down a path to learn more.

    Being hacked sucks more than I could ever put into words. Knowingly creating a plugin to cause spam like this is unacceptable, and I appreciate the way you handled it!

  • Thank you! Great job of watching out for us!

  • Thank you for putting your members first and informing us immediately of this scum of the earth.

    I'm a starter upper and run the free Wordfence at the moment, but Wordfence is my security's backbone and the information that you guys provide is priceless.

  • Bravo! Mark.....Thanks for giving the Wordpress community the support and insight into this issue and the 1000s of other threats found by hackers and stealth developers profiting from other Wordpress sites that are legitimate businesses around the world. Wordpress.org should ban individuals found to abuse, hack, steal resources and cause harm to businesses through their deceptive PLUG-INS. It's intolerable to have this kind of behavior, which really is disgusting, by the Joel James developers of the 404 to 301 plugin. This has affected the ranking of one of my major web sites for the past 6 months with Google! In effect Joel is a THIEF who stole business income from us all and profited by underhanded means. He should be banned from the Wordpress community for life!

  • You were absolutely in the right on this.

    As soon as I read your email the plugin was removed from all my sites, even though the plugin dev had already updated with the code removal. He can no longer be trusted.

    Good work Wordfence team.

  • Hi Mark,

    I learned too late that Wordpress on its own is not secure software; since then I have been swearing by Wordfence on all my sites. I recently became a paying customer when you launched the improved WAF.

    Even with Wordfence protecting me from hundreds of attacks per day, my biggest worry is always to receive a vulnerability via a plugin update; having a plugin with intentionally malicious code is just a nightmare beyond compare.

    I understand that the plugin team is reluctant to applaud you for exposing a clear weakness with the whole system. I am glad to see that you have the support of your large install base.

    Wordfence is actually pretty damn cheap. I would gladly pay you twice should you decide to launch a service where plugins are reviewed by security experts before they are updated on my site. I think the star rating system in the repository is woefully inadequate to give you any indication of the quality/security of the coding. I also am not able to review this myself (I believe only a minority of Wordpress admins are), so if you could launch such a service you have a customer!

  • You did the right thing. If you hadn't handled it this way, we website owners/designers would not have this real-world reminder of why we need to be so cautious/sparing in the use of plugins. I was surprised that the WordPress Repository failed to detect the cloaking issue. I think they should thank you for bringing it to their attention. I certainly appreciate you bringing it to our attention; thank you.

    • I agree! This is a reminder to be more careful about what plugins we allow on our websites and on our clients' websites.

  • I believe you did what was right! And I am thankful for your service. People can say they made mistakes but people can also lie. Which are we to believe?

    The people responsible for this malicious activity have lost my trust. And the people who are defending them appear to be ignorant and gullible, in my opinion.

  • I feel your response was appropriate and I appreciate the way you took action to protect site owners from something we might never have suspected from a plugin. Stand by you 100%.

  • I can understand why WordPress.org would not want news of malicious content in a plugin widely publicized. After all, there are already rumblings in the web development community that WordPress is a poor choice because it is "too easily hacked." They're just trying to protect their brand, after all.

    However, with events like summer of pwnage focusing on WordPress, and the number of WordPress sites online continuing to grow, transparency as a method of handling such growing pains is actually a much better alternative. What better way to let the community of WordPress users know they're supported than seeing that the community as a whole has a zero-tolerance policy for such behavior. Reputable plugin developers are also protected by such transparency, because they can develop quality plugins knowing that their peers are adhering to similar standards.

    Situations like this will ultimately make WordPress a stronger solution in the long run, even if it's a little uncomfortable right now. WordPress is still the best solution out there, and with good server management and attention to security, it's less hackable than other options. And what better way to pay attention to security than openly discussing what's been found.

    You've done more for the WordPress community as a whole by disclosing what you found than you would have had you kept it quiet.

  • It BLOWS MY MIND that this plugin is still on .org.

    WP should have immediately nuked it and every other plugin by this author.

    It's clear they're more interested in avoiding embarrassment than protecting users.

  • Thank you, for offering us an amazing service!

    Keep up the good work!

  • Would be disappointed if you hadn't handled this way.
    Thanks Mark.

  • Is WP suggesting that you place the author's reputation ahead of the security of how many thousands of site owners? Thank God for Wordfence!

  • BRAVO!! Excellent job notifying those of us who are working hard to maintain site security, site credibility and site reliability. We appreciate your efforts and tell you to keep it up!

  • I think the way you guys acted was exactly the way you should have. Thank you for helping make the internet a little safer.

  • As someone else said above, thanks for fighting for us small guys who work hard, every day, to make a living via the web. I use WordFence on all of our WP websites. You're invaluable!

    • I couldn't have said it much better.

      • Intent says everything. The intention of this blog was to protect other users from an addon that could damage a website (especially site ranking). On the other hand, the intention of the author of the addon was to generate funds regardless of the price it would take to the websites it was installed on. The intention of the critics of the original blog posting is baffling. Yes, they want to protect fellow developers but, come on, hidden ads to generate revenue hidden below the fold of the user agreement isn't exactly transparent or, IMHO, honorable.

  • I can't find any angle in which your handling of this situation was inappropriate. I have a three-key license with Wordfence, and would expect nothing less than an immediate notification if a plug-in was potentially damaging my sites' SEO rankings in this way.

  • You did the right thing. I stand by your actions too.

  • Thank you for your response and your prompt message to your users. This is why I use Wordfence. This guy can spin it all he wants; this stuff doesn't happen by accident, and he surely benefited financially until he was called out.

  • Thank you - I wholeheartedly agree with the way you tackled this, WordFence.

    However, when you say that the code clearly wasn't injected by a third party hacking the author's account since he declared the 'cloaking' in the terms of service, there is a small hole in your argument. It is conceivable that a hacker added both the malicious code and the small addition to the terms of service - although I would agree that is incredibly unlikely since a hacker would not particularly want to draw attention to it.

    For security researchers, it is important not to make any assumptions about human behavior, that's all!

  • Mark, I'm thrilled to have you and your team working on my behalf, for free. There is not a shred of doubt that when the time comes, as it will, I will be buying Wordfence. Furthermore I will continue with wholeheartedly recommending Wordfence. You continue to show in word and in deed the utmost regard for your customers even if it means taking some pain. Top job, thank you.

  • Thanks Mark, love what you guys do here. Sad to see this plugin still on wordpress, it seems they contacted the author and he has since "updated" his plugin on August 17th with "no trackers". I am in no interest in testing if it removed the cloaking entirely, and certainly will not trust any other projects by the developer.

    The plugin I use, for those looking for one, is the forty four plugin. I have been very happy with it. I used 404 to 301 for a short while but I believe forty four to be better all around anyways.

    Cheers, Nathaniel

  • I add my commendation to this long list of praises. I deeply appreciate all that you are doing for the WordPress community. Thank you for keeping me and my clients safer. I rely on your plugin heavily. Keep up the good work! :)

  • Let's talk a bit about "Responsible disclosure", as you say you did in this case.

    "Responsible disclosure is a computer security term describing a vulnerability disclosure model. It is like full disclosure, with the addition that all stakeholders agree to allow a period of time for the vulnerability to be patched before publishing the details. Developers of hardware and software often require time and resources to repair their mistakes. "

    ALWAYS try to contact the developer first, no matter what kind of reason. That is responsible disclosure, and that will not cause unneeded problems, loss of customers and/or loss of respect from customers/users of a given service.

    Now, I've been using your plugin for a while now, but stopped using it because of all of this. I do NOT agree with the way you did the disclosure of this.

    I hope you learn from all of this and handle the information better next time.

    t3h Jok3r

    • This was intentionally embedded malware as I mentioned in the post. Not a vulnerability. So suggesting we 'responsibly disclose' this is like saying that Norton Anti-Virus should contact a virus author before telling the user they're infected.

    • Three things. First, thanks to Wordfence for the hard work they do in identifying and solving these issues.

      Second, to the people who claim that this was done incorrectly (in particular the gentleperson who claims they will not use this product because of how it was handled) : I don't give a hill of beans about the developer who, by his own admission is either criminally stupid or lying. This was the deliberate addition of malware. If he had been contacted first, what makes you think he would have just not done this in some other, harder to detect fashion?

      Third, the entire idea of responsible disclosure pisses me off when it comes to issues raised by the authors themselves. Responsible disclosure presages two things. One, that the authors were NOT aware of the issue, and two, that the authors will react promptly to ensure it doesn't recur. The developer put this crap in here intentionally and was already aware, and I doubt if notified he would have stopped his antics.

      Anyone who decides they want to stop using Wordfence over this should expect no further business from me or anyone else who appreciates not being made a fool. In particular, the person calling themselves t3h Jok3r is most likely the developer themselves, given the completely unhinged rationale in that post.

    • You intentionally stopped using one of the top security services available for WordPress because you misunderstand the difference between intentionally putting malware into a product and inadvertently releasing code that could be exploited? Just to teach the developer a lesson about...something? If I even believed this comment was legitimate I would worry that your poor clients are relying on a developer who makes really bad decisions.

    • I think it's absurd that you would stop using Wordfence because of this disclosure. Wordfence is trying to HELP YOU, not hurt you! The people who are causing harm are the ones who are responsible for putting bad links on our websites—against Google's terms of service.

      And what proof do you have other than the plugin author's own word that it was an honest mistake? You do realize people can tell lies, right? You do realize that most criminals plead not guilty at first, right? Maybe it was a mistake. I can't say for sure. But it seems highly unlikely that it was as mistake, in my opinion!

      As for me, I will continue to use Wordfence. And it's obvious that many others will do the same. Thank you Wordfence!

    • Obviously flamebait people. Nobody is this idiotic in real life......ummmmmmmm........yeah.

  • RE:
    "The plugin inserted links to websites into page content that would only show up when Google or another search engine crawled the site."

    This is why I installed the plugin -- because Wordfence was detecting the Google Crawler going to links that did not exist on my installation. Since this plugin had so many installs and good reviews -- I thought it would solve the problem. Without information from WordFence - I would still be duped and that does not a happy designer or dev make.

    What the plugin author did was not only harmful to the WordPress community, it harms WordPress as an open source product, too. His plugins, and anyone else who creates plugins or themes that render underhanded results under the guise of "community contributor", should be banned from the WordPress repository imo.

    Thanks so much for all you do to help the WordPress community. I have only the utmost respect for your contributions, educational posts, and the position you uphold here.

    Have a really good weekend and thanks for having our backs. ciao!

  • This was the correct response. The plugin repository maintainers are misguided in this instance. Thanks.

  • I agree 100% with how you handled this, Mark. There are no good excuses to The Foxe's actions or lack thereof. Keep up the good work!

  • 100% agree with everything you did.

  • You did the right thing! Thanks

  • Great work. Thanks so much!!!

  • Hi Mark,

    Thank you for your explanation. I know people are going to attack me here if I add a comment. But still I have to. After reading your explanation, I would like to support your act too. Yes, seriously (I know it's a self goal).

    I know, in this situation normally people will think, the way you thought. Yes, it is important to alert the community about the risk. I know how hard it is to think from the other side. Showing advertisements without users knowledge is always bad. But, adding adult content is a BIG unacceptable act. So what just happened with my plugin was completely wrong, and I accept that. As I have mentioned before, I am not denying this issue.

    I knew this plugin was showing credit text, but never knew it was showing these spam ads or adult content. I didn't know showing credit text was cloaking (seriously). I misunderstood the guidelines and thought showing credit text/links was not illegal (but I knew it was not recommended). That was the reason why I thought the ToS were right. Like I mentioned in my article, this spam content was not inserted directly from the code; it came from his server. So I never noticed that this big spam was coming out later.

    If your screenshots about the adult content are right, I understand how serious this was. But still, I did what I could, by removing the entire tracking feature and cancelling the partnership. I will make sure that this won't happen again.

    I know most of you are not going to believe my words. But this is the real truth. I request you to believe me, that I never knew about this spam.

    Thanks for taking time to explain this. And sorry for the troubles you had. I have added an update to my article, stating this same thing. Wish you all the best.

    (Sorry for the bad English).

    • Joel, if you knew adding a cloaked credit link isn't recommended, then why did you do it? Don't you think that you should always do what is best for the user? This is a trust issue. It appears you have selfishly put your own interests first. Who knows how many websites have been damaged as a result!

    • I'd only like to point out that the section of your article in which you voice your frustration that Wordfence has gained customers while you have lost customers is still up, even after your update. This is exactly what should happen. Wordfence did their job, alerting their users about malware trojaned into an otherwise benign plug-in. You didn't do your job, by allowing malware to be added into your code (by a developer who still is unnamed). The (misguided) statement of the WordPress.org team is still featured in a pull quote.

      I'm glad you understand why WordFence did what they did. But I still wonder why you resent the impact it had on your customer base. And I still wonder why there is, apparently, a WordPress plug-in developer out there, intentionally using malware, who you know, but have not yet identified. Shouldn't that information be made available, so that people who have installed his code can examine it more closely?

    • Thanks for posting here Joel. That takes courage. Let's call this water under the bridge and move forward.

      What might help the community is if you post in some detail about how the partnership came about and a few tips on what to look out for - for other plugin developers. You might help someone avoid the same mistakes.

      My guess is if you engage with the community in some depth about this and describe the process of making your plugin secure again, you'll probably win a lot of new users (and win back old ones) and may end up stronger than you were before.

      Regards,

      Mark.

      • Your response illustrates why I love WordFence. Whether the plugin author takes your advice or not in this specific instance, we all benefit from your quest to research, improve your plugin and educate us about what works and what doesn't. WordFence is standard on all our websites, including the pro version for those needing it. I regularly find myself having to defend WordPress security when I'm selling its benefits. I know WordFence has contributed to improving the security of our own sites, and I believe it has contributed to improving the overall security of WordPress as a platform.

    • Seriously, a school. Even if the school thing wasn't your plugin, think if it was. Man you really screwed up, and you should have to pay for your selfish actions. I am glad you spoke up and did a little damage control on this site. But your actions affected other people and their livelihood.

      If you only learn 1 thing from this, learn this:
      "The LOVE of money is the root of all evil."

  • If I recall correctly, the plugin author said that someone else with whom he shared his credentials had replaced his text with something else 'server side'.

    Should you have given him the benefit of the doubt and thought that maybe someone else had snuck in and compromised his already questionable plugin?

    Maybe, but more to the point shouldn't the mods have bitten their tongues and shouldn't they feel embarrassed for letting the code into the repository in the first place?

  • I believe Wordfence made the right decision here in regards to the 404-301 plugin. I had this on several of my sites, and without their email alerts, I would not have known about the cloaking issues. I think they should be commended on making our websites and clients' websites safer.

  • Two wrongs don't make a right. You should have at least given 24 hours for the developer to respond and cleanse the code before throwing him under the bus.

    The dev may be lying. Maybe not. But nobody gave you permission to be an asshole and invent your own version of responsible disclosure.

    • There was only 1 wrong here - and that was done by the dev. Period.

      "but nobody gave you permission"

      For the record (not that he needs it), *I* give Mark "permission" to do exactly what he did and exactly the way he did it - now and forever. I'm quite sure I'm not the only one based on the comments here.

  • For what it's worth the kind moderators over at Wordpress plugins kindly deleted my one star rating for this plugin which stated what the plugin does. Apparently you're not entitled to an opinion if it goes against the opinion of mods at wp.org. I couldn't care less but just thought you might want to know that whoever is moderating the ratings for plugins has other interests than the benefit of users.

  • If WordPress.org plugin repository is upset, perhaps they should take some responsibility. I have had more trouble with plugins in general and here today and gone tomorrow plugins that I do not care to deal with. It is ridiculous. As far as I am concerned this developer should be banned from Wordpress and if he is in the USA should be the target of a class action lawsuit. The amount of damage done by this is mind boggling. How many thousands or millions of dollars this caused the victims of this we may never know. It is truly shocking and should not be tolerated, or just easily dismissed as an accident, or just part of doing business on the internet. One of my sites got hacked and caused me a huge amount of stress, and money to fix. I have to constantly keep an eye on all my plugins and every few months I have to make changes, (some extensive) because some plugin is causing conflicts, is no longer supported or updated or whatever. I am sick of dealing with it.

  • I also have never used that plugin, but I applaud your efforts and completely agree with you in this issue. Keep up the excellent work!

  • people are giving you crap? THAT'S crap. You've always been one of my most trusted resources for info online, and Wordfence is now standard fare for any site I work on. Way before Wordfence, you once responded to two of my personal emails and gave me some quick advice that saved the day. I'll stand with you any time Mark.

  • Rule #1: Spammers lie
    Rule #2: If a spammer seems to be telling the truth, see Rule #1.
    http://bruce.pennypacker.org/2005/02/28/the-rules-of-spam/

  • THANK YOU. Please keep doing what you do. I am so, so glad to have found your service a few years ago. Two of the sites I manage get heavily attacked two or three times a year. This was a huge problem before finding you - as it sometimes takes me a few days to recover a hacked site.

    But I have been able to fend them off through your service. I am so grateful for all that you do.

  • All I can say is 'keep doing what you are doing'. We appreciate it!

  • Thank you for all that you do. We are happy that you have the best interests of your clients in mind in protecting our sites. We appreciate all that you do at such a reasonable cost. We have 18 sites under your protection and you make all of us safer. Anyone who is not using the premium version should be... it is the best. We have had no issues on any of our sites and are thankful for that.

  • Thank you Wordfence!! Thank you for your amazing plugin with incredible functionality at no cost (and even more functionality for a small fee!) And THANK YOU for doing what the Wordpress team should be doing by discovering malware intentionally built into plugins like this!

  • There is no need to defend your position.

    You informed and enlightened us all and led me to resolve to be more vigilant. Raising the stakes is always good, for the end products are of higher value.

    I for one appreciate your commitment and vigilance.

    Thank you!!!!!

  • This very thing is the reason why I use (and encourage all bloggers I know) Wordfence - your commitment to integrity, security and safety. THANK YOU for being willing to take the hit for standing by your commitment and for sharing things with us, who don't have the information or knowledge that your company does.

    I'm grateful.

  • All my specific URLs to my web pages and blog posts from my Wordpress site have disappeared from Google mysteriously. My partners and I are now convinced that this plugin was the reason. I am shocked, appalled and angry. I immediately deleted the plugin.

    My question now is: what do I do now to make sure all traces of this plugin and anything it may have left behind are gone? Also what recommendations does anybody have to get back in Google's good graces?

  • Thank you for putting your community first. Have heard some not so good things about the repository. Some swear that everything is checked but others - not so much. I try never to use 'free' anything from the repository unless I am sure where it came from. The culture today is awful - everyone is a victim. Not you! Thanks again.

  • Mark, a huge "thank you" to you and your team for going the extra mile and taking the undeserved flak for it. The attitude of the plugin repository managers is incomprehensible--as you so clearly demonstrate, this isn't an unintended security vulnerability and shouldn't be treated as such. Malware authors deserve no notice and no mercy.

    Jaw-dropping ... both the situation and the discussion in the comments.

    WordFence is the FIRST plugin I install on all the sites I develop and manage and I've used it since it was first released. Its ability to compare installed files against the repository originals and restore compromised files is critical.

    This brings up a serious question: if we can't depend on the repository approval process to identify and stop a bad actor that was "hidden in plain sight", how can we depend on them to vet and stop malicious code? I'm feeling far less secure today, given the attitude from the managers.

  • In my eyes, you did the prudent thing, Mark. Thanks. Keep up the good work.

  • You did right Wordfence; I appreciate your vigilance!

  • Thank you for standing by your principles in this matter.

    I am disappointed in WP's criticism of how you handled this.

    Below is part of my email to WordPress on this matter:
    "Instead of casting criticism at WordFence, why aren’t you holding up your hand for letting this plugin into the repository in the first place?
    You guys are the gatekeepers. You guys hold the space for greatness within the WP community.

    I'm sorry if I sound harsh, but I think WordFence took the most appropriate action in the right order. I don't feel they had any obligation whatsoever to have contacted the plugin author."

  • Wordfence has been the "go to" security plugin for years now. My hat is off to Mark and his Team for not succumbing to politically correct hogwash which many within the liberal bastion of WordPress have become. Freedom of Speech is only as valuable as those who would use it. In the case of Mark and his Team, that Freedom protects the very Freedom which others depend upon to safely access and use WordPress to express their Speech, thus the irony! Keep up the good work!

  • just another vote for mark and the wordfence team.
    it seems to me that they put the wider community first. especially if the plugin knowingly inserted malicious code.
    i agree with their priorities.

  • You did, and are doing the right thing. Thank you for your product. It has saved my site a few times.

  • You did the right thing. Anyone saying anything else is limited by their own lens (and that's sad.)

  • You guys did the right thing at Wordfence to expose this plugin's scheme. I read the author's explanation last night and honestly I didn't buy a word of it! Wordpress plugin repository people should've taken this plugin down instead of blaming Wordfence for doing the right thing.

  • Thanks a lot for prioritizing the community over a single plugin author who has no idea about cloaking and spammy acts. What you did is the right thing the community expects from a hired defender like you for their website.

    100% Appreciative, and just leave out the negative comments you have received from the plugin author as well as even from the wordpress.org moderator, because they may be benefiting from the spammy or cloaking act done on that plugin.

    Enjoy your efforts.

  • Mark,

    Thank you for taking the steps that you did. Your actions in helping us protect our websites are exactly why we trust you.

  • Thank you for doing the right thing, it is my and many others' opinion that you acted properly to protect the WordPress community and that is a credit to you all at WordFence. I teach people how to use WordPress for their business websites and teach advanced SEO so I know the damage this would do to search results, the first thing we teach is security and that starts with installing WordFence. Thank you for looking out for us all #Mark Maunder the online world is a safer place with you here.

  • Me too .... THANK YOU!

  • You did the right thing, and I thank you for it. This is why I love Wordfence.

    Now that the plugin author has apparently fixed the problem, I think we can all go back to productive work!

  • Your actions were clearly right on target. Thank you for your work in protecting us all.

  • Wow, what a response. Haven't read all the comments (way too many), but I believe most of them support your decision to reveal the unsavory intentions of a plugin author that seeds garbage as he did. There is no excuse for any coder to create a plugin like that and then think he can stand and justify his actions with some self-righteous ideas or hide behind false excuses.

    I am dismayed that WordPress would even attempt to challenge you without even investigating the plugin based on the information you presented to determine if that plugin author made a mistake or was malicious in the first place. I hope they pull his plugin, because WordPress needs to boot any plugin or theme that does these things and not accept anything like it to any degree, in my view.

    Hacking is far too destructive to ignore.

    Kudos to you Mark for doing this (Kinda feels I am talking to myself).

    I am not sure, but does WordFence identify (name) a plugin as malicious or on a black list or just identify specific code and files?

  • Hi. I am using the free version of your plugin and did not have the malware plugin installed. Just wanted to say thank you for your work, thank you for your help.

    Kudos.

  • Well done and well worded. This is what the WordPress community is all about :-) I think the wordpress.org developers are missing a beat. Plugins like this should be banned from the repo at once to protect the community. They should not hide behind some rules, but take responsibility and act on shady behavior of plugin authors and withdraw the plugin for investigation.

    It's good to have independent people who voice their opinion. It makes the community think and act. That is what moves the world and WordPress ecosystems forward. That's what GPL is about :-)

    Keep throwing stones in the pond when needed!

  • You are justified in your actions, and you did no wrong. Often times doing the right thing, is the hardest. Thanks for being there for all of us. +1

    My question though is, what was the reasoning behind WordPress and them wanting to handle it another way?

  • Thank you WordFence, I read all your security reports and applaud you for putting the safety of our websites 1st and foremost. You supply a vital service to the WordPress community and you and your entire team deserve all the praise we can give you. Please do not change the way you do things.

  • Does WordPress repository team not validate plugins before they go live? Sounds like they were more embarrassed by their own blunder of letting this plugin slip through than actually upset at a malware spreading plugin. Shame. Great work though Mark!

  • You folks did the right thing; you protected me, your customer.

    By these actions, you have only risen in my already high esteem of you, your company and services.

    Thank you!

  • Good job!

  • Thanks for watching over us, I love Wordfence! You did the right thing!

  • Thank you Wordfence. Your disclosure was highly responsible, in my opinion.

    I'm not sure why Wordpress wanted you to reach out to the plugin dev or to WP repository admins first - that should ONLY be the case for vulnerabilities which can be exploited by others AND for which there is no fix yet. The plugin you were reporting on does not fall in such a 'zero day vulnerability' scenario since it's not really exploitable by other hackers.

    As a busy site admin of multiple sites, I very much appreciate that you have our backs on this. In fact, it's also in WordPress's own best interests to have you report openly and in a timely manner on this sort of thing. Why? Because it helps 'weed out' harmful plugins from the repository, i.e. making WordPress better. Not only that, but WordPress repository admins should hardly expect to be 'the police' on who gets to report what and when!

    In particular, it frustrates me that in this day and age the WordPress core does NOT by default come with even a basic built-in security limit on the number of login attempts (unlike some other CMS's such as Concrete 5 and OpenCart which DO offer this by default in the core). Instead WordPress relies on plugin developers such as yourself to handle this sort of thing. If they expect to rely heavily on plugins for lots of things - even the most 'expected' basics (e.g. basic security, Meta-description for SEO) then they have to realize there will eventually be some harmful/malware plugins in the repository of various types/functions.

    Therefore security entities such as yourselves at WordFence should be applauded, not just by site admins, but by WP itself AND by legitimate plugin developers, for your practical help in keeping WordPress 'clean' and thereby raising its trustworthiness in the community as a whole.

  • You did the right thing. I'd be pissed if I discovered this on my site.

  • Hi Mark,

    Have had a quick look and don't see where this happened - it may have been in the comments on the original post or by direct contact.

    "We were criticized for our approach by the WordPress.org plugin repository maintainers."

    I am incredulous that the repo maintainers have been critical. We maintain 19 plugins on the wordpress.org repo and in the past have had a 'take down' notice for 1 plugin that we had inadvertently added a JavaScript to after release that was not open source.

    Apparently if we had used a cloaking script that filled users sites with spam we would have not had an issue (being sarcastic).

    I would have thought that the wordpress.org maintainers would have been very happy that you had exposed the issue as it negatively affects 70,000+ active WordPress users.

    I do not believe that the cloaking would have been in the plugin when it was first submitted to the repo and reviewed by the plugin reviewers - they would have seen it then. The only way it could be there is that the plugin author has added it sometime after release.

    The repo maintainers don't go back and periodically recheck plugin code after release - there are just too many plugins for that to ever be possible - the only way that they could know about this is if it is reported by users. As you have pointed out the plugin author has gone to considerable lengths to ensure that users did not see the cloaking. The way the cloaking was done despite what the plugin author has said since was via deception for monetary gain.

    A most unsavoury business and I am baffled why your actions would be getting anything but praise from the wordpress.org repo maintainers.

    Keep up the great work. Much appreciated.

  • You did the right thing Mark and WordPress should have taken it seriously and banned the plugin author.

  • Dear wordfence,

    You did exactly the right thing. I thought this when I read your first email on the subject, and was surprised to read that you received criticism for taking the action that you did.

    I was shocked to read in this post about the response from Wordpress. It is surprising and a real shame that Wordpress have taken this issue in such a manner, I would have hoped and indeed trusted that they would be more responsible. I hope that this is a mistaken one off or a misunderstanding on their part, and that they will react more responsibly in future.

    Please keep up your good work, and thank you for protecting my organisation from these threats.

  • F U Wordfence!

    I'm a wp security expert who lost lots of jobs because of you!

    My heart is breaking when I see all grannies and grandpas comments above ... they CHEER YOU.. and once upon a time they were my customers :(.

  • Thanks for shining flashlights on the darker corners of the web.

    Transparency for the win!

  • Mark, you absolutely did the RIGHT thing. I support your decision.

    The community first, the DISHONEST plugin developer second.

  • Well done Mark for taking a stand.

  • When all the dust settles, I have more respect for work fence and their team then I do for the WordPress plug-in repository team, because they are to blame for condoning this chicanery in the first place. The fact that they even chose to defend this nefarious plug in author speaks volumes about their "concern" for the community. It is nonexistent, WordFence however time and again has proven that they truly care about the community and its customers and the health of their WordPress website.

    • I would love to see an edit comment feature here too. Let me make some corrections to my above text. I was using a dictating software which apparently leaves a lot to be desired. "Work fence" should have been "Wordfence;" "then I do" should have been "than I do."

  • Fantastically quick actions and absolutely correct judgment on this shocking incident. Thanks to all at Wordfence for showcasing exactly how these unscrupulous actions and commercially-driven greedmonsters can affect honest and hardworking businesses.

    As an SEO for over 8 years myself, with an international following and impeccable reputation for ethics and honesty, I read the plugin author's post on the Advanced WordPress group with a feeling of despair and disbelief. I'd never heard of the plugin, yet the premise of re-routing all status code 404s, using a blanket rule, to avoid investigating *why* you have missing images or pages in the first place, seemed strange - if not thoroughly lazy and dangerous. SEOs and fairly competent Web developers should have questioned the need for such a plugin. Small business users, public sector, charities and bloggers would never have known - these are the vulnerable people we should be advising and protecting. Not exploiting.

    Seeing the author declare he'd learnt a "big lesson" after knowingly giving his logins and account to another developer to inject this code, made me hit the keyboard to register my disgust. Why any of the comments which followed mine were even tolerant of his apology and suggestion it was a mistake, is beyond comprehension.

    We should all employ a degree of due diligence and research techniques like this to understand the impact, well before flicking switches which could savage years of hard work. With SEO - there's little room for mistake. Get a professional. Please. We care about how you're represented out there.

  • Mark, your handling of this is exactly why I will continue to subscribe to WordFence Premium.

    Conversely, the response from the maintainers of the WordPress Plugin repository has actually diminished my confidence in WordPress, given that they evidently can't differentiate between an unintended vulnerability and a deliberate intent to inject undesirable content.

  • You guys are awesome! Appreciate the way you have handled this. I love wordfence, and being a developer and small business website agency I sleep well at night knowing all of our clients' websites are protected by wordfence. Keep up the AMAZING work.

  • Mark and all the guys at Wordfence did the only right thing, alerting everyone of this serious issue. You don't owe the plugin author anything!!

    This is just another great example WHY we put our trust in you and pay for this great plugin (Wordfence).

    Shame on Wordpress for not banning this author!!!

    And seriously this scammer, fraudster is the one thinking he is entitled to criticize YOUR actions???

    Thankfully I did not have this scam plugin installed, and the author is now on MY personal blacklist.

    Kudos to Wordfence and keep up the great work!!!

  • Is there anything I need to do to get rid of it except uninstall the plugin?

  • As a blogger maintaining my websites - on which I have negative income - with no past computer experience, I really appreciate your dedication to website security. I think that most developers have no idea how clueless most of us setting up websites are. I'm a tiny step ahead in that I know I'm clueless; most don't even know they are missing anything. Please keep up the good work!

  • You guys did exactly the correct thing and I for one thank you for every thing you do.

    Wordfence and its team are the best!

  • I use the free version of your plugin and wasn't affected by the bad plugin but so happy to see that you put the customer first!! Great job - great explanation of the situation. Thanks!

  • You guys rock it! This author knew what he was doing, which is evident by his playing the victim. You did a great service to potential victims of this nefarious BS, and no one should be critical of you. They should thank you.

    This is why we provide Wordfence Premium with every hosting customer. It adds to our own server level security and net defences and countermeasures. Moreover, it adds an outstanding service and value for the reasonable annual fee.

  • I am 100% behind your handling of this and should a similar situation ever arise, I hope you handle it the same!

  • As someone who has used this plugin on my site, however do I know if ***I*** have been affected? :(

  • I'm VERY impressed with the way you immediately alerted us to the issue and TERRIBLY DISAPPOINTED with the plugin community's criticism of the way it was handled. I'm just as disappointed with Wordpress for allowing plugins to be peddled through their site. Two years ago, another plugin pulled the same crap on me (see https://wordpress.org/support/topic/text-ads-above-my-blog-header?replies=2). They claimed it was an option that shouldn't have been turned on by default; a bug. Plugin developers like this know exactly what they are doing. Its SHADY and shouldn't be allowed in the Wordpress plugins offerings. The "it was in the fine print" defense is unacceptable. Thank you for watching out for us! I was happy to renew last week for another year.

  • Mark, appreciate everything you guys do at Wordfence. I feel that you guys offer the best WordPress security plugin around. Keep up the good work and thanks so much!

    David Coleman

  • Thank you! You shouldn't have to defend yourself for doing the right thing. The plugin coder responsible for this black hat venture should be banned from .org!

  • They should be banned from the repository. Whether or not "the Foxx" knew of the issue or created it doesn't matter, you have a certain responsibility when providing a product like this. All authors need to have a certain level of security and audit compliance to be notified when something in their code is modded, like the wp audit plugin, but for plugins and themes.

    This is why the repository shouldn't be free. ALL plugins and themes should have a token cost of maybe only $5-10. This would at least give the authors a little payment for their effort and separate payments for support, which would lead to better security and controls.

  • I have this plugin on my site. After reading this, I feel like I should remove it, but it does serve a purpose because I know I have some broken links on my site. Can you recommend a trustworthy plugin that accomplishes the same thing without messing with my site?

    • Contact your host and ask them how to set up a 301 redirect. You don't need a plugin to do this. If you have a good host, you should get the help you need. And it should be an easy process.

    • First: update the plugin (if you didn't yet).
      Second: The plugin is safe now; you can continue using it.
      Third: in case you don't want to, then take your time and look for something else, or even check this post's comments; I'm sure someone already suggested another one.

  • I think wordpress must banish bad plugin authors like that, to protect us and deter others.
    I feel reassured to know you ensure our safety, thanks!

  • I too feel you did the right thing. To me it seems as though the balance between the damage done to one rather careless code writer pales when compared to the damage that this was doing to thousands of businesses. Even if that loss of business is not measurable, security is why we are here, and security is what we got. I love WordPress.org but sometimes their rules are just not that important.

    William Frankell

  • I stand by you and the Wordfence team Mark. You handled this situation as you should have, by alerting the community to the problem since it is their websites that were affected, and the developer last. As you said, he knew what he was doing, why are you obligated to give him a chance to hide the evidence? The only ones who protest, I think, are those who have never had to deal with a site hacking or DNS attack or other type of interruption. You do a great job and I appreciate you and the Wordfence team every day.

  • I thank you all for not only your hard work but for your high moral standards. I appreciate your dedication and determination. I'm glad to see you stick to your principles under pressure.

  • Thanks, Wordfence team. As a novice at web development I know I am at the mercy of developers, and all I can do is do my homework carefully and follow communities that have user concerns at heart. I am also very careful when engaging developers and will ensure they are formally and personally accountable if they fail in their due diligence, let alone try something unscrupulous. I'm learning a great deal from your blog, and my spending habits on WP developers' products is becoming more discerning. Thanks again.

  • Keep up the great work. I'm 100% with you on the fact that the community should come first. And even if we suppose that the plugin was written by another developer, it is his job to carefully test it; plus the WP guys should test the plugins as well and not blame you.

    Again, keep up the good work; your work and actions will speak louder and louder to the community over time...

  • Fortunately I haven't been affected by this plugin. Had I been using it, I would have been very grateful to have been informed sooner rather than later.

    I believe your process and actions were 100% correct and "the right thing to do". The repository maintainers are clearly embarrassed that they didn't pick up on the cloaking built into the plugin. I know it's an almost impossible job to vet all plugins all the time but their response should have been in the form of a thank-you note.

    Keep up the great work.

  • With you 100% on this one. There's no place for crapware like this especially in the WP repository of all places. You did exactly what I would want from a reputable security company. Thanks!

  • Good job!!

  • You did exactly the right thing. Good work!

  • I wholeheartedly agree with your approach. As a former SEO forum moderator I also see this as a "black hat" SEO technique and do not believe it was accidental. Whether it was intended to show or not is irrelevant. And the fact that it was buried in terms of service doesn't make it right, only marginally legal. People trust plug-ins in the WP repository to be safe and above-board. You were right in bringing it to everyone's attention.

  • You were absolutely right to blog about this plugin and I feel that your actions were perfectly correct.

    Totally behind you!

  • I just found a cloaking detector doing a search on Google. I don't know how accurate this tool is, but it may be helpful to identify if cloaking is happening on your website: http://www.seotools.com/seo-cloaking-checker/

    Mark, most people will likely overlook this comment. If you think this tool would be useful, then please consider adding a link to it in your article.

    • Thanks Chris, I approve each comment here myself and did notice this. I'll keep it in mind for future posts. Much appreciated.
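The cloaking checker linked above compares what a site serves to different visitors. As an added example, not part of the original post or of the linked tool, here is the same check done locally: fetch a page once with a normal browser User-Agent and once with a Googlebot User-Agent, then list the links that appear only in the bot-facing response, which is the pattern the post describes. The two HTML documents embedded below are constructed for offline demonstration and are not captured from any real site; `check_url()` runs the same comparison against a live URL.

```python
"""Added example (not from the original post): a minimal User-Agent
cloaking check. The HTML served to a search-engine user agent is compared
with the HTML served to a browser user agent, and links present only in
the search-engine version are reported."""
import urllib.request
from html.parser import HTMLParser

# Assumed user-agent strings; the Googlebot one is the public crawler UA format.
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
GOOGLEBOT_UA = ("Mozilla/5.0 (compatible; Googlebot/2.1; "
                "+http://www.google.com/bot.html)")


class LinkExtractor(HTMLParser):
    """Collect href values of every <a> tag, including ones inside hidden elements."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.links.append(href)


def extract_links(html):
    """Return the set of hrefs found in an HTML document."""
    parser = LinkExtractor()
    parser.feed(html)
    return set(parser.links)


def cloaked_links(browser_html, bot_html):
    """Links served to the search-engine UA but absent from the browser UA response."""
    return sorted(extract_links(bot_html) - extract_links(browser_html))


def fetch(url, user_agent, timeout=10):
    """Fetch url with the given User-Agent header and return the decoded body."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        charset = resp.headers.get_content_charset() or "utf-8"
        return resp.read().decode(charset, "replace")


def check_url(url):
    """Run the cloaking comparison against a live page (needs network access)."""
    return cloaked_links(fetch(url, BROWSER_UA), fetch(url, GOOGLEBOT_UA))


# Constructed sample responses for offline demonstration (not real site data).
BROWSER_HTML = """<html><body>
<p>Welcome</p><a href="/about">About</a>
</body></html>"""

BOT_HTML = """<html><body>
<p>Welcome</p><a href="/about">About</a>
<div style="display:none"><a href="http://example.invalid/loans">payday loans</a></div>
</body></html>"""


if __name__ == "__main__":
    for href in cloaked_links(BROWSER_HTML, BOT_HTML):
        print("link served only to the search-engine user agent:", href)
```

Run it against your own pages, and fetch with the browser UA twice first so links that legitimately rotate (ad slots, nonces, related-post widgets) are not mistaken for cloaking. A User-Agent check catches what the post describes, since the plugin keyed on the visitor's user-agent string, but it cannot see content keyed to the crawler's IP ranges; for that, the page as Google itself renders it in Search Console is the ground truth.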

  • Thanks for saving us!

  • I am stunned, just absolutely STUNNED by the response of the WP repository team. I would understand their desire to clear up any confusion or put a stop to poor reviews had this been something OTHER THAN the plugin author's fault, but the way WP continues to chastise people who are (rightfully) pissed off about this situation just completely blows my mind. I just can't comprehend why this plugin wasn't pulled and the developer's account shut down.

  • I support your decision and behavior wholeheartedly. If I had put that plugin on my clients' sites I'd be horrified! I can't just sit and wait for this guy to fix it. How dare anyone suggest that I allow this for one minute more? That is sick. (I didn't use this plugin, thank God.)
    The pushback you are getting is uncalled for. The WordPress plugin guys obviously fell down here. There should be a separate process for this kind of abhorrent behavior by plugin creators. What if once contacted this guy buried the cloaking even further?
    Wake up WordPress! You can't possibly support this plugin's cloaking. Do you?
    I love your tool. Rock on.
    Jen

  • Count me as a supporter of doing the right thing. You did right. The world is filled with far more hacks and scams than I ever thought possible - there are so many who cheat their way through life, so it's good to see a man of integrity. Keep fighting the good fight.

  • Well done for disclosing this.
    This was clearly the ethical thing to do.

  • Mark, thank you for your work with Wordfence. I completely agree with your handling of this sleazy code and your rationale.

  • Mark, fully agree with your assessment here. Please don't be discouraged! I discovered Wordfence for my personal sites because my organisation's professional (public sector) site uses it. As an IT professional dealing with IT Security, I want to be secure and Wordfence really helps. I recommend it both professionally and personally.

  • I lost a lot of my Google rankings due to this plugin. Any advice to help me get them back. I uninstalled the plugin already, but anything else I can do?

  • Well done and thank you.

    Shame on anyone who criticised your approach.

  • Thank you for being a part of the SOLUTION rather than the problem. It sickens me how prevalent it is to encourage firms to act as enablers rather than enforcers. Viruses, malware, ransomware, spam, etc., exist today because we make it a win-win proposition for the bad guys. If they don't hit you directly, they know you are being forced to take Herculean efforts (and cost) to TRY to prevent it. Either way, they have harmed you. Only when it becomes painless for everyone to sidestep the onslaught and when the retribution becomes immediate and unavoidable will the crooks find they have lost the game.

  • I guess it has all been said in previous comments, but I'm joining the chant.

    Well done guys (and gals?)

  • Excellent post! Thank you for doing the right thing.

  • Thanks for sharing the full info and taking immediate action! These are the reasons why your users still keep using - and are still following - Wordfence! ;)

  • Based on this post and the response of the plugin author, I see nothing wrong (as I understand it) with how you approached this. You detected a plugin which was injecting adware into a site, in such a way that it was very difficult for the site owner to even see it; you did due diligence to determine if it was *likely* that this got inserted into the plugin by someone who was *not* the lead developer, and determined it unlikely.

    With that in mind, I wonder if the code which got committed, which ended up injecting these ads into the site, was, as the author claims, actually pulling the offending content off of some other machine (rather than it being in the code), so that, as the author claimed, the behaviour of the code he added (under his commit credentials) actually could reasonably have changed?

    I know that someone shared some code that they were talking about inserting into their website, and a quick look at the code which they were being told to insert felt incredibly dangerous, in that it was pulling content (which likely would be displayed) from another site, and the URL it was pulling from was a PHP page (unmasked). Trying to explain this to the person who was putting it in led me to believe that they felt I was "purely paranoid" and really had no idea what I was talking about.

    I really *do* hope that at least *part* of what the author said was accurate. I'd rather you continue this type of reporting in the future than waiting the expected 3 days (or so) before you can do so through official channels.

    My feelings now about WordPress.org are becoming increasingly such that they'd rather support the people who "make mistakes" and chastise those who "are trying to do things right the first time."

  • Another Wordfence customer here who is thankful and supportive of the way you did handle this.

    My site has been hacked before and had cloaking applied. It was picked up by Google and my site was flagged as hacked in Google search results. Only then did I become aware, and it was a lengthy and stressful period to get the issue resolved and the hacked warning label removed by Google. So I feel that any plugin author knowingly doing this to customers who trusted them enough to install their plugins is a deviant. I would like to say worse things about them but I won't do that here.

    Thank you for putting us first and protecting the customers Wordfence.

  • You guys were totally right to warn us! Thanks!

  • Thanks for posting to clarify - and also for taking the ethical and moral high ground on this issue - in my view you certainly acted correctly and it only helps bolster my support for Wordfence :)

  • Highest praise for your stand. Your work and your products have always been of the highest standard and aimed at protecting the hard work of site owners like myself who frankly would be lost without your expertise.
    I am surprised by some who have criticised, but time will sort that out, I believe, and you will be fully vindicated.

  • You did the right thing, Mark. It's refreshing to see someone do the right thing, just because it is what's right. Kudos to you.

  • WordFence: You've done a remarkable job again. I support the way you handled this issue. Passively informing the author or Plugin repository guys may not be of much use. Your way is the best, as it exposes the culprit and brings great awareness of the issue to the public.

  • Dissenters don't have a leg to stand on. When you see that a school in Charlottesville is linked to the site, it's obvious that great harm was being done in search of the almighty dollar. My clients look to me and I look to Wordfence to keep my clients' sites free from any nefarious activities, which it does well and did superbly in this instance. Thanks for doing this the way you did. It's not your business to quietly remind an author of his or her moral responsibility to the community, but to report things that will harm my clients' sites in a timely manner.

  • Hi Mark,

    You were bang on in terms of how you handled this issue.

    I personally want to thank you for your efforts and let you know that I appreciate all you have done for the community.

    The internet does have those that are unscrupulous and unfortunately it is up to each of us individually to be vigilant in this regard.

    Thanks again for your help,

    Lionel

  • Not surprised by the response of the plugin author, trying to blame you and take some or all of the guilt off him/her. The moral compass of that person seems a bit off, so I would be surprised by an "oops, my bad" response.

    However, I am a bit surprised by the response of WordPress.org. Yes, normally, if it was some kind of security hole, I would agree, but a major part of that is (in my opinion) to give the author a chance to fix issues and users a chance to upgrade before giving info about an exploit that may not be very well known. That is minimizing damage for everyone.

    In this scenario the damage was already done, hurting everyone except the author, who earned money off it...

    Also I find it a bit disturbing that there are plugins like this at WordPress.org. It kind of means that the evaluation of plugins before adding them to production site needs to be done more thoroughly :/

  • I was curious, so I looked at the GitHub repository for the plugin, and as far as I can see the conditions which you have to approve to use the plugin are pretty much the same, except it now lets you know there is a button to disable the 3rd party stuff, called "disable uan", under the plugin information page :S (information added directly after the approve-3rd-party-stuff text)

    Looking at github through smartphone wasn't very easy though (and the commit was quite large) so may very well have missed something.

  • Hi Mark,

    Your handling of this issue was 100%. Keep up the good work. :-)

  • I am thankful for your diligence and I highly respect the team at Wordfence for going above and beyond on issues like this. The email news updates are great, as well as the tutorials. Hey - if the facts had different circumstances (beginner error, an honest mistake, etc.) it would be different, but thanks for stepping up to the plate.
    While I am at it - THANK YOU for an excellent premium security plugin for protection on my WP sites. I LOVE the workshop videos and find my relationship with Wordfence seriously a great learning experience!
    5-stars!!

  • It is a shame that such shady practices occur on the web.
    Thank you for watching out for the community.

  • Kudos to Wordfence and Thanks!

  • Thanks for exposing this threat and for the immediate action to prevent further spread.

    Find it very disturbing that the plugin is still available for download.

    Even if it was a sloppy mistake, giving his account to somebody else who created and checked in malicious code, as he indicates in his own post.

    It's still very weird that in this long period he didn't test or check something or notice something strange. Nor would he have used this plugin on his own websites, because then he definitely would have found out.

  • I am unimpressed with the way the WordPress.org Plugin Repository team handles a lot of the reports they get. I find it amazing the number of people who defend someone who places the reputations of tens of thousands of websites, owners and businesses associated with them.

    I appreciate the efforts of Wordfence. I applaud you for standing in the face of unjustified criticism such as what you received. I will not ever use a plugin or theme authored by someone who has clearly engaged in activities such as what you described.

    WordPress.org plugin review team as well as forum moderators did the "community" a disservice by defending the actions of the plugin author and closing multiple reviews and stopping the outrage expressed by those affected by the plugin author's actions. It's a good thing I wasn't in control of the situation. The plugin and the author would have had a very long break from the Repository. But that's me.

    I don't believe in rewarding people who intentionally harm other people. I don't buy into the politically correct notion that the actions of someone who does harm shouldn't be held accountable. Apology or not.

    Many people could have lost a lot by the actions of that plugin author. Period.

    Thank you !!!

  • I agree, I think this was handled spot on. To fail to immediately address the issue is inappropriate and I am disappointed that Wordpress.org would have suggested any action other than what you took -- and then to not support your follow up? I have to wonder if someone in their plugin repository has issues. It leaves WP open to some liability, should they fail to act on your information from the start.

    There must be transparency by the plugin authors... Period. To provide a plugin with any type of malware is completely unethical, in my opinion. I hope the school is now aware of this issue as well. I would be very angry to learn my sites had been compromised in such a way.

    Thanks, Mark. I appreciate you.

  • We at OzHosting.com.au will continue to promote WordFence with confidence to our website hosting customers and also help them with set up to ensure they have the best possible protection.
    That was great investigative work on the malware-injecting plugin and the communication was handled correctly under the circumstances.
    Stay the course!
    Ozhosting Team

  • Quite simple, you have taken the only right route. Thanks and please react the same way in the future.

    System owner of about 20 WP sites.

  • Considering the (free) service you bring to the WordPress.org community, I imagine it's made a lot of users sceptical of how seriously Automattic takes the security of plugins.

    Interestingly, this plugin may have actually broken rule 10 of the WordPress.org plugin guidelines (the part about links showing by "default"):

    "The plugin must not embed external links on the public site (like a “powered by” link) without explicitly asking the user’s permission. Any such options in the plugin must default to NOT show the link."
    Source: https://developer.wordpress.org/plugins/wordpress-org/detailed-plugin-guidelines/

  • You're the best! Thank you for protecting our Wordpress blogs. I can't imagine a web full of unscrupulous plug-in authors. Now, the word is out. There is a new sheriff in town.

    Cheers!

  • You did right and the WordPress repository maintainers are wrong on this one. imho

  • Excellent action!
    I'm worried the WordPress crew are getting a little high-handed these days and seem to be putting their own interests ahead of those of the community at large - although I cannot for the life of me think of any interest they might have in a plugin that is intentionally malicious.

    Keep up the good work!

  • Hi - Having used both WordFence as well as the 404 to 301 plugin for quite a while, I believe there was a third option that was not used.

    I very much respect your work and am very grateful for what you do (and I am using your premium service on two sites).

    The same goes for Joel and his plugin that I found the only one to work the way I wanted. He has made some mistakes that he knows he should not have done. And after having been in communication with him long before the recent uproar, I believe what he is saying.

    There is someone who put his heart and soul and lot of his time into providing a service for free. That's the very foundation of this WordPress community. Imagine you made a mistake that left a gap in your firewall, and someone like Automattic would slam your plugin...

    Yes, I understand the whole thing with the terms (see mistakes above).

    I still think you could have done one and not left the other.

    Considering someone else's reputation is something that's going to be more and more important. You knew that, given your own reputation, that other plugin provider would be heated. Claiming that you didn't care about that still leaves a bad taste.

    Thanks

    Stefan

  • I agree wholeheartedly with your course of action.

    Given how many businesses, educational establishments and other organisations rely on WordPress, the plugin repository feels like it needs more, not less quality control and regulation.

    What you did was to help raise the standard, sending a message to authors that on behalf of your customers, you will pass judgement on their coding and their ethics.

    You are not a monopoly; people who do not like your stance will have no problem finding other sources of information and security software.

    Please keep up the good work.

  • I appreciate your original heads-up and course of action. Happy to know that if a similar situation comes about, you'd handle it the same way. Two thumbs up.

  • I think you did absolutely the right thing. Thank you!

  • You did great, thanks!