While investigating the whole WP/HQ Sand Box spamming thing, I came across something interesting. Our ‘buddy’, user robinruet, was spamming for takabd.com (don’t visit it, and do not +1 it) several months ago, as was a recent post that has since been deleted. More recently, another user, WPgooglerankingBooster, was spamming for the same site. The current product they are peddling is something that will get you blacklisted from Google.
It is sad that the first post for 2012 is exposing a spammer and security flaw, but it must be done. Today’s lesson in poor Internet etiquette and poor security awareness is WordPress.org user robinruet, promoter of Invenesys’ WP Sand Box plugin. Around the turn of the new year, robinruet went through the WordPress.org forums and replied to several support topics with the same post promoting the WP Sand Box plugin. These posts were all off topic, and on several occasions robinruet somehow managed to set the issue as resolved. The good news is his posts were deleted, along with his two plugins.
But, this post isn’t about robinruet, who is an interesting character, and possibly a hacked account (it started spamming a Google +1 click jacking plugin). This is about WP Sand Box and why you should not use it.

A year ago, I published my discovery of a backdoor within the BlogPress SEO plugin. The only reason I looked at the plugin was that the author tried to get me to review it. Little did he know I’d actually look at the code before installing it.
Since that time, the plugin received a ton of bad publicity, the author lashed out against Joost de Valk, and now, a year later, it appears the saga ends. The domain name blogpressseo.com expired back in October, and no one has renewed it yet. My only hope is the people behind BlogPress SEO didn’t move on to using a different name for the same plugin.
-John Havlik
[end of transmission, stay tuned]
If you have not heard about the unauthorized SVN commits to the WordPress.org plugin repository for the plugins AddThis, WPTouch, and W3 Total Cache, you may want to read the post on the WordPress.org blog first. This event has prompted a WordPress.org password reset for all registered users. While these are three high profile examples that happened in the last 48 hours, a similar incident happened back in February.
It should be no surprise that some plugin authors cannot be trusted. We’ve seen that with the BlogPress SEO plugin, but that one was just sloppy. Others actually try to hide what they are doing. An easy way of doing this is to use a PHP code obfuscating application. These will produce code such as:
<?php if(!function_exists("TC9A16C47DA8EEE87")){function TC9A16C47DA8EEE87(...
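From the defender's side, the practical question is how to spot this kind of output before installing a plugin. The following is an added example of my own, not code from the plugin or from any project: it flags PHP source that combines the hallmarks of machine obfuscation (hex-blob function names like the one quoted above, together with eval/base64_decode/gzinflate). The two sample inputs are constructed for illustration; only the quoted opening of the first mirrors the line above, the rest of its body is made up.

```python
import os
import re

# Constructed sample: the opening mirrors the obfuscated line quoted above,
# the function body is invented to illustrate the usual decode-then-eval shape.
OBFUSCATED_SAMPLE = (
    '<?php if(!function_exists("TC9A16C47DA8EEE87")){function TC9A16C47DA8EEE87($T){'
    '$T=base64_decode($T);$T=gzinflate($T);return eval($T);}}'
)

# Constructed sample of ordinary, readable plugin code for comparison.
CLEAN_SAMPLE = (
    '<?php function wpsb_register_widget() { register_widget("WPSB_Widget"); }'
    'add_action("widgets_init", "wpsb_register_widget");'
)

# Each indicator is (label, regex). None is damning alone; obfuscators
# tend to produce several at once, which is what is_suspicious() relies on.
INDICATORS = [
    ("hex-named function", re.compile(r"function\s+[A-Za-z_]{0,3}[0-9A-F]{12,}\s*\(")),
    ("eval()", re.compile(r"\beval\s*\(")),
    ("base64_decode()", re.compile(r"\bbase64_decode\s*\(")),
    ("gzinflate()/gzuncompress()", re.compile(r"\bgz(inflate|uncompress)\s*\(")),
    ("str_rot13()", re.compile(r"\bstr_rot13\s*\(")),
    ("long base64 literal", re.compile(r"[\"'][A-Za-z0-9+/]{60,}={0,2}[\"']")),
]


def obfuscation_indicators(source):
    """Return the labels of every indicator present in a PHP source string."""
    return [label for label, rx in INDICATORS if rx.search(source)]


def is_suspicious(source, threshold=2):
    """Flag a file when at least `threshold` independent indicators co-occur."""
    return len(obfuscation_indicators(source)) >= threshold


def scan_plugin_dir(root):
    """Walk a plugin directory and return {path: indicators} for flagged .php files."""
    flagged = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.lower().endswith(".php"):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    source = fh.read()
                if is_suspicious(source):
                    flagged[path] = obfuscation_indicators(source)
    return flagged
```

Run scan_plugin_dir() on an unpacked plugin before activating it; a hit does not prove malice, but a plugin that needs eval over a base64/gzinflate payload deserves a manual read.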

