mtekk's Crib

It is sad that the first post of 2012 has to expose a spammer and a security flaw, but it must be done. Today's lesson in poor Internet etiquette and poor security awareness is WordPress.org user robinruet, promoter of Invenesys' WP Sand Box plugin. Around the turn of the new year, robinruet went through the WordPress.org forums and replied to several support topics with the same post promoting the WP Sand Box plugin. These posts were all off topic, and on several occasions robinruet somehow managed to mark the topic as resolved. The good news is that his posts were deleted, along with his two plugins.

But this post isn't about robinruet, who is an interesting character and possibly a hacked account (it started spamming a Google +1 clickjacking plugin). This is about WP Sand Box and why you should not use it.


A year ago, I published my discovery of a backdoor within the BlogPress SEO plugin. The only reason I looked at the plugin was that its author tried to get me to review it. Little did he know I'd actually look at the code before installing it.

Since that time, the plugin received a ton of bad publicity, the author lashed out against Joost de Valk, and now, a year later, it appears the saga ends. The domain name blogpressseo.com expired back in October, and no one has renewed it yet. My only hope is the people behind BlogPress SEO didn’t move on to using a different name for the same plugin.

-John Havlik

[end of transmission, stay tuned]

If you have not heard about the unauthorized SVN commits to the WordPress.org plugin repository for the plugins AddThis, WPTouch, and W3 Total Cache, you may want to read the post on the WordPress.org blog first. This event has prompted a WordPress.org password reset for all registered users. While these are three high profile examples that happened in the last 48 hours, a similar incident happened back in February.

It should be no surprise that some plugin authors cannot be trusted. We've seen that with the BlogPress SEO plugin, but that one was just sloppy. Others actually try to hide what they are doing. An easy way of doing this is to run the plugin through a PHP code obfuscator (a "packer"), which replaces the readable source with a loader that decodes and evaluates the real code at run time. These will produce code such as:

<?php if(!function_exists("TC9A16C47DA8EEE87")){function TC9A16C47DA8EEE87(...
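Packed plugins like the one quoted above can be spotted without reading the whole file, because the packer leaves a few idioms behind: a decode-then-eval wrapper (eval(gzuncompress(base64_decode(...))) and similar), function names that are hex digests rather than words, an if(!function_exists("T...")) guard around the loader, and one very long, high-entropy string literal carrying the packed body. The script below is an added example, written in Python rather than PHP so it can be run from a reviewer's workstation; it is not code from mtekk's Crib or from any plugin discussed on this page. The indicator thresholds (12 hex characters for a name, 128 characters and 4.5 bits per character for a literal, two indicators to flag a file) and both sample plugin sources are constructed for the example; the hidden payload is harmless filler. The script decodes the packed body for inspection but never executes it.

```python
"""Heuristic scanner for packed/obfuscated PHP in WordPress plugins.

Added example (not code from mtekk's Crib or from any plugin it discusses).
It flags the idioms PHP code packers leave behind: a decode-then-eval wrapper,
machine-generated hex-like function names, and a very long, high-entropy
string literal carrying the packed body. Thresholds and the sample plugin
sources below are constructed for this example.
"""
import base64
import math
import re
import zlib

DECODERS = "base64_decode|gzinflate|gzuncompress|str_rot13|strrev|urldecode"
HEX_NAME = r"[A-Za-z_]{0,3}[0-9A-F]{12,}\w*"   # e.g. T4D1E8F4A2C9B3E70 (constructed)

PATTERNS = {
    # eval(gzuncompress(base64_decode(...))) and similar decode-then-eval chains
    "eval_of_decoded": re.compile(r"\beval\s*\(\s*(?:" + DECODERS + r")\s*\(", re.I),
    # function names that are really hex digests rather than words
    "hex_function_name": re.compile(r"\bfunction\s+" + HEX_NAME + r"\s*\("),
    # the if(!function_exists("T...")) guard packers wrap around their loader
    "function_exists_guard": re.compile(r"function_exists\s*\(\s*[\"']" + HEX_NAME + r"[\"']"),
}
STRING_LITERAL = re.compile(r"[\"']([^\"'\\]{128,})[\"']")
EVAL_CHAIN = re.compile(
    r"\beval\s*\(\s*(?:(gzuncompress|gzinflate)\s*\(\s*)?base64_decode\s*\(\s*"
    r"[\"']([A-Za-z0-9+/=]+)[\"']", re.I)


def shannon_entropy(text):
    """Bits per character; base64 of compressed data sits near 6, prose near 4."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def obfuscation_indicators(src):
    """Map each indicator name to whether it fires on the given PHP source."""
    hits = {name: bool(rx.search(src)) for name, rx in PATTERNS.items()}
    longest = max(STRING_LITERAL.findall(src), key=len, default="")
    hits["long_dense_literal"] = len(longest) >= 128 and shannon_entropy(longest) > 4.5
    return hits


def is_likely_obfuscated(src, min_hits=2):
    """Two independent indicators is the (assumed) threshold for a manual look."""
    return sum(obfuscation_indicators(src).values()) >= min_hits


def reveal_eval_payload(src):
    """Decode (never execute) the first eval(...(base64_decode('...'))) chain found.

    Returns the hidden source as text, or None if no such chain is present.
    PHP's gzinflate is raw DEFLATE (wbits=-15); gzuncompress is the zlib format.
    """
    m = EVAL_CHAIN.search(src)
    if not m:
        return None
    data = base64.b64decode(m.group(2))
    wrapper = (m.group(1) or "").lower()
    if wrapper == "gzinflate":
        data = zlib.decompress(data, -15)
    elif wrapper == "gzuncompress":
        data = zlib.decompress(data)
    return data.decode("utf-8", errors="replace")


# --- constructed sample inputs -------------------------------------------
CLEAN_PLUGIN = """<?php
/* Plugin Name: Constructed Clean Plugin (sample input for this example) */
function ccp_register_settings() {
    register_setting('ccp_options', 'ccp_enabled');
}
add_action('admin_init', 'ccp_register_settings');
"""

# Harmless filler standing in for the plugin body a packer would hide.
HIDDEN_PAYLOAD = "/* constructed hidden plugin body, harmless filler */\n" + "".join(
    "$ccp_value_%d = get_option('ccp_option_%d');\n" % (i, i) for i in range(48))
PACKED = base64.b64encode(zlib.compress(HIDDEN_PAYLOAD.encode())).decode()

# Shaped like packer output: hex-named guard function, then decode-and-eval.
OBFUSCATED_PLUGIN = (
    '<?php if(!function_exists("T4D1E8F4A2C9B3E70")){'
    'function T4D1E8F4A2C9B3E70($a){return $a;}}\n'
    'eval(gzuncompress(base64_decode("' + PACKED + '")));\n'
)

if __name__ == "__main__":
    for label, src in (("clean", CLEAN_PLUGIN), ("packed", OBFUSCATED_PLUGIN)):
        print(label, obfuscation_indicators(src), "->", is_likely_obfuscated(src))
    print(reveal_eval_payload(OBFUSCATED_PLUGIN).splitlines()[0])
```

Run it against every .php file in a plugin before activating the plugin, and treat any file that trips two indicators as "read the decoded payload first". The decode step only unwraps one layer; packers often nest several, so feed the revealed text back through the scanner until it stops matching. None of this proves a backdoor, only that the author did not want the code read, which on its own was enough reason for the verdicts on this page.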


November 19th, 2010

A week ago I found the now well known backdoor in BlogPress SEO. Since then the news has been picked up all over the place, some reports more accurate than others. Regardless, the pressure has caused the makers of the plugin to remove the backdoor, though doing so did not move the plugin out of its unacceptable state.
