It should be no surprise that some plugin authors cannot be trusted. We’ve seen that with the BlogPress SEO plugin, but that one was just sloppy. Others actually try to hide what they are doing. An easy way of doing this is to use a PHP code obfuscating application. These will produce code such as:
A week ago I found the now well-known backdoor in BlogPress SEO. Since then the news has been picked up all over the place, some more accurate than others. Regardless, the pressure has caused the makers of the plugin to remove the backdoor, which did not move it out of its unacceptable state.
Looks like Joost is getting to the BlogPress SEO folks. In the latest blog post by BlogPress SEO’s creator, we receive this nugget of comedy:
Why don’t big guys like BlogPress SEO?
I would come up with a very small and sweet explanation on why big Sites and Big guys don’t like BlogPress SEO?
The simple reason – they are scared!
Explanation: How many times it has happened with you write an original article and a site which has copied your article ranks on top of your site on Google? Well this is the power of backlinks and site authority. So its just a matter or backlinks – trust me. Now if you can over come that you can easily beat the **** out of Google’s algorithm… -Saurabh Nagar
Well, he couldn’t be talking about me, I don’t consider myself to be part of the supposed “big Sites and Big guys”. I do know why Joost does not like this plugin, and I agree with his justification. Let’s just say I am not trembling with fear of this plugin. Likewise, I’m sure Joost is not scared. I have no reason to be afraid of a plugin that will get you blacklisted from Google’s index and hands your blog over to Saurabh on a silver platter.
Due to the actions of the BlogPress SEO team, I can never, and will never, recommend that plugin. It is malware, written by people who clearly have malicious intent. Their lack of explanation or admitting to writing the backdoor demonstrates this. Instead, they spin, spin, spin more than a politician.
The fine folks that brought you BlogPress SEO are offering subscriptions for their product, or something along those lines. They are charging $97.00 a month for a single site subscription, and $597.00 a month for a 100 domain subscription. So now they are charging you and installing a backdoor in your site. But wait, there’s more. Whoever updated the page neglected to remove the download link or API key generator.
While I was catching some much needed rest after WordCamp MSP, Joost de Valk did something clever. He set up a BlogPress SEO plugin on WordPress.org. The initial release consists of just a readme.txt and a PHP file with only the plugin comment header, no actual code. Since he set this release as 2.0, all users of the malicious 1.1 and 1.2 versions will receive “Plugin update is available” notices.