It is sad that the first post for 2012 is exposing a spammer and security flaw, but it must be done. Today’s lesson in poor Internet etiquette and poor security awareness is WordPress.org user robinruet, promoter of Invenesys’ WP Sand Box plugin. Around the turn of the new year, robinruet went through the WordPress.org forums and replied to several support topics with the same post promoting the WP Sand Box plugin. These posts were all off topic, and on several occasions robinruet somehow managed to set the issue as resolved. The good news is his posts were deleted, along with his two plugins.
But this post isn’t about robinruet, who is an interesting character and possibly a hacked account (it started spamming a Google +1 clickjacking plugin). This is about WP Sand Box and why you should not use it.
If you have not heard about the unauthorized SVN commits to the WordPress.org plugin repository for the plugins AddThis, WPTouch, and W3 Total Cache, you may want to read the post on the WordPress.org blog first. This event has prompted a WordPress.org password reset for all registered users. While these are three high profile examples that happened in the last 48 hours, a similar incident happened back in February.
It should be no surprise that some plugin authors cannot be trusted. We’ve seen that with the BlogPress SEO plugin, but that one was just sloppy. Others actually try to hide what they are doing. An easy way of doing this is to use a PHP code obfuscating application. These will produce code such as:
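Obfuscator output of the kind described above usually shares a few tells: a decoding chain fed straight into eval(), long opaque string literals, or a function name held in a variable and called indirectly. The following scanner is an added example, not code from the original post or from any plugin it names; it flags those heuristics in PHP source, and the sample snippets are constructed (the encoded payload is just the word "hello").

```python
import re
from typing import Dict, List

# Heuristics for obfuscator output: a decoder chain fed straight into eval(),
# preg_replace with the /e modifier, very long opaque literals, \x-escaped
# strings, or a function name held in a variable and called indirectly.
# PHP function names are case-insensitive, hence IGNORECASE where it matters.
INDICATORS = {
    "eval_of_decoder": re.compile(
        r"\beval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13|strrev)\s*\(",
        re.IGNORECASE,
    ),
    "preg_replace_e": re.compile(r"preg_replace\s*\(\s*['\"][^'\"]*/[a-z]*e[a-z]*['\"]", re.IGNORECASE),
    "long_opaque_literal": re.compile(r"['\"][A-Za-z0-9+/=]{200,}['\"]"),
    "hex_escaped_string": re.compile(r"(?:\\x[0-9A-Fa-f]{2}){8,}"),
    "dynamic_function_call": re.compile(r"\$[A-Za-z_]\w*\s*\(\s*\$[A-Za-z_]\w*"),
}


def scan_php(source: str) -> List[Dict[str, object]]:
    """Return one finding per (line, indicator) hit, in file order."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for name, pattern in INDICATORS.items():
            if pattern.search(line):
                findings.append({"line": lineno, "indicator": name})
    return findings


def looks_obfuscated(source: str) -> bool:
    """A decoder-into-eval chain or an /e replace alone is enough to flag the
    file; the weaker indicators must appear together before it is flagged."""
    hits = {f["indicator"] for f in scan_php(source)}
    return "eval_of_decoder" in hits or "preg_replace_e" in hits or len(hits) >= 2


# Constructed samples, not taken from any real plugin. 'aGVsbG8=' is base64
# for the harmless word "hello"; only the shape of the code matters here.
SAMPLE_OBFUSCATED = "<?php\n$_x = 'aGVsbG8=';\neval(gzinflate(base64_decode($_x)));\n"
SAMPLE_INDIRECT = (
    "<?php\n$p = '" + "QUJD" * 60 + "';\n"   # 240-char opaque literal
    + "$f = 'str_rot13';\n$g = $f($p);\n"    # indirect call through a variable
)
SAMPLE_CLEAN = "<?php\nadd_action('init', 'my_plugin_init');\nfunction my_plugin_init() { return true; }\n"

if __name__ == "__main__":
    for label, src in [("obfuscated", SAMPLE_OBFUSCATED), ("indirect", SAMPLE_INDIRECT), ("clean", SAMPLE_CLEAN)]:
        print(label, looks_obfuscated(src), scan_php(src))
```

These patterns are review aids for a plugin you are about to install, not proof of malice; legitimate code occasionally trips the weaker indicators, so read the flagged lines rather than acting on the boolean alone.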
Looks like Joost is getting to the BlogPress SEO folks. In the latest blog post by BlogPress SEO’s creator, we receive this nugget of comedy:
Why don’t big guys like BlogPress SEO?
I would come up with a very small and sweet explanation on why big Sites and Big guys don’t like BlogPress SEO.
The simple reason – they are scared!
Explanation: How many times has it happened to you that you write an original article and a site which has copied your article ranks on top of your site on Google? Well, this is the power of backlinks and site authority. So it’s just a matter of backlinks – trust me. Now if you can overcome that you can easily beat the **** out of Google’s algorithm… -Saurabh Nagar
Well, he couldn’t be talking about me; I don’t consider myself to be part of the supposed “big Sites and Big guys”. I do know why Joost does not like this plugin, and I agree with his justification. Let’s just say I am not trembling with fear of this plugin. Likewise, I’m sure Joost is not scared. I have no reason to be afraid of a plugin that will get you blacklisted from Google’s index and hand your blog over to Saurabh on a silver platter.
Due to the actions of the BlogPress SEO team, I can never, and will never, recommend that plugin. It is malware, written by people who clearly have malicious intent. Their lack of explanation, and their refusal to admit to writing the backdoor, demonstrates this. Instead, they spin, spin, spin more than a politician.
The fine folks that brought you BlogPress SEO are offering subscriptions for their product, or something along those lines. They are charging $97.00 a month for a single site subscription, and $597.00 a month for a 100 domain subscription. So now they are charging you and installing a backdoor in your site. But wait, there’s more. Whoever updated the page neglected to remove the download link or the API key generator.