FREE WordPress Plugins Can Cost You!
Note: I have obscured the restaurant’s name and any other identifying details because the website owner is completely innocent of any wrongdoing and, if anything, is a victim of a plugin developer who is trying to profit from placing spam links inside their code.
Because it is against my own ethics, I did not further violate the website in order to examine the code to see how the plugin developer added the spam links.
Recently I posted why you should stay away from free WordPress themes unless they are verified and listed on WordPress.org. But I did not delve into the world of hinky WordPress plugins.
Mainly, the various individuals and businesses developing free WordPress plugins create wonderful products. The main goal of most WordPress plugin developers is to fill a need and highlight their business by giving away a valuable resource. Unfortunately, there are quite a few WordPress developers giving away their plugins for free because they have a darker reason for providing a free product. Their goal is to reap the rewards of a hidden link network.
Why Hide Hidden Links?
Unethical WordPress plugin developers secretly place the links within their WordPress plugin code so that innocent webmasters, who don’t know to look or how to spot the hallmarks of obfuscated code, will not notice them. They do this so their various websites gain thousands to hundreds of thousands of links from otherwise reputable websites. The end goal is to boost their questionable website through links from reputable websites.
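As an added example (not part of the original post, and not the code of the plugin described here, which was never inspected), the following Python scanner flags common hallmarks of obfuscated or link-hiding code in a plugin's .php and .js files for manual review. The patterns, function names and the sample plugin are assumptions constructed for illustration.

```python
import re
from pathlib import Path

# Heuristics chosen for this example; a hit means "review by hand", not proof of abuse.
HALLMARKS = [
    ("eval-of-decoded-data",
     re.compile(r"\beval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)),
    ("long-encoded-literal",
     re.compile(r"""['"][A-Za-z0-9+/]{120,}={0,2}['"]""")),
    ("link-inside-hidden-element",
     re.compile(r"""style\s*=\s*['"][^'"]*(?:display\s*:\s*none|visibility\s*:\s*hidden"""
                r"""|(?:left|top|text-indent)\s*:\s*-\d{3,})[^'"]*['"][^>]*>"""
                r""".{0,300}?<a\s[^>]*href\s*=\s*['"]https?://""", re.I | re.S)),
    ("script-hides-element",
     re.compile(r"""\.style\.display\s*=\s*['"]none['"]""", re.I)),
]

def scan_source(text):
    """Return sorted (line_number, label) pairs for every hallmark found in text."""
    hits = []
    for label, pattern in HALLMARKS:
        for m in pattern.finditer(text):
            hits.append((text.count("\n", 0, m.start()) + 1, label))
    return sorted(hits)

def scan_plugin_dir(root):
    """Scan every .php and .js file under root; return {path: hits} for flagged files."""
    report = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in {".php", ".js"}:
            hits = scan_source(path.read_text(encoding="utf-8", errors="replace"))
            if hits:
                report[str(path)] = hits
    return report

# Constructed sample resembling a plugin file with a concealed footer link.
SAMPLE_PLUGIN = """<?php
function demo_footer() {
    echo '<div id="dm1" style="position:absolute; left:-9999px">';
    echo '<a href="http://spam.example/">cheap pills</a></div>';
    echo '<script>document.getElementById("dm1").style.display="none";</script>';
}
add_action('wp_footer', 'demo_footer');
eval(base64_decode($demo_blob));
"""

if __name__ == "__main__":
    for line_no, label in scan_source(SAMPLE_PLUGIN):
        print(f"line {line_no}: {label}")
```

Legitimate plugins also hide elements with script, so `script-hides-element` on its own is weak evidence; it matters most when the same file also emits links to outside domains.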
Spam Links I Found On a Chicago Restaurant Website
I was checking out new restaurants in Chicago and stumbled across a website that obviously contained spam. I could see the spam clearly because I was using Firefox with the NoScript add-on. I like NoScript because it adds a layer of security when browsing by turning off all JavaScript. I personally just like to have Java turned off because it often contains nasty bugs that will have access to your computer unless you have the proper security measures. And even then, there are malicious JavaScripts that can circumvent even the best security. So, I prefer to constantly refer to the lower right-hand corner of my browser and selectively, temporarily allow certain JavaScripts through NoScript.
I called the restaurant and asked to speak with the manager. The hostess let me know that the manager was unavailable so I told her about the issue. She was understandably concerned and gave me an email address so I could send a screenshot of the issue and how to recreate it.
Restaurant Spam Letter
The restaurant’s hostess was prompt and responded quickly to my email to let me know that she did forward my information to the restaurant owner. I can only imagine the horror and panic the hostess and owner felt at seeing the following image. I don’t want to imagine the phone call to the web developer who thought they did a great job only to get blindsided by this find. I feel bad for the developer because they did nothing wrong. Chances are pretty good that, without looking over the offending WordPress plugin code, a visual scan would not find the problem. The website developer would have needed to use some of the more advanced WordPress exploit finding techniques I listed in this post.
Here is the screenshot I sent of the WordPress plugin spam issue:
I am happy to say that as of today, the web developer swiftly found and cleaned the issue. I normally am a little wary of letting people know about issues like this because I fear one of two things will happen:
- Shoot the messenger – I get blamed for the issue
- Misinterpret my motives – I am trying to drum up business by finding flaws
Neither could be farther from the truth. I feel a deep responsibility as an Internet Professional to speak up when I see an issue, no matter if it is my problem or another web developer’s mistake. Mistakes happen.
Swift Website Developer Response
I am just glad that the website DID NOT get flagged by Google as a potentially dangerous website. Thank goodness!
While it is not difficult to let Google know you have taken care of the issue, it is time consuming, as Google doesn’t have a “rapid response” to websites it deems have been naughty. So there is a potential of days to a week or so of website visitors getting warned about visiting your website. That can’t be good for business!
Potential Business Harming – Google’s Red Malicious Website Warning
I wish this restaurant the best of luck! Between their great reviews and checking out their menu… I am looking forward to visiting with my other half.