29 Comments

  1. Alex Mustin

    I’m surprised there’s no software check in place that scans the code for disallowed PHP or JS functions (base64_encode(), etc.) when pushing up to the Repo… That would’ve thrown a red flag immediately.

    • Goob

      Agreed 100%. I’m baffled that base64 code doesn’t get immediately rejected by the WP Repo.

    • Collins Agbonghama

      FWIW, not every intended use of base64_encode() is harmful and malicious.

      • Otto

        Any use of Base 64 in plugins actually sends me an email when committed. I read all of those emails and look at the code. 99% of them are totally harmless and reasonable. I’ve continued to read them all for the last 5 years because of that 1% that’s not.

    • Steven Gliebe

      This makes me wonder how many other plugins there might be on .org containing intentionally malicious code. Are there any third parties that scan the directory for these things?

      • Plugin Vulnerabilities

        In June we started monitoring changes made to plugins in the directory to try to catch some serious vulnerabilities. Some of the checks we do are based on previous instances of intentionally or possibly intentionally malicious code. So that could catch some future instances of it, but realistically it would be very difficult to catch, with that type of monitoring, instances where the developer makes an effort to hide what they are doing, as was the case with this plugin. It would be great if other companies were doing that type of monitoring as well, as even without catching intentionally malicious code, there are plenty of vulnerabilities in plugins that could be caught through it, based on the vulnerabilities we have found so far.

        We also monitor the support forum for indications of security issues in plugins, which could pick up some discussions that point to intentionally malicious code being in plugins, but in this situation it only alerted us to what was going on at the end. If someone is aware of a security situation with a plugin that isn’t getting properly handled in the future, please let us know.

        We are not aware of any disallowed PHP or JS functions, and there doesn’t appear to be any mention of that in the developer guidelines. If there are any that are disallowed that have security implications, please let us know and we can start monitoring for usage of them.
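
Editor’s note: the two comments above describe the kind of commit-time check being asked for, a scan of newly committed plugin code for base64 usage and related patterns that is then triaged by a human because most hits are harmless. The following is an added example of such a scanner and is not the WordPress.org review tooling or the Plugin Vulnerabilities monitor; the rule set, severities, file name and PHP samples are all constructed for illustration. It scores a bare base64 call low and only escalates when decoded data feeds eval(), a dynamic function, or a remote fetch, which is what a hidden loader tends to look like; the scan_diff() function applies the same rules to only the added lines of a unified diff, the way a commit hook would.

```python
"""Flag plugin source lines that warrant human review (added example, not
WordPress.org's own tooling). Rules and samples here are constructed."""
import base64
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    line_no: int
    rule: str
    severity: int  # 1 = review when convenient, 3 = look at it today
    text: str


# (rule name, severity, regex). A bare base64 call is common and usually
# legitimate, so it scores low; base64 feeding eval(), a dynamic function or
# a remote fetch is the shape of a hidden backdoor, so it scores high.
RULES = [
    ("eval_of_decoded", 3, re.compile(
        r"\beval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)),
    ("remote_fetch_of_decoded", 3, re.compile(
        r"\b(?:file_get_contents|curl_init|wp_remote_get|wp_remote_post)\s*\(\s*base64_decode\s*\(", re.I)),
    ("dynamic_function", 2, re.compile(r"\b(?:create_function|assert)\s*\(", re.I)),
    ("long_base64_literal", 1, re.compile(r"['\"][A-Za-z0-9+/]{40,}={0,2}['\"]")),
    ("base64_call", 1, re.compile(r"\bbase64_(?:en|de)code\s*\(", re.I)),
]


def scan_lines(numbered_lines):
    """Run every rule over (line_no, text) pairs and return all findings."""
    findings = []
    for line_no, text in numbered_lines:
        for name, severity, rx in RULES:
            if rx.search(text):
                findings.append(Finding(line_no, name, severity, text.strip()))
    return findings


def scan_source(src: str):
    """Scan a whole PHP file."""
    return scan_lines(enumerate(src.splitlines(), start=1))


def scan_diff(diff: str):
    """Scan only the lines a commit adds (unified diff), as a commit hook would."""
    added, new_line_no = [], 0
    for raw in diff.splitlines():
        if raw.startswith("@@"):
            # hunk header "@@ -a,b +c,d @@": c is the first new-file line number
            m = re.match(r"@@ -\d+(?:,\d+)? \+(\d+)", raw)
            new_line_no = int(m.group(1)) if m else 0
        elif raw.startswith(("+++", "---")):
            continue
        elif raw.startswith("+"):
            added.append((new_line_no, raw[1:]))
            new_line_no += 1
        elif raw.startswith(" "):
            new_line_no += 1  # context line; "-" lines do not advance the new file
    return scan_lines(added)


def max_severity(findings):
    """Triage score for a file or commit: 0 when nothing matched."""
    return max((f.severity for f in findings), default=0)


# Constructed samples (not code from any real plugin).
BENIGN_PHP = """<?php
// Inline SVG icon as a data URI: a common, harmless use of base64 encoding
$icon = 'data:image/svg+xml;base64,' . base64_encode( $svg );
"""

# A harmless payload, encoded so the sample has the shape of a hidden loader.
_PAYLOAD = base64.b64encode(b"<?php echo 'constructed harmless payload'; ?>").decode()
SUSPICIOUS_PHP = f"""<?php
$z = '{_PAYLOAD}';
eval(base64_decode($z));
"""

# The same two lines arriving as a commit to a hypothetical example-plugin.php.
SUSPICIOUS_DIFF = f"""--- a/example-plugin.php
+++ b/example-plugin.php
@@ -10,2 +10,4 @@
 function example_init() {{
+    $z = '{_PAYLOAD}';
+    eval(base64_decode($z));
     return true;
"""

if __name__ == "__main__":
    for label, src in (("benign", BENIGN_PHP), ("suspicious", SUSPICIOUS_PHP)):
        for f in scan_source(src):
            print(f"{label}: line {f.line_no} [{f.rule} sev {f.severity}] {f.text}")
    print("commit triage score:", max_severity(scan_diff(SUSPICIOUS_DIFF)))
```

The benign file produces one severity-1 hit (the base64_encode call), which is the "99% harmless" case and can be batched for review; the suspicious file and the diff both reach severity 3 on the eval-of-decoded line. A real deployment would add rules for the project's own concerns and still route every hit to a person, since the regexes only find the shape of obfuscation, not intent.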

  2. Tai

    Pretty pathetic the Author wants people to “cut me some slack” with malicious code. C’mon now.

  3. Donna

    Just putting a reason or a public page on a removed plugin is not enough. How many times after you’ve installed a plugin have you gone back to that plugin’s page on the repo? In most cases, I would think, that would be zero. So you would never know it even got removed, much less why.

    There are two responsible solutions to this problem as I see it, and both are necessary.

    1. A notification must be shown on every site’s Plugin admin page that is using the plugin. Just as though the plugin had an update, it should have a link that shows “Important Notice” or some such wording instead of “There is a new version available”. And of course, that notice should be linked to some sort of notification that the plugin has been removed and why. (Don’t even tell me that would make security worse. Please….we live in an age where disclosure is the right thing, not the wrong thing).

    2. If a plugin is “removed” permanently, a version that is reverted to a known-good version or a fixed version should be put in its place, and frozen…just as was finally done in this particular case. I like the way they finally handled this one.

    It’s kind of insane that current users of plugins removed for security reasons never ever know that there is a problem with the plugin they are using, unless they just happen to run across someone talking about it on a blog or social media somewhere. That’s.just.crazy. Notify users, dang it. NOTIFY USERS. Geez.

    • M

      +100

    • pierre

      I’ve said the same thing a hundred times.

      Beyond that, I used the original version of Display Widgets on over 100 sites. Went to look for it in July and it was delisted. Looked into why and found discussion about the spammy links. My coworkers and I had this exact discussion then, regarding this exact plugin!

    • Joachim Jensen

      I fully agree that following these 2 steps would be a great solution for cases like this.

      It should already be possible for the security team at wordpress.org to push out automatic plugin security updates so sites will update affected plugins in the background (like core):
      https://make.wordpress.org/plugins/2015/03/14/plugin-automatic-security-updates/

      Plugin readmes also have a section called “Upgrade Notice” but as far as I know, anything written there is not parsed or displayed anywhere to the user. That could be used to display important notices for a specific update, but as plugin developers can change the text themselves, I could see how it could be abused.

      As with everything else, communication is key.

    • Zesty Lemon

      In total agreement with Joachim! Last week, seeing an update for the plugin and the accompanying “Rollback to version x.y to remove recent changes” message made me curious as to what was going on. First thing I did was head for the plugin repo to see the changelog, as the link in WP admin wasn’t working, but couldn’t find the plugin.

      In cases like this a ‘holding page’ with more information / advice on how to proceed will benefit everyone, especially WordPress newbies.

  4. John

    At least 3 things are surprising here:

    – WP moderator’s tone in messages about this removal (I would rather apologize for letting such mess happen instead of giving military style orders and closing comments)

    – The total absence of suggested alternatives for the 200,000 existing installs (this article provides some of them, but do all users that installed this thing 200,000 times read it here? – I would rather have kept the plugin’s page live and provided alternatives for them there + alerted them about what happened)

    – How come there is no CLASS ACTION SUIT for such cases? (200,000 installs would represent something like 10,000 abused users and that would make a nice lawsuit to serve as example for the next ones that would like to try playing the same game).

  5. Ngan

    I’ve emailed the WordPress team when I discovered hidden spam pages on my blog; they did take the plugin down. The problem is, taking it down does not solve the problem; they should provide a security warning and a clean update.

  6. Tomas M.

    That’s why plugin authors that sell/give up their plugins take so much care to release their plugins into good hands.

    I hope Formidable Forms had their lesson learned, as this whole story will have a negative impact on their brand name.

    • Mark

      Why would it have a negative impact on them? They are not, nor should they be responsible for what an individual or business does with the product once it has been legally sold and transferred.

      If your neighbors moved and the couple who bought the house stopped maintaining their yard, whose fault is that?

      I’m sure the plugin author didn’t sell Display Widgets expecting this to happen, but placing any of the blame on them whatsoever is wrong.

      • Tomas M.

        It’s not about blaming, it’s about what will happen in real life. Pure psychology – your brand name related to something bad, etc.

        Probably many of their own clients were using this plugin, and it doesn’t matter that the plugin was sold; what matters is that websites that were using that plugin were affected in a very negative way.

        So plugin owner sold not only the plugin (a house), but also the phone book with contacts and the ability to enter houses of all the people on that book.

        That’s why when you read about acquisitions on WP Tavern, you notice how careful authors are when choosing the party that will inherit the product.

    • Joachim Jensen

      Otto actually made a post about scenarios like this a while back. It’s worth a read: https://make.wordpress.org/plugins/2016/02/12/on-the-topic-of-selling-your-plugins/

      I agree that the people behind Formidable Forms should not be blamed for the buyer’s behaviour, and shouldn’t apologize or anything. It’s clear in the article on Wordfence that they regret selling the plugin to the new owner.

      Content Aware Sidebars, one of the alternatives Sarah mentioned, has never been for sale, but I still get unsolicited offers from time to time. As I never read the emails fully before marking them as spam, unfortunately I don’t know if I’ve been contacted by the same person(s) that acquired Display Widgets.

  7. Tim Kaye

    I am a long-time user of this plugin. I installed the first update by the new plugin owner on a test site and immediately noticed problems, so did not install it (or any subsequent updates) on any live sites.

    My sites have not, therefore, been harmed by this episode. But I have been following closely what has been going on.

    What is missing from Sarah’s report is the shocking treatment meted out to David Law by the wordpress.org moderators. He even had his account suspended for a time!

    He was essentially acting as a whistle-blower, and yet got treated as if it were he who was in the wrong.

    Not for the first time, moderator Jan Dembowski behaved like a bully.

    And Mika Epstein’s own explanation of how this episode was allowed to unfold as it did paints her as naive in the extreme.

    To err is human. But their repeating the same mistakes in future would be less forgivable.

    A public apology to David Law would not go amiss.

  8. Eric

    There’s just got to be a way to get the word out about these types of situations. Personally, I was alerted that the plugin was removed from the repository via the Wordfence plugin. Otherwise, I’d have no idea that this happened (and I work with WordPress and follow news daily).

    As for the defensive stance seen in the forums, I can attest to it. A forum post where we were discussing what happened to the plugin was closed to new comments:
    https://wordpress.org/support/topic/display-widgets-plugin-v2-6-3-1-includes-hacking-code/page/2/

    With the moderator stating:

    “I’m going through and closing posts about this. There’s little point in people going around and slamming others about this. Remember: people can be mean, but you don’t have to be.”

    I don’t even think anyone was directly trying to slam anyone. It was just frustration about how this plugin was getting removed and re-added over the summer and that warnings about its malicious code may not have been handled so well.

    We just need a way to warn others when something like this occurs. Even if it’s a small notice on the plugins page.

  9. Katie Keith

    Over the years, I have happily used Display Widgets on dozens and perhaps hundreds of WordPress sites, with no problems. It’s such a shame that it has been acquired by such an unscrupulous company that has no respect for the WordPress community or its values. I know it’s a free plugin, but that doesn’t make it ok. Now I will have to change the MANY blog posts where I have recommended Display Widgets and switch to Jetpack Visibility or similar instead!

    • Eric

      It is a shame because Display Widgets was a really powerful plugin for what it did. This whole thing definitely put a lot of us in panic mode.

  10. Bianca

    I agree with the replies above. The mods on WordPress.org did not handle it very well IMHO. They should take lessons from the situation instead of letting egos and power play get in the way. At least that’s how I perceive it. Not very community-like… In the end they’re on the same side, right? This kind of reaction may lead to people (whistle-blowers) staying quiet and moving on to something else.

    Another concern I share with others is how safe the repository still is. Also I think that this kind of threat does not limit itself to plugins only but may affect themes as well. Heck, it may not even be limited to the repo but extend to marketplaces as well.

    It’s another wake-up call from which we can all take lessons.

  11. Jeffrey Carandang

    Thanks for suggesting Widget Options as a replacement. I’m the plugin creator and I’ve actually created a migration tool to move Display Widgets’ saved preferences to Widget Options. It’s my way of saying thanks to those who are choosing my plugin. The migration tool is available for free on GitHub: https://github.com/phpbits/widget-options-migrator and has full details and instructions here: https://widget-options.com/easily-migrate-display-widgets/

    Cheers!

    • Katie Keith

      That’s fantastic Jeffrey, I was groaning at the thought of migrating our clients to another plugin because some of their Display Widgets settings are quite complex. I have been hoping that someone honest will take over Display Widgets and fork it! Please could you confirm whether Widget Options has a feature to show/hide widgets based on post ID?

      • Jeffrey Carandang

        Hi,

        Sorry for the late response, not sure why I wasn’t notified. Widget Options’ support for post IDs is available in “Display Widget Logic” using is_single(). Using the migrator, it will automatically add this code for you :) Let me know how it goes. Thanks!