New Company Releases Evil WordPress Plugin

GangsterCodeLogo Earlier today on Twitter, WordPress community member Travis Ballard @Ansimation published a link to a plugin that will have people thinking twice before they sign up to a WordPress based website. Ironically, it’s called WPEvil and saves passwords into plain text instead of hashes. One thing I’ve learned over the years is that passwords are to never be stored in plain text, for any reason. I reached out to the creators of this plugin to see if they could give me a couple of legitimate use cases. Here is what they had to say.

Legitimate use would be I guess to tell one of your users their password if they can’t reset it for some reason. There are no appropriate uses for this plugin, I guess you could do your own research to see what people actually use as passwords.

Motivation? Bored.

Travis also got in touch with the plugin author on Reddit to discuss legitimate uses for this plugin and was greeted with an insult that it was above his pay grade.

So if you come across a WordPress powered website that you can tell is using this plugin, would you register your account there? How does it make you feel to see a company release such a plugin to the wild? Should anyone be worried that this plugin exists?


33 responses to “New Company Releases Evil WordPress Plugin”

  1. @Dave – Speaking as one who wrote a RickRoll plugin, and who writes evil plugins for both practice and for training, there actually are a lot of legitimate uses for plugins like this. Boredom is a factor, so is “I wonder if…”

    (Legitimate uses does not include ‘Using this on my real website.’)

  2. I am just wondering if there is any quality control over at the plugin repository. Does anyone filter out the “evil” plugins? Is there a litmus test? Evil is really in the eye of the beholder. I think it is injected spyware or was a trojan plugin, then that’s real EVIL. This one just seems like not very nice or possibly evil in the wrong hands.

  3. One more word about ciphered passwords:

    -do not cipher them using a symmetic key (e.g. DES or AES) . If the key is found, then all the passwords are revealed.
    -do not simply store SHA or MD5 hashes. There are hash dictionaries on the web. Rainbow tables are also usable to find the password that generated a particular hash.

    -use salting and integrate the username in the hash:

    1)choose a random string A
    2)compute B= SHA256(username:password)
    3)store in the database A and SHA256(A:B)
    3bis) as an alternative, store A and SHA256(A:username:password)

    this way, the stored hash cannot be used to recover the password.

  4. This doesn’t bother me one bit. I think it’s funny, actually. If anything, it’s a welcome reminder that websites can do a-n-y-t-h-i-n-g they want with the data you give them. Keep your guard up.

  5. @Daniel Crowley You are correct, there are sites that do store usernames and passwords in plain text who are not labeled as “Evil”, however IMO they should have a badge displayed that says “inexperienced and naive”. I recently visited a well known site and happened to look up into the address bar only to see both exposed in plain text!!! As @Rob Lawrence pointed out, there should be some quality control particularly for the safety and security of the general, global public. It is simply the responsible and honorable thing to do. Though, as @Richie stated those who use this plug-in may “deserve what they get” (only due to its own title), do the site’s visitors and general public who unwittingly submit to the use of this plug-in deserve what they get? This falls into the category of “reasonable expectations” don’t you think? And yes, by @Ipstenu definition and explanation of “legitimate”, in the dev environment for testing for security vulnerabilities I can see his point, but never under the excuse of boredom and certainly not ever in a production environment. @squalyl‘s solution is at least considering the implementation of a developer’s or site-builder’s own responsibility to the general public’s safety and privacy. Years ago I developed my own personal “salting” method due to some sensitive software packages for a client that required a higher level of security. Our responsibility is to the general public and end-user as well as the clients who will have their own pool of end-users. It is a very sad day that we live in to see that people like this have a place online that accepts anything from anyone without any type of quality control especially something that becomes associated with and affects their own reputation.

  6. @Rob Lawrence – Yes and no. We review all plugins as they are submitted, but we don’t do ongoing approvals for releases. If a plugin is insecure (like that text only password is readable to anyone via XSS or other methods while not being logged in as a permitted user) then we reject them. If you find a plugin like that, or one that breaks the guidelines for the WPORG repo, you should email plugins AT with the details. Link to the plugin, tell us exactly where the problem is, etc :)

  7. I was mostly bored when i decided to make this but I am sure getting a kick out of the people who think this is the end of the world and whine about it like the the author of this post. Its a plugin… dont use it if you dont like it, it is that simple. I like to see my data unhashed. Its my data I can view it if I please. There is no privacy online…. get used to it. Even Sony didnt keep their passwords hashed :D

  8. @Rob Lawrence – This plugin is not hosted on the plugin repository. Instead, it’s hosted on the GangstaCode website.

    @Daniel Crowley – Agreed and it’s usually too late before you find out.

    @dave wp evil – I’m not whining about it, just spreading the word. It’s not about privacy, it’s about the responsibility of making sure the data users provide you is kept safe and is not easily obtainable. Just out of curiosity, would you ever use your plugin on a large membership website with a ton of members? If so, would you at least disclose that information to members when they signed up?

  9. @dave wp evil – The guy is right if you don’t like it, don’t use it!

    Be interesting to see how you ppl react to a serious issue. If you have nothing better to do than chase up plugin ethics, who’s the “bored” one here? certainly NOT dave wp evil that’s for sure ;)

  10. “If you don’t like it, don’t use it!”

    That’s ABOUT the stupidest thing I’ve ever heard…

    The issue is not whether or not ONE OF US wants to use the plugin. It is whether other admins decide to unscrupulously install the plugin and not disclose it.

    *I* have no control over whether or not some other WordPress install USES or DOESN’T USE the plugin. But the fact that the plugin has been released into the wild means that other unscrupulous admins COULD covertly install the plugin and rape internet users for their private login names / passwords…

    Would *I* personally use the plugin? NO!

    But whether or not *I* would use the plugin is NOT what is at issue here… It is whether, since such a plugin exists in the wild, *OTHERS* would install such a plugin and use it against me or others.

    “Don’t use it if you don’t like it…” is little more than a red-herring. A sleight of hand wordgame.

    The one installing the plugin is not the one coming to harm by way of its use. It doesn’t matter whether I install it on my system. (I won’t.) It matters whether OTHERS whose websites I utilize install the plugin and fail to disclose that fact, thus leaving my data vulnerable…

    This kind of plugin makes it far too easy to build sites with little purpose other than to trick users into revealing their usernames / passwords and building a username/password dictionary for blackhat hacking.

    Just saying… I’m sure NOBODY ELSE was thinking of that use, right? :P

  11. Oh patrick it must be you who wrote me that nice email saying you will hack me and my mom sucks d*ck. How about i neg seo your site with a 1,000,000 backlinks and see how fast you change your tune? There is no bouncing back from that my friend.

  12. I think this plugin can potentially be a breach of users privacy. Website owners and administrators who store names and email addresses on their database are required to ensure that their privacy are maintained. Storing unencrypted passwords is a violation of users privacy and poses a security risk.

  13. No offense to the author of this post, but everyone knows plug-ins are what you “choose to use”. So this post and its topic is non news. There are thousands of insecure, unupdated plug-ins in WordPress’s library. How do you “fix” this “problem”?

    Don’t use them.

    As for the developer of this particular plug-in, it wasn’t even uploaded to the WordPress plug-in library… You came across it on a third-party site.

    I’ve seen tons of Questionable plugins available on various developers’ websites…. I don’t call them out as being evil, dumb, etc. I simply just don’t use them. I sure as hell don’t write them up and give them more publicity.

  14. @Chris – No offense taken. I debated for awhile on whether I would publish anything concerning this plugin and I concluded that it was better for the general populous to know about it instead of not saying anything. Your points are valid concerning the number of un-updated plugins in the repository but I would argue, how are end users supposed to know about those? Although there is a warning on plugins that have not been updated in 2 years, there are plugins from 2 years ago that work perfectly with the latest release of WordPress and who’s code is fine. I’m currently working on a guide on how to choose plugins on the repository which I hope will help people.

    He did submit the plugin to the WordPress plugin repository and as of yet, I can’t find it. I’ve sent an email to the folks who review the repository to see if they have come across it and whether it was accepted or denied.

    By the way, I never called the plugin evil, that’s the name of it lol. In my opinion, I think you’re doing everyone a disservice by not calling people out on questionable plugins you come across. By no means does that mean insulting people but the general public ought to know which plugins to potentially stay away from just as much as they should have insight into which ones to choose. Also, if we can help turn those questionable plugins into non-questionable plugins, everyone wins. I also think that it’s healthy to have a conversation on whether a plugin is questionable or not, which was another aspect of this post. As Ipstenu pointed out, there are some legitimates uses for this plugin, namely for researching purposes. I have no problem with a plugin that does that as long as it’s marketed for that use. If people download it and use it for malicious purposes, there’s nothing I can do about that.

    With all that said, there is one thing I’ll do differently in the future when bringing up questionable plugins. I won’t engage in a discussion unless it’s hosted on the repository.

  15. I think there is a distinct difference between ‘boredom’ and malicious behavior.
    You know, programing is going to need to start screening it’s applicants as police and other law enforcement officials and if they can’t pass the basic
    “yah, I’m quirky but I know right from wrong” test, then they just don’t get into a programming school, yes, folks can still teach themselves still.

    Up until now we’ve really only discussed the security issue from one side only, perhaps it’s time to start being a little more creative with our solutions to the security problems we all face.

  16. @Jeffro, don’t you think that conversations like this are its own form of quality control — despite the previous ugliness? There are many things in our world and work now that allows for things like the out-of-date plugins available for WordPress. They aren’t alone, but reviews, blog posts and other venues allow us to freely make our recommendations from our experiences as technology professionals. Those who are responsible web developers, server and database administrators and the like who DO keep up with the rapidly changing landscape of the tech world should start conversations just like this one to help others make sense of the overwhelming numbers of plugins, widgets, apps and such for more efficient and secure working environment for everyone. I love those OMGubuntu 10 or 12 things I do after installing the latest version of Ubuntu and any comparison posts of tools that make my work environment more efficient. While I know that it might not be suitable for my own purposes, it is a helpful framework. So, when someone comes across something like this plugin, I think it is very appropriate and responsible to write a post about it. There is usually much to gain from quality discussion in the comments to help you decide. It’s what I love about the internet.

  17. @Jeffro
    For what it’s worth,
    1. I think this is a perfect discussion to have.
    2. The plug-ins directory was started at a time when malicious behavior didn’t out weigh the standard user 6 to 1.

    If someone comes across a plug-in that is “Malicious” Some type of action should be taken to blackball it. It does not to the WordPress reputation any good when something like that is uploaded from their site, nor does it do anyone any good for future endeavors, you’ve no idea how many plug-in’s now are becoming *not* available to users because they require access to the webroot, and users in a standard multiple hosting environment are not given access to even their own webroot anymore.

    So, again, here we have the situation where “the actions of a few” are detrimental to the whole, personally, I’m getting really fed up with that scenario, and it’s hardly a motivation for keeping ones ethics in place if everytime someone else screws up, I get punished for it too.

    I think your post is perfectly valid, and community wisdom seeking, and community best-interest motivated. So Kudo’s!!

    @Michael – quite a number of years ago a person who had a THRIVING business of selling gamming pieces out of his garage sent me his website and database to design a new one.

    In that, he had all user names/pw/cc numbers/expiration dates everything, non-encrypted in a non-compiled website. i.e. just a website with an access database for the information.
    This person not being really very smart on the one end, was really brilliant on the other. Oh, and did I mention he sent this by email to me and maybe 15 people before me. If he sent it to one after me I’d be surprised.
    Part of our job includes the responsibilities that go with it, no different than a doctor or a lawyer, and most of us with no-less educational years.

    @dave wp evil -Yes, there’s no privacy online, that’s why @EFF fights for us everyday and why the White-House just stole twitters attorney.

    See, what allot of people forget is it’s just not people in the US, and what if some African country’s polit-bureau used this plug-in, and saw real-names of people who were uploading the articles, it would be death to another journalist. (granted a stretch in this case never-the-less)
    Simple security issues don’t seem to make a big difference here, but they can literally mean life or death to people and their families and their friends in other places. ref:,

You may also like


Subscribe Via Email

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

%d bloggers like this: