SI CAPTCHA Anti-Spam Plugin Permanently Removed from WordPress.org Due to Spam Code

The SI CAPTCHA Anti-Spam plugin has been removed from the WordPress.org plugin directory after its new owner added spam code to it. The plugin added a CAPTCHA image test to WordPress forms to prevent spam and was compatible with forms generated by bbPress, BuddyPress, Jetpack, and WooCommerce. It had more than 300,000 active installs at the time of removal.

Mike Challis, the original author of the plugin, said that a WordPress.org user named “fastsecure” became the new owner of SI CAPTCHA Anti-Spam in June 2017. Challis was not aware of the new owner’s plans for the plugin but posted a notice on the WordPress.org support forums to inform users about why it was removed.

“The new owner attempted to put code in several of his newly acquired WordPress plugins that would connect to a 3rd party server he also owned and place spam ads for payday loans and such in the WP posts,” Challis said. He also linked the incident to a ring of WordPress plugins that researchers at Wordfence say were part of a coordinated spam campaign. Display Widgets, one of the most notable plugins in this group, was recently permanently removed from WordPress.org for a series of violations wherein the author had injected malicious code.

Challis said the new owner failed to display any spam on sites due to how the code was implemented, but the code could have been activated at a later time:

The new owner put spam code in versions 3.0.1 and 3.0.2, but it failed to display any spam because he put the code in the secureimage.php file. The malicious code required WordPress libraries to also be loaded to execute. The reason the spam code did not do anything at all is because the secureimage.php file is not included in the WordPress runtime environment. The secureimage.php file is included from another file, securimage_show.php, that loads the captcha image directly from an HTML img src outside of the WordPress runtime. The spam code in this plugin was never activated; it would not have corrupted your posts or changed anything in the WordPress database.
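One way a site owner can make that kind of injected change visible, as an added example that is not from the article or from the plugin's own code: hash every file in the installed plugin and compare it against a known-clean copy (for instance a pre-incident tag checked out from plugins.svn.wordpress.org). The directory layout and file contents below are constructed for the demonstration.

```python
"""Compare an installed WordPress plugin directory against a clean reference copy.

Added example (not part of the WP Tavern article or the SI CAPTCHA plugin).
Assumes you already have a clean reference tree to compare against.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large assets do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def tree_hashes(root: Path) -> dict:
    """Map each file's path (relative to root, forward slashes) to its SHA-256."""
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
        for p in root.rglob("*")
        if p.is_file()
    }


def diff_plugin(installed: Path, reference: Path) -> dict:
    """Return the files added, removed, or modified in the installed copy.

    A modified library file such as secureimage.php shows up here even though
    WordPress itself never loads it during a normal page request.
    """
    got, want = tree_hashes(installed), tree_hashes(reference)
    return {
        "added": sorted(set(got) - set(want)),
        "removed": sorted(set(want) - set(got)),
        "modified": sorted(f for f in got.keys() & want.keys() if got[f] != want[f]),
    }


def demo() -> dict:
    """Constructed sample: a clean tree and an installed tree in which
    secureimage.php gained extra lines and an unexpected file appeared.
    File names follow the article; the contents are made up."""
    with tempfile.TemporaryDirectory() as tmp:
        ref, inst = Path(tmp) / "clean", Path(tmp) / "installed"
        for root in (ref, inst):
            root.mkdir()
            (root / "si-captcha.php").write_text("<?php // plugin bootstrap\n")
            (root / "securimage_show.php").write_text("<?php include 'secureimage.php';\n")
        (ref / "secureimage.php").write_text("<?php class Securimage {}\n")
        (inst / "secureimage.php").write_text(
            "<?php class Securimage {}\n// constructed extra line standing in for injected code\n"
        )
        (inst / "extra.php").write_text("<?php // file absent from the clean tag\n")
        return diff_plugin(inst, ref)


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```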

SI CAPTCHA Anti-Spam users who still have the plugin installed may see an update available in the WordPress admin. Plugin team member Samuel (Otto) Wood removed the malicious code and released 3.0.3 as a clean version that is a safe update for users who still rely on the plugin. Wood recommends users find an alternative, because SI CAPTCHA Anti-Spam will not be re-listed in the directory or receive any future updates.

The incident is another reminder for users to be on alert when WordPress.org plugins change hands, as the buyers do not always disclose their actual intentions for the plugin. Users in search of an alternative to SI CAPTCHA Anti-Spam will find many alternative options on WordPress.org. AntiSpam by CleanTalk, Simple Google reCAPTCHA, and CAPTCHA Code are a few examples that may work as replacements, depending on what other plugins you need the anti-spam capabilities to support.

35 Comments


  1. I recommend WP SpamShield as I’ve run it for over 2 years and it’s saved me a lot of spam both on my personal blog and on the other sites that I run. Best of all, there are no captchas involved.


  2. Does WP send out a notice in the admin that the plugin should be uninstalled? Feel like with 300k installs, many will have no idea…


    1. Probably not, Josh. Even if they do have such an email list, you would have to subscribe to it to avoid WordPress breaking the antispam laws.


  3. Perhaps Automattic could maintain a listing of WordPress plugins that have gone sour and if not too long push them to the Admin control panel…


    1. Clearly they could. In fact, they already notify me and all my clients of WordCamps and many other things they do not care about. This is a source of confusion and frustration for many who just want to run their site.

      Surely notifying us of critical security concerns would be a better use of the admin dashboard space.


  4. I just want to add a captcha to my WordPress login form to discourage abuse.

    None of the alternatives mentioned in the article seem to fit the bill. They either have discouraging reviews or aren’t very widely adopted.

    What do you recommend?


    1. I recommend WP SpamShield – no captchas for your visitors or members to fill out, and works with all forms and comment areas! Stops spam dead in its tracks, and if you want, you don’t even have to let your visitors know you run it!


    2. This year Google launched the latest version of the reCAPTCHA service – Invisible reCaptcha. I like it because it doesn’t ask users to click a checkbox. I personally use a plugin called Google Invisible reCaptcha by ThreatPress.


  5. The opening paragraph “The SI CAPTCHA Anti-Spam plugin has been removed from the WordPress Directory due to its author including spam code.” is misleading; it makes it sound like the person that created the plugin turned rogue, which is not the case.

    It was the person/people behind the user fastsecure (a user that was JUST created in June with no history in the WordPress community btw) that “became the new owner” (bought I assume, but no details in the article) of the plugin from Mike Challis in June that injected the code in question:

    https://profiles.wordpress.org/fastsecure

    “The new owner attempted to put code in several of his newly acquired WordPress plugins” … Again, no details, it would be helpful to know what those other plugins are so we can find alternatives for those.

    I just did a quick look around after reading it and it appears all of the plugins by Mike Challis have been pulled permanently from the repository (in particular Fast Secure Contact Form, which had 400K+ active installs).

    Mike also has a statement published @ http://www.fastsecurecontactform.com/

    “The incident is another reminder for users to be on alert when WordPress.org plugins change hands, as the buyers do not always disclose their actual intentions for the plugin.” seems like a weak suggestion; WordFence this year (for example, I don’t use it on any sites, but it may be time to re-evaluate) just implemented a feature to alert site admins when a plugin has been pulled from the repository.

    Why did a longtime developer sell to a user with no reputation in the WordPress community?

    Why do plugins get permanently pulled even if the current owner corrects the issue?

    Why does WordPress pull the URL completely off the repository as though it never existed, killing the downloads I understand, but why not have info related to why that plugin was pulled, and letting users know it won’t be coming back?

    It’s great that the repository admins are pulling malicious plugins out, but there seems to be an enormous disconnect between removing plugins and letting users know what is going on. To me, it seems like there needs to be a system in place for the transfer of ownership of plugins in the repository (at the very least once a certain level of active installs is reached) that involves a probationary period and a fee to cover the cost and time of babysitting new owners (there would be obvious reason for allowing well-established developers to fast track through this process).

    The original listings for Mike Challis plugins (via Wayback Machine as the links are now invalid):

    Fast Secure Contact Form (400K+ active installs)
    https://web.archive.org/web/20170614210930/https://wordpress.org/plugins/si-contact-form/

    SI CAPTCHA Anti-Spam (300K+ active installs):
    https://web.archive.org/web/20170327201154/https://wordpress.org/plugins/si-captcha-for-wordpress/

    Visitor Maps and Who’s Online (40K+ active installs)
    https://web.archive.org/web/20160207181915/https://wordpress.org/plugins/visitor-maps/

    Fast Secure reCAPTCHA (6K+ active installs):
    https://web.archive.org/web/20170721025620/https://wordpress.org/plugins/fast-secure-recaptcha/


    1. While the public-facing WordPress repository listings have been removed, the plugins haven’t been removed from the actual Subversion repository.

      You can still access the old versions via
      https://plugins.svn.wordpress.org/si-captcha-for-wordpress/
      https://plugins.svn.wordpress.org/si-contact-form/
      https://plugins.svn.wordpress.org/fast-secure-recaptcha/
      https://plugins.svn.wordpress.org/visitor-maps/

      You’ll need to go to “tags” and pick the version BEFORE the rogue code was inserted.


      1. That’s actually handy Paul, I wasn’t aware that the builds were available that way. I also noticed that the support forums are still active for all 4 plugins:

        https://wordpress.org/support/plugin/si-captcha-for-wordpress/
        https://wordpress.org/support/plugin/si-contact-form/
        https://wordpress.org/support/plugin/fast-secure-recaptcha/
        https://wordpress.org/support/plugin/visitor-maps/

        Actually, it looks like everyone in those forums is looking for the previous builds to roll back to, they could benefit from the links you mentioned.



  6. Too bad this seems to be becoming a trend nowadays. Just recently the Display Widgets plugin was removed, now this one. If this keeps happening it might be worthwhile to figure out a decent way of getting this kind of information to the users of a plugin that gets removed for these kinds of reasons.


  7. It’s annoying to see that authors are selling more and more of their work products to third parties WITHOUT checking the background of the new owner first. I refused buying attempts for a few of my plugins which were in the scope of 100k and more because I had a bad feeling about the deal. Before such a deal hurts my reputation as a developer and as an individual, I’d better refuse it.

    It must be greed, a lack of rationality or both to sell a plugin which is used on 300,000 websites to someone else who definitely has bad intentions.

    I have no sympathy for such a deal and the participating parties and wish that plugin owners would do more background investigations before they think about selling their product.

    Might be a good idea to write a publicly available handout for WordPress plugin owners with some tips on how to successfully transfer the ownership of a plugin and what to consider before selling a plugin.

    It should be in the interest of all of us to prevent such shitty deals.


  8. My heart goes out to Mike Challis and all the plugin & theme developers who were/are taken in by unscrupulous people. The days are long gone when we, as a community, can really take people at face value. For our safety and the safety of our readers we must do more research and deeper “investigations” just to stay online.

    When all of this news started breaking, I was struck by how differently things sometimes work, as opposed to other industries and niches. When the non-tech business owners/developers that I know decide they want to make an “exit” or change focus, they often put out the word to peers (people they know and trust.)

    Once a “new owner” is researched and goes through a transition period, where the original owner oversees the new owner as they work on the site/project together. This serves 3 purposes.

    1. The original owner gets to know the prospective new owner better.
    2. The prospective owner gets to “learn the ropes” and builds trust with the existing members/readers.
    3. The members/readers know what end is up and can make a more informed decision about whether they need to look for a new resource or option, before the original owner bows out fully.

    There have been quite a few times when owners and developers left without a word to users. Because I had no forewarning, I was left scrambling trying to find a new source for info or a comparable product.

    Sometimes being “transparent” isn’t easy but I greatly appreciate it when business owners and developers take the time to tell me about things that are likely to affect me or my business. Maybe I’m old fashioned but that level of integrity and respect is something that I’d like to see more of within every industry.

    I’m getting off my peach crate (aka soapbox) now. Thanks for letting me babble. :D


  9. There should be something done to change the attitudes of plugin/theme developers. As we see from the comments on the previous article:

    “I agree that the people behind Formidable Forms should not be blamed for the buyer’s behaviour, and shouldn’t apologize or anything.”

    They still think that they can do whatever they want with their code and they even “shouldn’t apologize or anything”… That’s right, legally they can, but being legal doesn’t make it necessarily right (slavery for example) and it doesn’t make this behavior ethical.

    Is it so hard to understand that you don’t sell your code? If anyone wants your code, they can just fork it. Yes, you are selling the “name” and reputation, but most of all you’re selling access to people’s sites. And if you sell it to the highest (or perhaps the only) bidder, without properly checking, you act irresponsibly.

    Did you do all the checks? Were you 100% sure you were giving the plugin into good hands? If not, then I’m 100% happy that all plugins of such an irresponsible developer would be closed by admins. No need to cry; your former users are crying now…


    1. It is extremely clear that these plugin developers are not doing their homework when it comes to vetting buyers.

      The sellers have a responsibility to existing users to do their homework. Anyone that says the seller shouldn’t share in any blame is crazy. OF COURSE THEY SHOULD!

      I don’t know the details and backstory on the sale of these plugins, but I have to wonder if it’s similar to the situation with the Display Widgets plugin. We know the backstory on that one. WordFence did an in-depth report on it. There were a LOT of red flags that went unheeded prior to the sale. So many red flags that it’s shocking that it even transpired.

      Let’s make this simple… reputation matters.

      If you do not know the reputation of the seller when selling a plugin with thousands of active installs (hundreds of thousands in this case)… DO NOT SELL TO THEM. If you have trouble vetting a buyer… DO NOT SELL TO THEM. If you can’t find anyone in the WordPress community that knows who the buyer is… DO NOT SELL TO THEM.

      If they appear to be buying up random plugins with no discernible business model… DO NOT SELL TO THEM. If you’ve never heard of them… DO NOT SELL TO THEM. If they appear to be shady SEO marketers… DO NOT SELL TO THEM. If they mention their involvement in online casinos and using plugins as a sales tactic for casinos when communicating with them… DO NOT SELL TO THEM.

      That online casino bit may have seemed random, but it was literally one of the many red flags in the Display Widgets correspondence leading up to its sale.

      Please do your homework people. It’s not hard. Don’t fail your users. If you do, you absolutely do shoulder some of the blame.


      1. Also, I mean, if they’re trying to pay money for your plugin, obvs they think they have a way to get money back out of it. And if you don’t understand how they plan to do that — run for the hills because it’s probably not via good methods.



      2. @Carl Handcock Dude, stop shouting …it’s really annoying. Try bold or italics for emphasis.

        Entities have every right to sell “As-Is” and waive their liabilities. Cycle down the chain of accountability all you want – or stop malicious intent/distribution at the loading docks.



  10. “users to be on alert when WordPress.org plugins change hands”

    And herein lies the problem. How does a typical end user from the backend of WordPress stay alerted to when a plugin disappears or changes hands outside of clicking a link to the Tavern to read about it? :) I think these situations are going to happen more often and underscore the need to at least alert plugin users that the plugin has disappeared or the owner has changed. Maybe something that is opt-in.


    1. No one has to opt in for admin panel notices for local Meetups and WordCamps (although that should be configurable also) based on your location; it would make perfect sense to me to allow admins to receive notices on either installed or activated plugins & themes.

      Also, I didn’t realize it until looking into this story a bit, WordFence has options to alert for abandoned (not updated in more than 2 years) and removed plugins from the repository:

      https://www.wordfence.com/blog/2017/06/abandoned-removed-plugin-alerts/


  11. WordPress already has a highly effective method for notifying users of plugin updates; surely this should be the method we can use to notify users when a plugin changes developers.


  12. Not sure if any of you have it but Wordfence alerts you to plugins that are removed from the repository, plugins that are no longer supported (over 2 years), and plugins that have files changed or added to them which differ from what the repo has too.


  13. If you want WordPress to notify you when plugins are removed or change ownership, then you need to make sure your voice is heard over at wordpress.org, specifically to the core and plugin teams. Several of us have argued before that users should be notified. The plugin team’s response so far is that notifying people would place more people at risk (I’m not making that up) because then attackers would know of the vulnerability too. I steadfastly disagree with that reasoning, but I’m only one person out of hundreds of millions.


  14. Luckily, this guy seems like he did not know how to put the malware in the correct file, but something similar might have happened to what happened a few weeks ago with the Display Widgets plugin …

    Without a doubt we should be, now more than ever, attentive to the security of our sites made with WP, since many pirates know that is the way to reach thousands of web pages, since WP is booming.

    During last week, I reported on my blog, podcast and youtube channel on the topic “Display Widgets” to alert all my followers, but I think it is also up to the WP.org community to send a notice to users whenever a plugin is removed from the repository … I am convinced that there must still be people with the malicious version of the Display Widgets installed on their web or blog, showing SPAM without having been able to realize the seriousness of the matter.

    I think the community should take very important steps in this regard and not allow anyone to upload any plugin to the repository until it has been completely reviewed to make sure it is clean. It will be hard work, of course, but if we all lend our cooperation for the common good, we are sure to walk safer.

    Greetings from Spain


  15. There are more positive examples than negative ones of plugin ownership transition, and these kinds of things will happen, but I think the plugin team is doing their best to purge out the bad ones.


    1. But it only takes one bad transition to affect hundreds of thousands of sites. I do not blame the plugin team for “failing” to catch what happened. We (the collective WordPress community) need to come to grips with the fact that we’re going to need to place some governance on plugins/themes, that it can no longer be the Wild West. That’s fine when you’re small and not important. When you become a critical component to the infrastructure of the entire Web, the Wild West becomes dangerous.


  16. When a plugin is removed from the repo, there should be a message telling the user that the plugin is no longer available, blah blah, instead of directing us to a search page.


  17. Honestly, with this happening as much as it is, plugins that change ownership need to be frozen and then treated like a brand new plugin for a while.

    Also, a Zero Tolerance policy needs to be implemented. That one that kept getting removed and put back only to be removed again is nuts.


    1. I’d love to see a policy where any plugin that is removed due to a vulnerability issue is not made available again until it goes through a complete security audit.


  18. To the bunch of you that asked about authors selling their plugins to nobodies… 1) we were all nobodies at one time; 2) even if original authors do their “homework”, the new author can do whatever AFTER the sale has gone through; 3) most authors sell because of money or because they are retiring.
