  1. Nathan Pinno

    I recommend WP SpamShield as I’ve run it for over 2 years and it’s saved me a lot of spam both on my personal blog and on the other sites that I run. Best of all, there are no captchas involved.


  2. Josh

    Does WP send out a notice in the admin that the plugin should be uninstalled? Feel like with 300k installs, many will have no idea…


  3. Marcus Tibesar

    Perhaps Automattic could maintain a listing of WordPress plugins that have gone sour and if not too long push them to the Admin control panel…


    • Sonja

      Clearly they could. In fact they already notify me and all my clients of wordcamps and many other things they do not care about. This is a source of confusion and frustration for many who just want to run their site.

      Surely notifying us of critical security concerns would be a better use of the admin dashboard space.


  4. Milo

    I just want to add a captcha to my WordPress login form to discourage abuse.

    None of the alternatives mentioned in the article seem to fit the bill. They either have discouraging reviews or aren’t very widely adopted.

    What do you recommend?


    • Nathan Pinno

      I recommend WP SpamShield – no captchas for your visitors or members to fill out, and works with all forms and comment areas! Stops spam dead in its tracks, and if you want, you don’t even have to let your visitors know you run it!


    • Rasa Adams

      This year Google launched the latest version of the reCAPTCHA service – Invisible reCaptcha. I like it because it doesn’t ask users to click a checkbox. I personally use a plugin called Google Invisible reCaptcha by ThreatPress.


  5. Brian Fuller

    The opening paragraph “The SI CAPTCHA Anti-Spam plugin has been removed from the WordPress Directory due to its author including spam code.” is misleading; it makes it sound like the person that created the plugin turned rogue, which is not the case.

    It was the person/people behind the user fastsecure (a user that was JUST created in June with no history in the WordPress community btw) that “became the new owner” (bought I assume, but no details in the article) of the plugin from Mike Challis in June that injected the code in question:


    “The new owner attempted to put code in several of his newly acquired WordPress plugins” … Again, no details; it would be helpful to know what those other plugins are so we can find alternatives for those.

    I just did a quick look around after reading it and it appears all of the plugins by Mike Challis have been pulled permanently from the repository (in particular Fast Secure Contact Form, which had 400K+ active installs).

    Mike also has a statement published @ http://www.fastsecurecontactform.com/

    “The incident is another reminder for users to be on alert when WordPress.org plugins change hands, as the buyers do not always disclose their actual intentions for the plugin.” seems like a weak suggestion; WordFence this year (for example, I don’t use it on any sites, but it may be time to re-evaluate) just implemented a feature to alert site admins when a plugin has been pulled from the repository.

    Why did a longtime developer sell to a user with no reputation in the WordPress community?

    Why do plugins get permanently pulled even if the current owner corrects the issue?

    Why does WordPress pull the URL completely off the repository as though it never existed? Killing the downloads I understand, but why not have info related to why that plugin was pulled, letting users know it won’t be coming back?

    It’s great that the repository admins are pulling malicious plugins out, but there seems to be an enormous disconnect between removing plugins and letting users know what is going on. To me, it seems like there needs to be a system in place for the transfer of ownership of plugins in the repository (at the very least once a certain level of active installs is reached) that involves a probationary period and a fee to cover the cost and time of babysitting new owners (there would be obvious reason for allowing well-established developers to fast track through this process).

    The original listings for Mike Challis plugins (via Wayback Machine as the links are now invalid):

    Fast Secure Contact Form (400K+ active installs)

    SI CAPTCHA Anti-Spam (300K+ active installs)

    Visitor Maps and Who’s Online (40K+ active installs)

    Fast Secure reCAPTCHA (6K+ active installs)


  6. Pieter Daalder

    Too bad this seems to become a trend nowadays. Just recently the Display Widgets plugin was removed, now this one. If this keeps happening it might be worthwhile to figure out a decent way of getting this kind of information to the users of a plugin that gets removed for these kinds of reasons.


  7. René Hermenau

    It’s annoying to see that authors are selling more and more of their work products to third parties WITHOUT checking the background of the new owner first. I refused buying attempts for a few of my plugins which were in the scope of 100k and more because I had a bad feeling about the deal. Before such a deal hurts my reputation as a developer and as an individual, I’d better refuse it.

    It must be greed, a lack of rationality or both to sell a plugin which is used on 300,000 websites to someone else who definitely has bad intentions.

    I have no sympathy for such a deal and the participating parties and wish that plugin owners would do more background investigations before they think about selling their product.

    It might be a good idea to write a publicly available handout for WordPress plugin owners with some tips on how to successfully transfer the ownership of a plugin and what to consider before selling a plugin.

    It should be in the interest of all of us to prevent such shitty deals.


  8. Kit

    My heart goes out to Mike Challis and all the plugin & theme developers who were/are taken in by unscrupulous people. The days are long gone when we, as a community, can really take people at face value. For our safety and the safety of our readers we must do more research and deeper “investigations” just to stay online.

    When all of this news started breaking, I was struck by how differently things sometimes work, as opposed to other industries and niches. When the non-tech business owners/developers that I know decide they want to make an “exit” or change focus, they often put out the word to peers (people they know and trust).

    Once a “new owner” is researched, they go through a transition period where the original owner oversees the new owner as they work on the site/project together. This serves 3 purposes.

    1. The original owner gets to know the prospective new owner better.
    2. The prospective owner gets to “learn the ropes” and builds trust with the existing members/readers.
    3. The members/readers know what end is up and can make a more informed decision about whether they need to look for a new resource or option, before the original owner bows out fully.

    There have been quite a few times when owners and developers left without a word to users. Because I had no forewarning, I was left scrambling trying to find a new source for info or a comparable product.

    Sometimes being “transparent” isn’t easy but I greatly appreciate it when business owners and developers take the time to tell me about things that are likely to affect me or my business. Maybe I’m old fashioned but that level of integrity and respect is something that I’d like to see more of within every industry.

    I’m getting off my peach crate (aka soapbox) now. Thanks for letting me babble. :D


  9. Ryan Gudonis

    Fast Secure Contact Form also has the same issue. Upon learning about this, I replaced FSCF with Contact Form 7 on the WordPress sites I managed immediately.

    Mike Challis posted a statement on the plugin’s website: http://www.fastsecurecontactform.com/


  10. Tomas M.

    There should be something done to change the attitudes of plugin/theme developers. As we see from the comments on the previous article:

    “I agree that the people behind Formidable Forms should not be blamed for the buyer’s behaviour, and shouldn’t apologize or anything.”

    They still think that they can do whatever they want with their code and they even “shouldn’t apologize or anything”… That’s right, legally they can, but being legal doesn’t make it necessarily right (slavery for example) and it doesn’t make this behavior ethical.

    Is it so hard to understand that you don’t sell your code – if anyone wants your code, they can just fork it. Yes, you are selling the “name” and reputation, but most of all you’re selling access to people’s sites. And if you sell it to the highest (or perhaps the only) bidder, without properly checking, you act irresponsibly.

    Did you do all the checks? Were you 100% sure you gave the plugin into good hands? If not, then I’m 100% happy that all plugins of such an irresponsible developer would be closed by admins. No need to cry, your former users are crying now…


    • Carl Hancock

      It is extremely clear that these plugin developers are not doing their homework when it comes to vetting buyers.

      The sellers have a responsibility to existing users to do their homework. Anyone that says the seller shouldn’t share in any blame is crazy. OF COURSE THEY SHOULD!

      I don’t know the details and backstory on the sale of these plugins but I have to wonder if it’s similar to the situation with the Display Widgets plugin. We know the backstory on that one. WordFence did an in-depth report on it. There were a LOT of red flags that went unheeded prior to the sale. So many red flags that it’s shocking that it even transpired.

      Let’s make this simple… reputation matters.

      If you do not know the reputation of the seller when selling a plugin with thousands of active installs (hundreds of thousands in this case)… DO NOT SELL TO THEM. If you have trouble vetting a buyer… DO NOT SELL TO THEM. If you can’t find anyone in the WordPress community that knows who the buyer is… DO NOT SELL TO THEM.

      If they appear to be buying up random plugins with no discernible business model… DO NOT SELL TO THEM. If you’ve never heard of them… DO NOT SELL TO THEM. If they appear to be shady SEO marketers… DO NOT SELL TO THEM. If they mention their involvement in online casinos and using plugins as a sales tactic for casinos when communicating with them… DO NOT SELL TO THEM.

      That online casino bit may have seemed random but it was literally one of the many red flags in the Display Widgets correspondence leading up to its sale.

      Please do your homework people. It’s not hard. Don’t fail your users. If you do, you absolutely do shoulder some of the blame.


      • George Stephanis

        Also, I mean, if they’re trying to pay money for your plugin, obvs they think they have a way to get money back out of it. And if you don’t understand how they plan to do that — run for the hills because it’s probably not via good methods.


      • Tai

        @Carl Hancock Dude, stop shouting… it’s really annoying. Try bold or italics for emphasis.

        Entities have every right to sell “As-Is” and waive their liabilities. Cycle down the chain of accountability all you want – or stop malicious intent/distribution at the loading docks.


  11. Jeff Chandler

    “users to be on alert when WordPress.org plugins change hands”

    And herein lies the problem. How does a typical end user from the backend of WordPress stay alerted to when a plugin disappears or changes hands outside of clicking a link to the Tavern to read about it? :) I think these situations are going to happen more often and underscore the need to at least alert plugin users that the plugin has disappeared or the owner has changed. Maybe something that is opt-in.


  12. Tim Blankenship

    WordPress already has a highly effective method for notifying users of plugin updates, surely this should be the method we can use to notify users when a plugin changes developers.


  13. Thomas Wainwright

    Not sure if any of you have it but Wordfence alerts you to plugins that are removed from the repository, plugins that are no longer supported (over 2 years), and plugins that have files changed or added to them which differ from what the repo has too.
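An added example, not from any commenter and not Wordfence’s code: a small audit that performs the first two checks described above (plugin no longer listed in the directory, no update in over two years) against the wordpress.org plugin information API, plus a version comparison. The API URL and response shape are assumptions about the public endpoint; the plugin slugs, versions and dates are constructed sample data so the script runs offline.

```python
import json
from datetime import datetime, timedelta
from urllib.request import urlopen
from urllib.error import HTTPError

# Assumed public endpoint and response shape of the wordpress.org plugin info API
INFO_URL = ("https://api.wordpress.org/plugins/info/1.2/"
            "?action=plugin_information&request[slug]={slug}")
STALE_AFTER = timedelta(days=2 * 365)

def fetch_plugin_info(slug):
    """Live fetcher: parsed JSON record, or None if the directory no longer lists the slug."""
    try:
        with urlopen(INFO_URL.format(slug=slug), timeout=10) as resp:
            data = json.load(resp)
    except HTTPError as err:
        if err.code == 404:
            return None
        raise
    # Assumption: unknown slugs come back as a 200 with an "error" key
    return None if "error" in data else data

def audit_plugins(installed, fetch=fetch_plugin_info, now=None):
    """installed: {slug: locally installed version}. Returns {slug: [finding, ...]}."""
    now = now or datetime.now()
    findings = {}
    for slug, local_version in installed.items():
        info = fetch(slug)
        issues = []
        if info is None:
            issues.append("removed from wordpress.org directory")
        else:
            # last_updated looks like "2017-06-09 3:12pm GMT"; only the date part matters here
            last = datetime.strptime(info["last_updated"].split(" ")[0], "%Y-%m-%d")
            if now - last > STALE_AFTER:
                issues.append("no update in over 2 years")
            if info["version"] != local_version:
                issues.append(f"local {local_version} != repo {info['version']}")
        if issues:
            findings[slug] = issues
    return findings

# Constructed sample directory state standing in for the live API (not real plugins)
SAMPLE_REPO = {
    "sample-form":   {"version": "4.9", "last_updated": "2017-09-01 10:00am GMT"},
    "sample-widget": {"version": "1.0", "last_updated": "2014-03-02 2:00pm GMT"},
    # "sample-captcha" is deliberately absent: the directory no longer lists it
}

def demo():
    installed = {"sample-form": "4.9", "sample-widget": "0.9", "sample-captcha": "2.7"}
    return audit_plugins(installed, fetch=SAMPLE_REPO.get, now=datetime(2017, 9, 14))

if __name__ == "__main__":
    for slug, issues in demo().items():
        print(slug, "->", "; ".join(issues))
```

Swap `SAMPLE_REPO.get` for the default `fetch_plugin_info` to run it against the live directory for the slugs in your `wp-content/plugins` folder.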


  14. Paul F Gilzow

    If you want WordPress to notify you when plugins are removed or change ownership, then you need to make sure your voice is heard over at wordpress.org, specifically to core and the plugin teams. Several of us have argued before that users should be notified. The plugin team’s response so far is that notifying people would place more people at risk (I’m not making that up) because then attackers would know of the vulnerability too. I steadfastly disagree with that reasoning, but I’m only one person out of hundreds of millions.


  15. Juanma Aranda

    Luckily, this guy seems like he did not know how to put the malware in the correct file, but something similar might have happened to what happened a few weeks ago with the Display Widgets plugin …

    Without a doubt we should be, now more than ever, attentive to the security of our sites made with WP, since many pirates know that it is the way to reach thousands of web pages, since WP is booming.

    Last week, I reported on my blog, podcast and YouTube channel on the topic “Display Widgets” to alert all my followers, but I think it is also up to the WP.org community to send a notice to users whenever a plugin is removed from the repository … I am convinced that there must still be people with the malicious version of Display Widgets installed on their web or blog, showing SPAM without having been able to realize the seriousness of the matter.

    I think the community should take very important steps in this regard and not allow anyone to upload any plugin to the repository without it having been completely reviewed to make sure it is clean. It will be hard work, of course, but if we all lend our cooperation for the common good, we are sure to walk safer.

    Greetings from Spain


  16. Jeffrey

    There are more positive examples than negative ones of plugin ownership transition, and these kinds of things will happen, but I think the plugin team is doing their best to purge out the bad ones.


    • Paul F Gilzow

      But it only takes one bad transition to affect hundreds of thousands of sites. I do not blame the plugin team for “failing” to catch what happened. We (the collective WordPress community) need to come to grips with the fact that we’re going to need to place some governance on plugins/themes, that it can no longer be the Wild West. That’s fine when you’re small and not important. When you become a critical component to the infrastructure of the entire Web, the Wild West becomes dangerous.


  17. Kingsley Felix

    When a plugin is removed from the repo, there should be a message telling the user that the plugin is no longer available blah blah instead of directing us to a search page


  18. Jon

    Honestly, with this happening as much as it is, plugins that change ownership need to be frozen and then treated like a brand new plugin for a while.

    Also, a Zero Tolerance policy needs to be implemented. That one that kept getting removed and put back only to be removed again is nuts.


  19. Miroslav Glavic

    To the bunch of you that asked about authors selling their plugins to nobodies…1) we were all nobodies at one time 2) Even if original authors do their “homework” then the new author can do whatever AFTER the sale has gone through 3) Most authors sell because of money or they are retiring.


  20. WP Helper

    I recommend Security Shield; it has a spam captcha feature.

