SI CAPTCHA Anti-Spam Plugin Permanently Removed from Due to Spam Code

The SI CAPTCHA Anti-Spam plugin has been removed from the WordPress Directory due to its author including spam code. The plugin added a CAPTCHA image test to WordPress forms to prevent spam and was compatible with forms generated by bbPress, BuddyPress, Jetpack, and WooCommerce. It had more than 300,000 active installs at the time of removal.

Mike Challis, the original author of the plugin, said that a user named “fastsecure” became the new owner of SI CAPTCHA Anti-Spam in June 2017. Challis was not aware of the new owner’s plans for the plugin but posted a notice on the support forums to inform users about why it was removed.

“The new owner attempted to put code in several of his newly acquired WordPress plugins that would connect to a 3rd party server he also owned and place spam ads for payday loans and such in the WP posts,” Challis said. He also linked the incident to a ring of WordPress plugins that researchers at Wordfence say were part of a coordinated spam campaign. Display Widgets, one of the most notable plugins in this group, was recently permanently removed from for a series of violations wherein the author had injected malicious code.

Challis said the new owner failed to display any spam on sites due to how the code was implemented, but the code could have been activated at a later time:

The new owner put spam code in versions 3.0.1 and 3.0.2 but it failed to display any spam because he put the code in the secureimage.php file. The malicious code required WordPress libraries to also be loaded to execute. The reason the spam code did not do anything at all is because the secureimage.php file is not included in the WordPress run time environment. The secureimage.php file is included from another file securimage_show.php that loads the captcha image directly from html img src outside of the WordPress run time. The spam code in this plugin was never activated, it would not have corrupted your posts or changed anything in the WordPress database.

SI CAPTCHA Anti-Spam users who still have the plugin installed may see an update available in the WordPress admin. Plugin team member Samuel (Otto) Wood removed the malicious code and released 3.0.3 as a clean version that is a safe update for users who still rely on the plugin. Wood recommends users find an alternative, because SI CAPTCHA Anti-Spam will not be re-listed in the directory or receive any future updates.

The incident is another reminder for users to be on alert when plugins change hands, as the buyers do not always disclose their actual intentions for the plugin. Users in search of an alternative to SI CAPTCHA Anti-Spam will find many alternative options on AntiSpam by CleanTalk, Simple Google reCAPTCHA, and CAPTCHA Code are a few examples that may work as replacements, depending on what other plugins you need the anti-spam capabilities to support.


35 responses to “SI CAPTCHA Anti-Spam Plugin Permanently Removed from Due to Spam Code”

    • Clearly they could. In fact they already notify me and all my clients of wordcamps and many other things they do not care about. This is a source of confusion and frustration for many who just want to run their site.

      Surely notifying us of critical security concerns would be a better use of the admin dashboard space.

  1. I just want to add a captcha to my wordpress login form to discourage abuse.

    None of the alternatives mentioned in the article seem to fit the bill. They either have discouraging reviews or aren’t very widely adopted.

    What do you recommend?

  2. The opening paragraph “The SI CAPTCHA Anti-Spam plugin has been removed from the WordPress Directory due to its author including spam code.” is misleading, it makes it sound like the person that created the plugin turned rogue, which is not the case.

    It was the person/people behind the user fastsecure (a user that was JUST created in June with no history in the WordPress community btw) that “became the new owner” (bought I assume, but no details in the article) of the plugin from Mike Challis in June that injected the code in question:

    “The new owner attempted to put code in several of his newly acquired WordPress plugins” … Again, no details, it would be helpful to know what those other plugins are so we can find alternatives for those.

    I just did a quick look around after reading it and it appears all of the plugins by Mike Challis have been pulled permanently from the repository (in particular Fast Secure Contact Form, which had 400K+ active installs).

    Mike also has a statement published @

    “The incident is another reminder for users to be on alert when plugins change hands, as the buyers do not always disclose their actual intentions for the plugin.” seems like a weak suggestion, WordFence this year (for example, I don’t use it on any sites, but it may be time to re-evaluate) just implemented a feature to alert site admins when a plugin has been pulled from the repository.

    Why did a longtime developer sell to a user with no reputation in the WordPress community?

    Why do plugins get permanently pulled even if the current owner corrects the issue?

    Why does WordPress pull the URL completely off the repository as though it never existed, killing the downloads I understand, but why not have info related to why that plugin was pulled, and letting users know it won’t be coming back?

    It’s great that the repository admins are pulling malicious plugins out, but there seems to be an enormous disconnect between removing plugins and letting users know what is going on. To me, it seems like there needs to be a system in place for the transfer of ownership of plugins in the repository (at the very least once a certain level of active installs is reached) that involves a probationary period and a fee to cover the cost and time of babysitting new owners (there would be obvious reason for allowing well-established developers to fast track through this process).

    The original listings for Mike Challis plugins (via Wayback Machine as the links are now invalid):

    Fast Secure Contact Form (400K+ active installs)

    SI CAPTCHA Anti-Spam (300K+ active installs):

    Visitor Maps and Who’s Online (40K+ active installs)

    Fast Secure reCAPTCHA (6K+ active installs):

  3. Too bad this seems to become a trend nowadays.. Just recently the Display Widgets plugin was removed, now this one. If this keeps happening it might be worthwhile to figure out a decent way of getting this kind of information to the users of a plugin that gets removed because of these kind of reasons.

  4. It’s annoying to see that authors are selling more and more of their work products to third parties WITHOUT checking the background of the new owner first. I refused buying attempts of a few of my plugins which were in the scope of 100k and more because i had a bad feeling with the deal. Before such a deal hurts my reputation as a developer and as a personal Individuum i better refuse it.

    It must be greed, a lack of rationality or both to sell to a plugin which is used on 300.000 websites to someone else who definitely has bad intends.

    I have no sympathy for such a deal and the participating parties and wish that plugin owners do more background investigations before they think about selling their product.

    Might be a good idea to write a publicly available handout for wordpress plugin owners with some tips how to successfully transfer the ownership of a plugin and what to consider before selling a plugin.

    It should be in the intend of all of us to prevent such shitty deals.

  5. My heart goes out to Mike Challis and all the plugin & theme developers who were/are taken in by unscrupulous people. The days are long gone when we, as a community, can really take people at face value. For our safety and the safety of our readers we must do more research and deeper “investigations” just to stay online.

    When all of this news started breaking, I was struck by how differently things sometimes work, as opposed to other industries and niches. When the non-tech business owners/developers that I know decide they want to make an “exit” or change focus, they often put out the word to peers (people they know and trust.)

    Once a “new owner” is researched and goes through a transition period, where the original owner oversees the new owner as they work on the site/project together. This serves 3 purposes.

    1. The original owner gets to know the prospective new owner better.
    2. The prospective owner gets to “learn the ropes” and builds trust with the existing members/readers.
    3. The members/readers know what end is up and can make a more informed decision about whether they need to look for a new resource or option, before the original owner bows out fully.

    There have been quite a few times when owners and developers left without a word to users. Because I had no forewarning, I was left scrambling trying to find a new source for info or a comparable product.

    Sometimes being “transparent” isn’t easy but I greatly appreciate it when business owners and developers take the time to tell me about things that are likely to affect me or my business. Maybe I’m old fashioned but that level of integrity and respect is something that I’d like to see more of within every industry.

    I’m getting off my peach crate (aka soapbox) now. Thanks for letting me babble. :D

  6. There should be something done to change the attitudes of plugin/theme developers. As we see from the comments on previous article

    I agree that the people behind Formidable Forms should not be blamed for the buyer’s behaviour, and shouldn’t apologize or anything.

    They still think that they can do whatever they want with their code and they even “shouldn’t apologize or anything”… That’s right, legally they can, but being legal doesn’t make it necessary right (slavery for example) and it doesn’t make this behavior ethical.

    Is it so hard to understand, that you don’t sell your code – if anyone wants you code, they can just fork it. Yes, you are selling the “name” and reputation, but must of all you’re selling access to people’s sites. And if you sell it to a highest (or perhaps the only) bidder, without properly checking, you act irresponsibly.

    Did you do all checks, were you 100% sure, you give the plugin into good hands? If not, then I’m 100% happy that all plugins of such irresponsible developer would be closed by admins. No need to cry, your former users are crying now…

    • It is extremely clear that these plugin developers are not doing their homework when it comes to vetting buyers.

      The sellers have a responsibility to existing users to do their homework. Anyone that says the seller shouldn’t share in any blame is crazy. OF COURSE THEY SHOULD!

      I don’t know the details and backstory on the sale of these plugins but I have to wonder if it’s similar to the situation with the Display Widgets plugin. We know the backstory on that one. WordFence did an indepth report on it. There were a LOT of red flags that went unheeded prior to the sale. So many red flags that it’s shocking that it even transpired.

      Let’s make this simple… reputation matters.

      If you do not know the reputation of the seller when selling a plugin with thousands of active installs (hundreds of thousands in this case)… DO NOT SELL TO THEM. If you have trouble vetting a buyer… DO NOT SELL TO THEM. If you can’t find anyone in the WordPress community that knows who the buyer is… DO NOT SELL TO THEM.

      If they appear to be buying up random plugins with no discernable business model… DO NOT SELL TO THEM. If you’ve never heard of them… DO NOT SELL TO THEM. If they appear to be shady SEO marketers… DO NOT SELL TO THEM. If they mention their involvement in online casinos and using plugins as a sales tactic for casinos when communicating with them… DO NOT SELL TO THEM.

      That online casino bit may have seemed random but it was literally one of the many red flags in the Display Widget correspondence leading up to it’s sale.

      Please do your homework people. It’s not hard. Don’t fail your users. If you do, you absolutely do shoulder some of the blame.

      • @Carl Handcock Dude, stop shouting …it’s really annoying. Try bold or italics for emphasis.

        Entities have every right to sell “As-Is” and waive their liabilities. Cycle down the chain of accountability all you want – or stop malicious intent/distribution at the loading docks.

  7. users to be on alert when plugins change hands

    And herein lies the problem. How does a typical end user from the backend of WordPress stay alerted to when a plugin disappears or changes hands outside of clicking a link to the Tavern to read about it? :) I think these situations are going to happen more often and underscore the need to at least alert plugin users that the plugin has disappeared or the owner has changed. Maybe something that is opt-in.

  8. Not sure if any of you have it but Wordfence alerts you to plugins that are removed from the repository, plugins that are no longer supported (over 2 years), and plugins that have files changed or added to them which differ from what the repo has too.

  9. If you want WordPress to notify you when plugins are removed or changes ownership, then you need to make sure your voice is heard over at, specifically to core and the plugin teams. Several of us have argued before that users should be notified. The plugin team’s response so far is that notifying people would place more people at risk (I’m not making that up) because then attackers would know of the vulnerability too. I steadfastly disagree with that reasoning, but I’m only one person out of hundreds of millions.

  10. Luckily, this guy seems like he did not know how to put the malware in the correct file, but something similar might have happened to what happened a few weeks ago with the Display Widgets plugin …

    Without a doubt we should be, now more than ever, attentive to the security of our sites made with WP, since many pirates know that is the way to reach thousands of web pages, since WP is booming.

    During last week, I reported on my blog, podcast and youtube channel on the topic “Display Widgets” to alert all my followers, but I think it is also up to the community to send a notice to users whenever a plugin is removed from the repository … I am convinced that there must still be people with the malicious version of the Display Widgets installed on their web or blog, showing SPAM without having been able to realize the seriousness of the matter.

    I think the community should take very important steps in this regard and not allow all people upload any plugin to the repository without it has been completely revised to make sure it is clean. It will be hard work, of course, but if we all lend our cooperation for the common good, we are sure to walk safer.

    Greetings from Spain

    • But it only takes one bad transition to affect hundreds of thousands of sites. I do not blame the plugin team for “failing” to catch what happened. We (the collective WordPress community) need to come to grips with the fact that we’re going to need to place some governance on plugins/themes, that it can no longer be the Wild West. That’s fine when you’re small and not important. When you become a critical component to the infrastructure of the entire Web, the Wild West becomes dangerous.

  11. Honestly, with this happening as much as it is, plugins that change ownership need to be frozen and then treated like a brand new plugin for a while.

    Also, a Zero Tolerance policy needs to be implemented. That one that kept getting removed and put back only to be removed again is nuts.

  12. To the bunch of you that asked about authors selling their plugins to nobodies…1) we were all nobodies at one time 2) Even if original authors do their “homework” then the new author can do whatever AFTER the sale has gone through 3) Most authors sell because of money or they are retiring.


Subscribe Via Email

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

%d bloggers like this: