WangGuard Plugin Author Shuts Down Splog Hunting Service Due to Trauma and Death Threats

After seven years of developing and supporting the WangGuard/SplogHunter service, José Conti has shut down the server permanently due to the stress and trauma associated with maintaining it. Conti is a WordPress plugin developer and consultant, and a member of the WordPress España translation team. His WangGuard plugin identifies and blocks sploggers, unwanted users, and untrusted users on WordPress, Multisite, BuddyPress, bbPress, and WooCommerce sites. It is currently active on more than 10,000 sites.

Speculation about why the service shut down was running rampant after Conti had collected donations via an Indiegogo campaign in October 2016 to fund support and server costs. Since that time SiteGround stepped in to sponsor WangGuard, eliminating the server costs. The only costs that remained were Conti’s time and effort that he put into supporting the plugin.

“My purpose with WangGuard was never money,” Conti said in his post explaining the reason for the shut-down. “I could have made WangGuard a paid plugin at anytime, and actually had a plan for that for years. But I didn’t do it because there is something inside me that would never let that happen. It was never, I repeat, never my plan to get rich with WangGuard, and I assure you that I could have done it easily: simply charging each of my users 24€/year, would have meant an income of more than 2 million euros per year. I just had to distribute a version of WangGuard I had collecting dust, with a checkbox on WangGuard’s server administration options but I never got it done. No matter the other reasons, which only people very close to me know: I simply didn’t want to, nor did I want to be a millionaire.”

Mafia Death Threats and Trauma from Exposure to the Dark Web: The High Cost of WangGuard’s 99.9% Accurate Detection of Splogs

WangGuard has long been known for its nearly perfect detection of registration spam. Not only did it completely block unwanted users, it also removed them from the database. The plugin was unrivaled in both accuracy and price – all users got everything the service offered for free. In order for WangGuard to provide its 99.90% accuracy, Conti bolstered the algorithm with manual curation and reviews.

“WangGuard worked in two different ways: as an algorithm that I had been refining for seven years, and which was getting better as the sploggers evolved, so that it was always one step ahead of them, and also as human curation, in which I reviewed many factors, among them sites of sploggers to see if their content could improve the algorithm and make sure that it worked correctly both when it was blocking or not blocking a site,” Conti said. “The great secret of WangGuard was this second part. Without it WangGuard would not ever have become what it was.”

Because of how effective WangGuard was at stopping unwanted users, Conti said for four years he received “almost daily death threats from mafias for making them lose millions of dollars.”

Through the process of manually curating splogger sites, Conti caught a glimpse of the some of the darkest places on the web, which he said had a damaging psychological impact on him.

“For seven years, I have visited places where I saw pederasty, pictures, and videos of murders (by razor blades, by gutting live people, by beheadings, dismemberments, to name a few), real videos of rape of all kinds (children, women, boys), photos of accidents in which people were totally disfigured, bizarre actions that I did not even know existed, and a very long ‘and so on,’ which I do not want to expand on,” Conti said.

The effects of viewing these types of websites every day took their toll and Conti decided to close the splog hunter service.

“Finally, a few months ago, I broke down,” Conti said. “I disappeared from everywhere and fell into a depression. The seven years of working at WangGuard finally took a toll on me. I had nightmares because of all the macabre deaths I had seen, an obsession with protecting my children from pederasty, OCD, depression, and many other symptoms. It took me about 6 months to recover (and honestly, I may be deceiving myself, since I do not think I completely recovered my life).”

I asked Conti if clicking through to the websites was necessary for maintaining the service. He explained that while WangGuard blocked emails, domains, IPs, and ISPs, without his manual curation of visiting the domains and clicking the links, users could get a lot of “sleepers” – registered and active accounts that remain silent until one day with a 0day vulnerability or a bug fix, they attack thousands of websites. The sleepers also wait to perform actions like create millions of sites on thousands of WordPress multisite installations in order to create a lot of bad content/links.

“Visiting many domains, I was able to minimize this problem,” Conti said. “The way I worked not only fixed the current spam / splog problem, but the wizard and database also fixed any future problems with sleepers.”

Another reason he visited the domains was to figure out what he needed to block, whether it was an email or a domain. The domain could be a spam domain or possibly a free email service.

“By visiting a website, I could detect whether it was a phishing website or a site camouflaged as an email service in order to try to cheat WangGuard,” he said. “I saw a lot of ‘techniques’ for trying to cheat WangGuard at Black Hat specialized forums. I had been subscribed to many spam/sploggers forums for investigation. Every time that a user described a real technique for cheating WangGuard, it was fixed immediately.”

If you’re still using the WangGuard plugin, it may continue to work but not nearly as well as in the past. Conti said that some parts of the code work without the API, but the most important parts require the WangGuard/SplogHunter server. The plugin is open source, so anyone can fork it. An English translation of his original post is available on the WordPress.org plugin forums.

53 Comments


  1. Is there an alternative plugin?

    Report


  2. I hope he plans on returning everyone’s donations. Took money then shut the service down.

    Report


    1. Of course he should!

      Just because you’re deeply traumatized, have provided a free service for almost a decade, and raised a little over 2k to help support the service… doesn’t mean crap, right?

      Report


      1. No one asked him for charity. He should have charged for the plugin. Don’t take money to keep it going then abruptly shut it down. People donated in good faith. Honestly, the story sounds a bit strange. If he can’t handle the heat, let another developer volunteer to step into the kitchen.

        Report


      2. Many times I asked for help, some developers were “interested” in help me with the developopment, but after that they dissapered.

        Now, seems that there are new developers that want to help, if that’s true, SplogHunter will not disappear, but the human part will be closed, that’s insane.

        Do you think that is easy to close a project where I have been working for 7 years, 365X7X5? Is like my son.

        And no, anyone ask me for charity, but I believe in a different world.

        Report


      3. It seems like you don’t understand the meaning of “donate”. When I donate money or time, I don’t expect anything in return.

        Report


    2. Yeah I don’t think that’s going to happen. That Indiegogo
      campaign is ancient and the goal partly achieved (he did improve the Plugin and keep the splog service running until now).

      Give it some time to settle down and then the community can see if any developers are interested in adopting and/or forking it.

      Report


    3. Yeah no. The campaign was to cover 1 year of continued service, it only gained ~8% of the target which doesn’t even cover a single month, and yet he kept it going for nearly a full year. Your argument is invalid.

      Report


    4. stop being dishonest. 2000€ after taxes and commissions, is hardly “taking the money”. It was in Oct/2016.

      Saying that, congratulations to Jose Conti for his effort on this 7+ project!

      Report


      1. Jose Conti, you are an amazing and wonderful human being. Thank you is an understatement for your years of selfless service to the WordPress community.

        God bless you and your family. Your prioritization of your mental health and your family is also very admirable.

        You have the admiration and love of the vast majority of WordPress users. xoxo

        Report


    5. If he was seeking $35k to run the service for one year, then on a crude estimation that runs at $2916 per month. The campaign raised just $2050 i.e. less than a months support, yet he continued to support the plugin for a further 9 months effectively at a $24,194 loss.

      Now considering the SiteGround sponsorship et’s say he had the max WordPress plan for his site, that is $29.95 per month or $269.55 over 9 months, and lets pretend they gave him the best dedicated server they offer, that is $490 per month for a total of $3,861. Add the two together and you get a total of $4130.55 in “free” benefits for the service.

      Even after the IndieGoGo campaign and the SiteGround support, he still made an effective loss of $20,063.45. That is more than some people’s annual salary in *losses* for a job that he claims was psychologically challenging.

      I don’t know the guy and haven’t used the service, but any call for him to return funds definitely seems unwarranted. If anything he could probably put up all of the projects source, documentation and processes so that it can be forked along with an optional address for tips and he could probably collect more.

      Report


    6. How much did you donate? How much did you save?

      No matter what, please come with proof of your donation and I’ll personally give it back to you. I’m not associated in any way with José or this plugin, but you’re so desperate I’ll just give your money back just to stop your whining and avoid reading your nonsensical, ignorant and rampantly disrespectful post.

      But let’s be honest: you didn’t donate a dime, and we all know that.

      Report


    7. I feel for you pal – feeling that you have to further add hurt to a person who really did all he could. You heard what the man said honestly. He did all he could and that was indeed a lot for the industry. Maybe you will find some compassion to apologize in a later comment and edit in some good faith instead. Talent like Jose needs encouraging as whatever he does next is likely to be bigger and better than we can imagine. Likely better than us all could achieve! May you all be blessed with good hearts towards each other.

      Report


  3. Surely, if this application is so good at finding these unsavoury sites the police or similar services would be extreemly interested and could take over the role of vetting. This would leave José free to continue improving the code (he may even make a little money by providing the service to the authorities). Just a though…

    Report


    1. Government departments like the police usually suck at doing stuff like this, so although it’s a nice idea in concept, I highly doubt that would work in practice.

      I think it would be helpful for a company like Google to fund something like this though. It seems like it would be in their best interests to rid the internet of evil splog sites.

      On the off chance some company out there is interested in funding this and reading my comment right now, you should get in touch with me :) I have experience with this sort of thing and would be quite interested in doing it full time.

      Report


      1. Hope you get some support. I think Jose should have gone premium as people would pay for this type of service if it works. Just need to do some regular marketing.

        Report


  4. I am very sorry to hear this and I do wish Jose a speedy and complete recovery. The experience he describes cannot be easy to go through. I once ventured on such a disturbing site by mistake and it took me weeks to recover from that

    Report


  5. It is hard to understand that someone asks from a WordPress developer who helped so much WordPress users to return 2k donation.

    It is very rude comment or at least the comment is coming from someone who is not the part of WordPress community at all.

    It would be the same situation that some sportsman asked for a 100k donation so he can continue with trainings and he raise 5k and after almost two years he get injured, so he would be guilty for his injury and should give back donation???

    Good work Jose and I wish you all the best in your future endeavors, and just let haters to hate.

    Report


  6. I have never used this plugin but going through all the trauma and receiving death threats is too much. Thanks for all your efforts and hope you recover soon.

    Report


  7. “For seven years, I have visited places where I saw pederasty, pictures, and videos of murders (by razor blades, by gutting live people, by beheadings, dismemberments, to name a few), real videos of rape of all kinds (children, women, boys), photos of accidents in which people were totally disfigured, bizarre actions that I did not even know existed, and a very long ‘and so on,’ which I do not want to expand on,” Conti said.

    Ummm…don’t visit those sites, bro. If you keep going to them then something’s wrong with you. Consumption of that type of content should not have been a requirement for you to develop your plugin.

    Report


    1. Hi Chuck,

      If I want the best effectivity for the service, I’ve to visit the domains (I don’t know what I will find at the domain).

      Ex:

      There are many sign ups (in few minutes) from a domain, jahdkdk@love.com, the@love.com, great@love.com

      Ok, the WGG algorithm will block the IP for few hours, will add all email from the blocked domain to the DB and will remove all the emails from all websites.

      Problem, if the splogger use a new IP, he will continue registering in a websites without problems. There are software that update the IP every 30 seconds.

      Solution, I can visit the domain, and if the domain is a splogger domain, I can block that domain, so the splogger never ever will be allowed to signup (with the domain love.com in this example).

      If I don’t visit the domain love.com, with this domain name I can think that is a splogger domain, but if i visit the domain, I can see that the owner is AOL, so I cannot block it.

      WGG was blocking thusands of domains. With this blocked domains, I was able to protect and clean the websites.

      Now, today, is imposible to do this task automatically. WGG is not for Spam, is for Splog, so works in the signup page, not in comments form. The basic information is an email and an IP, no more. In spam comments, you can use the content, links into the comment, IPs, emails, etc.. Is much easier.

      Report


      1. Hola Jose,

        First, I wanted to commend you on the wonderful work you have been doing all this time, such dedication is simply heroic.

        Now, regarding the future of the service, I beleive that the most important asset is the database you already built, so in case me or someone else was interested, would you be willing to share it ?

        The reason I ask for this is because I beleive I can build an automated content analysis algorithm coupled with some AI that would recognize and classify the domain in question and which could help offload the major human component, and the best way to fast-track this is your already built and curated database.

        So what do you think ?

        Report


      2. Hey José,

        I really appreciated the concept of the plugin and was disheartened to hear that you were shutting down.

        The fact is that there is some gross and disgusting shit out there. You chose to develop this plugin so that others wouldn’t have to deal with it. And for that you are appreciated. But here’s the thing.

        If you have proof that someone is threatening you, which i am assuming that you can somehow record or have the capability of knowing how to provide proof because you’re developing a plugin, then all you would have to do is provide this information to the proper authorities… along with the IP range and domains.

        Also, you should know that if you have knowledge of such sites and DON’T report it, you are an accessory. If you are doing this kind of leg work to find all this and you are finding these websites, you need to report them. It’s that simple.

        Again, i hope that you feel better soon but please keep the plugin alive or at least pass it off to someone who will maintain it.

        Report


      3. I’ve been through the process of reporting an abusive netizen to authorities in the UK. They don’t know what to do with the information and therefore don’t follow-up. I suspect it’s similar elsewhere. I provided them with a log of IP addresses used by a single person at specific times through a specific provider who was paid by that person for use of their services. The IP addresses were linked to abusive content. There was a direct line from content through IP to host to the doorstep of the abuser – and they weren’t comfortable with connecting the dots.

        As to reporting web sites – in many countries it is not illegal to host specific kinds of content. We all value a free (liberty) internet and this is the price we pay. That said, when these sites extend beyond their legal jurisdiction into other parts of the world to threaten others, then one would hope there would be some way to prosecute the matter. Unfortunately our world is not that sophisticated yet – people are just now recognizing the real threats of black-hat hackers.

        Report


      4. I truly feel bad for you having to see those terrible things, and am grateful for your efforts over the years in supporting the plugin. But I have to say, you did not have to sit and watch videos or look at pictures? I have come across some unpleasant sites in my time, and people often share nasty videos I do not want to watch, but once I realize what it is, I close it quickly, I do not sit and watch it.
        I hope you reported these sites to the police when you found them? If not then I would echo what others have suggested, and maybe work together with an appropriate legal entity who track down the owners of these sites and put them in prison.

        I would also say this is another good reason to charge for the plugin, maybe you do not want to make money out of it, but you could then train and pay for other people to work on it instead. All you need to do is cover costs, nobody would begrudge you making a living from it.

        Report


  8. @Sarah @ Jeff Offtopic, but very important. Your commenting plugin leaks private commenters info. I already witnessed it twice with different persons being exposed. For some reason system thinks that it recognized me and prefills Name, Email and website info. In fact, it is not my info!!! Please see: https://imgur.com/a/q0Rm5

    Report


    1. Thank you. We’re aware of the issue and working to address it.

      Report


      1. This explains how someone posted under my name and picture last week. I didn’t report it because I figured someone was bored and created a fake account with my name and image.

        Not to be rude but “working to address it” isn’t helping to assure me that my information isn’t continuing to leak from your website. If this is an on going issue, maybe it would be best to disable commenting until it’s resolved?

        Report


      2. Your “info” isn’t exactly unique. For any comment system that uses Gravatar, all someone needs to “impersonate” you is your email address. The only reason people don’t abuse this on a massive scale is because it’s pointless if you don’t have access to the email address to receive reply notifications.

        Report


      3. This doesn’t have anything to do with Gravatar. The WP Tavern comment boxes are being pre-filled incorrectly with other users names and email addresses. I get that the security risk of a leaked email address is low but I’d prefer my info to not be public.

        I’m taking issue to the Tavern seeming to think it’s okay to let the problem continue until they figure out a fix.

        Report


  9. If you would be interested in keeping it the service active and handing off the human validation element, I’m sure some of us can help come up with a viable solution that will free you up.

    Not Ryan Hellyer….

    (May want to hide that your email address will not be published until this bug is fixed. ;)

    Report


    1. This was very confusing :P

      ^ it’d be good if you one of you admin folk could change the name here since that’s not me

      Report


      1. just an example how broken is the gravatar’s “we are a global identifier” promise. Most people’s email address is not very private even without leakage bugs.

        Report


  10. What a shame that this is not longer out there protecting sites. There has to be a way to get some investors together and charge for the service and hire a team of people to visit the sites so the burden is not on one individual.

    Report


  11. Hmmm, this sounds like a job for those friendly folk at Anonymous!

    Report


  12. Hi,

    I just wanted to thank Jose Conti to do Wangguard – I used it for about two years on my main sites and had never problems with spam. Everybody complaining should said instead thank you. Its clear if you see that only 2000$ where collected on Indiegogo 9 months ago that the service is shut down.
    Its sad and I would have paid easily the 24$ / per year for a paid plugin.. even as I see that a comparable plugin is not available.
    So stop complaining, start saying thank you as others in this thread did too.

    Report


  13. Thank you Jose for your great service in providing WangGuard all these years. I use it, and it was such a game changer for my site. I was just overrun with fake user registrations. I hope someone will step in to fill your place, but I totally understand needing to lay this burden down.

    I run a support site and read thousands of terrifically sad stories day in and day out. I get trolled. I run the thing on donations and a few ads. My costs do not make up for my time or expense. I can’t imagine doing all that AND getting death threats. All to say, I get where you’re coming from and have total admiration for your dedication, and also your right to end it.

    Selfishly, I hope someone continues your good work! All the best to you.

    Report


  14. Jose, I have used WangGuard for many years and have found it to be invaluable in keeping sploggers from registering on my site. Thank you so much for all the work you put into the plugin. I’m so sorry to hear about the toll it has taken on you. You’ve done a wonderful service for the community.

    I hope someone is able to pick up Jose’s work and keep it going. I, for one, value it enough to pay for the product. It’s as invaluable as Akismet is for spam detection, and I would gladly pay the same for WangGuard.

    Report


  15. Hi Jose, you are a hero, no matter others can say on the other hand. I’m sure you could get the code to some developers of some sort of AI that could check those sites, analyze a series of patterns and determine if it should be banned.

    I understand you must check in on black hat forums to tune in the buzz, but that should be enough, and leave the possibility of finding bizarre media to a “soulless robot”.

    Sincerely, I hope you can fully recover your health and find good backers that can continue your amazing war against those pesky human beings.

    All the best for you and your family!

    Report


  16. For seven years, I have visited places where I saw pederasty, pictures, and videos of murders (by razor blades, by gutting live people, by beheadings, dismemberments, to name a few), real videos of rape of all kinds (children, women, boys), photos of accidents in which people were totally disfigured, bizarre actions that I did not even know existed, and a very long ‘and so on,’ which I do not want to expand on,” Conti said.

    If you charged a small fee to use the service you could have hired spog hunters to do that job for you and also cover the hosting bill.
    Just saying

    Report


  17. Jose, I’m humbled to read about your experience. I haven’t used your plugin but efforts like this make the world a safer place – I’m sorry to hear you didn’t receive the support you needed to sustain this without incurring psychological trauma.

    Take care and find peace in walking a different path.

    Report


  18. Thanks Jose for keeping this nonsense away from so many people’s websites, and doing such a good job of it.

    I can well understand that having to view such content has a toll on your mental wellbeing. But…

    Viewing some sites (and accidentally downloading images) could potentially put you at risk of prosecution. At least visit them using a text only browser.

    But you didn’t have to do that. You chose to. For not much payback (expect major kudos).

    Now let someone else do that job. Go make lots of money doing something else, you have valuable skills. Have quality time with the family. And relax!

    Report


  19. José

    First of all I want to thank you for the plugin. I have used WangGuard for more than 3 years in 2 projects. A great job 0 sploggers.

    I regret for the news about your health. I met you at the meetups in Barcelona. Everyone who does not know you and judge you should know all that you have done for the WordPress community.

    I’m proud that there are Catalans like you.

    Report


  20. We’re seeing a pattern that is very common in the FOSS world: This plugin is going away, so people want to move on to the next free replacement. Developers are milked into clinical depression or poverty and the locusts just move on to the next pasture.

    The problem we see here isn’t a one-off. Developers get burned out all the time, doing what they love until they can’t do it anymore – and then the crowd of users just moves on, some throwing an indignant glance behind them, others a note of thanks – but they do move on. This is the pattern that has led to many of the unmaintained plugins in the WP.org repo, dead projects at Sourceforge, and Codeplex, and Codeproject, and Bitbucket, on and on… This is the price we pay for free (as in beer). People abuse developers of free software because there is little penalty for doing so. It costs nothing to ask for features and there’s always the threat/opportunity to move on to the next eager and naïve developer. The cost to business is the time it takes to find new software and re-implement – but since business doesn’t track the cost of time associated with FOSS, they continue to think they’re getting all these goodies for free. Well, as the saying goes: It’s only free if your time is worthless.

    In this case the problem is compounded by threats against the developer. Does no one realize that with this success behind them, the people who put up these sites, who splog, who threaten, that they’re now just going to do the same with any other developer who stands in their way? They have resources and motivation. Think about the infrastructure that goes into supporting these sites and maintaining the ongoing abuse of the internet. That takes a lot of people, time, and money. These resources are not available to individual FOSS developers who are not getting paid for their efforts, developers who are “supported” by postcards, good reviews, and occasional praise in a public forum. The point here is – the bad guys have won here, and there are no good guys to stop them from rolling forward.

    After over two decades now of spam, malware, and other internet abuse, we still spend tens of billions of dollars passively defending against those bad guys. We buy and update our anti-virus software, read with interest about the latest 0day threat, rant at our internet hosts about their poor email filters, and Share notes of support for kids and adults who get bullied in social media. But the people who do this stuff are purchasing services from companies that provide access to the internet backbone. We know where these hosts are and they know where their clients are. The problem is not that we can’t find the bad guys, it’s that we lack the will to follow the trail all the way to the source.

    So we pay billions of dollars per year as we pretend that’s the only solution that’s available – and the companies that benefit from this aren’t going to discourage that. And rather than finding a way to pay for pro-active remedies, we try to push the problem onto Google, government, or some other entity, because “they should do something”. And while we pay these billions per year without a thought of how insane it is (how schools and other priorities could use it more) we have guys like José Conti getting terrorized and criticized for raising 2k euros for a service he’s been providing for 7 years.

    And let’s not forget, that those resources used by the bad guys cost money, which they are getting from people who pay them to consume their content. They threaten José because they don’t want to lose that money. Another way to deal with this is to stop the flow of cash to the providers of the kind of content that José has described. I’m not proposing a war on internet trash like the war on drugs or the Prohibition against alcohol. I’m suggesting that we re-direct some of our cash from passive cyber-defense against the bad guys to helping the (obviously many) people who are paying those bad guys for their content.

    People! Priorize! Please!

    Report


    1. Announcing the new spokesperson and head PR agent for WangGuard….. Tony G.!!

      Tony, please take a bow, b/c here comes your applause ;-)

      Report


    2. Tony, you are correct on many points, but should not forget that it was Jose’s decision to keep it non-commercial. So I guess we, as developers, should also learn the lesson that over-extending ourselves with the noble ideas will not solve our own problems, so we should be more realistic and plan our future accordingly.

      Report


      1. We all have to learn the lesson that free != donations. In fact it almost always does not. Alas.

        I should know… *cough* Redux Framework *cough*

        Report

Comments are closed.