WP-SpamShield Plugin Removed from WordPress.org, Author Plans to Pull All Plugins from the Directory

The WP-SpamShield plugin was removed from the WordPress.org directory this week due to what the Plugin Review Team has deemed a violation of the guidelines and a possible miscommunication.

Two weeks ago, the author of WP-SpamShield and the author of the Plugin Organizer plugin exchanged contentious remarks in a support forum thread where they accused each other of targeting their plugins. This resulted in both parties adding code that disabled each other’s plugins, and both were asked by the Plugin Team to remove the code.

WP-SpamShield’s author, Scott Allen, has published an account of his interactions with the Plugin Team with updates for users who are monitoring the status of the plugin. Although the team rarely discloses why a plugin was removed, representative Mika Epstein responded to Allen when he said he had not received an answer about what guideline the plugin had violated:

Sorry, I thought it was clear that it’s issues regarding the forum guidelines and rule #9:
Intentionally attempting to exploit loopholes in the guidelines.

To wit, you were asked to make a change and did so incompletely. If this was not intentional, then I apologize.

I’ve sent you a followup email, trying to clarify what we would accept as solutions to the issue (I came up with 3 options, but I’m open to hearing more).

I understand why you’re angry and we will respect any decision you make regarding this. Nothing that has happened thus far is insurmountable or permanent.

In the post Allen published, he said his experiences with the Plugin Team over the past 10 years have caused him to decide to move his plugins off of WordPress.org. When I contacted him to see if he plans to update his code according to the Plugin Team’s suggestions, he said he doesn’t agree with the solutions the team is offering, nor their assessment of the situation.

“They really were not solutions,” Allen said. “It was just rehashing the same issues we’d already discussed. Unfortunately, neither Otto nor Mika have the security expertise to be making the dictates they were making, so there were no realistic solutions.”

Allen also claimed that Epstein’s report about him making a change and it being incomplete was not accurate and that the Plugin Team did not seem to be on the same page:

We literally did exactly what they asked and made the changes. Two weeks ago Mika had emailed me and indicated things were good. (No code updates since then.) Then two weeks of silence, and then angry email from Otto out of the blue yesterday telling us it was booted. The issue he brought up was different code.

The two of them cannot make up their minds on what is acceptable, and what is not. The arbitrary removal was the last straw though. WordPress.org is the only venue that would do that. We repeatedly asked them what rule we broke, to no answer. Only after I called Mika out on the forum did she come up with something – Rule 9 – exploiting a loophole in the rules. Seriously? It’s impossible for developers to comply with rules that are constantly changing.

Allen confirmed that his team at Red Sand Media Group plans to pull all seven of its plugins from WordPress.org as the result of the incident but will continue maintaining and hosting them elsewhere.

“Developers cannot operate like that,” Allen said. “People depend on us. While it might hurt a bit in the short term, in the long term, we have to do it. There really need to be some major reforms to the way plugins are handled.”

WP-SpamShield was installed on more than 100,000 WordPress sites before it was removed. There is currently no standard way to notify users why a plugin was removed from the directory, but the original dispute between the WP-SpamShield and Plugin Organizer authors is public, as well as a few exchanges between Allen and the Plugin Team. Allen said he is still working out the details of how to notify users that his plugins will be hosted elsewhere from now on.

“We’ll come up with a good plan in the next few days,” he said. “Some people have been notified already because WordFence let them know yesterday that WPSS was removed. (They knew before I did.)”

Samuel “Otto” Wood said the Plugin Team is still willing to put Allen’s plugins back up if he removes the code in question and that the team is not offended by a plugin developer being angry over a decision. At this time Allen appears to be unwilling to comply with the team’s most recent requests.

In the meantime, users who know that WP-SpamShield has been removed are waiting to hear if they need to begin looking for a replacement. Allen said that users shouldn’t need to replace the plugin, since it will continue to work as before. However, some users are not comfortable installing free plugins hosted outside of WordPress.org. Allen’s team is figuring out a plan for how they will deliver updates to the plugin and will post more information for users on the Red Sand Marketing blog.

97 Comments


  1. Without more background details, it’s hard to understand completely what went on here.

    That being said, I’ve generally been quite impressed with how Mika has improved the Plugin Team at WP.org. She has displayed a genuine desire for fairness, compassion, and organization. Sometimes I wonder if she’s being handicapped by other entities, however…

    In any regard, these stories will continue to happen until WP.org clarifies what the rules and guidelines are. To date, only a few vague rules have ever been set re: Plugins (let alone other areas of the site), meaning that interpretation of rules by various staff and moderators varies wildly and is utterly unpredictable.

    It brings up the fact that the “core insiders” haven’t changed since the founding of WP.org. Pair this with lack of clarity and favoritism (which has gotten a LOT better in recent years, actually), and the state of the community continues to suffer. Specifically, bad blood cannot be healed because neither the policies nor team members change.

    IMO the WooCommerce team should be allowed and encouraged to offer more input and new approaches.

    Several years ago, I had multiple plugins suddenly banned from WP.org when JJJ was in charge, with vague reasons. The experience left a taste of bitterness for many years, until JJJ apologized and urged me to try and get involved again. Frankly though, it wasn’t his fault.

    Here’s another recent discussion:

    https://wordpress.org/support/topic/vastly-improve-plugin-reviews-with-this-one-weird-trick/

    (emailed to WP Tavern last week as well)



      1. Hi Sergey, I’m not sure if you are being sarcastic, but one idea could be sending out a poll to current plugin authors asking for feedback and suggestions in regard to improvement/clarity.

        The current approach often seems hostile to plugin authors, and seems to assume bad faith. Surely WP.org should be encouraging and supporting contributors, to avoid continued splintering of the community into various cliques…

        A few quick possible areas of improvement:

        9. The plugin and its developers must not do anything illegal, dishonest, or morally offensive.

        11. The plugin should not hijack the admin dashboard.

        12. Public facing pages on WordPress.org (readmes) may not spam.

        14. Frequent commits to a plugin should be avoided.

        Here’s where broad interpretation gets WP.org in trouble. Depending on the moderator or staff member, the handling of these vague guidelines is extremely unpredictable. It would help plugin authors to have specific numbers, for example, such as “no more than one WP Admin nag notice per month” or “besides security patches, no more than one commit per month” etc.

        Not to mention clarity re: SOPs in the way of what the issue escalation process looks like across WP.org. Currently, it’s rather dependent on which moderator is awake at any given time and his/her interpretation of the rules… I’ve received “helpful” emails from some, and “threats” from others, on the same day.

        Also, better guidelines in regard to plugin reviews — what constitutes an allowed/disallowed review, or replies to a review, etc. If a stranger (or customer) reviews our product/service on Google for example, we can reply as we best see fit. On WP.org our replies are constantly censored, blocked, edited, deleted, and so forth, for unclear reasons.

        In summary, WP.org sometimes seems to be a free-for-all for newbie users, while plugin authors (who can’t hide) are often treated with disdain and ridicule. Rotating leadership positions might be helpful… or cycling in more paid staff.



      2. Jeff, I like how you dig right in and give some suggestions. This is the thing that WP needs. BUT, as you mentioned, the moderators have their own little world they live in and the interpretation—to answer Sergey’s comment—is so far out of scope that each moderator (and don’t get me started on theme reviewers)—all have their “own way” of “interpreting” the guidelines.

        I wrote ma.tt not too long ago, about a stellar idea that would improve things. I have not heard back from him but when I went to Slack to test the idea, I got nothing but poo poo and boulder dash about how it would be taken advantage of and how other reviewers would favor other authors…. total soap opera down there at WP corral, if you ask me.

        I hope Mika brings in some sunshine; as you mentioned. Never dealt with her except for the one time that 3M Corp made me/WP remove a plugin that used positz as a slug. Oy Vey!



  2. It’s unfortunate when people make ill-informed decisions or apply arbitrary rules to developers who in good faith are doing what they can to address any legitimate concerns with their code. I’m happy Scott plans to continue updating WP-SpamShield and has explained his side of the story on his blog so users can make an informed decision.

    Personally, I have been using WP-SpamShield on a number of different WP sites and I have been very happy with the results! So I will continue to use it going forward and will continue to install it on client sites.

    It would be wonderful if this story had a happy ending though… one where his plugins are back on the official plugin directory where they will continue to benefit from the exposure. Hopefully, someone at WordPress.org can offer an apology for the error and get back his good graces. That’s my hope at least.



    1. Unfortunately Scott was not acting in good faith. He was attacking another plugin without cause and acting like everyone was out to get him when he got called out on it. He’s still acting that way and attacking everyone involved. You can look at the code of the last version of WP Spamshield if you want to see where it was disabling Plugin Organizer. Just search the code for “PO_” and you will see how WP Spamshield disabled the functionality of that plugin. He was asked to correct that and refused to do so. The whole situation is Scott’s fault. I would never run a plugin developed by him or his company after seeing how this all played out.



      1. FYI, @Xerfyre is the developer of Plugin Organizer, Jeff Sterup. Should put a few things in perspective.



      2. Yeah, apparently I’m Jeff Sterup and several other of the commenters here. I’m also a few people on Reddit.



  3. I was horrified to receive a warning from Wordfence that wp-spamshield was removed from wordpress.org so reading the developer’s explanation sets my mind at ease. I will continue to use this plugin on all of my sites because it has saved me from hundreds of bots and Russian hackers registering. It really is a great plugin.



  4. Lol PluginOrganizer doesn’t maliciously disable plugins, it disables the plugin you specify on the page you want it disabled. Which makes sense in the same way you can disable total cache or some other caching plugin on your shop pages.
    Disabling plugins seems to be what that plugin does, so I really don’t see why should any plugin be exempt from this (kinda defeats the purpose of the plugin, no?).

    I haven’t used either of those plugins, but I really don’t see why all the drama from WP-SpamShield team…



    1. Exactly. Red Sand also criticized Plugin Organizer for using a Must-Use plugin (in response to Spamshield updates against PO) saying it was some violation to do so… and then Red Sand proceeded to do the same thing and installed a Must-Use plugin.

      In the support forums, almost every post from Red Sand about Spamshield comes off as aggressive, arrogant, negative and their first instinct is to blame other plugins and themes for issues stating it’s impossible for it to be a problem with their plugin… yet there was a consistent stream of plugin updates with always vague meaningless changelog notes. The only time anything specific was noted was when fixes were made after the plugin completely broke things.

      So, I’m not sure I’d ever believe fully Red Sand’s side of the story. Them refusing to make code changes and playing the know-it-all I’m better than you attitude seems to fall right in line with what I’ve observed in the past. Their actions speak loudly. We’re all probably better off just moving on to other plugins with developers more deserving.

      Or, WordPress should really build in their own security features since why is it up to us to rely on 3rd parties to make sure our sites have some level of security that the core team can’t be bothered with. Don’t get me started on why they don’t have core SMTP emailing yet either leaving unreliable plugins to do the job.

      Core team just needs to do more so we don’t have to rely on some of these flaky 3rd parties.



    2. Denis’s comment is pretty much exactly what I was thinking. The WPSS dev comes across as a little paranoid about the whole situation. It’s a shame this has to cause trouble for all the people using the plugin, since it was apparently doing its job otherwise.



  5. Oh boy, sure keep that one well in mind…
    From my experience with the WP-SpamShield dev, I hardly find it surprising that he eventually got in a serious mess and wouldn’t work it out. (Was wondering why I got a couple of hits to https://blog.cavsplace.com/?p=1652 lately.)
    He sure seemed to be a nice guy when I first sent some support messages, while he was trying to find anything that could possibly be wrong on my end and persuade me to change things, including my hosting provider, to suit him, but obviously wouldn’t even check whether the issue I reported showed up on my site for him as well (I had eventually worked it out as something that had to do with how WPSS dealt with something specific to my connection/ISP). When I wouldn’t fall for it and also pointed out the issue on other sites using WPSS he got nastier, then blocked me, even from accessing the site completely, supposedly due to me sending abusive messages or something (but refused to quote or give other evidence of it), and that he was supposedly “literally dealing with” me for over half a year though we had exchanged messages for a couple of days at first, then I decided to just grin and bear it and only contacted him again several months later when it got even worse and my blog became pretty much unusable for me without removing WPSS.
    Meh.
    It’s a nice plugin unless it conflicts with something. If it does, good luck getting a fix instead of being told to “fix” everything else that may influence it, no matter what it is.



  6. I’ve not used either plugin, but being “protected” from a plugin’s stated purpose (disabling plugins in a specific way) does not sound very reasonable. However, I’m not surprised after reading the highly opinionated claims about nginx not being suitable for hosting WordPress (because .htaccess!!111).



  7. A plugin to manage plugins. Do that many people really have so many plugins on their sites? You would think they would just consolidate them instead. I use maybe 5 plugins on average – backup, SEO, security, etc. In either case, I don’t like seeing one as important as WP-Spamshield removed.



    1. One of my clients has over two dozen plugins. We cannot make the clients remove a feature essential for their business.



    2. Yeah…Plugin Organizer is a lifesaver. It helped cut my page load times considerably by removing processor-intensive plugins when I didn’t need them.

      I’ve had to rely on plugins on WordPress for various things (bbPress, buddyPress, woo) because we can’t afford full time development for our site. They’re great and critical for our business, but they can seriously impact load times on pages where you don’t need them. So with Plugin Organizer, I can disable the load of bbPress, buddyPress, wooCommerce, where they aren’t needed and it speeds things up tremendously.

      That spat was a bit crazy — I was having some issues with Plugin Organizer at the time so I saw it all happen on the support page…was a trainwreck.



  8. I hope this is resolved as well. I don’t intend to get rid of Spamshield because it’s far superior to Akismet, and if I like it so much, I don’t see a reason to go looking for something else. But there seem to be a lot of these public disputes over plugins lately….



  9. _We have looked at the code in this plugin and found that it contains code that would automatically disable another plugin; we believe this is the reason why it was removed from the repository._

    There are a ton of plugins that disable other plugins. It’s 1 function call! Not hard to do.

    Also I have followed up in the Reddit thread.



  10. I stopped putting my themes on WP a while back due to politics. They (WP “reviewers/volunteers”) seem to think they are doing_it_right by taking matters into their own hands without considering the OS Community. After all, it is Open Source. As well as politics; there seems to be a ton of abandon-ship WP members/reviewers/volunteers and therefore it now takes six months + to get a theme approved and live on the repo.

    I am really heartbroken about WP-SpamShield and somewhat concerned as well as aggravated. I use the plugin exclusively. First thing I do on _ALL_ of my websites is remove Akismet and install your plugin… it just works! Here is my take on the ‘situation.’

    Let’s start with politics. We all know that Open Source is what it is: a great community of peeps who write and support some of the best software on the planet. For some reason—I truly believe it is because of how HUGE WP is—WP seems to think the GPL licensing aspect is very important and hence the lies about using a plugin that scans and protects from malware may be over the line of policies since it is encroaching on areas that are outside of GPL “duties.” I would extrapolate more but will let this soak in for now.

    What [I] believe is the REAL reason for the removal is that your plugin is getting more popular and more installs than some of Automattic’s security stuff. Akismet and the other products just don’t cut it but the fact that it is installed by default (not activated… at least they didn’t break that—their own—rule) so it does have ‘value’ with WP. Maybe it is simply the fact that w.org is not able to control the _size_ of the community and make knee jerk moves like this one, to tell ma.tt that they are abiding by GPL and doing the job expected of them.

    Any way you look at it, there has been no rule broken and has been no validated reason for the removal. This is incredibly disappointing but not surprising (ok surprising to happen to WP-SpamShield as opposed to some smaller plugin). I have had reviewers tell me that I was getting “an attitude” and the reviewer admin would close my theme from review if I continued. All I ever did was ask for a better explanation of a review comment and when I went to Slack to discuss the matter they had a worse attitude than I presumably had. Telling me that they get lots of peeps trying to scam with themes having pro version stuff… yada yada, and the conversation boiled down to complete and literal soap opera type of discourse.

    So with all the round-about ideologies I have thrown out here; I hope that this discussion starts a HUGE movement to get WP _back_ on track. Emphasis added to ‘back’, as this “trend” is only getting worse. Save Our WordPress—hmmm, SOW. LOL – aside: I have officially moved all my professional stuff to MoJo MarketPlace and am very happy with them. (not a promo, just saying: if WP don’t clean up their act they will lose on GOOD developers.) They already lost me.



    1. What [I] believe is the REAL reason for the removal is that your plugin is getting more popular and more installs than some of Automattic’s security stuff.

      So basically you think this is all a big conspiracy by Automattic? Even after reading the WP.org forum thread linked by Sarah? Oh, boy.



      1. No conspiracy, just a way of doing things that has its eventual victims, SpamShield being the first on the plugin side of things. Wonder how many theme devs and smaller plugin devs just don’t even bother with WP?



      2. Not even close – conspiracy is for politics. I am trying to paint a picture of HOW WP comes off when they make drastic moves that affect large numbers of people. The Akismet thing was merely a side note on my behalf… more of a search to figure out why this HAS gotten political.



    2. No. The reason for removal was that Scott was asked to remove code from his plugin that targeted a different plugin. He then proceeded to act as he always seems to do. He attacked anyone who questioned him and refused to change anything. If you want to see the code that caused the issue just grep the latest version of WP Spamshield for “PO_”. You’ll see where it changes the database settings for that plugin without the user’s knowledge or permission. Scott claims to be some kind of security expert but I really don’t trust him or his company after seeing how he acted with this situation and looking through the support threads for their plugins. He’s not a very honest or trustworthy individual.



    3. Nah mate, that’s all a bit tin foil hat.

      Spam-Shield specifically targeted a plugin, and maliciously disabled it, because said plugin could disable spam-shield on specific pages at a user’s request (that being its purpose for existing).

      What on earth has it got to do with Red Sands if a user wants to use another plugin to disable Spam-Shield.

      They got booted because they didn’t want to remove the code? Good, because I am not happy with them making choices about which of my plugins work and which don’t. Incredible overreach – and basically the definition of malware.



    4. Based on a decade working on WordPress and interaction with the plugin directory, there is definitely reason to suspect that Otto at least occasionally will ban or harass plugins who compete with “favoured sons”. Mika’s reasons for disengaging often have more to do with “safe space” type issues. Just abandoning the conversation is not really fair. When a developer’s plugin has been removed for no particularly good reason after five or six years of instant updates and prompt communication, s/he is unlikely to be sweetness and light.

      If they’d like to have better interactions with plugin authors, Mika (and Otto) should find a way to do their (thankless – I disagree with much that you do, but let me thank you Otto and Mika for working so hard at this for so long: lack of continuity and transient faces in the plugin directory would be terrible) job more fairly and transparently. The current rules are a joke – it’s more or less whatever Otto and Mika feel like that day. My views won’t come as a surprise to them. I’ve corresponded with them at length on the issue and even spoken in person with Mika about the arbitrariness issue.

      That no one is allowed to compete with Automattic is not quite true. It’s not false either. The featured and recommended plugin sections belong to Automattic and their close friends and business partners exclusively which is extremely unfair. The successful plugins are being bought out by Jetpack and then discontinued as standalone. Markdown on Save by Matt Wiebe is a good example:

      Plain and simple: I get paid to write and maintain the Jetpack version. It gets used by a lot more people and gets regular bug fixes.

      I don’t have any issue with Jetpack including Matt’s code. I do have an issue with Jetpack encouraging him to kill the freestanding edition.

      WPTavern covered in some detail how Otto allowed Yoast to include upgrade nags for PHP, a first for WordPress. Again handled very badly – policy is changed to allow upgrade nags then it should be changed for everyone. Not just for commercial heavyweights who sponsor WordCamps.

      That said – it’s up to Scott to keep the dialogue open with Otto and Mika and find some compromise.

      A concrete suggestion in this case would be for WP-SpamShield to exist in a lite form on the WordPress plugin directory (without the code that WP.org doesn’t like). If a user trusts Scott and his team and wishes to install a stronger version of WP SpamShield, there can be a link to that edition from within the plugin. Those who should be using strong anti-spam solutions should be able to use FTP (not that loading a plugin helper from within WordPress is an impossible task, we have that technology).

      Good luck to all sorting out your differences. Thanks to WP Tavern for covering these important issues.



      1. This is a very powerful and salient statement you made here:

        Just abandoning the conversation is not really fair. When a developer’s plugin has been removed for no particularly good reason after five or six years of instant updates and prompt communication, s/he is unlikely to be sweetness and light.

        They, meaning moderators, have too much power—for lack of a better word—to be ‘radical’ with their behaviors. I read Mika’s response: https://wordpress.org/support/topic/plugin-removed-from-repository-6/ she adds:

        (And no, final decisions are not made by Otto. Perhaps shockingly, he’s not the rep for the team at this moment. I am.)

        So now this adds a second level of suspicion to the “personal” aspect of the removal being that Mika has been very orderly and professional about the calls whereas Otto may be looking out for her, as they say, yet he really does not need to be stretching things any further than they were in the beginning.



  11. This is a very one sided shouting match. I read the blog post. The author seems genuinely angry at the situation. But when you devolve into personal attacks it doesn’t help much.

    I hope they can resolve the issue, otherwise I would wish the plugin developer all the best in having an independent plugin shop. Maybe that will give them the room they need.



  12. Reading between the lines I think the most likely scenario is that Scott added the MU plugin to WPSS to disable the PO plugin; the WP team then asked Scott to remove the MU plugin; and Scott responded by removing the specific lines directed at the PO plugin, but he left the MU plugin (and “feature”) in place, targeted at another plugin (known malware, not distributed via WP).

    So this is speculation- but my guess is that Mika (who has posted that she is responsible for the decision) – wanted the MU removed entirely, because as long as it is in there it has the potential of being modified to target just about any plugin.

    I concur with the post by Cavalary – excellent plugin, but the developer has an ego problem, is incapable of admitting to a mistake or even respectfully acknowledging another viewpoint. Everything is always someone else’s fault. The current dispute with WP being yet another example.



  13. From the point of view of a developer, moving away from wordpress.org causes a lot of problems maintaining and doing marketing for the plugin. A similar issue happened with Zerif theme from ThemeIsle and that took a lot of money from them. I really hope Allen can find out a good solution with Mika, Otto to get the plugin back to the repo. Moving away is a lose-lose solution.



  14. This resulted in both parties adding code that disabled the others’ plugins

    I don’t like any plugin to disable another plugin on my site. I decide what gets disabled and what does not.

    Disclosure, any of my sites (and clients) that used WPspamshield, they now use Antispam Bee.



  15. I’ve read too many instances of behavior like this on the part of one reviewer to discount it entirely out of hand as the result of ego or attitude on the part of the developer. Some reviewers know that their decisions can seriously alter the wellbeing and reputation of a developer and wield that authority immaturely and arrogantly. There is a vast difference between ego, and pride in your craft and the desire for fair, consistent procedures. Whenever I read these grievances, they involve one reviewer. Jesse’s polite response to a snarky comment was on the mark – if you want to really improve your process, ask your customers. The issues that are repeated consistently, are the problems that could use some work. The fact that this suggestion has been asked for every time these fights break out, leads me to believe that the tyrant with the power doesn’t really care about a solution. From this and other posts it sounds like Mika genuinely cares about getting it right and is not bothered by admitting a mistake. That attitude, along with rule clarification as written by Jesse, are what is sorely needed for your (the reviewers’) customers. I’ve also experienced the stagnation and arrogance that burn out can cause. As Jesse suggested, I’ve found moderator rotation essential to pleasant dealings between the parties. Finally, a kind remark or thank you to a reviewer that gets it right can work wonders.



  16. My only encounter with WP-SpamShield was very negative. One of my users reported a conflict between our own plugin and WPSS… the user actually reached out to WPSS first, and the Red Sand developer of course tried to turn it around and blame the whole thing on us.

    What he said about us was pretty awful: “they don’t realize how they are preventing other plugins from working properly and the effect is that they break the whole WordPress plugin system.” Wow, I broke the “whole WordPress plugin system”? If that were true it would be so impressive, I should put it on my resume!

    He went on to talk about what code *we* need to include in our plugin, instead of just what we “perceive to be needed.” Finally he finished up by pointing out we should use Custom Post Types… which, actually, is exactly what we do already. If he had even bothered to look at our code he would have known that.

    I think having those 100,000+ downloads went to his head and he thought he could just bully his way through conflicts with other developers. That’s not what open source is about.

    Glad to see karma in action.



  17. No matter what happened in the background, what happened was very bad.

    We hope one day it will be fixed.

    Cheers,



  18. Are we intended to indulge this playground spat or has something actually happened? The users are at work.



  19. I really liked that plugin but now it is gone. Anyways, wordpress.org has taken the right decision of removing it.



  20. As an IT Professional pursuing an education as an Information Security Professional, this fact is disturbing to me,

    “Two weeks ago, the author of WP-SPamShield and the author of the Plugin Organizer plugin exchanged contentious remarks in a support forum thread where each accused the other of targeting each others’ plugins. This resulted in both parties adding code that disabled the others’ plugins, and both were asked by the Plugin Team to remove the code.”

    The moment a Software Engineer uses their skills in a malicious manner, as stated above, they have violated the ethical boundaries of the industry. This behavior, exhibited by both parties, is inexcusable. Period.

    In my humble opinion, they should both be removed from the platform, for at least a period of time, to reflect on why their behavior is completely inappropriate as “Professionals”. They should thereby demonstrate their comprehension of their misdoing, in a formal and public manner, apologizing to each other, WP.org, and all of us Professionals that rely on them to enhance WordPress and protect end users.

    Folks, this is a serious violation of trust and it must be addressed accordingly in my humble opinion; regardless of how amazing their plugins may be. Otherwise, what precedent are we setting as a community?



  21. I don’t know what the solution could be, I do know that drama is not it. Egos can get in the way. The rules should be set out as to what a plugin can and can’t do. I would think “any” plugin that has code targeting another plugin should be removed post haste.

    I’m just a lowly blogger, but I can tell you as someone else stated, I want to decide what starts or stops working on my site. Sending out updates every couple days just tells me you probably should have tested it a lot more before releasing it.

    There is getting to be a large trend of nagging and alerts, or as someone called it Admin page hi-jacking. Lots of, Please review, Donate, Upgrade to Pro offers. Colored markers showing up in the admin area that at first glance, makes you think you have a plugin needing updating, or correction.

    When I open my admin page the only thing I want to see, is if something is not working properly. No prompts across the top of the page prodding for upgrade to the “Pro” version, if I want the Pro, I will ask for it.

    Please don’t let the commercialism of WP ruin it all. Once you ever get started down that road with people like this guy, the next thing you know, most all plugins will cost something,



    1. Good points Ron. If I see one more theme with the word “lite” in it…. People DO take advantage of w.org this way. What I think about that is that there are not any good outlets to sell your wares which reach a large audience. Envato and Tforest are filled with poorly coded themes and most people use Avada or Divi cause they heard it is great.

      I prefer themes on w.org because they are reviewed and checked for security. A big hurdle would be to screen for pro notices in admin, Customizer. Add an “About Us” theme options page is what I do. WP.org is NOT a market place.

      Maybe these are some of the finite things which trigger the behaviors at Worg. The whole thing is just too out of control for “volunteers” to fix and should be audited by a group of outsiders. So I’m all on board to remove promotional themers stuff. I never load anything on a client’s site that has that crap. (gives me the opportunity to customize the theme the way the client wants it… not the way the theme author wants it.)



  22. That is quite unfortunate. Ranking the plugin on Google might go a long way on recovering/retaining their clients (like me) – just downloaded the plugin from their website. I prefer it to Akismet etc



  23. Any developer who inserts code that, without end-user’s approval and knowledge, disables another plugin is absolutely NO different than authors of Malware, Ad-injectors, etc. Period. Anything that does that on a plugin or theme hosted on WP.org should be removed and the author simply blacklisted.

    Allen’s hubris isn’t helping much matters either. If something I write conflicts with another plugin/theme then I simply will contact the author of it and see if we can work together to find out what is going on and why. Then we work on a solution to fix it or I put a conditional disable that will turn off the conflicting code in my plugin and slap a message on its admin page alerting the user that the functionality is disabled and why. I don’t simply decide “Well, his/her stuff sucks so I’m going to disable it!”

    Personally, I’m glad Red Sands is moving their stuff if they’re going to act like Eric Cartman about it. The WP Plugin Team is well within their rights to boot them for deliberately interfering with other people’s plugins.



    1. It’s truly incredible to me that when you invest your time and energy with only one goal, helping to protect others, it gets mistaken for “hubris”.



  24. Update to my comment above (I speculated as to reasons but I now have more facts) – so I am posting. I thought the problem related to the MU plugin, but it’s a little more complicated than that.

    In a reddit thread (that Scott started), Otto posted:

    SpamShield has special case code specifically targeting Plugin Organizer, and disables its ability to save options properly. That code was added long ago, way before any of this stuff started. That is the code we requested that he remove, and which we gave them 2 weeks to do. They did not remove it in that time.

    I found the code in question, at lines 165, 175, and 306 in the plugin /includes/classcompatibility.php file. Basically it is code that disables some of the functions of the PO (plugin organizer) plugin and existed prior to the addition of the WPSS MU in version 1.9.20.

    So, comparing files between versions 1.9.19, 1.9.20, and 1.9.21 I see that 1.9.19 has the code which disables functions of PO; in 1.9.20, the MU which disabled PO was added, and code in 1.9.19 was revised to work with the MU; then in 1.9.21, the lines of code in the MU targeting PO were removed, but the code in 1.9.19 targeting PO was restored. So that seems to be the crux of the dispute.

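The release-to-release comparison described in the comment above can be partly automated when auditing a plugin before an update. The following is an added example, not code from either plugin or from the article: the file names, the `example-organizer` slug, the `EXORG_` option prefix and the three releases are constructed, and the scan is a triage heuristic that points a reviewer at statements to read by hand.

```python
import re
from collections import namedtuple

Finding = namedtuple("Finding", "path line call marker statement")

# WordPress/PHP calls that alter state outside the calling plugin when aimed at
# another plugin: deactivation, option writes/deletes, file deletion.
CALLS = ("deactivate_plugins", "update_option", "delete_option", "unlink")
CALL_RE = re.compile(r"\b(" + "|".join(CALLS) + r")\s*\(")

# String literals are matched first so '//' inside a URL is not read as a comment.
STRING = r"'(?:\\.|[^'\\])*'" + "|" + r'"(?:\\.|[^"\\])*"'
COMMENT = r"/\*.*?\*/|//[^\n]*|#[^\n]*"
TOKEN_RE = re.compile("(?P<string>%s)|(?P<comment>%s)" % (STRING, COMMENT), re.S)


def strip_comments(src):
    """Blank out PHP comments but keep newlines so line numbers stay valid."""
    def repl(m):
        if m.group("string") is not None:
            return m.group(0)
        return "\n" * m.group(0).count("\n")
    return TOKEN_RE.sub(repl, src)


def scan(path, src, markers):
    """Flag statements that make a state-changing call AND name a foreign marker."""
    code = strip_comments(src)
    found = []
    for m in CALL_RE.finditer(code):
        end = code.find(";", m.start())          # heuristic end of statement
        stmt = code[m.start():] if end == -1 else code[m.start():end]
        marker = next((k for k in markers if k.lower() in stmt.lower()), None)
        if marker:
            line = code.count("\n", 0, m.start()) + 1
            found.append(Finding(path, line, m.group(1), marker, " ".join(stmt.split())))
    return found


def scan_release(files, markers):
    """files: {relative_path: php_source} for one release."""
    out = []
    for path in sorted(files):
        out.extend(scan(path, files[path], markers))
    return out


def release_delta(old_files, new_files, markers):
    """Return (added, removed, remaining) findings across the WHOLE release,
    so targeting code that moves between files is not mistaken for a removal."""
    key = lambda f: (f.path, f.call, f.statement)
    old = {key(f): f for f in scan_release(old_files, markers)}
    new = {key(f): f for f in scan_release(new_files, markers)}
    added = [new[k] for k in sorted(new.keys() - old.keys())]
    removed = [old[k] for k in sorted(old.keys() - new.keys())]
    return added, removed, list(new.values())


# ---- constructed sample input (hypothetical plugin, not real code) ----
MARKERS = ("example-organizer", "EXORG_")

COMPAT_TARGETING = """<?php
// update_option( 'EXORG_disabled', 1 ); old idea, commented out
function shim_adjust_settings() {
    if ( is_plugin_active( 'example-organizer/example-organizer.php' ) ) {
        update_option( 'EXORG_selective_load', 0 );
    }
    update_option( 'myplugin_docs', 'https://example.com/docs' );
}
"""
COMPAT_CLEAN = """<?php
function shim_adjust_settings() {
    update_option( 'myplugin_docs', 'https://example.com/docs' );
}
"""
GUARD_TARGETING = """<?php
/* must-use helper (constructed) */
if ( file_exists( WPMU_PLUGIN_DIR . '/example-organizer-mu.php' ) ) {
    unlink( WPMU_PLUGIN_DIR . '/example-organizer-mu.php' );
}
"""
GUARD_CLEAN = """<?php
/* must-use helper (constructed) */
"""
RELEASES = [
    ("A", {"includes/compat.php": COMPAT_TARGETING}),
    ("B", {"includes/compat.php": COMPAT_CLEAN, "mu/guard.php": GUARD_TARGETING}),
    ("C", {"includes/compat.php": COMPAT_TARGETING, "mu/guard.php": GUARD_CLEAN}),
]

if __name__ == "__main__":
    for (old_label, old), (new_label, new) in zip(RELEASES, RELEASES[1:]):
        added, removed, remaining = release_delta(old, new, MARKERS)
        print("%s -> %s" % (old_label, new_label))
        for tag, items in (("added", added), ("removed", removed), ("remaining", remaining)):
            for f in items:
                print("  %-9s %s:%d %s" % (tag, f.path, f.line, f.statement))
```

In the constructed history, release C drops the file deletion from the must-use helper yet still reports one remaining finding, which is why the delta is computed over the whole release rather than per file.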


    1. Otto’s comments were not exactly factual. For a full description of the situation, see this blog post: https://www.redsandmarketing.com/blog/malware-alert-plugin-organizer-wordpress/

      As soon as I responded to Otto on Reddit, he abused his role as moderator and banned my Reddit account, and posted further comments that we could not respond to. Just sit and chew on that for a minute. As a moderator on Reddit, he permanently banned our Reddit account. That is completely inappropriate for anyone in a moderator role.

      Any code we added in reference to Plugin Organizer was defensive code. Originally, we only added a compatibility shim and did it in a way that affected no other plugins. Once Plugin Organizer started taking aggressive measures towards WP-SpamShield code, it became necessary to add defensive code.

      Otto has been harassing us, and me personally since 2007. My next blog post will outline the facts of that.



      1. Scott,
        You continue to lie in public. And in a forum for developers no less who know how to use grep and diff to see how you started the whole thing and acted like a child. It’s pretty sad that you are willing to sink your plugins like this rather than admitting to what you did. Which again anyone can see for themselves with the code that is publicly available.



      2. Any code we added in reference to Plugin Organizer was defensive code. Originally, we only added a compatibility shim and did it in a way that affected no other plugins

        When a plugin disables the functionality of another one without asking for user consent, it moves into the malware realm.

        I assume that it is not the only plugin doing such stuff (jetpack used(?) to override the limit logins plugin), but there is a fine line between doing that shamefully as a last resort thing and insisting that it has any legitimacy from users or fellow developers.



      3. 1. I don’t believe that your user account on Reddit was banned. I can still see the account user page showing as active here: https://www.reddit.com/user/RedSandMG

        However, I notice that your user account is brand new (only 1 day old) and that you have a net negative score. Reddit has a variety of automated functions to prevent spam or trolling. I am not up to date on what the current functions might be, but one thing that has existed in the past was automated responses to certain posting patterns. So a brand new user account together with a series of downvotes on posts would very likely trigger a temporary ban on posting — because basically users build up positive “karma” points over time so that the automated bots recognize them as trusted users.

        So my guess is that you just ran afoul of the automated system, which probably interposed a temporary block on posting that will clear after some period of time.

        2. No one cares about your personal grievances against Otto, or who said what and when. So blog away if it makes you feel better, but your users don’t care whose fault it is.. The 100,000+ users who have downloaded your plugin just want software that works and that they can rely on. You’ve made it pretty clear that the “rely on” part is going to be a problem in the future.

        You were asked to remove code that targeted another plugin, and you chose to remove it from one file but restore code with essentially the same effect in another. So no surprise that you managed to tick off the people who wanted the offending code removed.



  25. If Otto and Allen have been in dispute for the past ten years, as Allen states, then whatever the truth, both will now be so entrenched they won’t be able to see a way out.
    This will stay at stalemate unless someone can mediate.



  26. I don’t get the point of a plugin such as Plugin Organizer, but isn’t the purpose of this plugin to let users disable other plugins in specific scenarios? Then don’t blame (and covertly disable) Plugin Organizer itself, but educate your users (with a warning message, for example) that are using it together with your plugin, instead.



    1. It’s a very useful plugin. For example, let’s say you have a resource-heavy e-commerce plugin and it slows down every page on your site. The reason it’s slow is because it loads in kilobytes (and megabytes) worth of options, creates a session for the cart, and so on, but you don’t need any of that for your home page or blog. You can selectively deactivate that plugin on parts of the site where you don’t need e-commerce functionality.



  27. I think we need to be accurate in defining malware.

    Malware: software that is intended to damage or disable computers and computer systems.

    -or-

    Malware, short for malicious software, is an umbrella term used to refer to a variety of forms of hostile or intrusive software

    Malware is defined by its malicious intent, acting against the requirements of the computer user — and so does not include software that causes unintentional harm due to some deficiency.

    An example is the Sony rootkit, a Trojan horse embedded into CDs sold by Sony, which silently installed and concealed itself on purchasers’ computers with the intention of preventing illicit copying; it also reported on users’ listening habits, and unintentionally created vulnerabilities that were exploited by unrelated malware.



    1. Malware is defined by its malicious intent, acting against the requirements of the computer user

      That is exactly what Wp Spamshield was doing and why it got removed. The user installed Plugin Organizer intending to use it as it was written. WP Spamshield disabled it and didn’t tell the user it had been disabled. So it was acting against the user who had installed it.



      1. WPSS is not even close to the definition, if that is what you are trying to posit. Malicious intent is just the same as in a courtroom where you have to prove, beyond a reasonable doubt that there was intent. AND THEN you would have to prove that it WAS malicious.

        When a plugin provides options to turn on or turn off a certain component that may or may not interfere with another (piece of software) there is not intent; and it is not devious or malicious.

        WPSS provides ample options. And the support for any juxtaposing, from what I have found, is very spot on and the author even provides snippets to fix things that should not even need to be fixed inside of WPSS itself, yet he abides.

        Here is a screenshot of the options settings if you can not find them on WP…. laughing out loud now: https://wpquirks.com/counter-points/wpss-101/



  28. The fact this situation exists at all is proof a systematic change is needed. Picking a side is too easy.



  29. Some might see the plugin as more trustworthy when it is not in the WordPress plugin database. I’m at that point. Too many WP plugins are hiding how commercial they are. Off the WP site they can at least be honest about it. Of course, it is still user/ buyer beware either way.



  30. If he is willing to (wpspamshield) disable a plugin on my site…how do I know he won’t try to disable a competing plugin, so I see the disabled plugin is not working so I switch to his?

    How is this any different from when a plugin author inserted a backdoor to put spam links (see wordfence blog)?



    1. Hi Miroslav,

      I’m completely in agreement with you about distrusting a plugin author that would do sneaky things like you’re describing. We definitely are not doing that.

      The problem is, there is a lot of spin-doctoring going on. The word “disable” is getting thrown around a lot, when that’s not even close to what’s actually happening.

      WP-SpamShield does not “disable” or “deactivate” Plugin Organizer, and nothing is done in secret.

      There is a fairly bold warning notice in the admin as long as the two are active together, explaining that the two plugins are not compatible and should not be used together as it will cause problems.

      If the user decides to ignore the warning notice (and only if this is true), WPSS changes the value of 5 settings in PO in order to allow some limited functionality of both plugins. Plugins do this all the time, and it’s not malicious. If anything, this is a compromise — both plugins are limited. It’s not ideal. That’s why we had asked Jeff — PO’s dev — to respect other plugin developers and provide a whitelist option for other developers. For example, we provide hooks for other developers to use when they need to bypass certain filters in WPSS. This is not uncommon.

      The user should just deactivate WP-SpamShield or Plugin Organizer, and we make this clear with the warning, and in Known Conflicts page. You’ll notice there are two direct quotes by both Otto and Mika, that describe Plugin Organizer as “dangerous”, and they acknowledge that it can break security plugins.

      I realize that situations like this are likely to cause mistrust, but I would just ask people to run some tests for yourselves, and investigate further before rushing to judgment. When people start throwing around words like “disable”, it starts twisting the facts.



      1. @Scott Allen you seem to have an explanation for everything, which just goes to show you are not listening to what your users (or the WordPress plugins Team) are telling you.

        As far as I’m concerned the most damning fact against WPSS is when it DELETES the Plugin Organizer’s MU plugin file. When a plugin DELETES files from my server that it has NO RIGHT TO TOUCH — you’ve now crossed the line and turned WPSS into malware.

        As much as YOU try to “spin-doctor” it in your favor, the fact that you deleted the file can’t be disputed. It’s in the code for everyone to see (/wp-spamshield/lib/sec/am-integrity-scanner.php, version 1.9.20).

        Your excuse for this is to call Plugin Organizer “malware”, but we all know that’s not why you really did it. The truth is you got into a childish spat with the PO developer, and like kids you tried to break each other’s plugins. Frankly I don’t care if you guys want to keep fighting it out, but when you start deleting files from *my* server, without my prior express approval, now you’ve gone a step too far.

        Until you own up to what you’ve done, show some humility, and vow never to act like this again, I cannot trust that you won’t just do the same thing again the next time some plugin developer pisses you off.



      2. Yes. There’s a lot of “spin-doctoring” and it’s coming from you. It’s easy to look through the changes you made to WP Spamshield before it was removed from wordpress.org. Your plugin turned off the ability of Plugin Organizer to do what it was intended to do. It could no longer function after the malware you call WP Spamshield was installed. You are a very dishonest person. It’s a good thing you can’t change what the internet has stored of the code you released. It’s really that simple. It only takes a few minutes to prove everything you are saying is complete BS.



      3. @David Rothschild
        Everyone has a right to defend themself against a false accusation.

        As far as I’m concerned the most damning fact against WPSS is when it DELETES the Plugin Organizer’s MU plugin file. When a plugin DELETES files from my server that it has NO RIGHT TO TOUCH — you’ve now crossed the line and turned WPSS into malware.

        Taking actions to stop malware is not malware — that’s anti-malware.

        Your excuse for this is to call Plugin Organizer “malware”, but we all know that’s not why you really did it.

        Well, version 9.2.3 of Plugin Organizer is malware. As of version 9.2.3 it added malicious code that intentionally disables WP-SpamShield (and I mean literally deactivated it without the site owner’s knowledge) — it went on to prevent site owners from re-activating it, even when Plugin Organizer is deactivated. The situation was clearly explained in this blog post. We were up front about all of the actions we were taking, and it was clearly marked in the Changelog, and in the upgrade notice in the WordPress admin.

        That stands in contrast with PO secretly deactivating an anti-spam and security plugin. WP-SpamShield blocks pingback DDoS attacks, brute force amplification attacks, and provides a number of other security features.

        I stand by our actions — it was the right thing to do. I am not going to apologize for protecting our plugin users. You’re free to judge, but I have to go with my conscience.

        @Penelope

        I’m sorry that you feel that way. Honesty has always been a priority to me. Not everyone will be able to see that all the time, and I accept that. I think that anyone who analyzes the facts with an open mind will see the truth of what I’ve said.



      4. …and this proves my point. Talking to Scott Allen is like talking to a brick wall.



      5. So you clearly marked in your changelog that you were disabling and deleting the files from Plugin Organizer? Because I have your changelog and I can tell you that is not in there. Where does it say in version 1.9.19 that you were disabling Plugin Organizer?

        Here’s your changelog.

        = 1.9.19 =
        *released 10/25/17*

        * Added an enhancement to ensure functional integrity and prevent other plugins from disabling or modifying essential functionality.

        Where does it say you are disabling Plugin Organizer? Doing a diff of your code shows that you are doing exactly that.

        Where in the changelog for 1.9.20 does it say you are deleting Plugin Organizer from the user’s server? Where does it say that you were installing an MU file that would continue to delete files from the user’s server even after WP Spamshield was disabled? Because that is exactly what that version of WP Spamshield did.

        = 1.9.20 =
        *released 10/27/17*

        * Added an anti-malware module to prevent the “Plugin Organizer” malware plugin from disabling WP-SpamShield, and to scan for and remove the fake malware plugin “X-WP-SPAM-SHIELD-PRO” (which is in no way associated with the real WP-SpamShield). We recommend that WordPress site owners remove the WordPress plugin called “Plugin Organizer”. As of version 9.2.3 it has added malware code that intentionally disables WP-SpamShield, and prevents site owners from re-activating it, even when “Plugin Organizer” is deactivated, leaving sites unprotected. [More information »](https://www.redsandmarketing.com/blog/malware-alert-plugin-organizer-wordpress/)

        You really are the king of spin.



  31. I would sincerely like to know WHY PluginOrganizer is still on the w.org repository? Can anyone answer this. It is obviously in violation and I do not see anyone addressing this as a factor in Moderators’ decision making process.

    Jeff, the author, has not peeped in at all and this makes me wonder what his connection with the moderators is. Sorry if this sounds like favorites talk, but I am beyond leery at this point after gathering personality traits from each responder’s language analysis collection which reveals personality, mental health and intent. The program is a bit like facebook “shadow accounts” only easier to process.

    If you want to extrapolate into Jeff’s mind set without any kind of degree in psychology or sociology, just take a look at his gravatar.



    1. I would sincerely like to know WHY PluginOrganizer is still on the w.org repository? Can anyone answer this. It is obviously in violation

      What is your reasoning for it being in violation of the guidelines? The code disabling WP-SpamShield was removed in October 2017. I’m not sure this recent commit was done entirely in the spirit of playing nice, but at least at first glance there is nothing that directly interferes with WPSS (renaming one’s own options would appear to be within prerogatives of a developer).

      after gathering personality traits from each responder’s language analysis collection which reveals personality, mental health and intent

      I’m not sure what you intended to tell us with that sentence, but it sure sounds creepy.



      1. Hi @pepe,

        at first glance there is nothing that directly interferes with WPSS

        Maybe at first glance, but WP-SpamShield is a finely tuned and complex plugin.

        Plugin Organizer breaks a lot actually. It’s very difficult to provide a rock-solid software, when another developer decides to make it easy to interfere with your code. (People would never consider this type of interference on their desktop computer’s software.)

        Depending on how the user configures PO, it can break miscellaneous form protection (one of WPSS’ key features: protection for third party contact forms other than CF7 and Gravity / protection from a number of random hacking attacks), advanced human spam detection features, and it causes JS not to load on non-form pages, which causes validation errors/false positives when forms are submitted, depending on the site’s caching setup. (To name a few.) We’ll post more details about all this soon.

        The code disabling WP-SpamShield was removed in October 2017.

        To clarify, the malware code that deactivated WP-SpamShield and kept it deactivated — even while Plugin organizer was deactivated — was removed in PO v9.2.4. However, it still breaks WP-SpamShield, and a lot of other plugins. Over the years, we’ve dealt with tons of tech support issues on WordPress sites that used Plugin Organizer, that were not even using WP-SpamShield.



      2. @Scott: Apparently we have reached the nesting limit here :(

        While I get that you are passionate about your product, people install Plugin Organizer to do the very thing that you criticize. While I probably wouldn’t install it on any of my sites, it’s because I don’t need it, I can code. But that does not mean the plugin is not useful to others.

        And yes, it’s probably very easy to break your site with it. Then again, that’s true for a lot of plugins. It does what it says on the box and comes with plenty of warnings. If people want to use such a plugin (and I see scenarios where it might be useful), they do so at their own risk.



      3. Scott,

        Plugin Organizer does not break anything on its own. A user has the potential to break their site and other plugins by configuring it incorrectly. As Pepe pointed out they can break their site by configuring a lot of plugins incorrectly.

        FYI I added code to Plugin Organizer to deactivate your plugin after you introduced code in yours to delete my plugin and change the database options. It’s too bad you refused to work with me from the beginning with the whole $_POST array bug your plugin introduced.



    2. I would sincerely like to know WHY PluginOrganizer is still on the w.org repository?

      Because the PO plugin author complied with the request from WP plugin team to remove the code which targeted WPSS.

      But WPSS author is unwilling to comply with request to remove code targeting PO. He did remove the added MU, but when he did so he also restored the function in version 1.9.19 which was the code that prompted the PO author to add its own MU targeting WPSS.

      The code added with WPSS 1.9.19 prevents PO from functioning as it was designed to do. It is true that PO can cause all sorts of conflicts with other plugins, but that is something for the site owner to decide. The whole point is that PO is designed to allow site owners to control load order for plugins and to selectively disable plugins from loading on pages where they are not needed (or where they might cause specific problems).



    3. Because I complied with the request from the WordPress admins to remove the couple of lines of code I put in the MU plugin that deactivated WP Spamshield to prevent it from deleting Plugin Organizer. WP Spamshield did not fully comply and the latest version still contains code that targets Plugin Organizer.



  32. What is really disturbing for end users is that both sides added codes to target other plugins (whatever may be the reason). If it is not stopped in the bud this can lead to many future repercussions with plugin authors to settle personal scores can add any codes to block or prevent or delete other plugins.
    That can lead to more security issues……..



    1. EXACTLY, thank you, Rahu, for making this statement. But I do thank pepe, as well, for letting me know about 9.2.4 removing the said code.

      = 9.2.4 =
      Removing code that deactivates WP-Spamshield as it is pointless to keep releasing countermeasures to prevent their malicious code.

      = 9.2.3 =
      Added code to prevent a malicious plugin from disabling Plugin Organizer by deactivating it at load time.

      = 9.2.2 =
      Fixed a bug with the gettext hook being called mutiple times to change the page title on a group view.
      Added code to prevent other plugins from altering posted data.

      Although 9.2.2 “added code to prevent” sounds one-off, yet it might be the same “concept” as WPSS protecting their users from “malware*”.

      *term used broadly.



      1. Maybe you should take a look at the changes instead of wildly speculating Tradesouthwest.



      2. It’s also revealing that 9.2.4 was released less than 24 hours after 9.2.3. To me, it’s clear it was a fairly quick realization that the change deactivating WP Spamshield wasn’t the right thing to do.



  33. Well this article and most of the discussion has been pretty one sided so far. I decided to go look into the author of the other plugin involved (Plugin Organizer) and it seems he has a pretty different account of what happened.

    http://www.jsterup.com/blog/security/wp-spamshield/



    1. Well this article and most of the discussion has been pretty one sided so far. I decided to go look into the author of the other plugin involved (Plugin Organizer) and it seems he has a pretty different account of what happened.

      Xerfyre, are you Jeff Sterup?



      1. No. But I am fed up with Scott and his attitude. He crashed my site and won’t take responsibility for what he did. I think he got what he deserved after the way he’s acted since he started all of this.



    2. Thanks for linking to my page. Nice to see that some people are willing to get both sides of the story before passing judgement.



  34. I agree with TradeSouthwest. If both plug-ins did the same thing to each other, the response should be the same.

    I’ve been here 5 years quietly working on my WP sites, reading various blogs, learning lots of great stuff, and also getting a sense of personality of repeat authors by their writing style.

    Any issue presented to a reviewer should, in my opinion, be looked at and judged independent of past encounters or public input on the likeability of the developer. People who post should address the issue – not the developer.

    Reviewers should not be the final authority. I saw no mention of an appeals process developers can use that will be perceived as professional and impartial and disassociated in any way from emotions or passive-aggressive actions such as ignoring the developer or plugin for long periods of time. If there is such an appeals process in place and I missed it, I apologize.

    The process itself is well-written overall with one glaring problem. This line in #18 is completely inappropriate for any process that wants to be perceived as fair and impartial!

    We reserve the right to arbitrarily disable or remove any plugin from the directory for any reason whatsoever, even for reasons not explicitly covered by these guidelines.

    While you may believe you have the right to be ‘arbitrary’ that word has no business being in any serious review policy. The definition of arbitrary is “based on random choice or personal whim, rather than any reason or system.” Seriously? How could anyone approve such a statement in a review policy?! #18 undermines anything written in 1-17. How can any review be trusted when item 18 gives full authority to remove or disapprove a plugin for absolutely no reason other than the personal whim of a reviewer or any other reason whatsoever?! Number 18 needs to be removed as it is if this process is ever to be trusted.

    More important than the written policy, reviewers must believe that enemy-making or dislike of a developer should NEVER be involved in the professional process of review whether the reviewer is a volunteer or employee, new or well-established. Actions based on personal grudges or even like/dislike of a developer are never part of a professional process of review. Expecting unemotional review of a product in a reasonable time-frame should be the norm for any developer. I know it’s possible because I know it’s done by some reviewers here and I’ve seen it on many other moderated sites. If some reviewers need to move on because of burn-out cynicism and others need to be hired to take up the slack, then there must certainly be resources available to do so. It appears to me that the reviewers could be overwhelmed with items to review. I can only imagine how many plugins come in per week or month. It can’t be an easy job.

    I must also join the band-wagon of saying how very tired I am of being coerced to purchase things I don’t want on the admin page or any other page for that matter. This business needs to stop. Item 11 seems to agree with what we’re saying:

    Advertising within the WordPress Dashboard should be avoided.

    Perhaps items 5 and 11 could be tightened up to reflect that statement unambiguously.

    I’ve been in the role of having to make decisions and choices that affect others on a popular site for the benefit of all. I know how difficult it is to do, particularly if you’re dealing with someone who is difficult or who you don’t get along with. I know how helpful it can be to have a clearly written policy to cite. One thing I always had to remember is that often English was not the primary language of the person I was conversing with, so meaning could be misinterpreted. Another important thing to remember is to deal with the issue at hand based on the rules and the product – never the person. Finally, always give the person you’re dealing with the benefit of the doubt. I’m sorry to see so many people basing their arguments here on how they perceive a person to be and not on the issue at hand. Many important points seem lost in the finger-pointing and running down of a person, whether right or wrong. The review process and equal, consistent judgement are the issues as far as I’m concerned. Just one coder’s opinion. I thank all volunteers for taking part of your time to make WordPress better in a positive way for all.



    1. I agree. But both developers didn’t do the same thing to each other. Part of the core of WP Spamshield is to target other plugins without the user’s knowledge or permission and cause them to stop working. Plugin Organizer didn’t do that until it had no choice but to respond to the WP Spamshield code that was deleting the Plugin Organizer files from user sites. I have reviewed the code and compared when they were committed and the changes made for both plugins as the author of Plugin Organizer suggests doing in his support threads. It’s pretty clear which developer was in the wrong. Which is why that developer’s code got removed from wordpress.org.



      1. Nope! It is NOT clear. Meaning: clear which developer’s code was substantially disenfranchising WordPress users; and then what arbitration was taken to solidify the choice that w.org moderators made before removing WPSS. Not to point fingers; as it can be said that PluginOrganizer DID do what was asked of them. But why would there have to be a war of words rather than civil arbitration of the matter(s)? Answer: Continue reading.

        The only reason I choose to enter this conversation is related to what Paul just posted in this seam of the thread: “I saw no mention of an appeals process developers can use that will be perceived as professional and impartial and disassociated in any way from emotions or passive-aggressive actions such as ignoring the developer or plugin for long periods of time. If there is such an appeals process in place and I missed it and that is the whole reason why….” He also brings up rule #18 which I have to agree: IS ambiguous to take advantage of.

        I am and have always been pro Open Source. Yet there needs to be a more robust vehicle to handle privies and quirks which stem from large decisions made by smaller discourse. Explaining this using a quote from Zach Rosen.

        “Dries Buytaert and Matt Mullenweg recently posted calls to arms in defense of the “open web.” I, too, am a believer in the open web. It delivers on the promise of the Internet: a world in which everyone is connected, and you can command as much attention as your content deserves. But I agree with them that it is threatened by dominant technology companies who have an economic interest in creating their own “walled gardens” of Internet content that they control and monetize. [….] How many paid contributors to WordPress and Drupal are there? Maybe a few dozen. WordPress and Drupal lack the corporate sponsors of Linux because our open web companies have yet to get to critical mass. [….] Creatives, website designers and developers should all have an amazingly powerful set of tools that automate ALL the plumbing and grunt work so they can focus their precious time on creating amazing fast, responsive, web experiences. ”

        We as developers for little ole’ WP do not have the billions of dollars for infrastructure which means in order to make things fair and efficient there needs to be good/better tools to make things run good/better. Paul hits on this rather well in this thread. I respect him for this and hope that all devs—and enthusiasts—can jump on board to be more proactive, just like everyone in this comments quorum has been.

        If we don’t get involved then WP, Drupal… Open source becomes less extensible and we will NEVER get control of its quirks.



    2. If both plug-ins did the same thing to each other, the response should be the same.

      I think the response was the same: both plugin authors were told that they needed to remove code targeting the other. The PO author complied; the WPSS author didn’t & won’t (and has made it very clear that he doesn’t intend to because he considers the PO plugin to be “malware” — but that is his opinion and obviously not shared by the WP plugin team)



  35. Whatever happened, whoever those guys are, there’s only one fact: WP Spamshield has been, and still is, the most effective solution for fighting spam at WP sites. For comments, registration and contact forms all together. Far ahead of Akismet bundled with core WP installation. There is nothing else coming close to those results.

    Removing it from the repo that way, without further guidance and for whatever reason, is not only stupid but also harming WP and a lot of users that were and still are using this plugin for protecting their sites.



    1. I agree that WP Spamshield has been the most effective spam-fighting solution I have ever had — though not without its own set of problems.

      But there is not a lack of guidance here – it’s very simple: WP now has a rule — plugins in the repository cannot be written so as to interfere with or prevent functionality of other repository plugins.

      All Scott had to do in order to restore his plugin was to remove the code targeting Plugin Organizer. If he wanted, he could leave in code throwing off a warning – but this code has to go:

      static public function deconflict_po_01() {
          if( !is_admin() ) { return; }
          $pref = 'PO_'; $cb = '__return_zero';
          $all_options = wp_load_alloptions();
          $fix_options = array( 'admin_disable_plugins', 'disable_by_role', 'disable_mobile_plugins', 'disable_plugins', 'plugin_order', );
          foreach( $all_options as $option => $value ) {
              if( 0 === strpos( $option, $pref ) ) {
                  $slug = str_replace( $pref, '', $option );
                  if( 0 === strpos( serialize( $value ), WPSS_PLUGIN_NAME ) || isset( $fix_options[$slug] ) ) { update_option( $option, 0 ); continue; }
              }
          }
          foreach( $fix_options as $i => $v ) {
              add_filter( 'pre_update_option_'.$pref.$v, $cb, 100, 1 );
          }
      }

      This code essentially says, “if Plugin Organizer is installed, make sure that none of its options will work if applied to Spamshield”.

      The WPSS developer is unwilling to remove that code. He had asked the PO developer to give him a way to “whitelist” his plugin; the PO developer refused — and so he wrote his own script to do essentially the same thing.

      So it’s like a no-pets rule at an apartment building. It doesn’t matter how nice or helpful or wonderful a tenant is — nor does it matter that dogs and cats make wonderful companions – if the rule is no pets, then if a tenant decides to get a dog and the building management finds out, either the pet goes or the tenant goes.

      Except in this case, the rule is “don’t mess with other plugins” and there really is no room for any exception. If allowed, every plugin developer could copy Scott’s code and use it for their own plugins, and pretty soon Plugin Organizer wouldn’t work at all; and of course the same mechanism could also be used against other plugins.

      Maybe the process could have been better but Scott has made it clear he is unwilling to remove that code. So a better process doesn’t get us anywhere.

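A static check for the pattern the comment above describes, as an added example (not code from either plugin or from WordPress.org): it flags option writes and `pre_update_option_*` filters whose target lies outside a plugin's own option prefix. The `spamshield_` prefix and the names `resolve` and `audit` are assumptions made for illustration.

```python
import re

# The function quoted in the comment above (straight quotes restored).
SAMPLE = r"""static public function deconflict_po_01() {
    if( !is_admin() ) { return; }
    $pref = 'PO_'; $cb = '__return_zero';
    $all_options = wp_load_alloptions();
    $fix_options = array( 'admin_disable_plugins', 'disable_by_role', 'disable_mobile_plugins', 'disable_plugins', 'plugin_order', );
    foreach( $all_options as $option => $value ) {
        if( 0 === strpos( $option, $pref ) ) {
            $slug = str_replace( $pref, '', $option );
            if( 0 === strpos( serialize( $value ), WPSS_PLUGIN_NAME ) || isset( $fix_options[$slug] ) ) { update_option( $option, 0 ); continue; }
        }
    }
    foreach( $fix_options as $i => $v ) {
        add_filter( 'pre_update_option_'.$pref.$v, $cb, 100, 1 );
    }
}
"""

ASSIGN = re.compile(r"\$(\w+)\s*=\s*'([^']*)'\s*;")   # $var = 'literal';
HOOK = re.compile(r"\badd_filter\s*\(\s*([^,]+),")     # first argument of add_filter()
WRITE = re.compile(r"\b(?:update_option|delete_option)\s*\(\s*([^,)]+)")
OPTION_HOOKS = ("pre_update_option_", "pre_option_", "option_")

def resolve(expr, strings):
    """Fold a PHP concatenation of literals and known string variables.
    Anything unknown becomes '*', so the static prefix stays visible."""
    out = []
    for part in expr.split("."):
        part = part.strip()
        if len(part) >= 2 and part[0] == part[-1] == "'":
            out.append(part[1:-1])
        elif part.startswith("$"):
            out.append(strings.get(part[1:], "*"))
        else:
            out.append("*")
    return "".join(out)

def audit(php_source, own_prefixes):
    """Return (line, kind, detail) for option access outside own_prefixes."""
    own = tuple(own_prefixes)
    strings = dict(ASSIGN.findall(php_source))
    findings = []
    for lineno, line in enumerate(php_source.splitlines(), 1):
        if "wp_load_alloptions(" in line:
            findings.append((lineno, "enumerates-all-options", "wp_load_alloptions"))
        for m in HOOK.finditer(line):
            hook = resolve(m.group(1), strings)
            prefix = next((h for h in OPTION_HOOKS if hook.startswith(h)), None)
            if prefix and not hook[len(prefix):].startswith(own):
                findings.append((lineno, "foreign-option-filter", hook))
        for m in WRITE.finditer(line):
            name = resolve(m.group(1), strings)
            if not name.startswith(own):
                findings.append((lineno, "foreign-option-write", name))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE, own_prefixes=("spamshield_",)):  # assumed prefix
        print(finding)
```

The findings are prompts for manual review: a fully dynamic option name (`*`) is also common in benign code, so the combination with `wp_load_alloptions()` and a foreign prefix is what deserves attention.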


      1. I can understand what you say but I’m not smart enough to judge whether this is true or not, or whatever else. In fact I really don’t care. Not my problem. I’m a simple end user and I rely on WP repo for some plugins and themes I use for my sites.

        The only thing I realize clearly – and this was also the case with Postman plugin and some others – is that suddenly, for whatever reason, a plugin I use and that provides huge benefits and protection for my sites has suddenly disappeared from the repo without any further notice, explanation or guidance on how to proceed further.

        I’m not really supposed to read WP Tavern or other blogs in order to get an idea of what’s happening backstage. I would expect, at least, that the repo page still exists (with all previous support forum threads and plugin versions) and with a notice that would state a summary of what happened and some further instructions either for contacting the author or for finding alternatives.

        When Postman was removed and the plugin’s support forum was still working the only reply users got when asking what was happening was: there is nothing to discuss here, go away, comments are closed.

        I find this situation immature, stupid and sad.
        Same here. I understand there has to be a discussion among devs about the rules but end users are always taken as hostages in such situations.

        This being said – again, I’m not smart enough to really understand the whole context – but I really can’t get what’s wrong with a plugin that blocks another plugin that is supposed to block plugins… That’s really beyond the scope of my understanding.



      2. @Rushtin,

        I appreciate your feedback. That was a thoughtful assessment of things.

        I think you’ll find this comment interesting:

        We don’t have “rules”, we have “guidelines”.

        Some food for thought. Very subjective.

        Just to clarify — we complied with all the requests from the Plugins Team made on October 27th. We updated the code in record time…just over 5 hours after they contacted us (Oct 27 – v1.9.21). We received an email from them on Oct 29 that indicated we were good.

        We did not hear from them from October 29 to November 9th when we were informed that it was already banned. The request to remove the code you mentioned above was only made after it was already booted. The requirements keep changing from day to day. That’s one of the major issues.



      3. Rushtin is being an excellent calm, focused mediator – not blaming or taking sides, just working towards an objective. He says he is a problem solver but he is much more.



  36. The request to remove the code you mentioned above was only made after it was already booted. The requirements keep changing from day to day. That’s one of the major issues.

    Scott, can you clarify?

    The code I highlighted above is from the classcompatibility.php file.

    As far as I can tell that code was introduced a while back, and existed up through version 1.9.19. Then in October, you modified or removed that code in version 1.9.20, and instead put code in to a MU plugin that was designed to prevent loading of PO. My impression is also that you did that because of a change the PO author had made to prevent WPSS from functioning, as his way of defeating the 1.9.19 code.

    Then the WP team told you to remove the MU, and you did that with version 1.9.21 (or at least the code targeting PO) — and did in fact issue that right away. But at the same time you restored the classcompatibility file code from version 1.9.19.

    So my guess has been that when you removed the MU code and reported that, the WP team initially thought that everything targeting PO had been removed, but then subsequently they became aware of the restoration of the classcompatibility code (the stuff that starts at around line 306)

    Going back to my “no pets” analogy, I guess this would be like a tenant who has a chihuahua in the apartment for months without problems, and then trades the chihuahua for a labrador retriever – and then the landlord says “the dog” has to go. So the tenant trades back – gets rid of the lab but recovers the chihuahua, thinking that the problem was with the dog’s size – but then the landlord learns about the chihuahua and is doubly ticked off because the landlord meant no dogs of any kind.

    So I certainly see the source of the miscommunication. And if in fact you had no communication at all from the WP team between the day that you put out version 1.9.21 (removing the MU code) and the day of the removal … I agree that’s a bad way to handle things.

    But I think you know now what they want and why they want it. If you want to be angry over the process or the words used (“guideline” vs. “rule”, etc) that’s your right — but I am a problem-solver by nature, so when I work on projects I try to overlook process and personalities and focus on end results instead.

    Is there any process or solution that would make you feel willing to restore some version of Spamshield to the WP repository?

    Perhaps following the model of offering a basic plugin on WP along with a more fully-featured premium version?

    I can tell you that I am finding that there is not another plugin currently in the repository that meets my needs as well as Spamshield. I am experimenting around with others, but each has its own set of shortcomings. So I would love to see Spamshield come back, at least with the basic anti-spam functions.

    At the same time, I am guessing that you are going to have a hard time finding a distribution channel that will bring Spamshield to as wide a body of users as the WP repository. I am assuming you’ll have to go to a fee based model at a site such as envato & codecanyon. Perhaps I am mistaken … but that’s what I am expecting.

    So I would just suggest that you focus on end results and where you want to be. It’s normal in this world that people have disagreements from time to time– and easy to walk away in disgust. The harder thing is to move past the anger and work on finding a path to a solution that may involve compromises from all sides.



    1. What a perfect calm, clear, mediating reply. Exactly what is needed. Thank you.



    2. That’s pretty close to what happened. Except Scott targeted Plugin Organizer in earlier versions by reindexing the $_POST array incorrectly. Which wasn’t malicious but still created a bug. I asked him to fix it and he refused. So I released a version of Plugin Organizer that grabbed the $_POST array early on before his plugin re-indexed it and I could get the data that had been posted in the correct format.

      He responded by releasing a version of his plugin that specifically targeted Plugin Organizer and deleted the files from it as well as changed the options. So I released a version that deactivated his plugin in the MU component of Plugin Organizer to prevent him from doing that. In response he released a version that introduced an MU plugin file of his own named so that it would load before mine that contained the code to delete Plugin Organizer and change the database options.

      That is when the WordPress admins got involved. They asked both of us to remove the code that targeted the other’s plugin. Which I was happy to do since all I wanted in the first place is for his plugin to stop targeting and breaking mine. I removed the lines of code that deactivated his plugin. He removed the lines of code that deleted mine. But he left in the code that changed the database options. I notified the admins after waiting two weeks for him to remove that code. That’s when they removed WP Spamshield. They had also been waiting for him to do something about it apparently and just got sick of it all.

      He won’t give up on this crusade he has embarked on. He will release his plugin from a different source eventually. But he will never admit his role in WP Spamshield being removed from the repository. That would be damaging to his ego. Before you run the new version of WP Spamshield you should take a look at the code to see what other things it is doing without your knowledge. I’m sure you’ll be surprised what you find. I was.



      1. @Jeff Sterup,
        I’m glad to see you’re using your real name now instead of @xerfyre. :)

        I’m not going to get into a point by point debate with you, but I will say: your description does not accurately portray what happened. I offered multiple times to work with you on compatibility fixes, and that was right at the beginning.



    3. Scott, I’ve now seen your latest blog post at https://www.redsandmarketing.com/blog/real-reason-wp-spamshield-kicked-off-wordpress-org/ so no need to reply to my question (can you clarify?) above – your post makes your position clear.

      I am sorry that you feel the way you do… but of course it is your right and certainly you are under no obligation to continue to offer or support free plugins on WordPress. So thank you for the work you have done in the past and good luck with whatever you choose to do in the future.



  37. Wow this is all totally messed up. I just found out about this when I went to wordpress.org and couldn’t find WPSS to download and googled wtf is going on. I have one site I manage which is using WPSS and since I update plugins on a regular basis it has what I assume is the latest version which is unfortunate. I’m going to have to find something else.



  38. Well, it was nice of someone to link to my site from this post so that I could see that it exists through people clicking on the link. It’s also good that most people on here seem to have a good understanding of how everything happened and understand that WP Spamshield was removed for a good reason. It’s too bad the author of WP Spamshield had to take the action they did to harm people’s websites. That eventually got their plugin removed.


Comments are closed.