Lesson Learned: WordPress.org Plug-Ins Can Be Malicious - kenny chung : the frequency


It’s 5am and I just completed a manual recoding of the share buttons on this blog. The reason? I had previously been using a WordPress.org plug-in titled “Facebook Like and Share, Twitter, Google +1, Google buzz buttons”. Yes, the keyword-stuffed name should’ve been a dead giveaway, but it did what I needed it to do – it created post-level Facebook Like, Twitter Tweet, and Google +1 buttons. I’d been using it for several months without actually checking out the code, and tonight I found this unsettling tidbit:

[Screenshot: Vas Pro Social Media Share Button Black Hat Links. The highlighted portion contains the black hat hidden links included with the plug-in.]

In the above screenshot, you can see that the plug-in included two hidden links within every single blog post. As a webmaster (and SEO), this was jarring. I suppose I thought WordPress.org plug-ins were policed better than that. But here’s the kicker – the plug-in has since been removed from WordPress.org. The nearest mention of it is this forum post where another user found the black-hat links that the plug-in appended to their posts and meta descriptions.

To say that I learned from my mistake would be an understatement. I basically rebuilt the social share toolbar code from the ground up, and improved upon it by using asynchronous code where possible. I also had to brush up a bit about WordPress and “The Loop”, which is a concept I had only previously read about in passing.

So what’s the takeaway? If you’re running WordPress.org on your own domain, be wary that WordPress will not notify you if a plug-in has been detected or flagged as malicious. Do the due diligence and review the code for plug-ins that don’t have many user reviews. And if all else fails, do it yourself!
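The review the paragraph above calls for can start at the rendered page rather than the plug-in source: the script below, added here as an example and not code from the original post, parses a post’s HTML and reports every anchor a reader would never see because it, or one of its ancestors, is hidden by inline CSS. It assumes injected links are concealed that way (the post does not say how its links were hidden), and the sample HTML and the spam.example host are constructed for the demonstration.

```python
import re
from html.parser import HTMLParser

# Inline CSS that hides an element from a reader while leaving it in the HTML.
HIDING_RULES = [
    (re.compile(r"display\s*:\s*none"), "display:none"),
    (re.compile(r"visibility\s*:\s*hidden"), "visibility:hidden"),
    (re.compile(r"font-size\s*:\s*0(?:px|pt|em)?\s*(?:;|$)"), "zero font size"),
    (re.compile(r"(?:left|top|text-indent)\s*:\s*-\d{3,}"), "pushed off-screen"),
]
# Void elements never get a closing tag, so they must not enter the ancestor stack.
VOID = {"area", "base", "br", "col", "embed", "hr", "img", "input", "link", "meta", "source", "wbr"}

def hiding_reason(style):
    """How an inline style hides its element, or None if it does not."""
    for pattern, reason in HIDING_RULES:
        if pattern.search(style.lower()):
            return reason
    return None

class HiddenLinkFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.stack = []      # hiding reason (or None) for each open ancestor
        self.findings = []   # (href, reason) for every <a> a reader cannot see

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        reason = hiding_reason(attrs.get("style") or "")
        # Anything inside a hidden ancestor is hidden too.
        effective = reason or next((r for r in reversed(self.stack) if r), None)
        if tag == "a" and effective:
            self.findings.append((attrs.get("href") or "", effective))
        if tag not in VOID:
            self.stack.append(effective)

    def handle_endtag(self, tag):
        if tag not in VOID and self.stack:
            self.stack.pop()

def find_hidden_links(html):
    """Scan one rendered post; returns [(href, reason), ...]."""
    finder = HiddenLinkFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample: one honest link and two concealed ones (spam.example is a placeholder).
SAMPLE_POST = """<p>Read on, then see <a href="https://example.org/about">about this blog</a>.</p>
<div style="display:none"><a href="http://spam.example/loans">cheap loans</a></div>
<span style="position:absolute;left:-9999px"><a href="http://spam.example/pills">pills</a></span>"""
```

Run it over the HTML of a published post (view-source, or `curl` the permalink); anything it reports that you did not write yourself is worth tracing back to a plug-in.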

By the way, if anybody wants the code I used, leave a comment or email me!


This work is licensed under a Creative Commons Attribution-No Derivative Works 3.0 United States License.