On Tuesday we published a blog post about the 404 to 301 plugin inserting ad links into page content that only search engines could see. This technique is called cloaking, and it incurs a penalty from Google.
Since then we have received some criticism from the maintainers of the WordPress plugin repository for the way we handled this. We have also received some criticism from the community for victimizing a plugin author.
I'd like to share a few additional facts and then explain why I wholeheartedly stand by our decision to publish and the way we handled this.
- The plugin inserted links to websites into page content that would only show up when Google or another search engine crawled the site.
- The content was hidden from the site owner and from anyone who did not visit the site with a search engine user-agent (browser identification string).
- The plugin asked you for permission to do this by displaying terms of service that described exactly what it intended to do. The 'cloaking' portion of the terms of service came at the end, after a long copy of the GNU General Public License. It was below the fold in a scrolling element, so it would not have been noticed by anyone who didn't scroll down. (See below for screenshot)
- On further investigation the ad domain, which is wpcdn.io, serves up three things:
- The Payday Loan content we already disclosed. (See below for content)
- A link to an adult UK based escort service. (See below for censored screenshot and content).
- A string of text that is somewhat unique: sdf98jhk (See below for content)
- If you google that string it returns 8,620 results, and these appear to be WordPress sites that have had content injected by this plugin and indexed by Google. Random checks confirm that these sites are running the affected plugin. This confirms that over 8,000 sites at a minimum were affected.
- Sadly, if you google the adult domain that is being served, it appears to have infected many other websites, including a school's site that is now serving adult content to Google. (See below for screenshot)
- The ad domain was registered on January 14, 2016.
- The plugin author's account was used to upload the changes.
- We were alerted to this plugin by a customer and upon investigation found that their site was surreptitiously serving up blackhat SEO content.
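As an added example (this is not Wordfence's code and not code from the plugin), here is the kind of check a site owner could run to find out whether a page serves different links to a search-engine crawler than to a normal browser, which is the behaviour described above. The user-agent strings, the sample HTML and the `spam.example` link are constructed for illustration; only the `sdf98jhk` marker text comes from the post.

```python
import re
import urllib.request

# Added example code, not Wordfence's or the plugin's. The crawler string is
# Googlebot's published user-agent; the browser string is a generic Chrome-style
# value chosen for illustration.
BROWSER_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/120.0 Safari/537.36")
CRAWLER_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

# The marker text the post reports being injected alongside the ad links.
CLOAK_MARKER = "sdf98jhk"

# Deliberately simple href extraction so the script has no third-party dependency.
LINK_RE = re.compile(r'<a\b[^>]*\bhref=["\']([^"\']+)["\']', re.IGNORECASE)


def extract_links(html):
    """Return the set of href targets found in the document."""
    return set(LINK_RE.findall(html))


def crawler_only_links(browser_html, crawler_html):
    """Links present in the crawler's view but absent from the browser's: the cloaked content."""
    return sorted(extract_links(crawler_html) - extract_links(browser_html))


def fetch(url, user_agent, timeout=15):
    """Fetch url with the given User-Agent and return the body as text (live network)."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


def check_page(url, fetch=fetch):
    """Fetch url once as a browser and once as a crawler and report the differences."""
    browser_html = fetch(url, BROWSER_UA)
    crawler_html = fetch(url, CRAWLER_UA)
    return {
        "cloaked_links": crawler_only_links(browser_html, crawler_html),
        "marker_in_crawler_view": CLOAK_MARKER in crawler_html,
        "marker_in_browser_view": CLOAK_MARKER in browser_html,
    }


# Constructed sample responses standing in for an infected site; not captured data.
SAMPLE_BROWSER_HTML = """<html><body>
<h1>My Blog</h1>
<p>Welcome. <a href="/about">About</a> <a href="https://example.org/friend">A friend</a></p>
</body></html>"""

SAMPLE_CRAWLER_HTML = """<html><body>
<div style="display:none"><a href="http://spam.example/payday-loans">payday loans</a> sdf98jhk</div>
<h1>My Blog</h1>
<p>Welcome. <a href="/about">About</a> <a href="https://example.org/friend">A friend</a></p>
</body></html>"""


def simulated_fetch(url, user_agent, timeout=15):
    """Stand-in for fetch(): serves the spam only to crawler user-agents, as the plugin did."""
    is_crawler = any(bot in user_agent.lower() for bot in ("googlebot", "bingbot", "slurp"))
    return SAMPLE_CRAWLER_HTML if is_crawler else SAMPLE_BROWSER_HTML


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else None
    # With a URL argument the check goes over the network; without one it runs
    # against the constructed sample so the script can be tried offline.
    report = check_page(target, fetch) if target else check_page("http://victim.example/", simulated_fetch)
    for link in report["cloaked_links"]:
        print("cloaked link:", link)
    if report["marker_in_crawler_view"] and not report["marker_in_browser_view"]:
        print("marker", CLOAK_MARKER, "served to crawler only")
```

Run it as `python cloakcheck.py https://your-site.example/` to test a live page, or with no argument to see it flag the constructed sample. Two caveats: some cloaking code keys on the client's IP address or reverse DNS rather than the User-Agent header, so a clean result from a user-agent-only check is not proof that a site is clean; and a Google search for the marker text, as the post describes, is an independent way to see whether a site's cloaked content has already been indexed.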
This was not a vulnerability
This is not a security hole in a plugin that requires the usual 'responsible disclosure' to the plugin author. This was a plugin that had malware pre-installed via the author's account and was active on over 70,000 websites.
It was urgent that we notify the community and our customers about this so that they could immediately react and limit the damage.
The fact that the terms of service in the plugin actually ask for permission to engage in cloaking (see below for screenshot) indicated to us that this was done with the plugin author's blessing, rather than being a case where a plugin author's account was hacked. The exact wording from the ToS was:
"By clicking the button here below, you agree to the terms and conditions and give permission to place text links on your website when search engine crawlers access it."
We were under absolutely no obligation to look after the plugin author's interests when we discovered this, because it wasn't a security hole that the author had written by accident. Someone had intentionally placed spam on a large chunk of the WordPress community's websites and was profiting from it. The terms of service indicated it was intentional.
We needed to react quickly and that's what we did.
How we handled this incident
On Tuesday this week Wordfence immediately notified our large security mailing list about the problem by posting on our blog and sending out an email linking to the post.
We also notified the plugins@wordpress.org email address about the issue.
We made no attempt to notify the author. Presumably he already knew he was doing bad things based on his terms of service.
What happened once we sent out the notification
We were criticized for our approach by the WordPress.org plugin repository maintainers. We were told we should have contacted the developer first. Then, if they don't reply or we can't find out how to contact them, we should contact plugins@wordpress.org second. And only then should we post, preferably after something has been fixed.
I strongly disagree with this approach and stand by our actions, because this was a plugin that had malware intentionally pre-installed by the author. Why notify the author that they've been discovered?
It seems more helpful to put the community in the driver's seat. Let them take immediate action to limit damage that has already been intentionally done to their websites and their Google reputation. And then worry about the plugin author's interests.
And so thatโs exactly what we did. We sent out an immediate notification to the community and included plugins@wordpress.org in that notification.
What has the plugin author done?
The plugin author now says that he has removed the malicious code as per his changelog. We have not independently verified this.
The author has posted a blog post which you can find here:
https://thefoxe.com/blog/404-to-301-plugin-detected-by-wordfence-here-is-what-actually-happened/
We are intentionally not linking to the post to avoid promoting his website.
The post starts by saying "There are people, making money from other's mistakes, instead of correcting them."
We'd like to point out that the author was making money by surreptitiously injecting spam links into website content and, as a side effect, destroying those websites' search engine rankings. How are we obligated to correct his greed and lack of morals?
He was "shocked" that he received negative reviews of his plugin. We'd like to point out that there may be justification for those reviews.
The author says "I found that the links and ads are being shown at the top of the page content instead of showing small credit text at very bottom, for crawlers." This suggests he knew he was cloaking, was doing it intentionally, and thinks the problem is that the ads appeared to regular browsers too (in addition to search engines). We'd like to suggest he read up on what cloaking is and why it's bad.
He blames another developer who isn't named, conflates a security vulnerability with intentional malware, paints himself as the victim, accuses us of censoring his comments on our blog (we didn't) and claims we profited by demonizing him.
Final thoughts
I created Wordfence because my own personal site was hacked through the TimThumb vulnerability back in 2012. I discovered the vulnerability, which was a zero day, I wrote code that patched TimThumb, and then I locked myself in a room and coded for 8 months straight to create Wordfence to help prevent this from happening to anyone else ever again.
Today, Wordfence is a team of more than 20 highly trained and qualified individuals who come from a wide range of sectors in the security profession and community. We provide a world-class firewall that is free for the community and open source. We invest heavily in providing additional free resources to help the community, like our free WordPress security Learning Center and the prolific free support we provide on the wordpress.org forums.
I know what it feels like to have someone intentionally install their own malicious code on your site and profit from that code. It hurts your livelihood and reputation, and it was such an awful experience that I've dedicated my career for the last 5 years to making sure that does not happen to anyone else.
That is what happened in this case.
In this case we were under no obligation to protect the plugin author's interests. We notified the community first and we did it loudly. My team and I stand by our actions and we will do it again if we discover anyone else intentionally installing malware on community or customer websites.
We will always put our customers and the community first.
I welcome your comments, but I'd like to ask you for a favor: please avoid any witch-hunting or personal attacks on any individuals involved in this, including the plugin author and anyone else associated with the plugin or this incident.
Yours sincerely,
Mark Maunder, Wordfence founder/CEO.
References:
The link to a UK based adult escort service that was being injected under certain conditions:
Censored screen capture of the home page of cityofescorts, an adult site injected into content by this plugin:
The payday loans content that was being injected under certain conditions. This affected our customer in the initial report and is how we discovered the issue:
The text "sdf98jhk" that was being injected under certain conditions and that allows you to find affected sites using a Google search.
The section (once you scroll down) in the terms of service of the plugin that describes that the plugin will be cloaking content on your site.
Google results for the adult website that was being injected by this plugin. It looks like a school's website is now serving adult content to Google, and we haven't been able to confirm whether this plugin is the culprit or it's other malicious code.