404 to 301 Plugin Detected by WordFence – Here is What Actually Happened

Hello WordPress users, hope you are doing good!

Here is what I have learned today:

There are people, making money from other’s mistakes, instead of correcting them.

This evening, when I opened my email inbox, I was shocked to see that there were 20+  email notifications from WordPress.org. All of these were NEGATIVE reviews about my most popular plugin, 404 to 301 which is being actively used by 70k WordPress users. I immediately went through few of them and found that the source was one WordFence article stating that 404 to 301 Plugin Considered Harmful

I was shocked again! What? My plugin? How? I quickly went through each review and found that most of them were on same topic. From the WordFence article, I understood that it was the usage tracking feature being the culprit, hence making a negative impact on my profile. It was injecting third party ads and links to the page when the user’s website was being crawled by Search engine bots. It was not visible to normal users.

Reading WordFence’s scary article, which could create panic among users, they started pelting stones at me by flooding negative reviews even if they are not using/used the plugin. I have immediately found and removed the tracking feature completely and updated the plugin. But unfortunately, WordFence made a huge negative impact and that has made users hate me. I started replying to all of their comments, reviews and emails. But still negative reviews and comments kept coming in.

Now I realize that it is my responsibility to explain what happened with my plugin. So I thought of writing this blog post and let the 70k+ users know that the plugin is safe to use and what was happening before.

So here is what happened,

Few months back, I made an agreement for partnership with anther WordPress plugin developer. He needed few usage statistics (it was only visitors User Agent and IP address) of the plugin for his business. For me, it was fine as far is did not violate WP.org guidelines and did not break into the plugin users’ privacy. He did not want to add his own wp.org account as a committer for the plugin. Instead we used same account (my account) to commit both his code and mine. Upon installation, the plugin was asking users to agree or not agree to track their anonymous data and place small third party texts (which was used to add credits). He said it will be adding only a small text and when I did tested it, everything was perfect and working. Till yesterday, it was working and no-one ever reported this issue before.

Yesterday, someone noticed that this plugin is injecting third party ads and links to the front end when search engine crawlers were visiting their website. These links were detected by spam filters. So 404 to 301 became fraud; so am I, the developer. I found that the links and ads are being shown at the top of the page content instead of showing small credit text at very bottom, for crawlers. So, he made changes in his server to send ads & links as response. Yes, I clearly understand that this is cheating and someone who does this should be called as spammer. But in this case, I was honestly not aware of this. I take the blame for that. Changes were not a result of the plugin code, but from his server.

I made 3 mistakes:

  1. Used same account for all commits.
  2. Misunderstood the WP guidelines about remote content loading.
  3. Did not properly verify the remote server response, frequently.

I believe that the WordPress community will accept the fact that people make mistakes. I spent a lot of my hours to develop, maintain and support this plugin FREE of cost. So a small security issue which was unknowingly available in my code should not be treated like this. At least, I have fixed the issues right after the email notifications. The tracking feature is not at all available in our plugin right now.

The saddest thing was that even people who never used this plugin were simply posted negative reviews and those were more than 30 in number. People were started attacking me through Facebook, Twitter and through email. Someone sent me an email stating that “We will destroy your business”.

Mika from WP.org team then contacted me and discussed the issue. I explained what actually happened to them. They understood the situation and they were gentle enough to accept the mistake and value the efforts. They explained WHY it was a bad thing.

They said, First, we had NO idea WordFence was going to post. They didn’t warn us, and we informed them that proper behavior is to talk to YOU first, then if you don’t reply (or they can’t find you), they could contact us and WE will talk to you.

Then they said, Second, why is this wrong? Well as far as I can sort out, the “Enable UAN” feature is what does the tracking and 3rd party ads. Now, 3rd party ads at all MUST be optional and they cannot track users. We’re in the middle of re-writing our guidelines for clarity.

I respect the WP.org team.

If services like WordFence really care about the security and value the developer’s efforts, they should have contacted me instead of making a huge customer base from that security vulnerability. Or even if they were not interested to talk to me, they could have contacted the WP.org team before making this a public show. They even deleted my explanation comment at once and waited for people to comment bad things. Then, they published my second comment. If you go through the comments of WordFence article, you can see that they gained few new customers from their Super Hero action and my hours of hard work for the community and reputation went down.

This statement from WP.org team gained a lot respect for them.

I’m very disappointed in how WordFence decided to bring people’s attention to this, and said as much to them.

It sounds like you made a mistake. This happens. We don’t expect anyone to be perfect 🙂

Update : WordFence just published another article explaining why did they publish the article without informing the plugin author(that’s me). After reading this explanation, I support their act, even when it is completely against me. Mark from WordFence said, he made no attempt to notify me, assuming that I already knew this spam. As I have mentioned in this article, I knew this plugin was showing credit text, but never knew it was showing these spam ads and adult content. I didn’t know it was cloaking. I misunderstood the guidelines and thought showing credit text/links are not illegal and I saw this same message in ToS.

I apologize

  • For making a BIG mistake that I could have avoided easily.
  • For making a lot of users to look for alternative plugins.
  • For not detecting this issue by myself.
  • To the website owners, if you are affected by this incident.

I promise,

  • I will never share plugin commit access to others without having my control over it.
  • My plugins will never break any WordPress plugin guidelines.
  • My plugins will not break into users privacy.
  • My plugins will be up to the coding standard that WordPress suggests.

And I thank,

  • WP.org moderators for understanding the situation and dealing with false reviews from people who never used this plugin.
  • WordFence for reporting this.
  • Alexandar Gounder for the advice and encouragement he gave.

So, I really request you to accept this explanation of what happened and I promise that I will not let something as such happen in the future.

Feel free to add your concerns and comments below. Thanks!

There are 82 comments

Your email address will not be published. Required fields are marked *