BlogPress SEO: solved

I thought BlogPress SEO was bad; it turns out it’s worse: it’s malware. I had already discovered that it sent the site’s admin email address to the plugin’s author, but today mtekk uncovered that it also added a way to log in using only that email address. Yes, that’s bad. I checked the plugin code again and noticed something that could solve all this.

You see, by default WordPress checks wordpress.org for updates to every installed plugin. It matches plugins by name and slug (the folder name). There is a way for a plugin to opt out of this check, but BlogPress SEO doesn’t use it. With the help of Andrew Nacin, I registered blogpressseo as a plugin on wordpress.org, created an empty plugin file with the same name and a higher version number, added a readme.txt with an upgrade notice, and uploaded it to wordpress.org.
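As an added example (it is not code from this post, nor from BlogPress SEO or any real plugin), here is how a plugin that is not hosted on wordpress.org can opt out of that update check, so that a wordpress.org plugin with the same slug is never offered as an "upgrade". The plugin name, function names and file layout are hypothetical; the two hooks it uses, http_request_args and site_transient_update_plugins, are real WordPress filters.

```php
<?php
/**
 * Plugin Name: Example Update-Check Guard
 * Description: Added example (hypothetical plugin): stops WordPress from matching
 *              this plugin, by slug, to a wordpress.org plugin of the same name.
 * Version:     1.0.0
 */

if ( ! defined( 'ABSPATH' ) ) {
	exit; // Never run outside WordPress.
}

/**
 * Layer 1: remove this plugin from the list WordPress POSTs to
 * api.wordpress.org/plugins/update-check/, so the API never sees our slug.
 * The list is keyed by plugin basename (folder/file.php); the API matches
 * on the folder part, which is exactly what a same-slug plugin would collide on.
 */
function example_guard_exclude_from_update_check( $args, $url ) {
	if ( false === strpos( $url, '://api.wordpress.org/plugins/update-check/' ) ) {
		return $args; // Not the plugin update-check request: leave it alone.
	}
	if ( empty( $args['body']['plugins'] ) ) {
		return $args;
	}

	$basename = plugin_basename( __FILE__ ); // e.g. example-update-guard/example-update-guard.php
	$payload  = $args['body']['plugins'];

	// WordPress 3.7+ sends the list as JSON: {"plugins": {...}, "active": [...]}.
	$decoded = json_decode( $payload, true );
	if ( is_array( $decoded ) && isset( $decoded['plugins'] ) ) {
		unset( $decoded['plugins'][ $basename ] );
		if ( isset( $decoded['active'] ) && is_array( $decoded['active'] ) ) {
			$decoded['active'] = array_values( array_diff( $decoded['active'], array( $basename ) ) );
		}
		$args['body']['plugins'] = json_encode( $decoded );
		return $args;
	}

	// Older WordPress sent a PHP-serialized object with ->plugins and ->active.
	// The payload was built by WordPress itself, not received from the network.
	$legacy = @unserialize( $payload );
	if ( is_object( $legacy ) && isset( $legacy->plugins ) ) {
		unset( $legacy->plugins[ $basename ] );
		if ( isset( $legacy->active ) && is_array( $legacy->active ) ) {
			$legacy->active = array_values( array_diff( $legacy->active, array( $basename ) ) );
		}
		$args['body']['plugins'] = serialize( $legacy );
	}
	return $args;
}
add_filter( 'http_request_args', 'example_guard_exclude_from_update_check', 10, 2 );

/**
 * Layer 2: even if an update for our basename does land in the update
 * transient, drop it before the admin screen offers it. A site owner who
 * wants to notice a slug collision rather than hide it can hook the same
 * filter and log the offered package URL instead of unsetting it.
 */
function example_guard_drop_foreign_update( $transient ) {
	$basename = plugin_basename( __FILE__ );
	if ( is_object( $transient ) && isset( $transient->response[ $basename ] ) ) {
		unset( $transient->response[ $basename ] );
	}
	return $transient;
}
add_filter( 'site_transient_update_plugins', 'example_guard_drop_foreign_update' );
```

The first filter is the method plugin authors used at the time of this post; the second is a safety net in case the update record arrives by another route. In current WordPress (5.8 and later, a fact not from this post) the supported way to opt out is the "Update URI" plugin header: a value that is not a wordpress.org URL tells the update API not to return updates for that plugin.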

I had already installed the plugin on my blog (well, an empty version of it, just the headers) so I could test it, and lo and behold, it worked:

[Screenshot: the BlogPress SEO update notice in the plugins screen]

It’s a primitive form of a kill switch (I wish WordPress had a real one, but this is better than nothing). The funny thing is that we’ll now also be able to see how many people are running this plugin and how many of them upgrade. So far, 26 people have been saved!

Update: Just posted more info on how I did this using the WordPress plugin update system.

50 Responses

  1. Norcross
    By Norcross on 14 November, 2010

    Glad to see this come to a resolution. And hat’s off to coming up with an ingenious solution to a clearly devilish plugin. Happy that you and Nacin were able to work together on this.

  2. Agent WordPress
    By Agent WordPress on 14 November, 2010

    Thanks a lot for help. But it won’t delete the entries in database. How to remove that?

  3. Ryan
    By Ryan on 14 November, 2010

    Bahahahaha, pure genius!

  4. Ryan
    By Ryan on 14 November, 2010

    I thought it might be a good idea to leave an admin notice for them too. Many people will bypass the upgrade notice and won’t know that the plugin isn’t doing anything.

    Here’s a new version I created with a simple admin notice:

  5. Ozh
    By Ozh on 14 November, 2010

    Wicked idea, and put to good use. Now, I hope this won’t start a trend of people trying to take over popular plugins that are not hosted on wordpress.org :)

    • Zachary
      By Zachary on 14 November, 2010

      No kidding – This could get ugly.

    • Joost de Valk
      By Joost de Valk on 14 November, 2010

      Well it’s actually quite easy to prevent…

      • Zachary
        By Zachary on 14 November, 2010

        That’s good :-)

  6. Jeff Waugh
    By Jeff Waugh on 14 November, 2010

    Well played, sir!

  7. Andreas Nurbo
    By Andreas Nurbo on 14 November, 2010

    I commented on this on my blog since I think this action opens a can of worms that the WordPress community needs to deal with. I don’t really like it even if it’s for a good cause. introduces a killswitch?

    • Joost de Valk
      By Joost de Valk on 14 November, 2010

      I’ll reply to that in another post in a bit ;)

  8. Jan Egbert
    By Jan Egbert on 14 November, 2010

    This “solution” raises some serious questions. Andreas Nurbo is asking those questions here:

  9. Joost
    By Joost on 14 November, 2010

    Nicely done, but I have to agree with Andreas Nurbo. Now that this is out in the open, popular plugins that are not on wordpress.org and do not implement the trick are very vulnerable…

  10. Barbara Ling, Virtual Coach
    By Barbara Ling, Virtual Coach on 14 November, 2010

    Oh wow, that’s scary. Never even realized such ickness could be done, but it really shouldn’t surprise me. Brilliant solution on your part.

  11. Agent WordPress
    By Agent WordPress on 14 November, 2010


    What is trick?

  12. Luis
    By Luis on 14 November, 2010

    Wait, so if the code is bad, why even bother with this plugin? There are other SEO plugins for WordPress, what makes this one special?

    • Josh
      By Josh on 14 November, 2010

      He had the ill-considered idea to ask Joost to review it. And then he followed through and acted on that idea.

    • Joost de Valk
      By Joost de Valk on 14 November, 2010

      This one has a backdoor in it and several other things that make it more than just bad, it’s malware.

  13. Harry
    By Harry on 14 November, 2010

    so the best one made by Mr. Saurabh Nagar.
    *is it a freebies?

  14. Rav
    By Rav on 14 November, 2010

    Plugin author started backfire – blaming yoast – see this

    So I thought to send in a Review Copy once to a few select guys, so that they can write about it on their blog or send it to their valued reader.

    However here is what I got in the reply …

    This is a free plugin… I only promote paid plugin.

    In reply I wrote

    I am sorry I just have a free plugin as of now and I dont plan to offer a paid version any soon. Can’t you just promote the free plugin?

    The reply I got was shocking!

    Give me 1k to review this on my blog!

    and finally this guy reviewed for me and it was a free review

    • Joost de Valk
      By Joost de Valk on 14 November, 2010

      Heh yeah, it’s funny, he emailed me today after all this asking me to help him and why I was doing all this, and I was like “dude, you added a backdoor on purpose, you think I’ll ever trust you?”

  15. Josh
    By Josh on 14 November, 2010

    A clever (and much needed, IMO) hijack.
    This might be a one-off fix since plugin devs who aren’t hosted on wordpress.org are now disabling automatic updates. Now if Joost hadn’t said anything…
    Seriously though, since it’s all out in the open, I really doubt this will be a can of worms, unless a lot of these plugins aren’t being actively maintained. Oh. wait…

  16. John Havlik
    By John Havlik on 14 November, 2010

    Just make sure you periodically update the plugin, they’ll just release a 3.0 and you’ll get in a version escalation war.

    • Joost de Valk
      By Joost de Valk on 14 November, 2010

      Not really… They don’t have an update mechanism…

      • John Havlik
        By John Havlik on 14 November, 2010

        I’m not talking about fighting update mechanisms, as you said that is not a problem *yet*. What I am talking about is on their site, they could release a 3.0 and start peddling that. Remember their audience is not someone who would necessarily check first for something. Though it is more likely they’ll just rename their malware to continue peddling it.

  17. John Garrett
    By John Garrett on 15 November, 2010

    Sheesh! I’m glad I read this site.

    Not that I would have ever used something like blogpress seo anyway. I’m dumb but I’m not THAT dumb :)

    Anyway, gotta pass this around to some friends to make sure they are up on this stuff. Thanks!

    p.s. – not only can I not believe he asked for the original review, but then to ask for help AGAIN?? mind boggling…

  18. SEO Freak Show
    By SEO Freak Show on 16 November, 2010

    This ‘could’ have caused a ton of issues for site owners if you never reviewed this plugin, thank you for looking out for us.

    Hopefully will get a bit more serious sooner than later…

  19. Bradley
    By Bradley on 17 November, 2010

    Wow this is disgusting. The guy also has the arrogance to set up a blog to blast you and titled one of his stories “Why big guys don’t like BlogPress SEO?”… gotta get this guy blacklisted asap.

    • John Havlik
      By John Havlik on 17 November, 2010

      That guy is even more childish:

      This is my personal challenge, do not rely on any toast who just works for money and gets laid in the night for money!

      That sounds like a defamatory comment.

      • Joost de Valk
        By Joost de Valk on 17 November, 2010

        Hehe it’s funny, really, more than anything else.

        • Bradley
          By Bradley on 18 November, 2010

          Yet he is charging people $1000 to review plugins as well. *sigh*.

          Go Yoast! Keep us in the know of the truth :)

  20. John Havlik
    By John Havlik on 19 November, 2010

    Another day, another nugget, if you visit their website you’ll see some usage graphs. We caused the user base to go from 65 to 6 :D. Unfortunately, it is up to 20 or so again :(.

    • Bradley
      By Bradley on 19 November, 2010

      Could be people testing the script in closed environments :P

  21. jimmy
    By jimmy on 24 November, 2010

    It’s really funny how stupid people are ;)

  22. Adriana Web design Brisbane
    By Adriana Web design Brisbane on 26 November, 2010

    Wow, thank you for this post. I do have that installed in my WordPress… The problem when you use a plugin is that then you are stuck with it and you have to solve the flaws, or overcome them! This is a great tip. I am a web designer just starting into the WordPress world and loving it!

  23. Vann Digital Networks
    By Vann Digital Networks on 26 November, 2010

    I aint never heard of this BlogPress thing until I read about it on WordPress news.

    Glad I aint never use it.

    But then again,

    Aint gon never use a plugin I gotta pay for.

    And BlogPressSEO done showed me why I shouldnt never pay to download plugins.


  24. Daniel
    By Daniel on 7 December, 2010

    I had a random spam email turn up today from this plugin. I thought it sounded good, so I searched the plugins in WP and found this, and I’m glad I did before I installed it. How many are not.

  25. dotcompals
    By dotcompals on 7 December, 2010

    Installed the plugin and activated it, but I can’t see it in the admin panel. What’s next?

  26. dotcompals
    By dotcompals on 7 December, 2010

    Please ignore my above comment. Deleted the plugin.