BlogPress SEO: solved

I thought BlogPress SEO was bad; it turns out it’s worse. It’s malware. I had already discovered that it sent the admin email address to the plugin’s author, but today mtekk uncovered that it was also adding an option that allows logging in with nothing but that email address. Yes, that’s bad. I went through the plugin code again and noticed something that could solve all of this.

You see, WordPress, by default, checks WordPress.org for updates to every installed plugin, and it matches plugins by name and slug (folder name). There is a method a plugin can use to opt out of this check, but BlogPress SEO doesn’t use it. With the help of Andrew Nacin, I registered blogpressseo as a plugin on WordPress.org, created an empty plugin file with the same name and a higher version number, added a readme.txt with an upgrade notice, and uploaded it to WordPress.org.
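The opt-out the paragraph above alludes to (the approach Mark Jaquith described), written here as an added example rather than code from this post or from any plugin it mentions: a self-hosted plugin removes itself from the plugin list WordPress posts to api.wordpress.org, so a same-slug upload there is never matched against it and never offered as its update. The plugin file, header and function names are assumptions; it handles both the JSON body current WordPress sends and the serialized body used in 2010.

```php
<?php
/*
Plugin Name: Example Self-Hosted Plugin
Version: 1.0
*/

// Strip this plugin from the data WordPress posts to api.wordpress.org, so a
// same-slug plugin uploaded there is never matched against it. $args and $url
// are what the 'http_request_args' filter passes in for every HTTP request.
function example_hide_from_wporg_update_check( $args, $url ) {
	if ( false === strpos( $url, '://api.wordpress.org/plugins/update-check/' )
		|| empty( $args['body']['plugins'] ) ) {
		return $args; // any other request: leave untouched
	}
	$me  = plugin_basename( __FILE__ ); // e.g. "example-plugin/example-plugin.php"
	$raw = $args['body']['plugins'];

	$data = json_decode( $raw, true );
	if ( is_array( $data ) ) {
		// WordPress 3.7+ sends JSON: {"plugins":{basename:{...}},"active":[basename,...]}
		unset( $data['plugins'][ $me ] );
		$data['active'] = array_values( array_diff( (array) $data['active'], array( $me ) ) );
		$args['body']['plugins'] = json_encode( $data );
	} else {
		// WordPress 2.8-3.6 (current when this post was written) sent a
		// serialized object with the same two members.
		$data = unserialize( $raw );
		if ( is_object( $data ) ) {
			unset( $data->plugins[ $me ] );
			$data->active = array_values( array_diff( (array) $data->active, array( $me ) ) );
			$args['body']['plugins'] = serialize( $data );
		}
	}
	return $args;
}
add_filter( 'http_request_args', 'example_hide_from_wporg_update_check', 10, 2 );

// Belt and braces: if an update offer for this plugin still shows up and its
// package would be fetched from WordPress.org, discard it. An offer from a
// self-hosted update server (different host) is left alone.
function example_discard_wporg_update_offer( $transient ) {
	$me = plugin_basename( __FILE__ );
	if ( is_object( $transient ) && ! empty( $transient->response[ $me ]->package ) ) {
		$host = parse_url( $transient->response[ $me ]->package, PHP_URL_HOST );
		if ( 'downloads.wordpress.org' === $host ) {
			unset( $transient->response[ $me ] );
		}
	}
	return $transient;
}
add_filter( 'site_transient_update_plugins', 'example_discard_wporg_update_offer' );
```

WordPress 5.8 and later also accept an `Update URI:` plugin header; when it points anywhere other than WordPress.org, core excludes the plugin from the WordPress.org check without any filter code.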

I had already installed the plugin on my blog (well, an empty version of it, just the headers) so I could test it, and lo and behold, it worked:

[Screenshot: blogpress seo update]

It’s a primitive form of a kill switch (I wish WordPress had a real one, but this is better than nothing). The funny thing is that we’ll now also be able to see how many people are running this plugin and how many of them upgrade. So far, 26 people have been saved!

Update: Just posted more info on how I did this using the WordPress plugin update system.



50 Responses

  1. By Norcross on 14 November, 2010

    Glad to see this come to a resolution. And hats off to coming up with an ingenious solution to a clearly devilish plugin. Happy that you and Nacin were able to work together on this.

  2. By Agent WordPress on 14 November, 2010

    Thanks a lot for the help. But it won’t delete the entries in the database. How do I remove those?

  3. By Ryan on 14 November, 2010

    Bahahahaha, pure genius!

  4. By Ryan on 14 November, 2010

    I thought it might be a good idea to leave an admin notice for them too. Many people will bypass the upgrade notice and won’t know that the plugin isn’t doing anything.

    Here’s a new version I created with a simple admin notice:
    http://demo.pixopoint.com/static/blogpresseo_pixomod1.zip

  5. By Ozh on 14 November, 2010

    Wicked idea, and put to good use. Now, I hope this won’t start a trend of people trying to take over popular plugins that are not hosted on wp.org :)

    • By Zachary on 14 November, 2010

      No kidding – This could get ugly.

    • By Joost de Valk on 14 November, 2010

      Well it’s actually quite easy to prevent…

      • By Zachary on 14 November, 2010

        That’s good :-)

  6. By Jeff Waugh on 14 November, 2010

    Well played, sir!

  7. By Andreas Nurbo on 14 November, 2010

    I commented on this on my blog since I think this action opens a can of worms that the WordPress community needs to deal with. I don’t really like it even if it’s for a good cause. WordPress.org introduces a killswitch?

    • By Joost de Valk on 14 November, 2010

      I’ll reply to that in another post in a bit ;)

  8. By Jan Egbert on 14 November, 2010

    This “solution” raises some serious questions. Andreas Nurbo is asking those questions here: http://bit.ly/che2xX

  9. By Joost on 14 November, 2010

    Nicely done, but I have to agree with Andreas Nurbo. Now that this is out in the open, popular plugins that are not on wp.org and do not implement the markjaquith.wordpress.com trick are very vulnerable…

  10. By Barbara Ling, Virtual Coach on 14 November, 2010

    Oh wow, that’s scary. Never even realized such ickness could be done, but it really shouldn’t surprise me. Brilliant solution on your part.

  11. By Agent WordPress on 14 November, 2010

    @all

    What is the markjaquith.wordpress.com trick?

  12. By Luis on 14 November, 2010

    Wait, so if the code is bad, why even bother with this plugin? There are other SEO plugins for WordPress, what makes this one special?

    • By Josh on 14 November, 2010

      He had the ill-considered idea to ask Joost to review it. And then he followed through and acted on that idea.

    • By Joost de Valk on 14 November, 2010

      This one has a backdoor in it and several other things that make it more than just bad, it’s malware.

  13. By Harry on 14 November, 2010

    So the best one is made by Mr. Saurabh Nagar.
    *Is it a freebie?

  14. By Rav on 14 November, 2010

    The plugin author has started to fire back, blaming Yoast; see this:
    http://blogpressseo.com/wordpress/how-can-i-review-a-free-plugin/

    So I thought to send in a Review Copy once to a few select guys, so that they can write about it on their blog or send it to their valued reader.

    However here is what I got in the reply …

    This is a free plugin… I only promote paid plugin.

    In reply I wrote

    I am sorry, I just have a free plugin as of now and I don’t plan to offer a paid version any time soon. Can’t you just promote the free plugin?

    The reply I got was shocking!

    Give me 1k to review this on my blog!

    and finally this guy reviewed for me and it was a free review

    • By Joost de Valk on 14 November, 2010

      Heh yeah, it’s funny, he emailed me today after all this asking me to help him and why I was doing all this, and I was like “dude, you added a backdoor on purpose, you think I’ll ever trust you?”

  15. By Josh on 14 November, 2010

    A clever (and much needed, IMO) hijack.
    This might be a one-off fix since plugin devs who aren’t hosted on wp.org are now disabling automatic updates. Now if Joost hadn’t said anything…
    Seriously though, since it’s all out in the open, I really doubt this will be a can of worms, unless a lot of these plugins aren’t being actively maintained. Oh. wait…

  16. By John Havlik on 14 November, 2010

    Just make sure you periodically update the plugin; they’ll just release a 3.0 and you’ll get into a version escalation war.

    • By Joost de Valk on 14 November, 2010

      Not really… They don’t have an update mechanism…

      • By John Havlik on 14 November, 2010

        I’m not talking about fighting update mechanisms, as you said that is not a problem *yet*. What I am talking about is on their site, they could release a 3.0 and start peddling that. Remember their audience is not someone who would necessarily check wordpress.org/extend first for something. Though it is more likely they’ll just rename their malware to continue peddling it.

  17. By John Garrett on 15 November, 2010

    Sheesh! I’m glad I read this site.

    Not that I would have ever used something like blogpres seo anyway. I’m dumb but I’m not THAT dubm dumb :)

    Anyway, gotta pass this around to some friends to make sure they are up on this stuff. Thanks!

    p.s. – not only can I not believe he asked for the original review, but then to ask for help AGAIN?? mind boggling…

  18. By SEO Freak Show on 16 November, 2010

    This ‘could’ have caused a ton of issues for site owners if you never reviewed this plugin, thank you for looking out for us.

    Hopefully WP.org will get a bit more serious sooner than later…

  19. By Bradley on 17 November, 2010

    Wow this is disgusting. The guy also has the arrogance to set up a blog to blast you and titled one of his stories “Why big guys don’t like BlogPress SEO?”… gotta get this guy blacklisted asap.

    • By John Havlik on 17 November, 2010

      That guy is even more childish:

      This is my personal challenge, do not rely on any toast who just works for money and gets laid in the night for money!

      That sounds like a defamatory comment.

      • By Joost de Valk on 17 November, 2010

        Hehe it’s funny, really, more than anything else.

        • By Bradley on 18 November, 2010

          Yet he is charging people $1000 to review plugins as well. *sigh*.

          Go Yoast! Keep us in the know of the truth :)

  20. By John Havlik on 19 November, 2010

    Another day, another nugget, if you visit their website you’ll see some usage graphs. We caused the user base to go from 65 to 6 :D. Unfortunately, it is up to 20 or so again :(.

    • By Bradley on 19 November, 2010

      Could be people testing the script in closed environments :P

  21. By jimmy on 24 November, 2010

    It’s really funny how stupid people are ;)

  22. By Adriana Web design Brisbane on 26 November, 2010

    Wow, thank you for this post. I do have that installed in my WordPress… The problem when you use a plugin is that you are then stuck with it and you have to solve the flaws, or overcome them! This is a great tip. I am a web designer just starting out in the WordPress world and loving it!
    Thanks!

  23. By Vann Digital Networks on 26 November, 2010

    I aint never heard of this BlogPress thing until I read about it on WordPress news.

    Glad I aint never use it.

    But then again,

    Aint gon never use a plugin I gotta pay for.

    And BlogPressSEO done showed me why I shouldn’t never pay to download plugins.

    VDN

  24. By Daniel on 7 December, 2010

    I had a random spam email turn up today about this plugin. I thought it sounded good, so I searched the plugins in WP and found this, and I’m glad I did before I installed it. How many are not?

  25. By dotcompals on 7 December, 2010

    Installed the plugin and activated it, but I can’t see it in the admin panel. What’s next?

  26. By dotcompals on 7 December, 2010

    Please ignore my above comment. Deleted the plugin.
