I thought BlogPress SEO was bad; it turns out it's worse: it's malware. I had already discovered that it sent the admin email address to the plugin's author, but today mtekk uncovered that it was also adding an option that allowed logging in with nothing but that email address. Yes, that's bad. I checked out the plugin code again and noticed something that could solve all this.
You see, WordPress, by default, checks every installed plugin for updates against WordPress.org. It matches plugins by name and slug (the folder name). There is a way for a plugin to prevent this, but BlogPress SEO doesn't do it. With the help of Andrew Nacin, I registered blogpressseo as a plugin on WordPress.org, created an empty plugin file with the same name and a higher version number, added a readme.txt with an upgrade notice, and uploaded it to WordPress.org.
I had already installed the plugin on my blog (well, an empty version of it, just the headers) so I could test it, and lo and behold, it worked:
It's a primitive form of a kill switch (I wish WordPress had a real one, but this is better than nothing). The funny thing is: we'll now also be able to see how many people are running this plugin and how many of them upgrade. So far, 26 people have been saved!
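For reference, this is what the "method to prevent this" looks like for a plugin that is not distributed through WordPress.org. It is an added example, not code from the post or from BlogPress SEO, and the plugin name and file layout are made up for illustration. WordPress keys both its update request and the API's response by plugin basename ("folder/file.php"), so a plugin that shares a slug with a WordPress.org plugin carrying a higher version number will be offered that update unless it removes itself from the update transient:

```php
<?php
/**
 * Plugin Name: Example Private Plugin
 * Description: Added example (hypothetical plugin): opt a non-WordPress.org plugin out of the .org update check.
 * Version: 1.0.0
 * Update URI: false
 */

// WordPress sends the list of installed plugins to api.wordpress.org and
// stores the result in the "update_plugins" site transient, keyed by plugin
// basename. Anything left in $transient->response is shown as an available
// update and can be installed over the top of this plugin. Filtering the
// transient is the pre-5.8 way to opt out; the "Update URI: false" header
// above does the same in WordPress 5.8 and later.
add_filter( 'site_transient_update_plugins', 'example_private_plugin_hide_updates' );

function example_private_plugin_hide_updates( $transient ) {
	// The transient can be false (never fetched) or an object without a
	// response list yet, so guard before touching its properties.
	if ( ! is_object( $transient ) ) {
		return $transient;
	}

	// e.g. "example-private-plugin/example-private-plugin.php" (hypothetical name)
	$basename = plugin_basename( __FILE__ );

	// Drop any update the .org API matched to our slug, whoever published it.
	if ( isset( $transient->response ) && isset( $transient->response[ $basename ] ) ) {
		unset( $transient->response[ $basename ] );
	}

	// Also drop the "no update" entry so the .org listing is not shown
	// as the plugin's own details.
	if ( isset( $transient->no_update ) && isset( $transient->no_update[ $basename ] ) ) {
		unset( $transient->no_update[ $basename ] );
	}

	return $transient;
}
```

The flip side is exactly what made the kill switch possible: a plugin that does neither of these things trusts whatever WordPress.org says about its own slug, so whoever controls that slug on WordPress.org controls what gets installed on every site running it.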
Update: Just posted more info on how I did this using the WordPress plugin update system.