Hacked WordPress Plug-in Put On Double, Secret Probation

A plug-in that was pulled from the official WordPress plug-in directory has been restored, but will be monitored closely, after the plug-in’s owner claimed a rogue contractor introduced malicious code into the popular web publishing add-on.

Black Hat SEO
A popular plug-in was restored to the official WordPress plug-in directory after code linked to SEO spam campaigns was removed.

Social Media Widget, a free plug-in for the WordPress blogging platform with more than a million downloads, was restored to the WordPress.org official plug-in directory on Thursday, days after it was found injecting WordPress websites with spam links to web sites offering payday loans. In a post on a support forum for Social Media Widget, Samuel Wood, a WordPress administrator, said that WordPress.org was willing to give the plug-in’s owner, Brendan Sheehan, and the plug-in itself a second chance.

“Naturally we do take a very hard line on spam, and obviously an author putting malicious code into a plugin is enough grounds for us to bring down the ban hammer,” Wood wrote on Friday. “But there are natural circumstances where an author may not be at fault.”

Social Media Widget (SMW) appears to be such a case. It is one of the 20 most popular WordPress add-ons and allows WordPress web site operators to include links to their other social media accounts. In an e-mail interview with The Security Ledger and in comments on the SMW support forum, Brendan Sheehan, the owner of SMW and co-founder of the online marketing firm Media Compass, said that the malicious PHP code was “a mistake that we will not let happen again.”

According to accounts provided by Sheehan and others, the source of the malicious code was a third-party contractor who was hired to update the SMW widget. Those changes were made without Sheehan’s or Media Compass’s knowledge and have since been backed out of the widget.

“We trusted the wrong people with our plugin code and take full responsibility. We are a marketing company at heart and are not actually developers, so in order to provide major updates and improvements, we had to seek outside help. Some of these people deceived us and abused our trust and naivety. We had no idea that the malicious code was in fact malicious or could do something like this. We only went by what was told to us by those we trusted with the plugin code. We will not make this mistake again.”

Sheehan said that the company has no plans for further major updates to the plug-in.

“We have decided that since SMW is stable and pretty feature-packed as it is right now, major updates won’t be necessary for the foreseeable future. Thus, we won’t need to hire outside work, as we can handle minor updates…We will not release any update until we know exactly what every line of code is doing; we have learned our lesson.”

Wood said that administrators for the official WordPress Plug-in directory believe Sheehan’s account of how the SMW widget was corrupted, and – in light of the large install base for the widget – are giving him and SMW another chance.

“In this case, the original author of the plugin and the current maintainer of the plugin have made it clear what has occurred here. Basically, the current maintainer is not a professional programmer, and put his trust in the wrong freelancers to do the coding work for him.”

That said, SMW will be watched closely. “We’ll be watching the plugin for changes,” he said. “The plugin is back up for now, and as long as it stays clean, it’s fine.”

Sheehan and his company recently purchased the plug-in from its creator, Brian Freytag. Suspicion was initially on Sheehan, whose company provides search engine optimization (SEO) services to web site owners.

Contacted by The Security Ledger, Freytag said that he decided to sell the SMW widget, which he developed as a side project, to earn some money for his upcoming wedding. Sheehan, he said, was looking for “a high-profile plugin to start with to bring a little legitimacy to the venture.” Sheehan struck Freytag as a legitimate – though not technically sophisticated – buyer.

“Seeing the code, I know he isn’t a coder. I saw a couple of the things he pushed out after I gave it to him and I kind of cringed at the quality of the code. It was very amateur. Then he got a freelancer in there and the quality in the code improved. Basically rewrote the entire thing.”

However, that reliance on third-party coders ended up costing Sheehan, SMW and – by extension – Freytag, who says he regrets relinquishing control of Social Media Widget.

“If you build something highly respected in the community, don’t risk watching it burn. Just take it down yourself and say ‘thank you’ to the people who supported you so strongly in the time it was available,” he told The Security Ledger.


4 Comments

  1. Hi Paul,

    Good article. I tweeted it and shared it on my Facebook page. For the life of me, I can’t see why you aren’t using Akismet. There are two spam ‘comments’ up on the right side now, something this very post is all about. This kind of takes away the professionalism but maybe you have your own reasons. I’d love to know what they are. Does Akismet miss some real comments? I know it misses some spam but not many. Good luck!

    • Hey. Thanks for writing, Brian. Of course I use Akismet. But it’s not perfect. Two got through, but around 50 got blocked. I make it a point of staying on top of the spammy links and get them removed as soon as I notice them. Thanks for the heads up!!
