Updates to this story are at the bottom of the post…
Making the rounds today from Techie Buzz is a discussion about a WordPress plugin called “BlogPress SEO”. Now, as you know, any plugin that promises linkbacks without you having to work for them is clearly doing something that is not above board. That promise, among others, is exactly what BlogPress SEO makes.
From what we’re reading over at Yoast and Mtekk, the plugin has back doors that will let the author bypass the login screen completely and get into the admin area of your blog in a snap. Even Matt Cutts, head of the webspam team at Google, gives his warning over Twitter.
Setting aside the bad SEO practices and the malware-like behaviour of the plugin, there is one essential lesson in this:
Don’t download plugins that aren’t in the WordPress plugin repository.
When this news came to our attention, the first thing I did was to search for it in the WP plugins repository. It wasn’t there. Which is good, because I know the folks who review all the plugins that are allowed into the repository and I’d be surprised if it were allowed in with suspect SEO and backdoor login hacks. Clearly the WordPress team is on their game.
It took me a while to find the site where you download the plugin and the site smacks of spam and scam. It just has that thrown together look. That should have been the first clue.
So, when you find a “cool new plugin” that people think you should download, check WP.org first. Then ask around in the WP forums. Remember: if it sounds too good to be true, it often is.
Yoast posted a couple of pieces of good news on the BlogPress SEO plugin problem. In his first post Yoast explained (in brief) how, with the help of über WordPress coder Andrew Nacin (who helped me out a great deal with my book on WP), he created a “new” plugin of the same name and put it into the WP.org plugin repository. When sites running the original BlogPress SEO plugin checked for updates, WordPress matched the repository entry by name and what they got was an empty, harmless plugin in its place.
In a follow-up post Yoast explained how he and Andrew pulled this off. Yoast’s method isn’t without criticism. He did exploit the way WordPress looks for and applies updates to plugins, themes, and WordPress core itself: the update check matches an installed plugin to a repository entry by its slug, not by who wrote it, so a repository plugin with the same slug and a higher version number gets offered as the update. I would say that this is a case of using an “evil” tactic for good. BlogPress SEO is just bad news. There are bigger issues here, though: does WordPress need some kind of kill switch to prevent these things from happening in the first place? Or does WordPress need a system of “verified authors” like the one for Chrome extensions?
Until now I think the system has worked really well. And let’s be clear here, BlogPress SEO wasn’t in the WP.org plugin repository. That plugin would never have passed muster to get into the repository in the first place. I don’t think the system is broken, maybe it just needs a tweak or two.
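To make the update mechanism Yoast leaned on concrete, here is an added example (not code from WordPress, from Yoast’s plugin, or from this post) that simulates the plugin update check. The request and response shape is reconstructed from the public api.wordpress.org update-check API and is an assumption; the installed plugin list, version numbers and Plugin URIs are constructed sample data, not the real plugin’s. It shows why a repository entry with the same slug and a higher version replaces a plugin installed from elsewhere, and adds a simple heuristic check, also an assumption rather than a WordPress feature, that flags such slug collisions before the update is applied.

```python
"""Simulate the WordPress plugin update check to show how a repository
plugin with the same slug can replace a plugin installed from elsewhere.
Added example: the update-check response shape below is reconstructed
from the public api.wordpress.org API (assumption), and every plugin,
version and URI is constructed sample data."""
import json
import re
from urllib.parse import urlparse

# Installed plugins keyed by "<dir>/<main-file>.php", with the header fields
# WordPress sends to api.wordpress.org/plugins/update-check/ (constructed sample).
INSTALLED = {
    "blogpress-seo/blogpress-seo.php": {
        "Name": "BlogPress SEO",
        "Version": "1.4",  # constructed version, not the real plugin's
        "PluginURI": "http://example.invalid/blogpress-seo",  # constructed, not the real site
    },
    "hello-dolly/hello.php": {
        "Name": "Hello Dolly",
        "Version": "1.6",
        "PluginURI": "https://wordpress.org/plugins/hello-dolly/",
    },
}

# Constructed stand-in for the update-check response: the repository now
# holds a "blogpress-seo" slug at a higher version than the installed copy.
REPO_RESPONSE = json.dumps({
    "plugins": {
        "blogpress-seo/blogpress-seo.php": {
            "slug": "blogpress-seo",
            "new_version": "2.0",
            "package": "https://downloads.wordpress.org/plugin/blogpress-seo.2.0.zip",
        }
    },
    "no_update": {
        "hello-dolly/hello.php": {"slug": "hello-dolly", "new_version": "1.6"},
    },
})


def version_key(version):
    """Simplified stand-in for PHP's version_compare(): split on separators,
    compare numeric components as integers, treat anything else as lowest."""
    parts = re.split(r"[.\-_+]", version)
    return tuple(int(p) if p.isdigit() else -1 for p in parts)


def pending_updates(installed, response_json):
    """Mirror the core decision: an entry under 'plugins' whose new_version is
    higher than the installed Version is offered as an update. The match is by
    plugin file path (the slug), never by author, which is the whole weakness."""
    resp = json.loads(response_json)
    offered = {}
    for plugin_file, info in resp.get("plugins", {}).items():
        if plugin_file not in installed:
            continue
        if version_key(info["new_version"]) > version_key(installed[plugin_file]["Version"]):
            offered[plugin_file] = info
    return offered


def suspicious_updates(installed, offered):
    """Heuristic check (assumption, not a WordPress feature): flag an offered
    repository update for a plugin whose own Plugin URI does not point at
    wordpress.org, because the repository entry may belong to a different author."""
    flagged = []
    for plugin_file, info in offered.items():
        host = urlparse(installed[plugin_file].get("PluginURI", "")).hostname or ""
        if not (host == "wordpress.org" or host.endswith(".wordpress.org")):
            flagged.append((plugin_file, info["slug"],
                            installed[plugin_file]["Version"], info["new_version"]))
    return flagged


if __name__ == "__main__":
    offered = pending_updates(INSTALLED, REPO_RESPONSE)
    for plugin_file, info in offered.items():
        print(f"update offered: {plugin_file} {INSTALLED[plugin_file]['Version']} "
              f"-> {info['new_version']} from {info['package']}")
    for row in suspicious_updates(INSTALLED, offered):
        print("slug collision with the repository, review before updating:", row)
```

Run as-is, the simulated check offers the 2.0 package for the third-party copy of BlogPress SEO and leaves Hello Dolly alone; the heuristic then flags the BlogPress SEO update because its Plugin URI is not on wordpress.org. In Yoast’s case the flagged update was the harmless one, but the same mechanism would let anyone who registers an unclaimed slug push code to every site running a plugin of that name, which is the stronger argument for only installing plugins that live in the repository.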
If you did install BlogPress SEO, I suggest not only changing your admin password, but also using a new email address for it. And remember, if the plugin isn’t in the WP.org repository, be very, very careful about installing it at all.