Sub-topic: How I was unfairly moderated on the WordPress support forum for posting about a plugin which breaks multiple WordPress plugin repository rules and potentially damages WordPress users sites!
I’m a long term user of the Display Widgets plugin, the plugin was so usefully I added the plugin directly into the Stallion Responsive Theme over 5 years ago and last year forked** the plugin to create the Display Widgets SEO Plus Plugin.
** Forking a plugin means making a copy of it, fix bugs/add new features and possibly take the plugin in a different direction.
I forked the Display Widgets plugin (version 2.05) because the developer had stopped maintaining the plugin (over 2 years without an update, wasn’t answering support requests) AND I wanted to fix bugs and extend the Display Widgets features (v2.05 is quite basic in widget logic features).
Who Knew You Can Buy Open Source Plugins!
Around May 2017 the original Display Widgets plugin developer sold the plugin to a new developer (WordPress username @displaywidget).
I took the above screenshot mid July 2017, the developer has been a member of the WordPress site for 2 months, controls a plugin with 200,000 plus active installs and has posted no information about themselves! To new plugin developers, trust is a very important factor when creating free plugins, add some information about yourself so your users can check you out.
In June 2017 the new developer released an update (version 2.6.0) of the Display Widgets plugin and it’s version 2.6.* of the plugin I’ll be reviewing (nothing major wrong with the old v2.05 code).
Display Widgets Plugin Version 2.6.0 Review
The new developer rewrote the code to update the general code, unfortunately the new code broke (added a new bug) one of the basic Display Widget features: when visiting “Appearance” > “Widgets” the Display Widgets options are supposed to load when viewing a widget, with version 2.6.0 you had to click the “Save” widget button for the display widget options to show!
Version 2.6.0 didn’t appear to fix any of the (small) bugs present in v2.05 and didn’t extend any of the core widget logic features.
What it added was an automated download of another plugin (a geolocation widget: was over 50MB in size!) from a private server!
Automatically installing code from a private server is against the WordPress plugin repository rules.
The new code also connected to another server to track visitors data including:
IP Address (can potentially track you to your street address)
Webpage Visited (URL of the webpages a visitor visited)
Site URL (the URL of the WordPress site the Display Widgets plugin is installed on)
User Agent (which browser the visitors uses etc…)
Automatically tracking user data etc… without the permission of the site owner is against the WordPress plugin repository rules.
I reported the infringements to the plugin repository, simply email them via email@example.com and explain what’s you think is wrong.
Version 2.6.0 was removed from the plugin repository. If you are using version 2.6.0 of the Display Widgets Plugin on your site, remove it NOW.
The plugin repository are very understanding, a week or so later the developer released a new version (v2.6.1).
Display Widgets Plugin Version 2.6.1 Review
The new developer reverted back to the old v2.05 base code fixing the bug mentioned above (having to click “Save” to see the options).
Still no 2.05 bug fixes, still no core widget logic features extended.
The automated download of the 50MB geolocation plugin was removed.
Version 2.6.1 was still tracking user data without permission (see v2.6.0 review above), though he’d changed which server was connected to (no idea why, still tracked the same data???).
I reported the infringements to the WordPress plugin repository, version 2.6.1 was removed from the plugin repository. If you are using version 2.6.1 of the Display Widgets Plugin on your site, remove it NOW.
The plugin repository are very, very :-) understanding, the developer released a new version (v2.6.2).
Display Widgets Plugin Version 2.6.2 Review
Version 2.6.2 is pretty much v2.6.1 with an option to tick to turn on the tracking and a privacy notification.
The above is all that’s required for a plugin developer to track your visitors data: basically click an option to turn a feature on and inform the site owner “I’m tracking your user data”. I contacted the plugin repository and they confirmed the above is all that’s needed: it’s not up to the plugin repository what WordPress site owners add to their sites, their rules are to make sure the site owners are informed about what they’ve installed NOT to protect them from installing bad plugins.
This is the content of my WordPress support forum post: https://wordpress.org/support/topic/display-widgets-plugin-geolocation-tracking-visitors-without-permission/
Display Widgets Plugin Geolocation Tracking Visitors without Permission
I have a question regarding the visitor data you are tracking/storing and your terms at http://geoip2.io/terms.html
We will collect website information by lawful and fair means and, where appropriate, with the knowledge or consent of the individual concerned. Before or at the time of collecting such information, we will identify the purposes for which information is being collected. We will collect and use such information solely for fulfilling those purposes specified by us and for other ancillary purposes, unless we obtain the consent of the individual concerned or as required by law. Website data should be relevant to the purposes for which it is to be used, and, to the extent necessary for those purposes, should be accurate, complete, and up-to-date. The following data is currently collected for analysis and in order to optimize GeoIP2.io’s performance:
Website and Page URL – Collected to track service usage by Country, Region and Domain; we reserve the right to blacklist certain domains that exceed reasonable service usage
Visitor’s User Agent and IP Address – Required to determine Visitor’s Country of origin
with the knowledge or consent of the individual concerned. Before or at the time of collecting such information, we will identify the purposes for which information is being collected.
As “the individual concerned” how and when did you inform me you are collecting my user data and how did you gain my consent and how did you inform me the reason for collecting my data?
You have my IP address (184.108.40.206), the user agent (Mozilla Firefox etc…), the webpage I connected from (one of my localhost test servers on my PC), it’s a WordPress Post (/embed-tests/) for testing WordPress embed code. You even know the folder (/str-2016-09/) on my PC I was running the test server from and that it’s running WordPress 4.8.
Example data you’ll have in your weblog:
220.127.116.11 - - [04/Jul/2017:10:46:24 -0700] "GET /api/update/?url=http%3A%2F%2Flocalhost%2Fstr-2016-09%2Fembed-tests%2F&agent=Mozilla%2F5.0+%28Windows+NT+6.1%3B+WOW64%3B+rv%3A54.0%29+Gecko%2F20100101+Firefox%2F54.0&geo=true&p=9&v=0&ip=127.0.0.1&siteurl=http%3A%2F%2Flocalhost%2Fstr-2016-09 HTTP/1.1" 403 3 "http://geoip2.io/api/update/?url=http%3A%2F%2Flocalhost%2Fstr-2016-09%2Fembed-tests%2F&agent=Mozilla%2F5.0+%28Windows+NT+6.1%3B+WOW64%3B+rv%3A54.0%29+Gecko%2F20100101+Firefox%2F54.0&geo=true&p=9&v=0&ip=127.0.0.1&siteurl=http%3A%2F%2Flocalhost%2Fstr-2016-09" "WordPress/4.8; http://localhost/str-2016-09"
I got the example by changing the GeoIP2.io URL (in the geolocation.php file) to one of my domains and checked it’s logs. You will have almost identical entries in your weblogs (only difference will be the time I connected).
Your terms also state:
“We will make readily available to customers information about our policies and practices relating to the management of such information.”
I guess I’m considered a customer?, please make available information about your policies and practices relating to the management of my information.
How do I gain access to the data you store about me?
I don’t want my data tracked by GeoIP2.io. How do I get you to delete the data and stop you from collecting anymore of my data? Note I’m with an ISP with dynamic IPs: my IP changes every time the router is turned off/on.
Can I suggest you do some serious research regarding privacy laws.
Take into account the new developer at the time of my forum post above hadn’t supplied any other way to contact him. At the time I didn’t even know if the developer was male/female (near the end of thread he posted an email address with the name Kevin).
The WordPress support forum was the ONLY point of contact for support regarding the Display Widgets plugin and I was a plugin user asking a legitimate question regarding privacy laws.
How I Was Unfairly Moderated on the WordPress Support Forum
I did NOT receive a satisfactory response from the developer, but was warned by a WordPress support forum moderator to basically stop asking questions!
Multiple threads related to the Display Widgets plugin were (and still are) closed and some of my replies were deleted!
The Display Widgets Plugin developer took this as some sort of win and gloated, I responded (see screenshot below).
About 4-5 days later my forum posts were unfairly moderated for that response. I’m shocked that one response (that was my ONLY response AFTER the moderator warning) was enough to be moderated, seriously!!!
Since I was unfairly moderated I removed my four WordPress plugins from the plugin repository and decided I will no longer inform the plugin repository of other plugin developers breaking the WordPress plugin repository rules: this wasn’t my first time, I’ve reported multiple problem plugins.
If any of the WordPress support forum moderators want to defend their actions, the comments are open and I rarely moderate users :-)
Display Widgets Plugin v2.6.2.* Includes Hacking Code!!!
After being moderated I noticed another issue with the Display Widgets plugin related to code which looks like it generates a WordPress Post dynamically when logged OUT users visit a site!
Screenshot of some of the code below, it’s from the geolocation.php file:
This code allows the Display Widgets plugin developer to dynamically generate a WordPress Post on Display Widget plugin user sites (up to 200,000 sites – I think at least 50,000 updated to the 2.6.* code).
It works by first checking if the visitor is logged in, the reason for this is if the user is logged in it’s probably the WordPress site owner and a hacker doesn’t want the owner to know they are doing something malicious on the site!
If the visitor is logged in (the site owner for example) the plugin hacking code does nothing, but if the user is logged out (a normal visitor OR Google and other search engines) it connects to the plugin developers server and can grab data from the private server to create a dynamic WordPress Post with whatever content they like!
From a hacking perspective this is great, the hacker can insert SPAMMY links on a Display Widget users site to help rank the site(s) linked to, can add advertising code (AdSense for example), the dynamic content could even include ways to hack into your server to make other changes. If you’ve used any of the Display Widgets v2.6.* versions you need to do a WordPress security audit of your WordPress site (it might have been fully hacked).
Had I not been unfairly moderated on the support forum my first step would have been to email firstname.lastname@example.org to inform them about the malicious code. Next step would be to post on the Display Widgets forum warning users to delete the Display Widgets plugin ASAP: for the record it’s safe to downgrade to the 2.05 version (the old version with minor bugs).
Since I was unfairly moderated, I did nothing.
Update: The Display Widgets Plugin version 18.104.22.168 (which includes the hacking code) has again been removed from the plugin repository (3rd time it’s been removed): I guess one of the thousands of hacked sites noticed and reported the issue. It will be interesting to see if the plugin repository give the new developer a third chance, I’ll be shocked if they do as this infringement is a clear case of malicious behavior (you don’t accidentally add code like this).
If the Display Widgets plugin isn’t reinstated I’ll use the Display Widgets 2.05 code (download from https://downloads.wordpress.org/plugin/display-widgets.2.05.zip has a few small bugs) to create a version of the plugin with a few bug improvements and link to it from this review. If the Display Widgets plugin developer is given another chance I’m not wasting my time on it.