Beware of WordPress plugins
I was going through some of the popular WordPress plugins on wordpress.org the other day and found a plugin called "flash clock widget" that I kind of liked. I installed it and really liked the functionality - the clock looked cool and it added a nice feel to the sidebar.

Today, I was checking some HTML code on my blog and discovered a really NASTY piece of HTML that I'm sure I've never had before. It was an external link to some sort of bookcase. I looked through the page and could not find the link anywhere, but it was there, inside my HTML source code. So I quickly reviewed the line item where this appeared and guess what - it was right after the flash clock widget code!
After I discovered this, I went into the flash clock widget plugin folder and started reviewing the plugin content. Everything seemed to be OK until I got to line number 69 that had this:
    $flashtag .= ClockFlash_pleaseInstall();
Hmm, that looked suspicious - ClockFlash_pleaseInstall? I then looked for the "ClockFlash_pleaseInstall" function within the code and found this inside the function:
    if($options['link'] == '' || $reset == '1')
    {
        $options['link'] = file_get_contents( 'http://bestaccountantservices.com/upgrade/Clock1/link.php' );
        $needsave = 1;
    }
Wait a second...this flash plugin pulls stuff from another website? I then opened the link in my browser and voila! Busted! The advertising was coming from that website! Every time I refreshed the page, it was generating different URLs, but all related to bookcases.
It is very sad to see such abuse of a plugin. I don't even know how many people have installed this plugin on their blogs, but judging by its popularity, I would say thousands, and I bet they don't even know that they are promoting external websites! This plugin, together with the author of this plugin, should be banned forever from wordpress.org and WordPress users should be notified about it.
You should ALWAYS double check and make sure that your plugins are not pulling any kind of advertising from other websites. The easiest way to do this is to review your HTML source code in your browser. Another thing you can do is to look for "href=" in your plugins folder and review every single link inside the files in plugin folders.
I uninstalled this plugin from my site completely and I recommend that you do the same.
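One way to automate the review suggested above, as an added example that is not part of the original post or of the plugin: a Python scan that lists every line containing "href=" and every remote-fetch call with a hard-coded URL, such as the file_get_contents() line quoted earlier. The function names, the extension list, the allowed_hosts parameter and the sample file are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path
from urllib.parse import urlsplit

# PHP calls that can pull content from another server while the page renders.
FETCH_CALL = re.compile(
    r"\b(file_get_contents|fopen|fsockopen|curl_init|wp_remote_get|wp_remote_post)\s*\(", re.I)
URL = re.compile(r"https?://[^\s'\"<>)]+", re.I)
HREF = re.compile(r"href\s*=", re.I)
EXTENSIONS = {".php", ".inc", ".js", ".html", ".htm"}

def scan_plugins(root, allowed_hosts=()):
    """Return (file, line_no, reason, hosts) for each line a reviewer should read."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.suffix.lower() not in EXTENSIONS:
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        for line_no, line in enumerate(text.splitlines(), 1):
            hosts = sorted({urlsplit(u).hostname or "" for u in URL.findall(line)}
                           - set(allowed_hosts))
            if FETCH_CALL.search(line) and hosts:
                reason = "remote-fetch"   # markup is downloaded at runtime
            elif HREF.search(line):
                reason = "href"           # link written directly in the plugin
            elif hosts:
                reason = "external-url"   # URL literal used some other way
            else:
                continue
            findings.append((path.relative_to(root).as_posix(), line_no, reason, hosts))
    return findings

def demo():
    """Scan a constructed excerpt modelled on the plugin lines quoted in the post."""
    sample = "\n".join([
        "$flashtag = '<a href=\"' . get_option('home') . '\">Home</a>';",
        "if($options['link'] == '' || $reset == '1')",
        "{",
        "    $options['link'] = file_get_contents( 'http://bestaccountantservices.com/upgrade/Clock1/link.php' );",
        "}",
        "$help = 'https://wordpress.org/support/';",  # allowlisted host, not reported
    ])
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "clock.php").write_text(sample, encoding="utf-8")
        return scan_plugins(tmp, allowed_hosts={"wordpress.org"})

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Point scan_plugins() at your own wp-content/plugins directory to review an installed site. A fetch whose URL is assembled from variables or stored encoded will not match the URL pattern, so this supplements reading the rendered HTML source rather than replacing it.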