WordPress.org

Make WordPress Core

Opened 6 years ago

Closed 4 years ago

#10273 closed defect (bug) (invalid)

Ban plugins that, optionally or surreptitiously, display authors’ ads

Reported by: demetris
Owned by: ryan
Milestone: WordPress.org
Priority: normal
Severity: major
Version: 2.8.5
Component: WordPress.org site
Keywords: close
Focuses:
Cc:

Description

There was an incident last year where the author of an ad-manager plugin admitted that his plugin replaced users’ ads with his own ads.

Quoting from http://wordpress.org/support/topic/205094

I just thought if people can't be bothered to read/modify the source code to suit your own needs, then you should probably be paying for my time to write and test these codes for you.

This plugin is still hosted on wp.org; its author just had to remove the stealing code.

Now I just saw another recent thread in the forum about another plugin that is reported to be doing the same thing:

Developer shows own adsense?

http://wordpress.org/support/topic/280213

In this case, displaying the author’s ads is optional. However, a forum member says that they turned this option off and the plugin still displays its author’s ads.

I downloaded the plugin in question to see. Before installing it, I looked at the files. All the author’s adsense code is saved in a long string that is base64 encoded. I did not go on to test it: for me, hiding code like this is reason enough not to trust a plugin, and I think it should also be reason enough to remove a plugin from the repository.

WHAT TO DO ABOUT ALL THIS

Of course, to say the least, all this reflects badly on WP and wp.org.

Since we cannot probe into the souls of plugin authors to know whether their ads are displayed by a coding mistake (that is, when the user opts not to display the plugin author’s ads) or on purpose, I propose to ban from wp.org any plugin that has code to display its author’s ads, even when this is an option that can be turned off.

Change History (6)

comment:1 @Denis-de-Bernardy 6 years ago

  • Milestone Future Release deleted

comment:2 @mrmist 6 years ago

  • Priority changed from high to normal

Better to ban the use of obfuscated code in hosted plugins / themes IMO. Then if people choose to show ads, or whatever, at least it is an informed choice.

comment:3 @Denis-de-Bernardy 6 years ago

it's tough to detect this automatically. like, checking for base64decode can easily be worked around using call_user_func().
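
An added example, not part of the ticket or of any WordPress.org tooling: because a search for the decoder's name is easy to sidestep, this Python scanner flags the long base64 string literal itself and decodes it for review, and lists call sites separately. The 40-character threshold, the marker list, and the sample PHP text are assumptions constructed for illustration.

```python
import base64
import binascii
import re

# Quoted PHP string literals made only of base64 characters, 40+ long (assumed threshold).
B64_LITERAL = re.compile(r"""(['"])([A-Za-z0-9+/]{40,}={0,2})\1""")
# Call sites worth a manual look. A call_user_func() hit means the callee may be
# chosen at run time, so the absence of "base64_decode" in a file proves nothing.
CALL_SITE = re.compile(r"\b(call_user_func(?:_array)?|base64_decode)\s*\(")
# Assumption: substrings typical of an AdSense snippet; extend for other ad networks.
AD_MARKERS = ("google_ad_client", "googlesyndication", "adsbygoogle")


def scan_php(source):
    """Return encoded-literal and call-site findings for one PHP file's text."""
    findings = {"encoded_literals": [], "call_sites": []}
    for lineno, line in enumerate(source.splitlines(), start=1):
        for m in CALL_SITE.finditer(line):
            findings["call_sites"].append((lineno, m.group(1)))
        for m in B64_LITERAL.finditer(line):
            try:
                decoded = base64.b64decode(m.group(2), validate=True)
            except (binascii.Error, ValueError):
                continue  # looked like base64 but does not decode; skip it
            text = decoded.decode("utf-8", errors="replace")
            hits = [k for k in AD_MARKERS if k in text]
            # Report every decodable literal; hits only prioritise the review.
            findings["encoded_literals"].append((lineno, len(m.group(2)), hits))
    return findings


# Constructed sample: a placeholder ad snippet, encoded here so the literal is valid.
_AD = b'<script>google_ad_client = "ca-pub-0000000000000000";</script>'
SAMPLE = (
    "<?php\n"
    "$blob = '" + base64.b64encode(_AD).decode() + "';\n"
    "echo call_user_func($decoder, $blob);\n"
    "$title = 'Settings';\n"
)

if __name__ == "__main__":
    for kind, items in scan_php(SAMPLE).items():
        print(kind, items)
```

Long hashes and similar strings can also decode cleanly, so a finding with no marker hits is a prompt for manual review rather than a verdict.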

comment:4 @mercime 6 years ago

  • Version changed from 2.8 to 2.8.5

comment:5 @nacin 5 years ago

  • Keywords close added
  • Milestone set to WordPress.org site

comment:6 @Otto42 4 years ago

  • Resolution set to invalid
  • Status changed from new to closed

These should be reported to plugins@… if and when somebody finds a plugin doing bad things. Appropriate action will then be taken.
