Opened 16 years ago
Closed 14 years ago
#10273 closed defect (bug) (invalid)
Ban plugins that, optionally or surreptitiously, display authors’ ads
Reported by: |
|
Owned by: |
|
---|---|---|---|
Milestone: | WordPress.org | Priority: | normal |
Severity: | major | Version: | 2.8.5 |
Component: | WordPress.org Site | Keywords: | close |
Focuses: | Cc: |
Description
There was an incident last year where the author of an ad-manager plugin admitted that his plugin replaced users’ ads with his own ads.
Quoting from http://wordpress.org/support/topic/205094
I just thought if people can't be bothered to read/modify the source code to suit your own needs, then you should probably be paying for my time to write and test these codes for you.
This plugin is still hosted on wp.org; its author just had to remove the stealing code.
Now I just saw another recent thread in the forum about another plugin that is reported to be doing the same thing:
Developer shows own adsense?
http://wordpress.org/support/topic/280213
In this case, displaying the author’s ads is optional. However, a forum member says that they turned this option off and the plugin still displays its author’s ads.
I downloaded the plugin in question to see. Before installing it, I looked at the files. All author’s adsense code is save in a long string that is base64 encode. I did not go on to test it: for me, hiding code like this is reason enough no to trust a plugin, and I think it should also be reason enough to remove a plugin from the repository.
WHAT TO DO ABOUT ALL THIS
Of course, to say the least, all this reflects badly on WP and wp.org.
Since we cannot probe into the souls of plugin authors to know whether their ads are displayed by a coding mistake (that is, when the user opts not to display the plugin author’s ads) or on purpose, I propose to ban from wp.org any plugin that has code to display its author’s ads, even when this is an option that can be turned off.
Change History (6)
#3
@
16 years ago
it's tough to detect this automatically. like, checking for base64decode can easily be worked around using call_user_func().
#4
@
15 years ago
- Version changed from 2.8 to 2.8.5
http://wordpress.org/extend/plugins/bowob/
- Plugin with pop-up ads, previously free then asks for money when in use
http://wordpress.org/support/topic/338431?replies=1
http://wordpress.org/support/topic/328060?replies=1
Better to ban the use of obfuscated code in hosted plugins / themes IMO. Then if people choose to show ads, or whatever, at least it is an informed choice.