Make WordPress Core

Opened 15 years ago

Closed 13 years ago

#10273 closed defect (bug) (invalid)

Ban plugins that, optionally or surreptitiously, display authors’ ads

Reported by: demetris's profile demetris Owned by: ryan's profile ryan
Milestone: Priority: normal
Severity: major Version: 2.8.5
Component: Site Keywords: close
Focuses: Cc:


There was an incident last year where the author of an ad-manager plugin admitted that his plugin replaced users’ ads with his own ads.

Quoting from

I just thought if people can't be bothered to read/modify the source code to suit your own needs, then you should probably be paying for my time to write and test these codes for you.

This plugin is still hosted on; its author just had to remove the stealing code.

Now I just saw another recent thread in the forum about another plugin that is reported to be doing the same thing:

Developer shows own adsense?

In this case, displaying the author’s ads is optional. However, a forum member says that they turned this option off and the plugin still displays its author’s ads.

I downloaded the plugin in question to see. Before installing it, I looked at the files. All author’s adsense code is save in a long string that is base64 encode. I did not go on to test it: for me, hiding code like this is reason enough no to trust a plugin, and I think it should also be reason enough to remove a plugin from the repository.


Of course, to say the least, all this reflects badly on WP and

Since we cannot probe into the souls of plugin authors to know whether their ads are displayed by a coding mistake (that is, when the user opts not to display the plugin author’s ads) or on purpose, I propose to ban from any plugin that has code to display its author’s ads, even when this is an option that can be turned off.

Change History (6)

#1 @Denis-de-Bernardy
15 years ago

  • Milestone Future Release deleted

#2 @mrmist
15 years ago

  • Priority changed from high to normal

Better to ban the use of obfuscated code in hosted plugins / themes IMO. Then if people choose to show ads, or whatever, at least it is an informed choice.

#3 @Denis-de-Bernardy
15 years ago

it's tough to detect this automatically. like, checking for base64decode can easily be worked around using call_user_func().

#4 @mercime
14 years ago

  • Version changed from 2.8 to 2.8.5

#5 @nacin
14 years ago

  • Keywords close added
  • Milestone set to site

#6 @Otto42
13 years ago

  • Resolution set to invalid
  • Status changed from new to closed

These should be reported to plugins@… if and when somebody finds a plugin doing bad things. Appropriate action will then be taken.

Note: See TracTickets for help on using tickets.