Beware of Rogue WordPress Plugins that Inject Spammy Ads

WordPress is a popular Content Management System that powers 26% of all websites. You can customize your WordPress site and add the features you need using Plugins. Most Plugins are authored by third parties and distributed through the official WordPress Plugin Directory. But can you trust every WordPress Plugin out there?

Last week the security company WordFence exposed the wrongdoing of a WordPress Plugin named "404 to 301". The Plugin injected ads that were visible only to search engine crawlers and not to human visitors. This technique is called cloaking, and Google bans it.

Quoting Google:

Cloaking refers to the practice of presenting different content or URLs to human users and search engines. Cloaking is considered a violation of Google’s Webmaster Guidelines because it provides our users with different results than they expected.
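Cloaking of this kind usually keys on the User-Agent header: the page is rendered normally for browsers and with extra hidden text links when the request looks like it comes from a search engine crawler. The practical check for a site owner is to fetch the same URL twice, once as a browser and once as Googlebot, and compare the links in the two responses. The script below is an added example written for this article, not code from the "404 to 301" Plugin or from WordFence; it simulates the rogue behaviour in `render_page()` so it runs offline (the domain, ad links and User-Agent strings are constructed), and `check_site()` runs the same comparison against a live URL.

```python
"""Detect search-engine cloaking by comparing a page as a browser sees it
with the same page as a crawler sees it.

Constructed example: render_page() simulates a cloaking plugin so the check
can run offline. Domain names, ad links and page content are hypothetical.
"""
import urllib.request
from html.parser import HTMLParser

# A common browser User-Agent and Googlebot's published desktop User-Agent.
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/100.0"
GOOGLEBOT_UA = ("Mozilla/5.0 (compatible; Googlebot/2.1; "
                "+http://www.google.com/bot.html)")

# Substrings a cloaking script would typically look for in the User-Agent.
CRAWLER_MARKERS = ("googlebot", "bingbot", "yandex", "baiduspider", "duckduckbot")


def is_crawler(user_agent: str) -> bool:
    """True if the User-Agent string looks like a search engine crawler."""
    ua = user_agent.lower()
    return any(marker in ua for marker in CRAWLER_MARKERS)


def render_page(user_agent: str) -> str:
    """Simulated cloaking plugin (constructed for this example, not the real
    plugin's code): humans get the normal page, crawlers get the same page
    plus a hidden block of text-link ads."""
    body = ("<html><body><h1>Example post</h1>"
            "<p>Read our <a href=\"/about\">about page</a>.</p>")
    if is_crawler(user_agent):
        body += ("<div style=\"display:none\">"
                 "<a href=\"http://ads.example.net/offer\">cheap offer</a> "
                 "<a href=\"http://ads.example.net/pills\">pills</a></div>")
    return body + "</body></html>"


class _LinkCollector(HTMLParser):
    """Collects every href from <a> tags in an HTML document."""

    def __init__(self):
        super().__init__()
        self.links = set()

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.links.add(href)


def extract_links(html: str) -> set:
    """Return the set of hrefs found in the HTML."""
    collector = _LinkCollector()
    collector.feed(html)
    return collector.links


def find_cloaked_links(browser_html: str, crawler_html: str) -> list:
    """Return hrefs served to the crawler but absent from the browser copy.
    Comparing link sets rather than raw bytes ignores harmless differences
    such as nonces or timestamps that change on every request."""
    return sorted(extract_links(crawler_html) - extract_links(browser_html))


def fetch_page(url: str, user_agent: str, timeout: int = 10) -> str:
    """Fetch url with the given User-Agent header (live network call)."""
    request = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(request, timeout=timeout) as response:
        charset = response.headers.get_content_charset() or "utf-8"
        return response.read().decode(charset, "replace")


def check_site(url: str) -> list:
    """Live check: fetch url as a browser and as Googlebot, report extra links."""
    return find_cloaked_links(fetch_page(url, BROWSER_UA),
                              fetch_page(url, GOOGLEBOT_UA))


def check_simulated() -> list:
    """Run the same comparison against the simulated cloaking page."""
    return find_cloaked_links(render_page(BROWSER_UA), render_page(GOOGLEBOT_UA))


if __name__ == "__main__":
    for href in check_simulated():
        print("cloaked link:", href)
```

Against the simulated page this reports the two `ads.example.net` links and nothing else. A User-Agent swap is only a first pass: a cloaking script may also check the requesting IP address against the crawler's published ranges (the ToS quoted later in this article mentions collecting visitor IP addresses), in which case a request from your own machine with a Googlebot User-Agent will still receive the clean page. For that case, fetch the page through Google Search Console's fetch tool, which uses Googlebot's own infrastructure, and compare its rendered HTML with what your browser receives.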

This is not just a black-hat SEO problem. First, some of the ads inserted by the "404 to 301" Plugin were objectionable. Second, most site owners running the Plugin had no idea that ads were being injected into their pages and served to crawlers, because hardly anyone reads a Plugin's ToS. The Plugin's ToS says:

Third party text networks supply text for display in 404 to 301. These networks may collect your visitors’ IP addresses, in native or hashed forms, for purposes of controlling the distribution of text links. 404 to 301 collects anonymous aggregated usage statistics. By clicking the button here below, you agree to the terms and conditions and give permission to place text links on your website when search engine crawlers access it.

After WordFence blogged about this, here is what the Plugin author posted in the forum.

I confirm this code injection issue and have removed the entire script related to the tracking feature. It was being handled by one of my partner developers, who made these changes in tracking.

Whether or not the Plugin author is simply trying to pass the buck, the main point is that your website's ranking and reputation are at stake: a ban or penalty from Google can hurt your business badly, and recovering from it can take months.

It is pretty clear that this cloaking occurred with the full knowledge of the author: the ToS quoted above explicitly asks for permission to place text links on your site when search engine crawlers access it. With 288,451 all-time downloads and 70,000 active installs, imagine how many ad impressions it would have generated. If some of those are high-traffic sites, the author could have earned an enormous amount of money just by injecting ads into other people's content.

Suppose it served 200,000 impressions per day at a $2 CPM: that alone would fetch $400 per day for doing nothing. This is only an illustration; nobody knows how many ad impressions were actually served, or the total page views of all the sites that had the Plugin installed.

This is not the first time a bad WordPress Plugin has been brought to light. Here are some earlier reports by the excellent Sucuri about two other Plugins, where the damage caused was very severe.

According to Sucuri, Plugins available in the official WordPress Plugin Directory do go through a screening process. "But it can’t detect all tricky backdoors and new types of malware. With the huge number of plugins and updates, it’s just not feasible."

Some interesting reading

Fortunately, we have some very good security companies, such as Sucuri and WordFence, that detect and expose this type of ad injection and backdoor.

In any case, it is always a good idea to limit the number of Plugins you use, to install only Plugins with a good reputation, and to read a Plugin's terms of service before activating it. That greatly reduces the chances of getting hacked, and it also helps your website's performance.

About the author

Ramesh Srinivasan founded back in 2005. He is passionate about Microsoft technologies and has vast experience in the ITeS industry, delivering support for Microsoft's consumer products. He was a Microsoft MVP from 2003 to 2012 and contributes to various Windows support forums.