WP-Forums is hackable

I’m no longer supporting WordPress but I wanted to mention this as I had been suggesting this WordPress plugin to folks in the WordPress Multiuser forums previously.

It’s been announced that the wp-forums plugin is hackable and a security risk.  Considering that the author hasn’t been around much, don’t expect a fix for it any time soon.

I, for one, have been suggesting folks use Simple Forum instead.  There’s no import route though for you to use.

WordPress says no to Sponsored Links in Themes but gets caught adding them into their own sites

WordPress ethics

Yep, it’s yet another post on the topic of Sponsored links found within WordPress themes.  Now, before I begin, let me state my opinion on the matter:  Personally, I don’t care.  I can see why some folks consider such links to be “evil” and I can understand why some folks consider them to be a “necessary evil.”  If I really wanted to use a theme that had such links, I’ve got to admit that I would take a look at the site that’s being linked to and make a choice to leave them in or remove them.  That’s up to me.  I still think my idea of doing a tag labeled “Sponsored Links” within the main WordPress theme site would have been a better idea than removing them.  Let the “purchaser” decide with the best information made available in front of them.

But what bothers me about all this though is what occurred recently on the BrowseHappy.com site.  You know the one.  Where a number of Automattic staff, volunteers, developers, and others had that discussion and Matt Mullenweg goes out of his way to show how he listens to his end users try to explain to him how a website that hasn’t been updated in years, contains outdated information, and even he finds to no longer apply really shouldn’t be linked to from the WordPress backend, totally ignores them, and we still have the link on the backend. (Quick aside: Instructions on how to remove said link.  Not sure if they apply on the latest 2.3.2 version of WordPress but you should get the idea.)

So imagine my surprise a few weeks ago when I was reading a thread over on the wordpress.org forums on browsehappy.  I decided to take a look at the site as I remembered that site having Adsense affiliate code links on it and I wanted to see if they were still there.

 

Browse Happy link

Imagine my complete surprise (I’m going link happy on the post, I know) to discover that there was actually a hidden link to freecookingrecipes.net in the footer of that site.  As well as a hosted image.

Hmm, well that was strange.

I saved some quick screen captures to cover my ass in case anyone doubted me, reported it to that thread on wordpress.org and fired off an email to the WordPress Security email address.  The links disappeared within a few minutes but my comment on the wp.org forums went unanswered and the email to security went unanswered as well.  Again, someone must have heard because those links were gone within 15 minutes.

OK, let’s think about this for a second and cover some history.  The folks at WordPress have done the hidden links previously and appear to not really be willing to talk about it.  Matt says on his blog (I can’t find it right off.  I guess you don’t get that link tonight.) that he made a mistake and/or the linkage was placed without his own personal knowledge. (Again I can’t find it right off so that may not be 100%.  Please forgive me if it’s not.) edit: Here it is.

So anyway, let’s give some thought about this link and what it is doing there.  I’ve been thinking about it for quite some time and I can think of three methods of how it got there.  Let me list them and explain the reasons why they shouldn’t be the cause. (Please note that I said “shouldn’t” instead of actually proving them not to be the cause.  Keep reading.  You’ll understand shortly.)

  1. The link was placed there by a well-meaning Automattic employee, done with the holiday spirit in mind and everything’s fine and cool.  Gotta admit that this is the one that I want to believe but I can’t see it.  The link was hidden and not visible within the browser. (Note the screencap to the right.) If the link was added with good intentions, it was done in such a strange way.  I would think that you would want folks to be clicking on that link but no one could see it.  Also a quick check of the main WordPress developers at the time showed no one else having such a link.  If an Automattic employee had been excited about adding in such a link, you would have thought that they would add the same link to their own personal websites.  This was not the case.

    browse happy code

  2. The link was placed as part of a hack against the website.  I’m iffy about this one for two reasons, one more important than the other.  The lesser argument, which Options makes here is how was the hacker, if there really was one, able to upload an image to the server.  Granted, if they had access, they could have done it but wouldn’t they have gone after juicier options like the main wordpress.org site? (Which, by the way, did not have the link.) The other argument against this comes from personal experience.  I’ve had sites hacked before and every time it’s ever happened, someone else somewhere else has had the same thing happen to them.  Hackers don’t pick a single site as a target, at least I’ve never seen them do it.  A quick Google search shows no discussion about folks getting hacked with this link.  In fact many pages have posters who seem quite happy to be adding in a link to this site.
  3. The link was placed as a sponsored link with the intention of at least one member of Automattic staff.  Gotta admit that I don’t like saying this but this is really the only choice we have left.  There are arguments against this of course.  The main one being of course how they got caught previously with the hidden links to advert pages on the wordpress.org site a few years back.  Matt made a big deal with pulling themes with sponsored links in them from the WordPress Themes site. They make a big deal in the WordPress.com support forums over affiliate links and usually either get them removed from the blog or ToS the blog.  It’s real hard though trying to find solid arguments against this as being where those links came from.  I really can’t think of any but I’m trying.

That’s all I wanted to say.  I think I’ve provided a case for what I believe really happened.  I’m sure folks will disagree with me but I can’t do much about that.

Two forum threads on the topic as well as that email to security went unanswered. Email to the recipe site went unanswered as well. (I was curious.)

edit: Please excuse any typos.  It’s been a long day and it’s time for me to go home.

WordPress.com nofollow plugin for WordPress

Per a request for it, I’ve written up a WordPress plugin for adding in a nofollow tag to links to any blog with a ‘wordpress.com’ within the URL of the link. This was actually done for a WordPress Multiuser setup that I host so that they wouldn’t get any link love. (Also because my client doesn’t think much of wp.com)

Install it via the regular methods. If you’re running WordPress Multiuser, I’d just drop it into the mu-plugins subdirectory.

Based on the Wikipedia nofollow plugin for WordPress

edit: I’ve gone ahead and removed this.  It appears some folks out there, instead of seeing how and why this plugin was offered, would rather insult me over it.  It’s not worth my time.

Is Automattic the new Enron?

Considering how bad things have become with WordPress, one has to wonder if they’re going to become the new Enron. Considering they have no ethics policy in place and how some employees use that to their advantage, one has to wonder what’s going to occur.

And, yes, I can give tons of examples. Today, I have better things to be doing.

edit: The image comes from elsewhere. I didn’t create it.

Is it a blog or a news report?

David expresses his annoyance recently when 6 of the top 10 posts over in wp.com land were all from the CNN blogs. As I write this, there are five posts listed in the top 10.

It’s a pity that Automattic feels that news reports from sites (I wouldn’t call them blogs either.) within their VIP program are more important than the thousands of bloggers who make up the rest of the site.

Today’s Scary Thought from WordPress.com’s front page

Would someone *PLEASE* explain to me why this post about shit eating is listed as wordpress.com’s hawt post?

At least there’s no pictures.

No, I’m not kidding.

Yes, I’m all for free speech and all that. Heck, I’ll even live with Matt’s warped sense of Free Speech (And I can’t believe I just wrote that) but not as the number one post for all of wordpress.com.

I’ll upload a screen cap later on. I can’t do graphics work on this terminal.