Popular Wordpress Plug-in Caught Spamming Is Put On Probation
chicksdaddy writes "Social Media Widget, a free plug-in for the WordPress blogging platform with more than a million downloads, was restored to WordPress's official plugin directory on Thursday, days after it was found injecting WordPress websites with spam links to web sites offering Pay Day Loans. In a post on a support forum for Social Media Widget (SMW), Samuel Wood, a WordPress administrator, said that WordPress was willing to give SMW and its owner a second chance after he claimed to have been the victim of a contract developer gone rogue. 'Naturally we do take a very hard line on spam, and obviously an author putting malicious code into a plugin is enough grounds for us to bring down the ban hammer,' Wood wrote on Friday. 'But there are natural circumstances where an author may not be at fault.' SMW appears to be such a case. It is one of the 20 most popular WordPress add-ons and allows WordPress web site operators to include links to their other social media accounts. Brendan Sheehan, the owner of SMW, said, 'We trusted the wrong people with our plugin code and take full responsibility. We are a marketing company at heart and are not actually developers, so in order to provide major updates and improvements, we had to seek outside help. Some of these people deceived us and abused our trust and naivety...We will not make this mistake again.' Wood said the folks at Wordpress decided to accept that story — but that they're watching SMW closely. 'Basically, the current maintainer is not a professional programmer, and put his trust in the wrong freelancers to do the coding work for him...We'll be watching the plugin for changes,' he said. 'The plugin is back up for now, and as long as it stays clean, it's fine.'"
Re:That's fucking stup-- (Score:5, Insightful)
I know! We'll write everything in-house instead! Once I've got my custom language compiling, I'll start work on the relational database engine. We should have the site finished some time in 2030.
Sooner or later, you're going to have to trust someone else's code. I guarantee you, whatever projects you work on, you're using someone else's code for something, and probably sight-unseen.
Re: (Score:2, Interesting)
Firstly I want to make it clear I don't think it's a matter of being a "PHP dev" that makes people stupid, since I'm a freelancer myself and am sometimes forced to use PHP. I wouldn't say I'm stupid or incompetent. I will however say that you're missing the point grandparent was trying to make, misled as it was. You're acting like the matter of wheel reinventing and copy and pasting is so black and white. It's not; it isn't unreasonable to expect people to take a quick look and test over a new plugin befor
Re:That's fucking stup-- (Score:4, Insightful)
You cannot trust every single piece of code you see while at the same time reusing other people's code; it's naive to make the leap of logic you did.
And I never said you did; the leap of "logic" was on the part of the GP, not me. He said, and I paraphrase, if you install code you haven't reviewed, you deserve whatever you get. I said that, sooner or later, you must trust some code, not that every random piece of code is worthy of trust.
And in this case, it's quite possible that people did perform a review of this plugin; after all, it hasn't been spamming the whole time it's been available. They performed an update on their plugin without vetting the update. Sure, that's not best practice, but I do the same thing on my personal computer at home all the time, even if I don't do it on my production systems. If I hosted a podunk little blog on Wordpress? I probably wouldn't vet every "security patch" for every plugin I used either.
GP is a great big case of "blame the victim" mentality. Someone was malicious. They deliberately inserted malicious code into a trusted repository.
Re: (Score:1)
I recently broke my WordPress cherry, and I have to say the experience was extremely frustrating because 90% of the resources are not aimed at "developers" or even "PHP developers". Trying to find any real information about the API was incredibly frustrating.
The entire WordPress ecosystem seems to be oriented towards semi-technical users who just want to click this thing and copy some files around. Basically people with blogs and brochure-ware sites who want a twitter icon without opening a text editor.
Re: (Score:2)
I will however say that I end up being hired to fix shitty PHP code more often than not. Kind of worrying... It's why I'm on my way out of this sorry excuse for a career. I don't recommend it.
It sounds challenging... then again rewrite may be better than fixing, as long as the pay is good....
Re: (Score:2)
You do realize we are talking about a Wordpress widget?
Re: (Score:2)
GP made no such qualification. He was speaking in general about how stupid it was to reuse code you hadn't written yourself.
Re:That's fucking stup-- (Score:4, Insightful)
Sooner or later, you're going to have to trust someone else's code. I guarantee you, whatever projects you work on, you're using someone else's code for something, and probably sight-unseen.
It's not everyone's code you can't trust.
It's only (1) the code you will actually distribute with your software, and (2) uncommon dependencies that are not part of widely used software packages.
And even then, you have to be able to trust the code of people working for you; e.g. the coders you hire. If you can't do that, then you can't get anything done.
So you should check into their background, and make sure the people you hire to make your code are either under a good contract or surety bond that protects your interest, and effects some risk transfer by providing you the right to sue for damages, especially, in case of obvious or provable malice.
That way you align your worker's interest with yours, by ensuring that if they conduct an intentional abuse they are at risk.
Troll (Score:5, Insightful)
That's fucking par for the course for PHP devs...
And there's the troll.
Re:Troll (Score:5, Insightful)
Is it still trolling if it's true?
Re: (Score:2)
In some cases, yes. But in this case it wasn't true. So there is an extra troll factor added.
Re: (Score:1)
Whatever buddy, go back to masturbating in your mom's basement.
Re: (Score:1)
Just because you're a php whore doesn't make it any less true.
I'm a PHP Whore? Really?
Why don't you post with your account instead of "Anonymous Coward", and we'll talk about it?
At least I have the BALLS to post with my logged-in user name. Unlike you.
Re: (Score:2)
Another way to troll by telling the truth is saying something like, "You have never denied that you killed a girl in 1990." It can be a hilarious troll, but it's still a troll.
Re: (Score:2)
Yes, because it's a false generalization. It's not like we are all C&Ping from hotscripts.com. People who do so aren't developers.
PHP is a flexible and powerful language. Not to mention it's by far the most popular scripting language. It's also easy to learn, hence it can easily be abused and/or misused. Something I also see a lot of in JavaScript.
So, yes, GP is a troll.
true and false (Score:1)
It's not really any less true for a good many other languages...
Re:That's fucking stup-- (Score:4, Interesting)
It's a tool like any other, and it definitely has its place. What doesn't have a place is people who reject tools for pseudo philosophical reasons rather than utility.
Re: (Score:3, Insightful)
foreach (array('PHP', 'Perl', 'Java', 'C', 'C++', 'Javascript') as $language) {
}
"There does not now, nor will there ever exist, a programming language in which it is the least bit hard to write bad programs." -- Lawrence Flon
Well, I guess I won't be using WordPress soon. (Score:5, Insightful)
That's a nice attitude to have. "The author of this plugin was caught injecting malicious code into every website using it, but we'll keep it on the downloads page so long as he agrees to follow the honour system?"
How fucking stupid do you have to be?
Comment removed (Score:5, Funny)
Re: (Score:2)
Agreed
Full responsibility = ban
Examples have to be made.
marketing (Score:5, Insightful)
IOW, "we are scum whose very purpose in life is to force unwanted messages into your eyes and ears, but trust us that this incident of unwanted messages was accidental."
Re: (Score:2)
...and "social media" is, like, the pinnacle of modern spam. Indie game developer? "Like us on Facebook for a chance to win Horse Armor!" Big news network? "Don't forget to follow our forecasts on twitter!" Celebrity? "Had #lunch with @CalvinKlein, you should #buyTheirStuff! I did! #shamelessplug #andthelunchtastedgood #LOLhashtags"
In short, SMW was banned for its very purpose--just not permanently enough.
Teach them to read diffs! (Score:3, Insightful)
For f*cks sake, there's no reason a supervisor shouldn't at least run a diff of the code and recompile (if applicable) before pushing a release. Unless there are huge changes, it shouldn't take more than 10 minutes. If anything looks really weird or out of place, start asking questions, preferably to someone else.
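A minimal version of the pre-release diff check this comment describes, added here as an example (it is not code from the thread, from WordPress, or from the plugin's author): it diffs an old and a new copy of a plugin file and flags every added line that carries an outbound link, hidden markup, or an obfuscation or remote-fetch primitive, so the maintainer has a short list of lines to ask about before pushing a release. Both PHP snippets and the loans.example.com domain are constructed for the example; esc_url and esc_html are real WordPress helpers, the rest of the widget code is made up.

```python
import difflib
import re

# Constructed sample: a "before" and "after" copy of one widget file.
# The injected hidden link and its domain are made up for this example.
OLD_RELEASE = """\
<?php
function smw_render_icons($accounts) {
    $html = '<div class="smw-icons">';
    foreach ($accounts as $name => $url) {
        $html .= '<a href="' . esc_url($url) . '">' . esc_html($name) . '</a>';
    }
    return $html . '</div>';
}
"""

NEW_RELEASE = """\
<?php
function smw_render_icons($accounts) {
    $html = '<div class="smw-icons">';
    foreach ($accounts as $name => $url) {
        $html .= '<a href="' . esc_url($url) . '">' . esc_html($name) . '</a>';
    }
    $html .= '<div style="display:none"><a href="http://loans.example.com/">loans</a></div>';
    return $html . '</div>';
}
"""

# Things a reviewer wants explained before a release ships. The dict order
# is the order reasons are reported in.
SUSPICIOUS = {
    "outbound link": re.compile(r"https?://", re.IGNORECASE),
    "hidden markup": re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.IGNORECASE),
    "obfuscation": re.compile(r"\b(eval|base64_decode|gzinflate|str_rot13)\s*\(", re.IGNORECASE),
    "remote fetch": re.compile(r"\b(curl_exec|file_get_contents|wp_remote_get)\s*\(", re.IGNORECASE),
}


def added_lines(old: str, new: str):
    """Return (line number in new, text) for every line the new release adds.

    Lines in 'replace' blocks count as added too, since the reviewer needs
    to read the new text either way.
    """
    old_l, new_l = old.splitlines(), new.splitlines()
    matcher = difflib.SequenceMatcher(None, old_l, new_l)
    out = []
    for tag, _i1, _i2, j1, j2 in matcher.get_opcodes():
        if tag in ("insert", "replace"):
            for j in range(j1, j2):
                out.append((j + 1, new_l[j]))
    return out


def review_release(old: str, new: str):
    """Flag added lines matching SUSPICIOUS; returns (lineno, reasons, text)."""
    findings = []
    for lineno, text in added_lines(old, new):
        reasons = [name for name, rx in SUSPICIOUS.items() if rx.search(text)]
        if reasons:
            findings.append((lineno, ", ".join(reasons), text.strip()))
    return findings


if __name__ == "__main__":
    # Show the plain diff first, then the lines that need an explanation.
    for line in difflib.unified_diff(OLD_RELEASE.splitlines(), NEW_RELEASE.splitlines(),
                                     "old/widget.php", "new/widget.php", lineterm=""):
        print(line)
    print()
    for lineno, reasons, text in review_release(OLD_RELEASE, NEW_RELEASE):
        print(f"line {lineno} [{reasons}]: {text}")
```

A clean release produces no findings, so the check costs nothing when nothing odd was added; the pattern list is a starting point and should be extended with whatever the plugin has no business doing (a social-icon widget has no reason to decode base64 or call out to a third-party host).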
Re: (Score:1)
it would take torvalds about 3 seconds
"oh, it's php... bin it"
This is what they deserve. (Score:5, Informative)
"We trusted the wrong people with our plugin code and take full responsibility. We are a marketing company at heart and are not actually developers, so in order to provide major updates and improvements, we had to seek outside help."
The first headline on their website states, "Blink Web Effects creates innovative web applications and tools - totally free and open source." If they're not developers, why are they a company to begin with? It is really tiresome to see fucking marketing hacks thinking they are enlightened and entitled while they pay some 3rd world country developer to build their company.
This is what they deserve. Good riddance.
Pull the other one, it's got bells on (Score:5, Funny)
A contract programmer pulled a fast one on a marketing company to get their product to spam people. Yes, absolutely, I can believe that. So can my friend the Easter Bunny.
Re: (Score:3)
Sure, you start paying us like doctors, lawyers, and so on, and we'll talk about liability. But the reality is, the software industry would implode with the requirement for liability insurance, as the stuff we work on is far too complicated for even the brightest of programmers, and the pay is often times way too low. You want to sue a PHP programmer making $40K / year because some el cheapo company hired him / her to bang out a site with no lead time and zero patience? Good luck with that.
Although I'd love
Re: (Score:2)
Liability insurance for developers does not cost very much. My consulting company has an insurance policy for the work we do, and the premium is based on how much money the company makes. I'm making enough to fund two full time people and my liability policy is around $1000 per year.
The biggest thing that keeps developers safe is the minimum legal costs of taking someone to court for long enough to sort out blame on a software project. If I botch $10K worth of development, it's impossible to hire a legal te
Re: (Score:2)
But is that because the programmers/companies which do take out insurance are exactly the group who care about their reputation and business and so would be less likely to need to use the insurance anyway?
If you start mandating that all companies need insurance, then I think you'll see premiums increase because the ratio of bad to good developers will increase.
Re: (Score:2)
Sure, you start paying us like doctors, lawyers, and so on, and we'll talk about liability. But the reality is, the software industry would implode with the requirement for liability insurance, as the stuff we work on is far too complicated for even the brightest of programmers, and the pay is often times way too low
Programming errors and provably intended malice are different things.
Errors are understandable... the company developing the software has a duty to fix errors, but the individual programm
There are plenty of trade jobs in the same income brackets as programming which are required to follow basic liability standards for the work they do when it pertains to legal compliance and safety.
Jobs where crappy work that puts others at danger or loss will cost them their livelihood, or worse: most construction sub-contractors, locksmiths, welders, linemen, auto mechanics, accountants, farmers. At least half that list makes more like 2/3 what the average programmer makes.
Part of the issue right now is
Re: (Score:2)
Programming is the job of writing precise specifications.
A picture might be worth a thousand words, but there's a good reason we have books of only words, and not merely picture books.
Word Press? Not so much... (Score:1)
Hard line on spam (Score:1)
Naturally we do take a very hard line on spam...
Yes, of course, it's not like WordPress got caught spamming [slashdot.org] themselves.
China (Score:1)
Re: China (Score:1)
As the PR officer of The Association of Scapegoated Jews, Blacks and Arabs, I'd like to thank you for helping shift focus towards the inscrutable Chinese. They are a truly dishonest race that is nothing like the financially generous Jew, the unincarcerated black and the non-wife beating Arab.