Earlier this week we mentioned a recent instance were a review was left for a WordPress plugin were the reviewer stated that they “almost 99% sure” that there was website was hacked due to the plugin. The review provided no evidence to back up that the plugin actually had any role in the website being hacked and others claims in the review indicated to us that the person making the claim wouldn’t be a reliable source for such a claim. That someone would be making a likely false claim about a security issue related to WordPress isn’t at all surprising when you consider that we have found that even have major WordPress focused security companies have widelt making a false claim, which they support with evidence that shows they are incorrect. What does seem surprising is how this is handled on the WordPress Support Forums, which plugin reviews are part of.
Another recent review also made an unsupported claim of a plugin being exploited. Once again there wasn’t any evidence for this, here is the full review:
Just spent a couple days cleaning up a URL injection hack on a site of mine. All seemed good, then I get a notice from Wordfence of a file change in Feed them Social, I go back to the site, and it’s once again compromised.
I suspect this plugin has been exploited.
The developer of the plugin provided an explanation for a file changing in the plugin was giving by the developer:
I did make an update 2 days ago changing a link to our website in a js file, that is all. Wordfence is known for showing these types of changes.
Beyond that, if the file change had involved something added by a hacker that wouldn’t necessarily be an indication that the plugin was exploited, as we have seen from dealing with numerous hacked websites, hackers frequently place malicious files in random locations on websites.
The developer then asked for a moderator to review the situation:
@modlook Is this an acceptable reason for a one star review? That is a pretty serious allegation to make, with no proof. As I mentioned an update was made to change a link to slickremix.com in a js file, I did not see a reason to make a whole version change to our plugin based on this. Wordfence will notify you of any plugin changes as I have seen this for myself. Coincidence appears to be the culprit here in my humble opinion.
A moderator responded:
Yes, it is
Mutters “I wish I had coffee”
Here’s the the thing: reviews are feedback. How you, the author, replies is much more valuable than any 1 star review. Reply well, people do read these reviews.
Without more information from the user it’s hard to determine what he’s referring to. While I doubt your plugin had anything to do with @cacarr site being exploited we still need to hear from him.
It isn’t clear to how the review is feedback, as there is no evidence that the issue the reviewer was experiencing had anything to do with the plugin. The moderator’s comment even alludes to that, when they said “Without more information from the user it’s hard to determine what he’s referring to.”. Considering just the mentality behind the two reviews we mentioned it isn’t to hard to believe that people would be scared away from a plugin based on an unsupported security claim, no matter what the developer’s response was.
It would be one thing if any claims of vulnerabilities in plugins were allowed in the Support Forums, but from our experience claims that are actually supported are not as welcome. We have seen in the past that those have been removed from the Support Forum or in one instance earlier this year when we tried to find out the names of several intentionally malicious plugins were, so that we could warn people through our free plugins and service, the thread was closed to stop that from happening.
It doesn’t make much sense to us that claims that plugin are vulnerable without evidence are allowed, while actual vulnerabilities are hidden away (in some cases leaving people unaware that a plugin they are using is and will remain vulnerable).