14 Oct 2022

The “Mark Zahra” Problem That the WordPress Community Deals With

The poor treatment of WordPress plugin developers by those in control of WordPress recently got attention because of an odd and largely unexplained situation: the removal of the chart showing install growth for plugins on their WordPress Plugin Directory pages.

One of the people prominently featured in that discussion was Mark Zahra. He seems like a good example of an all too common archetype in the WordPress space: someone who conflates what benefits their own business interests with what is in the interest of the wider WordPress community, and who pushes an overly positive view of that community. That overly positive view contrasts with such people's own behavior, which is harmful to others in the community who are actually focused on its wider interests. One of his tweets gives a good flavor of what that looks like in 280 characters or less:

I have not seen the #WordPress plugin community band together for one cause to this extent in a while.

The frustration is clear. All we needed was a platform to have our voices heard.

You can be part of it. Star/watch this Trac ticket and comment: https://meta.trac.wordpress.org/ticket/6511

It’s the kind of thing that sounds good, but if you look a little into Mark Zahra, you find he is someone who is trying to take advantage of trusting individuals in the WordPress community and who helps promote unethical WordPress plugin developers, to the detriment of the wider WordPress plugin community. He does that through his website WP Mayor.

WP Mayor’s Deceptive Paid Reviews

Head to WP Mayor’s homepage and you will be told that it is “your trusted source for WordPress reviews” and that they will “empower you to make informed decisions for your website”.

But scroll down to the bottom of the website and you will find that they are offering to do reviews for a fee.

On the page for that, they are promoting trust in a very different way: “Get featured on the most trusted WordPress review site since 2010.”

Also on that page, they link to some of the sponsored reviews, and what we found looking at them is that they didn’t disclose they were sponsored. There is a vague disclosure included, which would be hard to describe as anything other than deceptive. It sits at the top of the page in very small light gray text against a white background.

Here is what that says:

Disclosure: Every review on WP Mayor involves thorough research and hands-on testing by our team of web and WordPress experts. In some cases, a review may be sponsored, but our final verdict remains truthful and unbiased. Here’s why you can trust us.

So you have no way of knowing which reviews are sponsored and which are not.

We only noticed that message when we did an in-page search for mention of sponsorship on one of the reviews, so it is easy to miss.

If they are not willing to be honest about when a review is sponsored, that makes it hard to believe the reviews should be trusted. Looking closer at one of the reviews, we found that it read more like an ad and failed to provide accurate and useful information. We wouldn’t call it truthful or unbiased. That isn’t surprising when it could be a sponsored review, or what would better be called an ad.

Review Reads Like an Ad

Trustworthy reviews of WordPress security plugins are desperately needed, as the developers of so many of them are promoting them in highly dishonest ways. Take one of those, a plugin named Security Ninja, which is marketed by the developer with this claim of protection from their plugin:

prevent 0-day exploit attacks

Preventing exploitation of zero-day vulnerabilities would be genuinely valuable. A zero-day is a vulnerability that is being exploited before the developer knows about it, so no fix is available yet, and keeping software up to date won’t protect against it.

For someone knowledgeable on the subject, there is an oddity to the claim. A zero-day is not a distinct kind of vulnerability with some signature you could detect and block; it is an ordinary vulnerability that happens to be unknown to the developer. So to protect against zero-days, a plugin would need to broadly protect against exploitation of vulnerabilities in general. Yet the marketing doesn’t make that broader claim of protection.

So what is going on? The reality is that the plugin doesn’t protect against zero-day vulnerabilities, or vulnerabilities more generally. It doesn’t contain functionality that could be expected to do that. Consistent with that, when we have tested the plugin and many other security plugins against real vulnerabilities, it has always failed to provide protection.

Either the developer of the plugin doesn’t have a basic understanding of security or they are intentionally lying to people in their marketing of the plugin. That would be a good reason to avoid the plugin.

Another reason to avoid it is that the plugin’s developer hasn’t even been making sure to keep it secure. Earlier this year, while doing a security review of a plugin chosen by our customers, we found that the Freemius library contained multiple vulnerabilities. Security Ninja was among the security plugins that were using that library without having checked over the code they were including in their plugin.

WP Mayor did a review of the plugin a month ago, and the reviewer had a positive view of it. The content reads like a run through of marketing copy for the plugin, not a review. It didn’t mention the misleading marketing we noted above or question other highly questionable claims made about the plugin. What they also didn’t do was actually check whether the plugin provides real protection. The beginning of their final thoughts made this claim:

Testing security plugins is always a bit tricky because it’s hard to simulate a real security attack. That is, a malicious actor trying to infect my site with malware.

It actually isn’t that hard to do; we do it frequently. If you can’t do that, you shouldn’t be recommending security plugins, as whether a plugin stops real attacks is the information you really need. Instead, the review was based on the things mentioned next in the final thoughts:

With that being said, I can make a few hands-on conclusions based on my experience.

First off, I think that the Security Ninja interface is really well done. It’s clean and easy to use while still giving you a good amount of detail.

Second, you get a good number of features to protect your site.

An xkcd comic comes to mind with that. It involves reviews for a tornado warning app, where the first review gives it five stars and says:

Good UI! Many alert choices.

The last review gives it one star and says:

App did not warn me about tornado.

As with a tornado warning app, what matters with a security plugin is whether it protects against real threats. Many features included in security plugins don’t offer real protection, while creating problems and sometimes introducing security vulnerabilities of their own. You don’t have to take our word for that: the developers of iThemes Security, upon removing many of its features, admitted that they were not useful.

