As part of our effort to create a better understanding in the WordPress community of the handling of security by the developers of plugins through our new Plugin Security Scorecard, we are trying to collate graded plugins from the same developers. That turns out not to be easy with some of the most prolific developers and it appears intentional on the part of at least one of them.

Awesome Motive doesn’t appear to have a good reputation in the WordPress community. That is to the extent that people are willing to mention their name. There is what could be called a toxic positivity in the WordPress community, where only positive things are allowed to be said. So Awesome Motive is often mentioned without mentioning their name. Here was someone willing to name them when talking about one of their many problematic behaviors.

To give a chance to the other side, here is who someone who portrays themselves as a journalist, Matt Medeiros, defending them:

There’s two major variables on the line: Our friends employed at Awesome Motive and Awesome Motive’s brand.

Lots of our WordPress friends work at Awesome Motive. When we openly criticize business decisions or marketing tactics, we’re also criticizing their work, their livelihood and how they provide for their families. Is that fair to them?

 

Do the founders seeking an Awesome Motive acquisition feel that Syed & Co. are the best stewards for their product or do they simply want to cash out in a down market?

I haven’t seen an AM executive address these concerns publicly and I take the silence at face value. This is far beyond a pricing and promotion experiment. This is a brand strategy. Brands are delicate, I assume they know this.

 

If customers keep buying, founders keep selling, and our peers keep working there – it’s time we move on from the debate. Awesome Motive isn’t the company you want it to be, it’s the company they want it to be.

It’s odd for a journalist to say that silence means that someone thinks what they are doing is okay, instead of being more likely to be an admission of guilt. It’s even odder to suggest that you shouldn’t “openly criticize business decisions or marketing tactics” of a major company. It almost like this person doesn’t understand journalism at all. The “openly” element gets back to what we already mentioned about the WordPress community being unwilling to allow criticism to be voiced.

Awesome Motive appears to understand how negative their brand is and avoids mentioning it in listing for the plugins on the WordPress Plugin Directory. We do mean avoid mentioning it, as a search for awesome motive shows only three results, of which, none are their plugins.

It isn’t that they are trying to keep the plugins separate. Here is all the promotion of their other plugins in the listing of one plugin:

And even more with another plugin:

Rabbit Hole of Acquisitions

That would help to link those plugins together, but in other cases, you end up in a rabbit hole trying to figure out what is going on. Take PDF Embedder, the three displayed contributors are all from Awesome Motive:

All the updates from the last year have come from one of them.

On the website for the plugin, the copyright is attributed to WPAuth LLC, with it linking to the website’s homepage. Meanwhile, in 2021, it was claimed that LionSher Technologies had acquired the plugin from Lever Technology. What appears to be LionSher Technologies’ website shows it as one of their brand:

Another of their listed brands, Envira Gallery, has had all its recent updates done by another Awesome Motive employee. That plugin doesn’t list any Awesome Motive employees as contributors to it.

Awesome Motive claimed to have acquired Envira Gallery and Imagely in October of last year. They didn’t mention LionSher Technologies or mention the other plugin LionSher Technologies’s claimed to own, but it appears they took those over as well.

WordPress Could Require Disclosure

There is no reason that we can think of that WordPress couldn’t require developers to disclose that they own plugins and it doesn’t seem like there would be negative, other than for developers, like Awesome Motive, trying to hide their involvement with plugins. An Awesome Motive employee is a Senor Team member of the team that runs the plugin directory and was for about five years one of only four people on the team, which might explain why WordPress hasn’t taken action on this.

Should We Warn About This?

After looking in that whole situation, it leads us to wonder if our Plugin Security Scorecard should lower the grade of plugins in situations where we know the developer isn’t disclosing their ownership. We are going to continue to consider that, but we would love others’ input, either in the comments or privately through feedback. (Any other suggestions on the tool are also welcome.)

WPBeginner Verified

At the bottom of one of their websites, while trying to figure out what plugins are theirs, is the claim that the website (or maybe the plugin) is verified by two entities:

The one that says “stripe VERIFIED” is simply an image. There doesn’t seem to be something from Stripe with that name. There is something called a stripe verified partner.

The one, “wpbeginner | verified,” links to another Awesome Motive website. What is linked to is a review of the plugin claimed to be written by the head of Awesome Motive. It isn’t disclosed that they are reviewing their own solution. Also, they don’t even bother to claim there are any cons with it:

Looking further at that, they claim this about that WPBeginner verified badge:

• Get a WPBeginner verified badge: All products listed on Solution Center will be eligible to showcase a WPBeginner verified badge on their sites. Since WPBeginner verified products are fully vetted and handpicked, this badge can help communicate to your potential customers that your product is legitimate and trustworthy.

Looking at the Solution Center referred to there, everything mentioned is either an Awesome Motive solution or is a solution paying them affiliate revenue. Looking at the Security section tells you a lot about what is really going on there:

(They are claiming that the Jetpack plugin has 27+ million installs, while WordPress puts it 4+ million.)

Among the plugins they list is one that is rapidly losing users and is market with pretty blatant lies, the developer of another admits the threat they protect against isn’t happening, and another developer has had a litany of security problems with providing two of the security plugins listed. We could on further with that.

Notably missing from that are the best firewall plugins. Our own, NinjaFirewall, and Wordfence Security.