WordPress Forum Moderators Again Stop WP Community From Helping Each Other Deal With Hacked Sites
On Monday, a serious vulnerability was fixed in the WordPress plugin PublishPress Capabilities, which we detailed for customers on Tuesday (we also warned about a less serious vulnerability the same day). On Wednesday, the vulnerability was widely exploited.
That is a situation that could have largely been avoided by the WordPress plugin team, if they had automatically updated the plugin before the exploitation happened, instead of after (or by websites enabling WordPress to automatically update plugins). Instead, what WordPress did, through the team running their support forum (which is led by one of two people that also control the plugin team), is shut down and largely delete the discussion where users were helping each other to deal with the hacked websites.
The support forum moderator that shut down the discussion, Steve Stern, claimed the discussion wasn’t helping anyone:
Adding on to this topic is not really helping anyone, thus it is now closed.
That goes against what people in the thread were saying. Here is part of one reply:
Thanks for the thread
Here’s another:
Thanks for posting all of the details here.
And another:
I’m glad I found this thread as I did wonder if it was a plugin that had caused the issue and knowing that it was and that the new version should protect against it happening further is reassuring.
We can’t link to those comments, though, because Steve Stern or one of the other moderators deleted those, as well as most of the replies on the topic. So you have the moderators, whether intentionally or not, covering up that the WordPress community actually found this helpful, and they shut it down. This is far from the first time this has happened.
When replies are deleted, there is no sign that was done, but there are still remnants left, as the listing for the topic lists that there were 25 voices involved, but only 12 replies, which doesn’t add up.
You can also still see comments from the developers of the plugin replying to deleted replies.
So why would the moderators do that? The unfortunate explanation for the moderators’ inappropriate behavior seems to be that many of them are not mentally or psychologically well. But if that isn’t the case, then another troubling possibility is that they are cutting off the community from helping each other in order to help certain security companies, as this was part of Steve Stern’s message:
If you’re unable to clean your site(s) successfully, there are reputable organizations that can clean your sites for you. Sucuri and Wordfence are a couple.
(Based on our being brought in to re-clean hacked websites after Sucuri, they are not a reputable company to clean up hacked websites. Wordfence has promoted security practices that lead to these kinds of hacks.)
That behavior from the moderators goes against how they portray how the forum is handled.
Here was the same moderator, Steve Stern, a week ago, claiming that replies are rarely deleted:
I’m sorry but no. Unless it is an extreme case, posts and replies are not edited here.
Forum topics will only be edited or deleted if they represent a valid legal, security, or safety concern.
See https://wordpress.org/support/forum-user-guide/faq/#will-you-delete-my-post-once-the-problem-is-solved and https://wordpress.org/about/privacy/
What was deleted from that topic didn’t contain a “legal, security, or safety concern”, but did show that users were helping each other before a moderator stopped that.
If you read over the guidelines for the forum, you would think that helping others is the point of the forum. Here are some of the lines from that:
These forums are available to help you solve problems with WordPress as well as any themes or plugins hosted on the WordPress Directories.
Above all, users are expected to be kind, helpful, and respectful. Assume the best of people and try to make things better. Beyond just seeking solutions, users are encouraged to help others. If they know the answer to someone else’s question, it is greatly appreciated that they offer assistance. This is by no means mandatory, and no one is compelled to help anyone else.
The forums are here for providing users with a venue to get help with problems.
The last quote comes from a section titled “Do not spam”. The next line states that you shouldn’t be promoting on the forum:
In light of this, please refrain from using signatures, new topics, or responses to existing topics as a venue to promote your plugins, themes or services.
Apparently, it is okay for moderators to promote services, while restricting the community from helping each other. (Interestingly, the Guidelines previously had been written differently and the section was titled “Do Not Advertise or Promote Products”, but that didn’t stop the moderators from doing the same thing.)