Developers of Popular WordPress Security Plugins Make False Claim About Who Created Another Popular Plugin
Recently there was a change made with the WordPress Plugin Directory that should shed more light on who is actually behind WordPress plugins. There are problems with that, which led us to notice a clearly wrong claim made about who is the creator of a WordPress plugin with 300,000 installs.
With the even more popular Really Simple Security plugin, which has 4+ million installs, the plugin is listed on the plugin directory as being by Really Simple Plugins:
Following the link, you are taken to a user page for a user that has no plugins:
Something is wrong there. Here, by comparison, is how the page looks for a user with plugins:
We noticed that while we were trying to figure out what other plugins come from the developer of Really Simple Security, to add some security-related information to our Plugin Security Scorecard. Looking at plugins listed as being from one of the contributors to Really Simple Security, we noticed this claim for Burst Statistics, which has 300,000+ installs:
From the creators of UpdraftPlus, WP Optimize and All In One Security
Burst Statistics was created by experienced developers who also created:
* UpdraftPlus: WP Backup & Migration Plugin
* All-In-One Security (AIOS) – Security and Firewall
* WP-Optimize – Cache, Compress images, Minify & Clean database to boost page speed & performance
With a proven track record of providing top-notch, user-friendly solutions, you can trust that Burst Statistics meets the same high standards.
All three of those plugins have the owner listed as “David Anderson / Team Updraft.” They didn’t develop all three of those. Three years ago, we discovered that the ownership of All-in-One Security, under its previous name, All In One WP Security & Firewall, had changed hands without it being disclosed. It was rather concerning as the plugin has 1+ million installs. WP-Optimize was also created by someone other than the creators of the other two plugins. So what is going on there?
Part of the answer is that TeamUpdraft (which is presumably the same as Team Updraft) announced they had acquired Burst Statistics a week ago. So they didn’t create the plugin. While they made the announcement a week ago, on March 6 the text of the Burst Statistics page was changed to say they created it. That was done by the original developer of Really Simple Security.
Previously, the page for Burst Statistics made this claim about its creators:
From the creators of Really Simple SSL & Complianz
Burst Statistics was created by experienced developers who created Really Simple SSL & Complianz, with over 6,000,000 active installs combined. With a proven track record of providing top-notch, user-friendly solutions, you can trust that Burst Statistics meets the same high standards.
Considering that change was made more than a month before the announcement, it appears that again TeamUpdraft was hiding their ownership of a plugin for a while. They haven’t corrected the claim that they created the plugin.
It should go without saying that the developers of security plugins being dishonest is a significant problem, as trust is critical to security. It therefore shouldn’t be a surprise to hear that All-In-One Security (AIOS) and Really Simple Security haven’t been well secured and they don’t offer much security.