After installing a plugin recently (ShareThis) from the WordPress plugins directory, I decided that it wasn’t what I expected so I deactivated and then uninstalled it. Guess what? Not only is there still a “ShareThis” tracker running in the background on my site, but the elements are still on my page. This plugin is MALWARE at this point. Why is it still in the directory? Better yet, does anyone have any idea how I can actually get rid of it? I contacted the developer through the support forum to no avail (surprise!).
*Drinks coffee and moves topic*
Those plugins are software as a service. That means the plugins are interfaces to those other companies’ servers. That’s allowed and the code for the plugin is 100% GPL compatible.
The code on their servers may not be but again, that’s allowed as software as a service.
I’m not being glib here: if you don’t like their service then do not use their plugin.
I decided that it wasn’t what I expected so I deactivated and then uninstalled it. Guess what? Not only is there still a “ShareThis” tracker running in the background on my site, but the elements are still on my page.
If you are not getting help from the plugin author then Fixing WordPress (this forum) is the place to ask for help.
What is the URL of your site?
spyware (spī′war′)
n. Software that secretly gathers information about a person or organization. (Check!)
n. Any malicious software that is designed to take partial or full control of a computer’s operation without the knowledge of its user. (Check! — in that it can’t be removed or stopped)
I think I may not have been quite clear. The ShareThis plugin installed non-removable VISUAL elements on my page and in my code — see screenshots below. When I say non-removable I mean they persist after so-called uninstall, and that is definitely NOT okay. This is doubly true in this case, where it was not disclosed that elements and code would be permanent even after “uninstall” — that’s ridiculous.
I’m trying to make someone higher up aware of this thing because there’s no way this should be allowed in the official WP plugins directory. I could understand if it were a plugin I had downloaded from a third-party website, but I got this right here on WP.org and that is so wrong.
Visual elements still on page
Code still in page source
Active tracker
Plugin not installed
I’m trying to make someone higher up aware of this thing because there’s no way this should be allowed in the official WP plugins directory.
Feel free to contact the Plugins team via [email protected] if you like. Please don’t be disappointed if they explain Software as a service again.
When I say non-removable I mean they persist after so-called uninstall, and that is definitely NOT okay.
That would be correct, if it was true. It’s not. Removing the plugin removes the code for it as well. Checked. Tested.
Now, you may have some aggressive caching happening on your site. Not uncommon for full-page HTML caching to exist. With aggressive caching, when you change the content of your site, you need to clear the cache to see changes occur. That’s the most likely explanation.
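A way to test the caching explanation given above, as an added example that is not part of the original thread: given the headers and HTML of a fetched page, it reports whether the leftover markup comes from a stale cached copy or is still being generated on each request. The marker string `sharethis`, the header names and the cache-plugin footer strings are assumptions chosen as common signatures, and the sample responses are constructed.

```python
# Added example: tell a stale full-page cache apart from markup that is still generated live.
CACHE_FOOTERS = (            # HTML comments typical of WordPress page-cache plugins (assumed list)
    "cached page generated by wp-super-cache",
    "performance optimized by w3 total cache",
)

def cache_evidence(headers, body):
    """List the signs that a response was served from a cache."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    signs = []
    if h.get("cf-cache-status", "").upper() == "HIT":
        signs.append("CF-Cache-Status: HIT")
    if "hit" in h.get("x-cache", "").lower():
        signs.append("X-Cache: HIT")
    age = h.get("age", "0")
    if age.isdigit() and int(age) > 0:
        signs.append("Age: " + age)
    lowered = body.lower()
    signs += ["footer: " + f for f in CACHE_FOOTERS if f in lowered]
    return signs

def diagnose(headers, body, marker="sharethis"):
    """Return 'clean', 'stale-cache' or 'live-residue' for one fetched page."""
    if marker.lower() not in body.lower():
        return "clean"          # the removed plugin's markup is gone
    # Marker present: a cache hit means an old copy; otherwise it is rendered per request.
    return "stale-cache" if cache_evidence(headers, body) else "live-residue"

# Constructed sample responses (not captured from any real site).
CACHED = ({"X-Cache": "HIT", "Age": "86400"},
          '<script src="//example.invalid/sharethis.js"></script>')
FOOTER = ({}, '<div class="sharethis-buttons"></div>\n'
              '<!-- Cached page generated by WP-Super-Cache on 2000-01-01 -->')
LIVE = ({"X-Cache": "MISS", "Age": "0"}, '<div class="sharethis-buttons"></div>')
PURGED = ({"X-Cache": "MISS"}, "<p>Hello world</p>")

if __name__ == "__main__":
    for name, (hdrs, html) in [("cached", CACHED), ("footer", FOOTER),
                               ("live", LIVE), ("purged", PURGED)]:
        print(name, diagnose(hdrs, html), cache_evidence(hdrs, html))
```

A `stale-cache` result should turn into `clean` after the cache is purged; `live-residue` means the cache is not the explanation for that page.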