Warming from Wordfence – This plugin injects spam content

Do the authors have a response to this claim?

Wow, I just read the blog article at Wordfence. Cannot believe plugin developers can get away with this. I hope the WordPress repository maintainers remove and band this user.

It’s not a matter of a ‘claim’…It’s in the TOS.

———–
It turns out that this is not a hacked site. It is content that is injected by a plugin called 404 to 301 plugin which has 70,000 active installs and has a 4.5 star review from 56 reviewers. When you install the plugin it asks you to agree to a long agreement which includes parts of the GNU general public license. But at the end it also includes the following text (you have to scroll down to find it):

Third Party Text Links

Third party text networks supply text for display in 404 to 301. These networks may collect your visitors’ IP addresses, in native or hashed forms, for purposes of controlling the distribution of text links. 404 to 301 collects anonymous aggregated usage statistics.

By clicking the button here below, you agree to the terms and conditions and give permission to place text links on your website when search engine crawlers access it. Your website’s layout, performance and interaction with human visitors should not be altered or affected in any way. Please note that this feature can be deactivated at any time under 404 to 301 Setting > Help & Info > Plugin Information > Disable UAN, without affecting any other feature available in 404 to 301.

You can justify it any way you like but it’s still a shady practice considering most people don’t read the TOS. It’s a clear ethical violation of the user’s trust.

I hope you didn’t misunderstand, I’m not justifying it. I completely agree with you, this is why I posted it 4 times and 4 threads.

Hi all,

I confirm this code injection issue and removed the entire script related to tracking feature. It was being handled by one of my partner developer who made this changes in tracking.

I rectified that it was not a hacking attempt but was inserting links after you accept the TOC. I will make sure to check each lines of code before committing to wp.org in feature.

Please update the plugin to latest version, if you still believe in my work. I am sorry for the confusions and lack of responsibility.

Just stop using this plugin. Instead, make a 404.php file in your theme folder with the following code:

<?php header( 'Location: https://www.yoursite.com/' ) ; ?>

I know how irritating this is! I am sorry for that. I accept the mistake and I take the 100% responsibility. That is why I have immediately removed the entire tracking feature.

I will make sure that only I have the permission to commit the code in future.

immediately disconnected from 50 sites. It is a shame EVEN if you, the author, say NOW that you made a mistake.

I’m closing this topic.

Give this a read:

https://www.ads-software.com/support/topic/code-insertion-1?replies=8#post-8763060

People make mistakes and this has and is being dealt with in an appropriate manner.