Forum Replies Created

Viewing 1 replies (of 1 total)
  • Thread Starter cyrusos

    (@cyrusos)

    Hi @otto42

    Thank you for your explanation.

    I know that you are the developer of the WordPress Active Install check script and you are the right person that can help us regarding our concern.

    First, I should say that yes, I know that only plugins that use wp.org for updates will count as an active install. I checked some of the plugins and found some that are doubtful.

    Please let me know: if someone writes such fake request generator scripts, then he can send requests as normal requests too, so it is not possible for you to check whether it is a normal or a fake request.

    1. If you do not check the IP of requests, it will be so easy to send fake requests to the server, like using Tor IPs or residential IPs.
    2. I don't know if it is possible to send a request with a real site IP, but maybe a professional hacker can do it. He fakes a real site IP address and sends a request to the server by that site IP, so it will be as a normal site!
    3. He can send these requests to a bunch of plugins and you could not detect it and delete his plugin too!
    4. He can use this script to send fake requests to a plugin and when you check that plugin you will delete that plugin accidentally.
    5. You don't have any reporting system inside the plugins page, so users cannot report it. When someone reports it, first your scripts will check for fake active installs and then someone checks it again if it is suspicious.

    Please let me know your feedback.

    Thanks.
