
WPTavern: SI CAPTCHA Anti-Spam Plugin Permanently Removed from WordPress.org Due to Spam Code


The SI CAPTCHA Anti-Spam plugin has been removed from the WordPress Directory due to its author including spam code. The plugin added a CAPTCHA image test to WordPress forms to prevent spam and was compatible with forms generated by bbPress, BuddyPress, Jetpack, and WooCommerce. It had more than 300,000 active installs at the time of removal.

Mike Challis, the original author of the plugin, said that a WordPress.org user named “fastsecure” became the new owner of SI CAPTCHA Anti-Spam in June 2017. Challis was not aware of the new owner’s plans for the plugin but posted a notice on the WordPress.org support forums to inform users about why it was removed.

“The new owner attempted to put code in several of his newly acquired WordPress plugins that would connect to a 3rd party server he also owned and place spam ads for payday loans and such in the WP posts,” Challis said. He also linked the incident to a ring of WordPress plugins that researchers at Wordfence say were part of a coordinated spam campaign. Display Widgets, one of the most notable plugins in this group, was recently permanently removed from WordPress.org for a series of violations wherein the author had injected malicious code.

Challis said the new owner failed to display any spam on sites due to how the code was implemented, but the code could have been activated at a later time:

“The new owner put spam code in versions 3.0.1 and 3.0.2 but it failed to display any spam because he put the code in the secureimage.php file. The malicious code required WordPress libraries to also be loaded to execute. The reason the spam code did not do anything at all is because the secureimage.php file is not included in the WordPress run time environment. The secureimage.php file is included from another file securimage_show.php that loads the captcha image directly from html img src outside of the WordPress run time. The spam code in this plugin was never activated, it would not have corrupted your posts or changed anything in the WordPress database.”

SI CAPTCHA Anti-Spam users who still have the plugin installed may see an update available in the WordPress admin. Plugin team member Samuel (Otto) Wood removed the malicious code and released 3.0.3 as a clean version that is a safe update for users who still rely on the plugin. Wood recommends users find an alternative, because SI CAPTCHA Anti-Spam will not be re-listed in the directory or receive any future updates.

The incident is another reminder for users to be on alert when WordPress.org plugins change hands, as the buyers do not always disclose their actual intentions for the plugin. Users in search of an alternative to SI CAPTCHA Anti-Spam will find many options on WordPress.org. AntiSpam by CleanTalk, Simple Google reCAPTCHA, and CAPTCHA Code are a few examples that may work as replacements, depending on which other plugins you need the anti-spam capabilities to support.



Source: WordPress
