The SI CAPTCHA Anti-Spam plugin has been removed from the WordPress Directory due to its author including spam code. The plugin added a CAPTCHA image test to WordPress forms to prevent spam and was compatible with forms generated by bbPress, BuddyPress, Jetpack, and WooCommerce. It had more than 300,000 active installs at the time of removal.
Mike Challis, the original author of the plugin, said that a WordPress.org user named “fastsecure” became the new owner of SI CAPTCHA Anti-Spam in June 2017. Challis was not aware of the new owner’s plans for the plugin but posted a notice on the WordPress.org support forums to inform users about why it was removed.
“The new owner attempted to put code in several of his newly acquired WordPress plugins that would connect to a 3rd party server he also owned and place spam ads for payday loans and such in the WP posts,” Challis said. He also linked the incident to a ring of WordPress plugins that researchers at Wordfence say were part of a coordinated spam campaign. Display Widgets, one of the most notable plugins in this group, was recently permanently removed from WordPress.org for a series of violations wherein the author had injected malicious code.
Challis said the new owner failed to display any spam on sites due to how the code was implemented, but the code could have been activated at a later time:
The new owner put spam code in versions 3.0.1 and 3.0.2 but it failed to display any spam because he put the code in the secureimage.php file. The malicious code required WordPress libraries to also be loaded to execute. The reason the spam code did not do anything at all is because the secureimage.php file is not included in the WordPress run time environment. The secureimage.php file is included from another file securimage_show.php that loads the captcha image directly from html img src outside of the WordPress run time. The spam code in this plugin was never activated, it would not have corrupted your posts or changed anything in the WordPress database.
SI CAPTCHA Anti-Spam users who still have the plugin installed may see an update available in the WordPress admin. Plugin team member Samuel (Otto) Wood removed the malicious code and released 3.0.3 as a clean version that is a safe update for users who still rely on the plugin. Wood recommends users find an alternative, because SI CAPTCHA Anti-Spam will not be re-listed in the directory or receive any future updates.
The incident is another reminder for users to be on alert when WordPress.org plugins change hands, as the buyers do not always disclose their actual intentions for the plugin. Users in search of an alternative to SI CAPTCHA Anti-Spam will find many alternative options on WordPress.org. AntiSpam by CleanTalk, Simple Google reCAPTCHA, and CAPTCHA Code are a few examples that may work as replacements, depending on what other plugins you need the anti-spam capabilities to support.