Sunday, September 19, 2021

WordPress Plugin Spam

So to make a website these days, you actually need quite a lot. First you need a domain name. Next you’re going to need a place to host the site, and of course you are going to need a content manager. Unless you made it your life’s work, you probably didn’t code your own theme, and who the heck writes their own plugins? Basically in order to make a website you have to rely on the millions of hours of coding that came before you.

There are a lot of content managers out there today, but unless you want to spend way too much time to get less than mediocre results, you are probably going to go with WordPress. WordPress is running a full third of the internet, works fairly well, is very user friendly, has thousands upon thousands of “good enough” themes, and plugins as far as the eye can see. It is the obvious choice for many wanting to run their own websites.

However, there is a downside to being the hottest platform on the web. Ethically deficient code writers are having a field day by writing plugins that take a rather baleful approach to coding. Upon opening the plugin, you might be greeted with prompts to sign up with a service. This means a substantial portion of your website will rest on an indemnified third party, who will more than likely have a tiered system where the useful bits all require an expensive subscription.

Then there are the ones that use your site’s back end to promote their other software and services. Now I don’t mind a promotional sidebar on their own plugin’s settings page, but when you start placing your ads on my Dashboard or any other settings page, you have demonstrated that you are a piece of shit and your plugin needs to be deleted immediately.

The worst ones try to stop you from deactivating/deleting their plugin. I swear to god, one of them somehow managed to reinstall itself. This, quite frankly, is outright malicious code, but somehow they are still being promoted on the WordPress.org/plugins page with absolutely no way to know the good guys from the bad.

At the very least the plugins page should have some kind of key or legend to indicate the kind of plugin you are about to try out. Are they truly free? Are they committed to staying truly free? Is it software as a service? Does it require registration to work? Are there multiple service tiers that provide additional functionality? Is telemetry data being collected from your site, users, or visitors? Until the plugin is installed and activated, you really have no way of knowing what the actual terms are.

So basically, plugins are like phone apps but for WordPress, and like those apps there are a lot of privacy and security issues that make using them hazardous to anyone trying to run a website. What is most disturbing is the lack of any meaningful effort on the part of the WordPress Foundation to rein in bad actors using their platform to spread malicious code.
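Two of the behaviours described above, ads injected into every admin page and plugins that block their own deactivation, leave fingerprints in a plugin's PHP that can be checked before it ever goes live. The script below is an added example, not code from this post or from any plugin it mentions: it audits plugin source for `admin_notices` callbacks with no screen guard and for `plugin_action_links` filters that drop the Deactivate link. The hook names and `get_current_screen()` are real WordPress APIs; the two plugin sources are constructed samples, and the matching is regex based, so it only resolves closures and plain named-function callbacks and will not see method callbacks or obfuscated code.

```python
"""Static heuristic audit of WordPress plugin sources for two abuse patterns:
admin notices that render on every admin page (dashboard advertising) and
action-link filters that remove the Deactivate link. Regex based; closures
and named-function callbacks are resolved, array/method callbacks are skipped."""
import re

# add_action / add_filter call with a quoted hook name as first argument.
HOOK_RE = re.compile(r"""add_(?:action|filter)\(\s*(['"])([^'"]+)\1\s*,\s*""")
# Quoted named-function callback, e.g. 'pp_notice'.
NAME_RE = re.compile(r"""(['"])([\w\\]+)\1""")
# Anything that scopes a notice to a particular admin screen.
SCREEN_GUARD_RE = re.compile(r"get_current_screen|\$pagenow|\$hook_suffix")
# unset($links['deactivate']) with spacing/quote variants.
DEACTIVATE_RE = re.compile(r"""unset\(\s*\$\w+\[\s*['"]deactivate['"]\s*\]\s*\)""")

# Constructed sample sources (hypothetical plugins, not real ones).
SAMPLES = {
    "polite-plugin": '''<?php
/* Plugin Name: Polite Plugin (constructed sample) */
add_action('admin_notices', 'pp_notice');
function pp_notice() {
    $screen = get_current_screen();
    if (!$screen || $screen->id !== 'settings_page_polite-plugin') {
        return;  // only shown on its own settings page
    }
    echo '<div class="notice">Thanks for using Polite Plugin.</div>';
}
''',
    "pushy-plugin": '''<?php
/* Plugin Name: Pushy Plugin (constructed sample) */
add_action('admin_notices', function () {
    echo '<div class="notice">Upgrade to Pro today!</div>';  // every admin page
});
add_filter('plugin_action_links', 'pushy_links', 10, 2);
function pushy_links($links, $file) {
    if ($file === plugin_basename(__FILE__)) {
        unset($links['deactivate']);
    }
    return $links;
}
''',
}


def _block_after(src, start):
    """Return the brace-delimited block beginning at the first '{' at or after start."""
    i = src.find("{", start)
    if i < 0:
        return ""
    depth = 0
    for j in range(i, len(src)):
        if src[j] == "{":
            depth += 1
        elif src[j] == "}":
            depth -= 1
            if depth == 0:
                return src[i:j + 1]
    return src[i:]  # unbalanced braces: return what is there


def _callback_body(src, pos):
    """Body of the callback passed at src[pos:]: a closure or a named function."""
    rest = src[pos:].lstrip()
    if rest.startswith("function"):
        return _block_after(src, pos)
    m = NAME_RE.match(rest)
    if not m:
        return ""  # array/method callback: not resolved by this heuristic
    decl = re.search(r"function\s+" + re.escape(m.group(2)) + r"\s*\(", src)
    return _block_after(src, decl.end()) if decl else ""


def audit_plugin(src):
    """Return a list of findings (strings) for one plugin's PHP source."""
    findings = []
    for m in HOOK_RE.finditer(src):
        hook = m.group(2)
        body = _callback_body(src, m.end())
        if not body:
            continue  # unresolved callback; review by hand
        if hook == "admin_notices" and not SCREEN_GUARD_RE.search(body):
            findings.append("admin_notices callback has no screen guard; "
                            "its notice renders on every admin page")
        if hook.startswith("plugin_action_links") and DEACTIVATE_RE.search(body):
            findings.append("plugin_action_links filter removes the Deactivate link")
    return findings


def audit_all(sources):
    """Map plugin slug -> findings for a dict of {slug: php_source}."""
    return {slug: audit_plugin(src) for slug, src in sources.items()}


if __name__ == "__main__":
    for slug, findings in audit_all(SAMPLES).items():
        print(slug, "->", findings or ["no findings"])
```

To run it against a real install, read each plugin directory's PHP files into the `sources` dict keyed by plugin slug. Findings are leads for manual review rather than verdicts: a notice without a screen guard may still be legitimate (a one-time activation message, for instance), and a plugin that hides its Deactivate link in a way this regex does not match will pass silently.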


Kudos

Speaking of bad actors, I had several submissions this week from a spammer. Nice try, but I review the submissions in the text editor, so your poisonous hyperlinks have no power here.

A happy thank you to TOR for his contributions, and of course we can all thank reddit for filling out this week’s jokes. As usual, the submission page is ready to receive any jokes you would like to include (and apparently spam as well), so keep ’em coming!

I think it’s really important for the independent web to have a platform, and to the extent that WordPress can serve that role, I think it’s a great privilege and responsibility. — Matt Mullenweg

Pax,

-f2x
