Is That WordPress Plugin Update Really MALWARE Instead? How to check.

Share Button


Today is wondrous Sunday!  The day I was supposed to (get this, I hope you're sitting down) "rest" (OMG!) and "take a break"  (Jeepers, say it ain't so!)

And I was, honestly and truly.

I really was!


Until I read this chilling post, and realized – I simply *have* to alert my readers.

BlogPress SEO: solved

Now, Yoast is beyond brilliant when it comes to WordPress; his blog is something you simply must follow (you can subscribe by email here or grab his RSS feed here).

Anywhos, there I was, blissfully consuming my 34th cup of coffee, wrapped up in my nice fluffy blue 21 year old house coat (funny how you just cannot get rid of down-home comforts, eh?) and simply enjoying my 4am.

I'll bet you're familiar with my state of being, right? 

After all, imagine that you had just awakened, your family was still happily asleep so you could (sit down again, another impossible scenario is steamrolling to you this instant) get some work done, and you fire up your feedreader.

Figuring that you'd start checking out what your peers were writing, you calmly scroll through your entries and then you read…..THIS.

…I thought BlogPress SEO was bad, turns out, it's worse. It's malware. I had already discovered that it sent the admin email to the plugin's author, but today, mtekk uncovered that it was adding an option to log in, solely with that email address. Yes that's bad. I checked out the plugin code again, and noticed something that could solve all this….MORE….

Now, I don't know about you, but put the words:

  • malware


  • admin email


  • wordpress plugin

all together, and you've concocted a sure-fire recipe for me to leap up in a state of extreme agitation (without spilling a drop of coffee, mind you, I'm not that hopeless) and shriek to the monitor:

"Jeepers self, shall I covertly panic now or in 2 seconds?"

Luckily sanity did prevail (raising a passel of kids and mooses and Twitter Budgies does that for me) and I continued reading.

Here's what happened.

NOTE!1.)  A WordPress plugin was created on a site that promised:

We have developed a superb wordpress plugin which can actually get 100's of backlinks like crazy, all on autopilot.  As soon as you install the plugin, the plugin will find all relevant blogs in the network which are similar to your niche. So if you write about dogs then the plugin will find all blogs which talk about dogs. Once the plugin find the relevant blogs, it will mutually exchange links between the blogs. So if you have 300 posts in your blog then it will find 300 similar posts in the network, and in turn mutually links with those posts. So you will get around 300 backlinks right away. The more you write the more backlinks will be found by the plugin for your posts. This is a ongoing process and I can assure you that you will see gradual increase in traffic over time. ….MORE…..

NOTE!2.)  The download was from the original site, NOT the WordPress plugin repository.

In other words, that made sure no security checks were possible.

Can you say," Danger Will Robinson?"

NOTE!3.)  The BlogPress SEO plugin was written to steal your admin login info AND make it possible to login to your WordPress blog without a password.

To quote  Yoast :

Update: It get's worse. As pointed out by this post, BlogPress SEO is pure malware, as it contains a function that allows someone who knows your admin email address (you know, the one they just sent to themselves when you installed the plugin) to log in without a password… That's purely criminal.

That post was written by mtekkmonkey, that blog can be found over at M'tekk's Crib  and the feed is here (definitely add!).

So I'll bet you're wondering just what mistake the plugin author made?

You'll love this:

NOTE!4.)  The BlogPress SEO WordPress plugin author wrote to BOTH Yoast AND mtekkmonkey and asked for a review.




Wow wow wow wow.

But here's a quick fix Yoast inflicted on that malware BlogPress WordPress Plugin!

This is sheer brilliance.

…With permission, he made a blank plugin by the same name over at the WordPress Repository that simply had a higher version number.

To wit:

With the help of Andrew Nacin, I registered blogpressseo as a plugin on, created an empty plugin file with the same name and a higher version number, added a readme.txt with an upgrade notice, and uploaded it to….

I had already installed the plugin on my blog (well, an empty version of it, just the headers), so I could test it, and low and behold, it worked…

It's a primitive form of a kill switch (which I wish WordPress had, but it's better than nothing). The funny thing is: we'll now also be able to see how many people are running this plugin and how many of them upgrade. So far, 26 people have been saved!…MORE….

Wasn't that smart of him?

Which brings me now to:

What *you*, gentle reader, need to do *now*

If you've installed the Blogpress SEO plugin, *uninstall* it now.

Change your admin password.

And tell all of your network about this problem (feel free to point them to this site if needed).

In closing

When finding a nifty-neato WordPress plugin, you need to search for it FIRST on Google like so:

to see if anyone has experienced any problems already. 


An educated blogger is always the best kind of blogger!

And one last thing:

Ideally, always and only download WordPress plugins from the official WordPress Plugin Repository.

While it's still no absolute guarantee of safety, it's as near as that as you can get.

Want more information?  Check out:

Hope you found this article useful!   It sure caught my attention, indeed.

Grow strong,

Barbara Ling

About the author

Barbara Author: Barbara Ling. 17+ Year veteran marketing entrepreneur, currently specializing in teaching others how to build a viral fanbase/community online using Facebook, Pinterest, blogging, coffee (lots of coffee, or maybe tea if that's your preference) and more! See my Google Profile here!

Share Button

And don't forget...

My Best Picks

Looking for the best Authority groups/masterminds/goodies online? Here are my favs:

And don't forget our FB Perking Up Profits Group as well - the best powerful friendly Authority Marketing Group around!

  1. Thank you, Barbara! I was just about to have my first cup of coffee when this popped up on TweetDeck.
    The nerve of some people, right?
    This sounds suspiciously like another plugin I "heard" about. I don't want to be sued for defamation of code, so I will just take your advice and do my due diligence.
    Enjoy the day!

  2. Wow Barbara
    There are definite advantages to not being a techie lol   For one, I don't upgrade anything without checking with my techie frineds.  Glad you are alerting everyone.  thanks Barbara.
    Patricia  Perth Australia

  3. So far I've restrained myself to downloading and installing plugins ONLY through the built-in WordPress utility.  (and done enough damage just whith those!) Boy am I glad I didn't run into THAT one.  Thanks for the heads-up… I'm off to paint this warning in my barn.

  4. The plugin is in its early stages but has been tested thoroughly on a number of blogs. It may not work on all blogs especially those that use complex themes and javascript implementations. Plugins can extend WordPress to do almost anything you can imagine. In the directory you can find, download, rate, and comment on all the best plugins the WordPress community has to offer. Plugins offer custom functions and features so that each user can tailor their site to their specific needs.

    • Beautiful comment – amazing that the same comment is on 38 thousand other sites.

      I’ve removed your site and such from your comment – I welcome your input but not solely to get your link on my site. Please come back and become a valued member of the community instead, okay? I’m happy to have your Beagle training link in that case. Thanks!

  5. You certainly know how to wake up a sleepy Wednesday afternoon here in New Zealand! Nearly fell off my chair!
    Thank goodness I hadn't used that plugin but it does open up the whole "how safe are these dern things" question.  It's easy to think that each shiny new plugin should be greeted with glee and promptly installed.  I'd never considered that perhaps I should be doing due diligence on them first.
    Thanks for the heads-up.

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>