Interesting new kind of WordPress Plugin Spam

There seems to be a new way of luring users of WordPress to spam sites: WordPress Plugin Spam.

Like most other plugin authors I regularly check what others are saying about them (actually I have a Google Alert set on the names). The other day I received an e-mail from this service telling me that there is a new fork of my pagebar plugin called Advanced pagebar. Hey cool, someone built a new plugin based on my code.

The plugin was called “Advance Pagebar – New way to navigate Pages …”. Surprisingly the link “http://wordpress.org/extend/plugins/advance-pagebar/” did not work. What the heck?

After consulting my favourite search engine I finally grabbed a copy of the suspicious plugin (link omitted intentionally).

The “author” of this new plugin did not change much. First he adapted the plugin header:

Original header:

Plugin Name: Pagebar2
Plugin URI: http://www.elektroelch.de/hacks/wp/pagebar
Description: Adds an advanced page navigation to WordPress.
Version: 2.59
Author: Lutz Schröer
Author URI: http://elektroelch.de/blog

Changed header:

Plugin Name: Advance Pagebar
Plugin URI: http://***.com/advance-pagebar/
Description: For using the plugin, read the Advance PagebarInstruction Page .Adds an advanced page navigation to WordPress.
Version: 6.143.3
Author: Lutz Schröer
Author URI: http://***.com/

(The three stars replace the original address.)

Great stuff, he didn’t even change my name! By using the high version number “6.143.3” the spammer wants to pretend that it’s a mature plugin.

Additionally he changed the readme.txt file:

Original:

=== pagebar ===
Contributors: Lutz Schroeer
Donate link: http://elektroelch.de
Tags: navigation, navi, page, comments
Requires at least: 2.7
Tested up to: 3.01
Stable tag: trunk

Fake:

=== Advance Pagebar - New Way to Navigate Pages ===
Contributors: Lutz Schroeer
Donate link: http://111waystomakemoney.com/donate/
Tags: admin, plugin, footer, links, copyright, administration, blog,Google Adsense, WordPress,Plugin,widget,post,plugin,admin,sidebar,comments,images,twitter,page,google,links,image,ad,admin,administration,ads,adsense,advertising,affiliate,AJAX,amazon,analytics,anti-spam,api,archive,atom,audio,authentication,author,automatic,Avatar,blog,blogroll,book,bookmark,bookmarking,bookmarks,buddypress,button,calendar,captcha,categories,category,cms,code,comment,comments,community,contact,content,counter,CSS,custom,dashboard,database,date,del.icio.us,delicious,Digg,edit,editor,email,embed,event,events,excerpt,Facebook,feed,feeds,filter,flash,flickr,form,Formatting,gallery,google,google,maps,html,image,images,integration,iphone,javascript,jquery,language,lightbox,link,links,list,login,mail,manage,maps,media,menu,meta,mobile,mp3,music,myspace,navigation,News,nofollow,notification,page,pages,password,paypal,performance,permalink,photo,photos,php,picture,pictures,plugi,plugins,Post,posts,profile,quotes,random,Reddit,redirect,register,registration,related,rss,scroll,search,security,seo,Share,sharing,shortcode,sidebar,simple,slideshow,social,social,bookmarking,social,media,spam,statistics,stats,Style,tag,tags,technorati,template,text,theme,themes,thumbnail,time,TinyMCE,title,tracking,tweet,twitter,update,upload,url,user,users,video,widget,widgets,wordpress,wpmu,xml,yahoo,youtube navigation, navi, page, comments

Requires at least: 2.7
Tested up to: 3.01
Stable tag: trunk

Hey, that guy must be an SEO expert (No offense, Yoast!).

Original:

Pagebar adds a nice page bar to your blog posts, multipaged posts and paged comments:
 

Fake:

Pagebar adds a nice page bar to your blog posts, multipaged posts 

For detailed description of the plugin visit plugin page at [Advance Pagebar](http://111waystomakemoney.com/advance-pagebar/).

The spammer also added additional text to the readme.txt:

**Demo:**
demo: [Advance Pagebar Demo](http://***.com/advance-pagebar/).

Warm Regards,
Rahul  

[Advance Pagebar](http://***.com/advance-pagebar/).

What a nice guy: Warm Regards! And his name is Rahul? That’s Indian, isn’t it?

Finally he changed the changelog:

== Changelog ==
= 6.143.3 =

* initial release

Version 6.143.3 is the initial release? Sure!
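The tells described so far (links moved off the author's own site while the author name stays, a keyword-stuffed Tags line, a high version number labelled "initial release") can be checked mechanically before installing a plugin obtained outside the official repository. The following is an added example, not code from the original post or the plugin; the host allow-list, the tag threshold and the sample data are assumptions, and `spam.example` stands in for the masked address.

```python
import re
from urllib.parse import urlparse

# Constructed samples modelled on the excerpts quoted above; "spam.example"
# stands in for the address the post masks with "***".
ORIGINAL = ("Plugin Name: Pagebar2\nPlugin URI: http://www.elektroelch.de/hacks/wp/pagebar\n"
            "Version: 2.59\nAuthor URI: http://elektroelch.de/blog\n",
            "=== pagebar ===\nDonate link: http://elektroelch.de\n"
            "Tags: navigation, navi, page, comments\nStable tag: trunk\n")
FAKE = ("Plugin Name: Advance Pagebar\nPlugin URI: http://spam.example/advance-pagebar/\n"
        "Version: 6.143.3\nAuthor: Lutz Schröer\nAuthor URI: http://spam.example/\n",
        "=== Advance Pagebar ===\nDonate link: http://spam.example/donate/\n"
        "Tags: " + ",".join(f"keyword{i}" for i in range(180)) + "\nStable tag: trunk\n\n"
        "== Changelog ==\n= 6.143.3 =\n\n* initial release\n")
# Assumption: the reviewer lists the hosts the claimed author really uses.
KNOWN_HOSTS = ("elektroelch.de", "wordpress.org")

def fields(text):
    """Parse the 'Key: value' lines used by plugin headers and readme.txt."""
    pairs = re.findall(r"^([A-Za-z ]+):[ \t]*(.*)$", text, re.M)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def on_known_host(url, known_hosts):
    host = (urlparse(url).hostname or "").lower()
    return any(host == k or host.endswith("." + k) for k in known_hosts)

def audit(header, readme, known_hosts, max_tags=12):
    """Return (indicator, detail) pairs; max_tags is an assumed threshold."""
    found = []
    meta = {**fields(readme), **fields(header)}
    # 1. Links that leave the claimed author's own sites or wordpress.org.
    for key in ("plugin uri", "author uri", "donate link"):
        if key in meta and not on_known_host(meta[key], known_hosts):
            found.append(("offsite-link", key))
    # 2. Keyword-stuffed Tags line in readme.txt.
    tags = [t for t in meta.get("tags", "").split(",") if t.strip()]
    if len(tags) > max_tags:
        found.append(("tag-stuffing", str(len(tags))))
    # 3. A changelog entry above major version 1 described as "initial release".
    m = re.search(r"^=\s*((\d+)[\d.]*)\s*=\s*\*\s*initial release", readme, re.I | re.M)
    if m and int(m.group(2)) > 1:
        found.append(("inflated-initial-release", m.group(1)))
    return found

if __name__ == "__main__":
    for indicator in audit(*FAKE, KNOWN_HOSTS):
        print(indicator)
```
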

If you look at other files you can see that the spammer simply replaced all occurrences of pagebar2 with Advance Pagebar:

Original:

if (!empty($_POST ['pagebar2update'])) {

Fake:

if (!empty($_POST ['Advance Pagebarupdate'])) {

The spammer also likes to put some links into the settings and he also got a donation page. How cute!

For More Useful Plugins Visit:WordPress Plugins

If u like the plugin please Donate:Plugin Donation Page

For Instructions Visit:Plugin Page

He actually put some work into the fake plugin! At the end he added an index.html file to the plugin directory, for whatever reason:

WordPress Advance Pagebar - New Way To Navigate Pages Plugin

Advance Pagebar - New Way To Navigate Pages Plugin

Pagebar adds a nice page bar to your blog posts, multipaged posts For detailed description of the plugin visit plugin page at Advance Pagebar. Author: Lutz Schroeer Tags: ad, admin, administration, ads, adsense, advertising, affiliate, AJAX, amazon, analytics, anti-spam, api, archive, atom, audio, authentication, author, automatic, Avatar, blog, blogroll, book, bookmark, bookmarking, bookmarks, buddypress, button, calendar, captcha, categories, category, cms, code, comment, comments, community, contact, content, copyright, counter, CSS, custom, dashboard, database, date, del.icio.us, Digg, edit, editor, email, embed, event, events, excerpt, Facebook, feed, feeds, filter, flash, flickr, footer, form, Formatting, gallery, google, google adsense, html, image, images, integration, iphone, javascript, jquery, language, lightbox, link, links, list, login, mail, manage, maps, media, menu, meta, mobile, mp3, music, myspace, navi, navigation, News, nofollow, notification, page, pages, password, paypal, performance, permalink, photo, photos, php, picture, pictures, plugin, plugins, Post, posts, profile, quotes, random, Reddit, redirect, register, registration, related, rss, scroll, search, security, seo, Share, sharing, shortcode, sidebar, simple, slideshow, social, spam, statistics, stats, Style, tag, tags, technorati, template, text, theme, themes, thumbnail, time, TinyMCE, title, tracking, tweet, twitter, update, upload, url, user, users, video, widget, widgets, wordpress, wpmu, xml, yahoo, youtube navigation Click for Beautiful WordPress Plugins

There is a link to the WordPress plugins page. Really? No! (Therefore I added three strokes to the domain.) The spammer actually registered a domain to perfect his fraud. This page lists some other plugins which are infected the same way but their names aren’t changed. What an honour for pagebar! I think I should inform the authors about this spam attack.

The spam page

Brave as I am I visited the site which the spammer links to:

Looks like a regular site about WordPress plugins. The source of the page does not contain any suspicious JavaScript or Flash. Further down there is even real content:

Looks like actual content. As you can see, there are even some comments on the posts:

  • John says:
    September 8, 2010 at 8:27 am

    hey man, nice blog…really like it and added it to bookmarks. keep up with good work

  • Anton Dirksma says:
    September 8, 2010 at 10:46 am

    Hey, very nice website. I actually came across this on Bing, and I am happy I did. I will definately be coming back here more often. Wish I could add to the conversation and bring a bit more to the table, but am just absorbing as much info as I can at the moment. Thank You


The list goes on like this. At first glance the comments look genuine, but if you inspect the content and the commenting times a bit closer you’ll realize that these were created automatically.

Backstage

So who’s behind this? Let’s consult nic.com:

Registrant:
111waystomakemoney

hyderabad
india
hyderabad, Andhra Pradesh 500016
India

Registered through: GoDaddy.com, Inc. (http://www.godaddy.com)
Domain Name: 111WAYSTOMAKEMONEY.COM
Created on: 30-Aug-10
Expires on: 30-Aug-11
Last Updated on: 30-Aug-10

As I suspected it’s a guy from India (Rahul is a very common name in Bollywood films). It gets really funny if you enter the address in Google Maps: it’s the Begumpet Airport. LOL!

Conclusion

Altogether it’s still spam but this is a small step further. The common WP user does not expect spam inside of plugins and, if I get the GPL right, there’s nothing you can do about it. All of the captured plugins are released under the GPL. Everybody can do almost anything with them as long as he re-releases them under the GPL. This spammer does nothing illegal and even if he did, what are the chances of stopping him? NIL. The only thing we can do is to keep an eye on the site and to warn the affected original authors.

Wait, there’s another thing we can do: Thank the team of Automattic for removing such spam plugins from the official plugin site rapidly!


Comments

4 responses to “Interesting new kind of WordPress Plugin Spam”

  1. lisa white

    This fucker got me!

    how do i remove it from my blog? Just delete the plugins?

    1. Simply delete the plugin and load the original one from the official plugin repository (http://wordpress.org/extend/plugins/). Always get your plugins from the official site unless you really trust the author of a site.

  2. Yeah, great post. The guy got my plugin too (WP Greet Box). I’m thinking of adding some kind of backdoor that will only trigger on unauthorized uses. But then that would put users at risk, so I don’t want to do that. Now… if only he uses one of our plugins on his own site, we can backdoor the bastard and kill his entire site from the inside-out. Just a thought…

  3. very useful post for me and by Google Maps we can find location easily
    For more information : http://www.labstech.org/embedding-google-maps-html-2014-06-18/
