Interesting new kind of WordPress Plugin Spam

There’s seems to be a new way of luring users of WordPress to spam sites: WordPress Plugin Spam.

Like most other plugin authors I regularly check what others are saying about them; actually I have a Google Alert set on the names). The other day I received an an e-mail from this service telling me that there is a new fork of my pagebar plugin called Advanced pagebar. Hey cool, some one build a new plugin based on my code.

The plugin was called  “Advance Pagebar – New way to navigate Pages …”. Surprisingly the link “” did not work. What the heck?

After consulting my favourite search engine I finally grabbed a copy of the suspicious plugin (link omitted intentionally).

The “author” of this new plugin changed not much. First he adapted the plugin header:

Original header:

Plugin Name: Pagebar2
Plugin URI: http:
Description: Adds an advanced page navigation to WordPress.
Version: 2.59
Author: Lutz Schröer
Author URI:

Changed header:

Plugin Name: Advance Pagebar
Plugin URI: http://***.com/advance-
Description: For using the plugin, read the  Advance PagebarInstruction Page  .Adds 
an advanced page navigation to WordPress.
Version: 6.143.3
Author: Lutz Schröer
Author URI: http://***.com/

(The three stars was the original address.)

Great stuff, he didn’t even change my name! By using the high version number “6.143.3” the spammer wants to pretend that it’s a mature plugin.

Additionally he changed the readme.txt file:


=== pagebar ===
Contributors: Lutz Schroeer
Donate link:
Tags: navigation, navi, page, comments
Requires at least: 2.7
Tested up to: 3.01
Stable tag: trunk


=== Advance Pagebar - New Way to Navigate Pages ===
Contributors: Lutz Schroeer
Donate link:
Tags: admin, plugin, footer, links, copyright, administration, blog,Google Adsense, 
eo,widget,widgets,wordpress,wpmu,xml,yahoo,youtube navigation, navi, page, comments

Requires at least: 2.7
Tested up to: 3.01
Stable tag: trunk

Hey, that guy must me an SEO expert (No offense, Yoast!).


Pagebar adds a nice page bar to your blog posts, multipaged posts and 
paged comments:


Pagebar adds a nice page bar to your blog posts, multipaged posts 

For detailed description of the plugin visit plugin page at [Advance Pagebar](http:

The spammer also added additional text to the readme.txt

demo: [Advance Pagebar Demo](http:

Warm Regards,

[Advance Pagebar](http://***.com/advance-

What a nice guy: Warm Regards! And his name is Rahul? That’s Indian, isn’t it?

Finally he changed the changelog:

== Changelog ==
= 6.143.3 =

* initial release

Version 6.142.3 is the initial release? Sure!

If you look at other files you can see that the spammer simply changed all occurrences of pagebar2 with Advance pagebar


if (!empty($_POST ['pagebar2update'])) {


if (!empty($_POST ['Advance Pagebarupdate'])) {

The spammer also like to put some links into the settings and he also got a donation page. How cute!

For More Useful Plugins Visit:WordPress Plugins

If u like the plugin please Donate:Plugin Donation Page

For Instructions Visit:Plugin Page

He actually put some work into the fake plugin! At the end he added an index.html file to the plugin directory, for whatever reason:

WordPress Advance Pagebar - New Way To Navigate Pages Plugin

Advance Pagebar - New Way To Navigate Pages Plugin

Pagebar adds a nice page bar to your blog posts, multipaged posts For detailed description of the plugin visit plugin page at Advance Pagebar. Author: Lutz Schroeer Tags: ad, admin, administration, ads, adsense, advertising, affiliate, AJAX, amazon, analytics, anti-spam, api, archive, atom, audio, authentication, author, automatic, Avatar, blog, blogroll, book, bookmark, bookmarking, bookmarks, buddypress, button, calendar, captcha, categories, category, cms, code, comment, comments, community, contact, content, copyright, counter, CSS, custom, dashboard, database, date,, Digg, edit, editor, email, embed, event, events, excerpt, Facebook, feed, feeds, filter, flash, flickr, footer, form, Formatting, gallery, google, google adsense, html, image, images, integration, iphone, javascript, jquery, language, lightbox, link, links, list, login, mail, manage, maps, media, menu, meta, mobile, mp3, music, myspace, navi, navigation, News, nofollow, notification, page, pages, password, paypal, performance, permalink, photo, photos, php, picture, pictures, plugin, plugins, Post, posts, profile, quotes, random, Reddit, redirect, register, registration, related, rss, scroll, search, security, seo, Share, sharing, shortcode, sidebar, simple, slideshow, social, spam, statistics, stats, Style, tag, tags, technorati, template, text, theme, themes, thumbnail, time, TinyMCE, title, tracking, tweet, twitter, update, upload, url, user, users, video, widget, widgets, wordpress, wpmu, xml, yahoo, youtube navigation Click for Beautiful WordPress Plugins

There a link to the WordPress plugins page. Really? No! (Therefore I added three strokes to the domain.) The spammer actually registered a domain to perfect his fraud. This page lists some other plugins which are infected the same way but their names aren’t changed. What an honour for pagebar! I think I should inform the authors about this spam attack.

The spam page

Brave as I am I visited the site which the spammer links to:

Looks like a regular site about WordPress plugins. The source of the page does not contain any suspicious JavaScript or Flash. Further down there is even real content:

Looks like actual content. As you can see, there are even some comments on the posts:

  • John says:
    September 8, 2010 at 8:27 am

    hey man, nice blog…really like it and added it to bookmarks. keep up with good work

  • Anton Dirksma says:
    September 8, 2010 at 10:46 am

    Hey, very nice website. I actually came across this on Bing, and I am happy I did. I will definately be coming back here more often. Wish I could add to the conversation and bring a bit more to the table, but am just absorbing as much info as I can at the moment. Thank You

The list goes on like this. On the first look the comments look genuine but if you inspect the content and the commenting times a bit closer you’ll realize that these were created automatically.


So who’s behind this? Let’s consult


hyderabad, Andhra Pradesh 500016

Registered through:, Inc. (
Created on: 30-Aug-10
Expires on: 30-Aug-11
Last Updated on: 30-Aug-10

As I suspected it’s a guy from India (Rahul is a very common name in Bollywood films). It gets really funny if you enter the address in Google maps: it’s the Begumpet Airport. LOL!


Altogether it’s still spam but this is a small step further. The common WP user does not expect spam inside of plugins and, if I get the GPL right, there’s nothing you can do about it. All of the captured plugins are released under the GPL.Everybody can do almost anything with it as long as he re-releases it under the GPL. This spammer does nothing illegal and even if he would, how are the chances to stop him? NIL. The only thing we can do is to keep an eye on the site and to warn the affected original authors.

Wait, there’s another thing we can do: Thank the team of Automattic for removing such spam plugins from the official plugin site rapidly!


4 responses to “Interesting new kind of WordPress Plugin Spam”

  1. lisa white Avatar
    lisa white

    This fucker got me!

    how do i remove it from my blog? Just delete the plugins?

    1. Simply delete the plugin and load the original one from the official plugin repository ( Always get your plugins from the official site unless you really trust the author of a site.

  2. Yeah, great post. The guy got my plugin too (WP Greet Box). I’m thinking of adding some kind of backdoor that will only trigger on unauthorized uses. But then that would put users at risk, so I don’t want to do that. Now… if only he uses one of our plugins on his own site, we can backdoor the bastard and kill his entire site from the inside-out. Just a thought…

  3. very useful post for me and by Google Maps we can find location easily
    For more inforamtion :

Leave a Reply

Your email address will not be published. Required fields are marked *