Does WordPress check submitted plugins?

This came to mind: what is the process for getting a plugin hosted on WordPress Extend? Do the people at WordPress actually check submitted plugins and make sure they don't contain any malicious code?

Over the weekend I tested a few plugins while tweaking some settings on my blog, and I found this plugin, Last Year Widget, which meets my need perfectly: it shows your archived posts from the same period of the previous year.

I assumed a plugin downloaded from the main WordPress site shouldn't have any problems, but when I used it in my sidebar the display looked a bit off. I thought it was a CSS issue and planned to edit the code. Guess what I found?

<span style="visibility: hidden;"><a href="http://www.sterling-adventures.co.uk"> </a></span>

If you are not into HTML/web programming/web design: what this does is put a link on your blog whenever you use the plugin, but the link is hidden, so you never see it while you are giving the author a free link back. Today someone can just hide a link like this; tomorrow one of the popular plugins might be the reason your blog gets hacked!

I advise anyone using a lot of plugins to check their page source for any link they don't recognise. On a side note, WordPress Exploit Scanner really sucks, because it could not tell that this plugin had a problem.
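As an added example (not code from the post or from the plugin), here is a small Python check for the kind of hidden backlink shown above: it parses a page's HTML, tracks elements hidden with visibility:hidden or display:none, and reports any anchor inside them whose host is not one of your own. The sample HTML and the host names are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a sidebar fragment with a normal archive link, the
# hidden backlink pattern quoted in the post, and a display:none variant.
SAMPLE_HTML = """
<div id="sidebar">
  <ul><li><a href="/2007/03/">March 2007</a></li></ul>
  <span style="visibility: hidden;"><a href="http://www.sterling-adventures.co.uk"> </a></span>
  <div style="display:none"><a href="http://example.invalid/seo">seo</a></div>
</div>
"""

HIDING_RULES = ("visibility:hidden", "display:none")

def _is_hiding(style):
    # Normalise whitespace/case so "visibility: hidden;" matches the rule.
    compact = style.replace(" ", "").lower()
    return any(rule in compact for rule in HIDING_RULES)

class HiddenLinkFinder(HTMLParser):
    """Collect hrefs of <a> tags nested inside an element hidden via inline CSS."""
    VOID = {"br", "img", "input", "hr", "meta", "link"}

    def __init__(self):
        super().__init__()
        self.depth = 0          # nesting depth of open (non-void) elements
        self.hidden_from = []   # depths at which a hiding style was opened
        self.found = []

    def handle_starttag(self, tag, attrs):
        if tag in self.VOID:
            return
        a = dict(attrs)
        self.depth += 1
        if _is_hiding(a.get("style", "")):
            self.hidden_from.append(self.depth)
        if tag == "a" and self.hidden_from and "href" in a:
            self.found.append(a["href"])  # anchor lives inside a hidden element

    def handle_endtag(self, tag):
        if tag in self.VOID:
            return
        if self.hidden_from and self.hidden_from[-1] == self.depth:
            self.hidden_from.pop()    # leaving the hidden element
        self.depth -= 1

def find_hidden_links(html):
    p = HiddenLinkFinder()
    p.feed(html)
    return p.found

def unknown_hidden_links(html, own_hosts):
    """Hidden links pointing at a host that is not one of the site's own."""
    return [h for h in find_hidden_links(html)
            if urlparse(h).netloc and urlparse(h).netloc not in own_hosts]
```

Run it over the rendered HTML of your own pages (e.g. saved with curl) rather than the plugin source, since the link is only visible once the widget outputs it; links hidden via an external stylesheet or script would need a rendered-DOM check instead.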


  • The best thing to do would be to write a post to the support forum of the plugin asking the author to remove the link. I have done so, and if the plugin isn't updated it will be removed from WordPress.org.

    Thanks for blogging about it.

  • Hi,

    I’m the author of this plug-in and wondered what the issue is…
    Is it “wrong” to have a link back to the author? It asks for nothing and costs nothing.
    I don't understand the point you are trying to make – this markup can't be affecting your site; it's hidden. 😉
    Many other plug-ins do exactly this – in fact it was another plug-in that I used a while back (I’d downloaded it from the WordPress hosted library too) which gave me the idea, as it did exactly the same thing… 😕

    Cheers,
    Pete