Mike Challis, the long-standing original author of the “Fast Secure Contact Form” plug-in, posted an article here about what suddenly happened to the plug-in he made available to WordPress users for so long. It’s a shame, because this was a great, stable plug-in and it always seemed to work no matter what theme you used. I just noticed it was removed from the repository, so I will be removing it from all of my sites as well, and I recommend that any web developers who have it on their sites do the same IMMEDIATELY.
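Removing a withdrawn plug-in from every site you manage starts with knowing where it is installed and which version each site carries. The script below is an added example, not code from the original post or from the plug-in’s author: it walks a list of site document roots, looks for the plug-in’s directory under wp-content/plugins, reads the standard WordPress plug-in header (Plugin Name / Version / Author) from the main PHP file, and can move the directory into a quarantine folder for later inspection rather than deleting it outright. The directory slug `si-contact-form`, the sample site layout and the sample header values are assumptions constructed for the demo; confirm the slug against the Plugins screen of your own install.

```python
"""Inventory (and optionally quarantine) a withdrawn WordPress plug-in across
several site document roots. Added example, not code from the original post.
Assumes each site root has wp-content/plugins/<slug>/ and that the plug-in's
main PHP file carries a standard WordPress plug-in header block."""
import os
import re
import shutil
import tempfile
from dataclasses import dataclass
from typing import List, Optional

# Directory slug of the plug-in to look for. Assumed here; confirm against
# the slug shown in your Plugins screen or the wp-content/plugins listing.
PLUGIN_SLUG = "si-contact-form"

# Matches "Plugin Name: ...", "Version: ..." or "Author: ..." header lines,
# with or without the leading "*" used in docblock-style headers.
HEADER_RE = re.compile(r"^\s*\*?\s*(Plugin Name|Version|Author):\s*(.+?)\s*$", re.M)


@dataclass
class Finding:
    site_root: str
    plugin_dir: str
    plugin_name: Optional[str]
    version: Optional[str]
    author: Optional[str]


def read_plugin_header(plugin_dir: str) -> dict:
    """Scan top-level .php files in plugin_dir for the WordPress header block.
    WordPress itself only reads the first 8 KiB of the file, so we do the same."""
    for name in sorted(os.listdir(plugin_dir)):
        if not name.endswith(".php"):
            continue
        path = os.path.join(plugin_dir, name)
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            head = fh.read(8192)
        fields = {key: value for key, value in HEADER_RE.findall(head)}
        if "Plugin Name" in fields:
            return fields
    return {}


def find_plugin(site_roots: List[str], slug: str = PLUGIN_SLUG) -> List[Finding]:
    """Return one Finding per site root that still carries the plug-in."""
    findings = []
    for root in site_roots:
        plugin_dir = os.path.join(root, "wp-content", "plugins", slug)
        if not os.path.isdir(plugin_dir):
            continue
        hdr = read_plugin_header(plugin_dir)
        findings.append(Finding(root, plugin_dir, hdr.get("Plugin Name"),
                                hdr.get("Version"), hdr.get("Author")))
    return findings


def quarantine(finding: Finding, quarantine_root: str) -> str:
    """Move the plug-in directory out of the web root instead of deleting it,
    so the files stay available for inspection. Returns the new path."""
    os.makedirs(quarantine_root, exist_ok=True)
    site_tag = os.path.basename(os.path.normpath(finding.site_root)) or "site"
    dest = os.path.join(quarantine_root, f"{site_tag}-{os.path.basename(finding.plugin_dir)}")
    shutil.move(finding.plugin_dir, dest)
    return dest


def build_sample_sites(base: str) -> List[str]:
    """Constructed sample data: two site roots, one with the plug-in, one without."""
    roots = []
    for site, has_plugin in (("site-a", True), ("site-b", False)):
        root = os.path.join(base, site)
        os.makedirs(os.path.join(root, "wp-content", "plugins", "akismet"), exist_ok=True)
        if has_plugin:
            pdir = os.path.join(root, "wp-content", "plugins", PLUGIN_SLUG)
            os.makedirs(pdir)
            with open(os.path.join(pdir, "si-contact-form.php"), "w", encoding="utf-8") as fh:
                # Sample header values; the version string is made up for the demo.
                fh.write("<?php\n/*\nPlugin Name: Fast Secure Contact Form\n"
                         "Version: 0.0.0-sample\nAuthor: sample\n*/\n")
        roots.append(root)
    return roots


def run_demo() -> dict:
    """Build the sample sites in a temp dir, inventory them, quarantine the hit."""
    with tempfile.TemporaryDirectory() as tmp:
        roots = build_sample_sites(tmp)
        found = find_plugin(roots)
        moved = [quarantine(f, os.path.join(tmp, "quarantine")) for f in found]
        return {
            "hits": [os.path.basename(f.site_root) for f in found],
            "names": [f.plugin_name for f in found],
            "versions": [f.version for f in found],
            "still_present": [os.path.isdir(f.plugin_dir) for f in found],
            "quarantined": [os.path.isdir(m) for m in moved],
        }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Moving the files does not clear the entry WordPress keeps in the `active_plugins` option; WordPress notices the missing directory on the next admin page load and deactivates the plug-in itself, but where WP-CLI is available the cleaner order is `wp plugin deactivate <slug>` followed by `wp plugin delete <slug>` on each site, with this script kept for the inventory step across many hosts.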
In the explanation linked above, Mr. Challis cites this report from Wordfence showing other plug-ins that have been compromised by nefarious spammers. Now, Mr. Challis had sold his plug-in, so we know he’s not responsible for what a purchaser does to the code afterwards, but this incident does highlight a vulnerability inherent in a community-driven, open-source platform like WordPress, and the exposure of the 23% (and growing) of websites that run on WordPress. Millions of WordPress users and their organizations are exposed to real threats to their data and systems, and on top of that, WordPress takes a hit to its reputation, along with innovative software developers like Mr. Challis.
Plug-in Author Reputation
This incident highlights another risk we web developers are exposed to, and that is the risk to our reputations. I don’t blame Mr. Challis for wanting to “cash out” by selling his plug-in; that’s what many developers strive to do, it’s what motivates many to innovate, and that’s understandable. This is another wake-up call! If you are a PHP developer and wish to sell a WordPress plug-in, it is highly advisable to include stipulations in the sale transfer that the purchasing party agrees to uphold the quality standards and promises not to dilute the reputation of the plug-in by using any tactics that could inadvertently tarnish the reputation of the original author.
One of the easiest ways to know if a plug-in is reliable is to see who its author is. Mr. Challis’s name was always synonymous with software stability and I will continue using any of his other plug-ins, but I do wonder what the best solution for these situations is. Something as commonplace as a contact form on a website should be a core component of WordPress anyway. I know that installing Jetpack, which is freely distributed (at this time) by WordPress, provides a contact form out of the box, but this incident raises other concerns regarding security, safety, innovation and integrity.
We don’t want WordPress to clamp down too hard on plug-in authors, because that will affect innovation, but at the same time, any plug-in update that attempts spam tactics or security breaches should never make it to the repository, and notices in the plug-in manager should be made very prominent so that all users become aware of such incidents faster. These should be the highest level of WordPress alerts, warranting even an email to the owners of affected WordPress sites. A more immediate response should help the community more actively police our themes and plug-ins and ensure swifter retribution towards those trying to compromise the integrity of the WordPress community, which hurts everyone, including WordPress, web developers, and any organization that uses WordPress.