Wednesday, 17 August 2016

WP Plugin 404 to 301 - Considered Harmful

Yesterday we received a site cleaning request where one of our customers was seeing spammy links, Payday Loans in this case, injected into their WordPress website page content. The links were only appearing when the site was visited by a search engine crawler. This is common when a site has been hacked.

It turns out that this is not a hacked site. It is content that is injected by a plugin called 404 to 301 plugin which has 70,000 active installs and has a 4.5 star review from 56 reviewers. When you install the plugin it asks you to agree to a long agreement which includes parts of the GNU general public license. But at the end it also includes the following text:

Third Party Text Links
Third party text networks supply text for display in 404 to 301. These networks may collect your visitors’ IP addresses, in native or hashed forms, for purposes of controlling the distribution of text links. 404 to 301 collects anonymous aggregated usage statistics.
By clicking the button here below, you agree to the terms and conditions and give permission to place text links on your website when search engine crawlers access it. Your website’s layout, performance and interaction with human visitors should not be altered or affected in any way. Please note that this feature can be deactivated at any time under 404 to 301 Setting > Help & Info > Plugin Information > Disable UAN, without affecting any other feature available in 404 to 301.
404 to 301 – Copyright © 2016.
I’m reasonably sure that no sane webmaster would agree to:
  1. Cloaking, which is specifically banned by Google and will result in a search engine penalty.
  2. Allowing ads to be inserted into their site over which they have no editorial control, including PayDay loan ads.
We are contacting the WordPress plugin repository maintainers who will likely remove the plugin by the time you read this post. Now that you’re fully informed, we suggest you make up your own mind about whether or not you want to keep this plugin installed if you have it on your site.

Source: Wordfence Blog