No good deed goes unpunished, and that is how I feel today. Three months ago, our web sites were attacked by a hacker group; most likely the group of hackers that call themselves Anonymous. It took me a few hours to complete, but I developed a small WordPress plugin to reclaim my web sites from hacker control; to remove all of the infections and protect my sites from future attacks. I was very upset about the attack and decided the best way to get revenge was to share my plugin with the world. It took me a few days to get all of the bugs out of the system and get it ready for the public. And it actually did go public, having earned over three thousand users, even ranked 2nd in the Top 10 WordPress Security Plugins made by an independent blogger. But now, three months later, the plugin itself is under attack, threatening my business and web sites.
The issue revolves around a perceived security threat of the plugin. The security threat is not caused by the plugin, but is caused by improper configuration of a web server. Web servers are designed by default to deliver multiple types of content. Often, this content is evaluated by the file extension. Normal behavior is that when an unsupported file extension is seen, the result is not executed but is displayed as a text file. It would take extra effort to break this normal behavior and make invalid file extensions executable, which is the responsibility of the web hosting provider, and NOT the responsibility of web application developers. The truth is, my plugin contains live viruses and .htaccess malware ‘protected’ by naming the files with an invalid file extension specifically designed to ensure that not only can users easily add virus definitions, but also to ensure that hackers cannot use these virus definition files themselves to attack the site.
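The server-side condition described above can be checked from the configuration itself. The following is an added example, not part of the original post or of the plugin: it scans Apache `.htaccess` or vhost lines for directives that would make files with a non-script extension run as PHP. The sample lines are constructed, and the `.def` extension is an assumption, since the post does not name the extension the plugin uses.

```python
import re

# Extensions expected to run as PHP; anything else mapped to PHP is flagged.
SCRIPT_EXTS = {".php", ".phtml", ".php5", ".php7", ".phar"}
PHP_MARK = re.compile(r"php", re.I)

def audit_apache_lines(lines):
    """Return (lineno, reason) for directives that run non-script files as PHP."""
    findings, files_depth = [], 0
    for n, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        low = line.lower()
        if low.startswith("</"):
            files_depth -= low.startswith("</files")
            continue
        if low.startswith("<"):
            files_depth += low.startswith("<files")  # <Files> and <FilesMatch>
            continue
        parts = line.split()
        directive, args = parts[0].lower(), parts[1:]
        if not args or not PHP_MARK.search(args[0]):
            continue
        if directive in ("addhandler", "addtype"):
            for ext in args[1:]:
                ext = "." + ext.strip('"').lstrip(".").lower()
                if ext not in SCRIPT_EXTS:
                    findings.append((n, f"{ext} mapped to PHP via {parts[0]}"))
        elif directive in ("sethandler", "forcetype") and files_depth == 0:
            # Outside a <Files>/<FilesMatch> block the handler applies to every file.
            findings.append((n, f"{parts[0]} runs every file in scope as PHP"))
    return findings

def runs_as_php(filename, mapped_exts):
    """With AddHandler/AddType, mod_mime considers every extension in a name,
    so 'x.php.def' matches a .php mapping even though it ends in .def."""
    return bool({"." + e.lower() for e in filename.split(".")[1:]} & mapped_exts)

# Constructed sample configuration (not from any real host).
SAMPLE_HTACCESS = """\
# constructed sample
AddHandler application/x-httpd-php .php .def
<FilesMatch "\\.php$">
    SetHandler application/x-httpd-php
</FilesMatch>
AddType text/plain .def
ForceType application/x-httpd-php
""".splitlines()

if __name__ == "__main__":
    for lineno, reason in audit_apache_lines(SAMPLE_HTACCESS):
        print(f"line {lineno}: {reason}")
```

The audit only reads the lines it is given; handlers inherited from a parent directory or the main server configuration need the same pass over those files.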
But tell this to WordPress, most particularly Mr. Mark Riley, because they don’t want to hear it. They have banned my plugin from the WordPress repository, which makes it harder for the users who have already been enjoying the protection that my plugin provides to get easy access to plugin upgrades. The attached image below is the actual e-mail exchange that transpired between Mark Riley and me.
The Web Security Tools plugin is designed to remove that URL with others from web sites, so of course, that URL needs to be contained within the plugin. They banned my plugin because it is protecting web sites against a threat? Who are they protecting then? The hackers or WordPress users? Clearly, they are only protecting the hackers with this move.
My first response was to find a list of major media contacts and quickly email out a raw press release. The press release took me about 5 minutes to make. I also posted that press release on a free press release site. After reading the press release and the blog posts on this web site, Firetown.com, operated by Mr. Mike Damman, a news site dedicated to releasing information often suppressed by major media, decided to publish the story.
I guess when you are in the right, the help just pours out easily. One of my good friends found a web site on the internet that listed my Web Security Tools WordPress plugin as #2 in the top ten WordPress security plugins. While reviewing their post, they had some good ideas for improving the plugin by protecting it against the bad server configurations that I already spoke of. I decided to make one more attempt to make peace with WordPress, and sent them the following offer.
But did I receive a response? Of course not! Did I receive a response from Matt Mullenweg, the owner of WordPress? NO! WordPress does not care about its users; it seems to care more about protecting hackers. WordPress.Org publishes many plugins and themes which contain severe security threats which make it easy for hackers to break into WordPress blogs, but they won’t publish a plugin which stops these security threats?
You have to ask yourself why. There are two answers to that question I can come up with: the first possible answer is that the support at WordPress does not know anything about security, and does not realize how important the Web Security Tools plugin is in protecting internet security. The plugin not only protects WordPress web sites, but protects the entire internet because hackers are using these hacked WordPress sites to attack other web sites, such as Amazon.Com, Twitter, Facebook, and government-controlled sites. The second possibility is that WordPress is secretly supporting the hacker group Anonymous and wants their application to continue helping hackers to terrorize the internet.
THIS NEEDS TO STOP! NOW!
I am going to start a petition and a massive press release campaign against WordPress. The goals are simple: pressure WordPress into restoring Web Security Tools, otherwise continue spreading the truth until every last WordPress user stops using WordPress and switches to a more secure blogging platform.
I need your help. Please email me at rritoch [at] gmail.com if you are willing to help us stop Anonymous and restore Web Security Tools availability at WordPress.com. We need people to write and publish press releases, and donations to help us get this information out to the world. You could be helping millions of people who are currently being terrorized by hackers.
Edited February 4, 2012: Please sign our petition