See you around the posts, Eric!

- Don

I agree completely about sharing passwords with any online service; don’t. Ever. A few years ago this was a rampant issue, with all sorts of sites being bold enough to ask. Now some sites do still process account joining (is that the right term?) through their own servers but thanks to tools like Oauth it’s become less and less of a commonality. Personally, I do use Oauth for a few Twitter integration projects I use but that’s because it’s, mostly, obvious that I’m not sharing the info with anyone.

That being said I am extremely disturbed whenever a site asks me for my email acccount info like LinkedIn does (whereby they grab my contact list). I Just. Don’t. Trust. Them.

Thanks for stopping by; ironically I enjoy your blog so I’m glad I could reciprocate

Eric

Thanks for the props man; I’m glad you found this topic worthwhile enough to write about.

My biggest issue with Automattic not doing anything about this is that it’s such an easy to reach, low hanging, fruit for a company with the level of funding they have. Hopefully they’ll do something about this, but my experience tells me they won’t.

Thanks again
Eric

I always thought the same potential for malice exists with Twitter apps. People willing give up their Twitter password to “get more followers” or “manage their followers” or to “tweet your buddy a beer” but does anyone ever stop to think about what these apps could be doing?

There’s no way to guage or prove it but I would venture to say that AT LEAST 30% of Twitters have the same password on Twitter as they do for Facebook and perhaps even for their main Email address. Once a hacker has one valid password (plus all your demographic data scraped from Facebook and other social apps) they can much more easily start hacking all your other accounts as well…

So, to the consumers of FREE I say…”Buyer Beware!”

- Don

And yes, with that kind of cash rolling in there is no excuse for not having some sort of oversight. You just gave me a post subject, and I will most certainly include links to your post, and the posts that you included in your article. Thanks again for the heads up. “-)

Side note: I found your site on the blogging sub-Reddit.

1&2: That’s not a bad idea man; no idea how to get Automattic to implement it in WordPress but still a good idea. Maybe a plugin scanner / profiler would make for a good security plugin? Might make a good premium plugin.

I realize there’s technically no legal responsibility for Automattic to do anything about this issue but I do believe there’s a moral responsibility (which I know is a weak, weak, argument). Automattic built a system that allows third party developers to have their code installed with the click of a link if that code is hosted by Automattic / WordPress.

I’m not talking about all plugins here; those that are downloaded from a separate site are used at the users risk (though the plugin author is still responsible for any repercussions whether they own up to it or not). This may seem a bit of a double standard, and honestly, I accept that it probably is, but Automattic is a multi-million dollar organization that puts out the code millions of people rely on. It seems to me that there is a “trust” imbued by the plugins that come from Automattic that they are approved by WordPress. It hardly seems appropriate for Automattic to do nothing to protect their users from the very plugin eco system they themselves created and profit from.

Wah Wah!! I know. Sigh…

3. Dude, I feel your pain on the constant requests. At least 10 times a month I get emails from users demanding my help on their project. It. Does. Get. Old.

I do try and help those users that have a new issue (something not covered in the docs or a previous comment) but, honestly, my plugins just aren’t that popular (5,000 downloads or something like that).

I definitely believe there is a market for some premium plugins; I just don’t think lack of quality was one of them. Some plugins are so complicated and useful that to not get paid wouldn’t be cool. To be honest, I wish I would have gone the premium route for wp-click-track. So much work goes into it to make it better and better and better (which I think I’ve done from 0.1 to the current 0.6) that I would be way more motivated and productive if there was cash involved

I would be careful about charging for anything that has a GPL license on it. The way I understand the GPL (please correct me if you know better) is that with the GPL license anyone who purchased the code can then release it for free under a different name so long as the code continues to be released. I like GPL just not for $$ projects.

Yup, the McDonalds metaphor wasn’t good or even applicable. Just a weak metaphor. Let us never speak of it again.

1 & 2. I think that they should be able to roll back the published version of a plugin in the repo if a patch contains actual malware. (After the fact though, I don’t want any pre-release approval for each update like with the iPhone.) I think that should be the extent of it though. But on the other hand, I don’t really think it’s necessarily their responsibility. I still say that falls upon the end user. If you download malware, it’s kinda your fault. (The same goes for anyone who installs malware on their computer because a site said they needed to install a bogus ActiveX control.)

3. [Insert "emphatic NO OF COURSE NOT" and insults here] I actually haven’t been doing a whole lot of active development on the plugins at the moment, aside from working on bug fixes and making sure everything works with new releases of WordPress. I’m planning to eventually scrap and rewrite a couple of them and make them paid (but GPL still). Why? Because I can’t take the support anymore. I’ve pretty much stopped checking my support inbox now. I can’t spend hours helping people for nothing. I get an occasional small donation, but the ratio isn’t very good. (And I certainly shouldn’t have to put up with people *demanding* that I help them style something so it works better with their theme, and sending multiple emails because I didn’t respond within the hour.) Too much work, stress, and headache.

Charging a modest sum in some manner (whether it be paying for the plugin itself, for support, or something else) should help cut down on that kind of crap and allow me to actually put time into developing the plugin, and helping people who care enough to support the development. There are a few developers, such as Gravity Forms, who are doing something along similar lines now, and it’s working well for them.

It works like this: Provide an awesome product (and be trustworthy) and people will pay. If you don’t deliver, then people won’t pay. You can’t have better motivation than that.

I don’t quite buy the McDonalds metaphor though. McDonalds may not be the best food, but the alternative “better food” certainly isn’t free. McDonalds is closer to the free end of the spectrum than a restaurant with better food…

1. I guess it could apply to desktop software but you’ve got to admit it’s quite the leap we’re making. Kudos on making the connection with what I was saying: there should be some oversight of WordPress plugins to: all software should have oversight.

2. You ask that like those are the only two options (plus I disagree with this being a minor risk). Instead, what about how Google handles the Android store? Google handles the review process post-hoc so there is no cluster fuck like the iPhone.

3. Wow. Um, no, I don’t think paying for the plugins is the answer either. I write two free plugins without making a cent and I believe they are both very well maintained and I have never, ever, had the urge to add in malware.

No disrespect, but I notice you’re a WP plugin developer. Are you saying your plugins aren’t maintained and you’ve put malware in? I bet the answer is an emphatic NO OF COURSE NOT (along with an appropriate amount of insults I’d wager). The point is that I don’t think there’s any more “honor” or desire for quality for so called premium plugins (McDonalds charges but it’s a far cry from even a basic definition of “good” for example).

At this point I’m really thinking the bare minimum answer is a little bot to parse the plugins looking for “suspicious” strings or function calls. Or something similar; I have faith that Automattic are smart people and can figure it out if they wanted to. I just don’t think they do.

2. Would you rather have this minor risk, or would you rather have WordPress Extend become something like the iPhone App Store?

3. This is just further reason for people to move towards “premium” plugins. Pay for your plugins and you won’t have the problem. The software will be better maintained, and the developers wouldn’t have the temptation to add in malware.