Half-Elf on Tech

Thoughts From a Professional Lesbian

Tag: plugins

  • Plugins: Kick Rocks

    Plugins: Kick Rocks

    Once upon a time there was a company called WP Bins (not their real name). They had a plugin that was flagged by the forum folks for going batshit on a review, demanding to know the definition of a review.

    Schrödinger’s Review

    A review is a forum post of someone’s experience using your plugin.

That’s it. We ask people to be honest and fair, to use nicer language, but really there aren’t too many limits. This tends to leave developers angry about subpar or uninformative reviews.

    I really get that. Getting a review of “This doesn’t work” sucks, and it’s as useful as tits on a snake. But the thing is, a review is someone’s experience. They can be wrong sometimes (like if they blame your plugin for something that isn’t your fault) but in general reviews are not malicious — they are either really happy or really angry.

    WP Bins reached out to complain about a ‘non’ review:

    It is someone crying because they have to pay extra for functionality included in the free version. This is not a review based on our product or what it can do, it is someone crying that we have the audacity to charge for the time/effort/resources spent to offer it to them.

    We took a look and saw the review was a complaint that functionality they need isn’t in the free version. Which, you know, annoying, but valid. That’s a complaint. And the developer is free to say “We know, it’s not going to be free.”

    I have often said the way in which you reply to a review is more important than the review, and Bins was a great example of that. The first comment was fine (basically saying “As our website states, those features are premium”). It was a bit snarky, but in the RTFM (read the fine/fucking material) kind of way.

    But Bins also flagged the review for moderation. A mod stepped in, explained sorry, it’s a valid review, and that’s where we went off the rails.

    And By The Way …

Bins and the Mods got into a pissing match of “It is a review!”/“It’s not a review!” until the Mods put their foot down and said “You asked us to look, we did, it stands.”

    Sometimes you don’t get what you want.

    Then Bins escalated to Plugins. We went in, cleaned up the (public) argument about if it was/wasn’t a review, explained we were doing so to protect Bins from their own frustration (which we understood completely) and then checked out the plugin.

    This was the risk any time someone asked me to look at their forum drama. I always checked their plugins, because invariably the people who were the bitchiest about unfair reviews were breaking guidelines.

    Bins was:

    • Prompting users for a license, claiming it was required for updates
    • Emailing users on activation/deactivation
    • Not sanitizing

The first one was assumed to be a gaffe. That is, they meant to say a license was needed for premium updates. Their methodology ran afoul of the guidelines, so it was explained how to correct that.

As for the emailing, they were told to review the guidelines.

    The sanitizing was a requirement. And we’re talking basic stuff here:

    'zip' => ( isset( $_POST['premium_addon_zip'] ) ) ? $_POST['premium_addon_zip'] : '',
    'slug' => $_REQUEST['plugin_slug'],
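For contrast, here is how those same two values would be read once they are checked, unslashed and sanitized. This is an added example, not WP Bins’ code and not code from the post; the `hypothetical_` function name and nonce action are placeholders, and the assumption that `premium_addon_zip` is a download URL is mine. `current_user_can()`, `check_admin_referer()`, `wp_unslash()`, `sanitize_key()`, `esc_url_raw()` and `wp_die()` are WordPress core functions.

```php
<?php
// Added example, not from the original post. Names prefixed "hypothetical_"
// and the nonce action string are placeholders; premium_addon_zip is
// assumed to be a URL to a package (if it were a filename you would use
// sanitize_file_name() instead).

function hypothetical_addon_request_args() {
    // Only someone allowed to install plugins should trigger an add-on
    // install, and the request must carry a nonce so a forged cross-site
    // form cannot do it on their behalf.
    if ( ! current_user_can( 'install_plugins' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    check_admin_referer( 'hypothetical_install_addon' );

    // WordPress adds slashes to superglobals, so unslash before sanitizing.
    $zip = isset( $_POST['premium_addon_zip'] )
        ? esc_url_raw( wp_unslash( $_POST['premium_addon_zip'] ) )
        : '';

    // Reject a slug that sanitizing would have altered, rather than silently
    // turning something like "../../evil" into "evil" and carrying on.
    $raw_slug = isset( $_REQUEST['plugin_slug'] )
        ? (string) wp_unslash( $_REQUEST['plugin_slug'] )
        : '';
    $slug = sanitize_key( $raw_slug );
    if ( '' === $slug || $slug !== $raw_slug ) {
        wp_die( 'Invalid plugin slug.' );
    }

    // A package pulled over plain http can be swapped in transit; insist on https.
    if ( '' !== $zip && 'https' !== parse_url( $zip, PHP_URL_SCHEME ) ) {
        wp_die( 'Add-on package must be fetched over https.' );
    }

    return array(
        'zip'  => $zip,
        'slug' => $slug,
    );
}
```

The two original lines pass whatever arrived straight through; the difference here is that every value is either a known-good shape or the request stops, and the capability and nonce checks mean the code path is not reachable by an anonymous request at all.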

    Kick Rocks

    That’s when they got mad.

We will not be reopening the plugin on the WP repository if you can’t accept the fact that reviews are for reviewing products. And, if you can’t accept that leaving one star (as opposed to 2 or 3) SOLELY because we have a premium version, well, is petty and childish (to use your lingo).

    We don’t need the WP repo. We did it for users and to be part of the “community”. But if this is how the community responds to our philanthropy, then kick rocks!

    Go ahead and pull the plugin.

    I will note, we absolutely told Bins they were being petty and childish over a single one star review. He was being a truculent toddler.

    And before we could reply:

If you are willing to delete my reply because of protecting me, then why couldn’t you delete theirs? You even mentioned that it was a piss poor review and hard to tell what the hell they are saying. So, why would you leave that up? I don’t need you to take down my responses. My response was sound. We have a great user base and people that can actually read what we put out there for them. Including the price structure and our model.

    So, leaving his comment and removing mine is pathetic. Since we are slinging around insults here 😉

    Bins got told “The review is a bad review, but it’s still a review” and “Do you want to turn this into a permanent closure?”

They chose to argue that there were no conflicts, and there was no email (there was, I got one). No mention about the license thing, no mention about security. Oh and they demanded we restore their bitching.

When someone gets to that point, and zeroes in on the one thing they feel is unfair, without stopping to address the security stuff, it’s no longer worth the time of day to talk to them.

    Backtracking

    At this point, we told Bins the plugin was closed, restored their angry comments, have a nice day. They were not banned!

    Not until they made a fake account and left 5 star reviews for themselves.

    But that’s not here yet.

Bins came back to Plugins to ask we remove their ranty comments because even though we said a single bad review wouldn’t hurt them much, they were getting no sales.

    NO SHIT, SHERLOCK!

    The review wasn’t the issue! Their reply was the issue! Who the fuck wants to use a plugin if the developer is going to accuse them of being fake!?

    We re-removed the angry replies and reiterated that if they wanted to come back:

    1. Fix the problem with the emailing
    2. Remove the license ‘requirement’ and make it clear it was only for premium support
    3. Fix security

    That’s reasonable, right?

    Bins said thank you, and then made the sock puppets I mentioned earlier.

    Bin and Bag it

    At this point, everyone gave up on Bins.

    A month later, Bins emailed plugins and explained the sock puppet was their spouse (note: people argue this a lot, please DO NOT ask your partner to leave a review for you! It’s disingenuous unless they say “I’m X’s husband! I love this plugin!”)

    You were banned for your overreaction to a single bad review. Your actions following that escalated and exacerbated the situation.

    You called people names, you sent MULTIPLE emails alternately demanding we fix or remove your plugins, without addressing the issues we’d raised. Then you got [your partner] to make an account and leave a review as a paying user (which is incredibly biased, seeing as [they’re your partner]). We made an attempt to shield you from backlash, you demanded we allow your post to stand. You made legal threats.

    At this point, it’s HARMFUL to the volunteers to permit you to run wild on our system and we are declining to permit you to do so.

Your use of our systems is at-will. We are no longer willing to permit you to use them, and since you have no code hosted here, you have no need to do so.

    Bins grumbled but accepted this.

    The Moral of the Story?

    Reviews can really, really suck. They can be low quality, they can be worthless, they can be outright wrong.

    But they remain one thing: Someone’s experience with your plugin (or theme).

    You don’t have to agree with them, but you sure as shit shouldn’t rant and rave about people being ‘fake’ and how unfair it is that someone doesn’t like your choices. People don’t have to like your work! I know it sucks when they don’t but if Bins had just said “We understand your frustration. We charge for X because blah.” then none of this would have happened.

    The other thing you don’t do is try to ‘fix’ the problem with good reviews from friends and family. That doesn’t teach you anything and makes you look like a scammer. You want reviews from those random people, as they will tell you what’s happening in the real world.

    Finally?

    It’s totally okay to charge for add-ons/features to your plugins! But remember, people don’t have to like that.

  • Plugins: Stealing The Butt (vulgar)

    Plugins: Stealing The Butt (vulgar)

    Note: This post contains foul and abusive language.

    Alex (fake name) is a weird one.

    Alex submitted a plugin and their email was sending auto-replies, so we flagged them for that. Their plugin was also missing a readme and they failed to escape code. Three annoying but small issues.

    That was March.

    No reply came, so they got auto-rejected in June.

    We Made Changes

    A couple more months pass and Alex has ‘made changes’ and replied:

    We made some changes to the code but our plugin is identical to a competitor that is approved in your community which doesn’t make much sense to these changes since the other one was approved.

    Now, I will admit, I missed the ‘identical’ the first time but for what it’s worth, that is incorrect.

    The competitor escapes the line in question.

    But more to the point, Alex had a hell of a time replying to emails. We’d send, it’d auto-reply, we’d ask them to fix it. On and on. Finally they got their head out of their ass and explained it was Brazilian law to have that autoreply … for customers.

    Ah! Well we (Plugins) ain’t the customer, this is a DEV relationship, please change the email and off we go.

Except … they then told us they had copied the code and rebranded it, and said we probably can’t host it.

    Can You Steal Open Source?

    People hate that I call it theft.

Suck it up, buttercups.

    If you take someone else’s code, put your name on it and make no other technical changes, and present it as your own original work, you stole it.

    I will die on that hill.

    Now if you take their code, alter it, add new features, improve it, re-design it to use modern PHP practices, convert it to React, etc? Hey! You forked it! Congratulations! Slap a copyright addition to it, crediting the originals, and we’ll host your code!

    But no, it’s easier to take someone’s work and claim it’s your own, and when you do that, I hate you. You stole their work. You lied about it being your original work.

    Fix It and Improve It

    Anyway, Plugins agrees “You’re right, we cannot host copied code” but we did not reject the plugin since there are ways around that (see above). We also pointed out they had to fix the security issue.

    ok thanks, I don’t intend to put my plugin available for download in this shit library.

    […]

    fuck man, you need to learn a lot to get along with people and even learn to read. That’s not to mention talking, which is something you don’t really do.

    Okay, let’s try to explain– Wait, another email?

    I didn’t steal anyone’s code, I’m not a thief, if you consider yourself your personal problem. Learn to read and talk to people, you don’t know if you want to talk.

    I repeat, you are a disgrace to the wordpress community.

Okay well let’s– What? AGAIN!? In less than 60 seconds!?!

    About their code, you idiot I downloaded it now and took this screenshot to send to you. Dumb, don’t bother if you want to download the plugin itself before saying false things and accusing people of what they don’t know.

    Fuck you man you are very dumb and again we are ashamed to have you representing the community.

    There was no screenshot. But if there was, it would have pointed to the original, which was escaped. Badly, but it was escaped (they used esc_attr instead of esc_url, which was a different matter).

    But at that point, three emails in under 2 minutes, he’s lost his blob. So the reply was “We wish you the best of luck, but we will not host your code.” and then into the auto-bin, but not before he got in one more:

    Fuck your ass, I’m not asking you to host my codes. You idiot, human garbage. Learn to talk to people you fucking nerd

    You first.

    How to Fork Like an Adult

    If you see a WordPress plugin you like that’s been abandoned (or just went in a stupid direction you hate), I strongly urge you to fork it. And the steps are really simple.

    1. Copy the version of the plugin you like
    2. Rename it and add your name as an author (add!)
    3. Make technical changes to the code – this can be a whole refactor to Namespaces and React, or adding in a feature that you cannot do in another way (caveat: If you can make an add-on plugin that does the feature, you’re better off doing that)
    4. Build a check so that your new version and the original being active at the same time won’t crash a site
    5. Update the readme to explain you have forked it from the original and list all the changes
    6. Update the copyright and add yourself on to it

    That’s really it. People often miss step 4, but they only really fight about steps 3 and 5.
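Step 4 is the one that people skip, so here is what that check looks like in a fork’s main plugin file. This is an added example, not code from the post or from any real plugin: “Gold Mining” is the post’s own placeholder name, and every function, class and file name below (`Original_Gold_Mining`, `gold_mining_init`, `GM_Fork`, the `gm_fork_` prefix, `includes/class-gm-fork.php`) is assumed for illustration. `plugins_loaded`, `admin_notices`, `deactivate_plugins()`, `plugin_basename()` and `esc_html__()` are WordPress core.

```php
<?php
/**
 * Plugin Name: Gold Mining Fork (hypothetical)
 * Description: Added example of a fork refusing to run beside its original.
 */

// Added example, not from the original post. The original plugin is assumed
// to declare the class Original_Gold_Mining or the function gold_mining_init();
// substitute whatever the plugin you forked actually declares.
function gm_fork_original_is_active() {
    return class_exists( 'Original_Gold_Mining', false )
        || function_exists( 'gold_mining_init' );
}

function gm_fork_conflict_notice() {
    echo '<div class="notice notice-error"><p>'
        . esc_html__( 'Gold Mining Fork was deactivated because the original Gold Mining plugin is active. Run only one of them.', 'gm-fork' )
        . '</p></div>';
}

function gm_fork_bootstrap() {
    if ( gm_fork_original_is_active() ) {
        // Bail out instead of redeclaring functions or classes the original
        // already declared, which is a fatal error that takes the site down.
        add_action( 'admin_notices', 'gm_fork_conflict_notice' );
        if ( ! function_exists( 'deactivate_plugins' ) ) {
            require_once ABSPATH . 'wp-admin/includes/plugin.php';
        }
        deactivate_plugins( plugin_basename( __FILE__ ) );
        return;
    }

    // Only now load the fork's own code (hypothetical file and class).
    require_once __DIR__ . '/includes/class-gm-fork.php';
    GM_Fork::init();
}

// Nothing is declared at file scope. By plugins_loaded every active plugin's
// main file has been included, so if the original is active its symbols exist
// and the check above sees them regardless of which plugin loads first.
add_action( 'plugins_loaded', 'gm_fork_bootstrap', 20 );
```

The design point is that the fork declares nothing at file scope: if both plugins declare `class Gold_Mining` the moment their main files are included, no amount of checking afterwards helps, because the fatal error has already happened. Deferring everything to a hook and deactivating yourself on conflict is what keeps a site up when a user installs both.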

    The other thing, if you’re called out on making a copy of a plugin, just fess up. There’s nearly always a way through that, but it has to start with you being honest.

    And yeah, I know how much someone hates hearing that their 100% copy of someone else’s work is theft, but I have never found another way that sufficiently slammed the idea into their heads about how much damage they’re causing and how much they’re hurting someone else.

    Taking someone’s work without credit hurts them. It devalues their work and elevates yours unfairly. It also takes away their recognition which will only hurt them if they later use their work to try and get a job.

    This is one of the huge risks with AI, since it wasn’t built to credit (I would find it so cool if it did).

    So please, be honest when you copy code.

  • Plugins: How Not To Report

    Plugins: How Not To Report

    One day, we got a weird email from Dexter (not his real name).

    Am I allowed to release my POC in an hour? It was reported and my report was given n/a. No one is taking any notice to it so I assume it is safe to share and help others.

    That was, literally, the first email we got.

    We replied and asked “What PoC?” (PoC means “Proof of Concept” in this case, and it’s expected that if you report an issue, you explain how you found it and how to reproduce it as … proof … of the concept of the issue). We stressed that we had not received any other emails from him, so could he please explain.

    We also mentioned that asking for a reply in an hour is not acceptable for anyone, especially when you don’t know what time-zone people are in. The rest of the email was the boilerplate “Here’s how you file a security report for WP and here’s how you do it for a plugin.”

    My Bad, I was Helping

    Dexter…

    You see my actions as wrong. Sorry. I was trying to help. Has been a few weeks. Not making excuses but now you explained I understand, on the other side of the fence things are not as clear as that. I also have a thing where if I do not write things down I will eventually forget them. This is extra tough as I try not to keep information of vulnerabilities. However, it is my intent to do right.

    Believe it or not but, you are one of the only people who actually try to help educate me. Even though you did not have to.

I was trying to get a CVE but I do not know the relevance of the issue. I originally thought it was WordPress then was told about plugins. The website owner is unresponsive. Trust me, I submit about 500 reports a day. They’re always unresponsive.

    I am not sure if you still want me to communicate with you or if you prefer me to leave you alone.

    Thank you for reducing my ignorance, either way.

    While I’m sure he submits a lot of reports, this was (again) the first time he’d ever emailed Plugins. And notice that he still isn’t saying anything about this report?

    So we asked again, what freakin PoC?!?! (nicely) and he replied in four emails with screenshots and this was the PoC:

    It is for this
    https://developer.wordpress.org/plugins/javascript/ajax/

    https://codex.wordpress.org/AJAX_in_Plugins

    It was not on wordpress.org.

    Since the issue is down to the php code, I am not sure who is responsible for it.

    None of that is a PoC, for the record.

    That email looks like a comment about a security issue with WordPress, right? But via the screenshot of the webpage (not a link, he sent a fucking screenshot!), I was able to figure out this was from a CVE about the Ajax Load More plugin and looking at the CVE … it was already closed.

    Per [URL], the issue is resolved.

    This means there’s nothing for you to report, unless you’ve found something else. And if you have, you need to unpack what’s in your head and tell us what you found.

    If you’re just telling us that the vuldb site reported on an issue, then please make sure their site is NOT saying the issue was resolved. We don’t need to know about those, as they’ve already been handled.

    Oh and there was no issue with the codex, it was just documentation.

    Dexter replied “One of the targets I tested on says they are using version 5.1.9.” and frankly that sucks but it’s not our responsibility. The plugin was fixed, the fix was released, and if some dingleberries didn’t update, that’s on them.

    He then claimed the fix wasn’t in the 5.3.1 version. You know, the version known to be vulnerable? Yeah, it didn’t have the fix. The next version has the fix. As documented.

    If a PoC Falls in the Forest…

    Next, Dexter sent a report and here’s what his PoC looked like:

[the contents of the PoC file are not preserved in this copy of the post]

    Not a joke.

    The text file was just that.

    We asked if he sent the wrong file or it was encrypted, and he claimed we were idiots for not understanding that. Again, we asked him to give us an actual proof of concept, where he walked through how he found the bug and identified it. Instead, he linked to more and more sites that had been hacked, as if that proved anything.

    Since he’d linked to sites with the parameters used to ‘hack,’ I was able to track down the actual plugin with the issue and … drum roll … it was already fixed!

    Two years ago.

    So Dexter decided to ‘prove’ it was a problem by finding people with the old versions of the plugins (bear in mind, every single plugin he reported had already been fixed) and attacking their sites and crashing them.

    That’s how someone sues your ass, by the way. NEVER ever try to test a hack on someone else’s site! Besides being bad-form, if you break the wrong site you can find yourself at the bad end of a legal mess.

    Proof of Concept Means You PROVE how it works

    We tried to explain again:

    The issue is you handed us an incomplete PoC without the explanations and expected US to do the hours of work to try and guess what you meant.

    Just by looking at that URL: example.com/wp-admin/admin-ajax.php?action=formcraft3_get&URL=http://127.0.0.1:8080

    We see how it says formcraft3_get — That means a specific plugin is required to even make this possible.

    That issue has already been resolved and was confirmed here: https://wpscan.com/vulnerability/b5303e63-d640-4178-9237-d0f524b13d47

    If you’re not testing the latest versions of WP (which you already mentioned) and the plugin, then it is an invalid report. If you are not updating WP and the plugins, of course you have a high risk of vulnerabilities, but it’s incorrect to claim these are ‘new’ (other people have already reported), and since they have all been fixed then you just have to update your site.

    Since literally every single report you claim to be an issue has been fixed, we have nothing to do here.

    He replied ‘okay’ but then kept attacking sites to prove it.

    After he replied this:

    I don’t know what you have to do but I am convinced something needs to be done. I am genuinely trying to help you. You just have to accept that you may be wrong here and need to do something about it.

    There are a vast amount of people looking to use the exploit. You have not advised your customers from any of the links you showed. No offence but, your work around sucks too. It is like you do not assume an attack will do any recon.

    I gave up, and flagged him as ‘quarantined’ which is where we put people who are well meaning, but cannot be helped.

He’s right in that people are looking to attack sites, but if the fix is available and people don’t use it, the only thing the plugins team might be able to do would be force an upgrade. We only do those under exceptional circumstances, which none of these were.

    Dexter’s still running around, being a serial ‘hacker,’ and I’ve no doubt one day he’ll really get himself into trouble.

  • Plugins: WordPress Owns The World

    Plugins: WordPress Owns The World

    A self-proclaimed security expert came to Slack one day to complain about plugin security.

    The summary of Kareen’s complaint (not her real name) was she firmly believes that WordPress and WordPress.org are responsible for preventing brute force attacks on users.

    Now, I’ve said this a lot. Brute force attacks are best protected a layer above your website, with a firewall. Preferably the firewall is something the host does. But Kareen also claimed she had proof about issues with specific plugins, hence my involvement.

She came to Slack because she’d posted in the forums about security issues and was asked to please come to Slack and talk instead. That’s the norm. Like a great number of people, she took umbrage at that and ranted about the FBI and Dark Ops and Mitnick (remember him!?) and … well. Yeah.

    Why NOT In Forums?

    Why don’t we want people to talk about security in the forums?

    The answer is simple: They’re public.

    If you post about a security issue, in public, instead of privately contacting the people involved, you are increasing the risk. Hackers (or rather, kiddie scripters) scan the WordPress.org forums for evidence of security issues and use that to blast everyone and try to hack sites for lulz. And they will get on the hacks before the plugin (or whatever) devs can get a fix out.

    So, to be responsible and reasonable, you privately contact the developers, give them some reasonable time to fix things, and everyone wins.

There are some notable shitheads who refuse to do that. As my buddy Jan says, “We’ll keep shooting the employees until morale improves.”

    The Right Place and Time

    I redirected Kareen to where to report security issues for Core and Plugins. I foolishly assumed that would be enough.

    Kareen emailed Plugins with a couple word docs, one of which was a complaint about the forum moderators (which was ignored) and the other was about how brute force attacks happened on websites, and people were hunting for plugins she didn’t even have on her site.

    I call that ‘Tuesday.’

    My sites are hit like that every day of the year. They look for plugins and themes I don’t use. It’s a carpet bomb in the hopes of finding someone vulnerable.

    But still, I try to always give people the benefit of the doubt, so I read her other document in full and found her ‘proof’ of hacking.

    123.456.78.90 - - [DAY/MON/YEAR:00:46:22 -0500] "GET /wp-content/plugins/easy-wp-smtp/ HTTP/1.1" 404 118611 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36"

    And how is that proof? She said it was because she didn’t have easy-wp-smtp installed.

    The reality? That proves nothing. Script Kiddies regularly attempt attacks on your site without checking if you have a plugin (or theme) first, because it’s easier to just try the attack. If it works, they’re in! If it doesn’t, they move on. If they checked first, our myriad tools would spot them sooner, which they don’t want.

    Now, some of those calls were interesting and were doing GET /index.php?token=5db0b95680eb8fd776410fe5a37135a5 which made me curious. They were aiming for specific tokens, but there are thousands of plugins that use that param.

    Oh and I liked this one too:

    [DAY MON 01 17:29:07.773011 2020][client 123.456.78.90:65409] [client 123.456.78.90] Access denied with code 403 [hostname "www.[redacted].com"] [uri "/register/{{=+data.profileurl+}}"] [unique_id "X@Znsw5Azi2b-mCnSbIgDAAAAAc"], referer: https://www.[redacted].com/register/%7B%7B=+data.profileurl+%7D%7D

    Again, we’re clearly seeing a blanket attack on plugins and themes the site didn’t have.
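To show why a single 404 for a plugin you don’t have is noise, here is a small script that reads access-log lines like the one above and separates “probed for an absent plugin” from “probed for an installed one”, tallied per source address. This is an added example, not code from the post: the log lines and the installed-plugin list are constructed, and `123.456.78.90` is the post’s own scrubbed placeholder address.

```php
<?php
// Added example, not from the original post. The log lines and the list of
// installed plugins are constructed; the address is the post's scrubbed one.

$installed = array( 'akismet', 'wordpress-seo' );

$lines = array(
    '123.456.78.90 - - [01/Jan/2020:00:46:22 -0500] "GET /wp-content/plugins/easy-wp-smtp/ HTTP/1.1" 404 118611 "-" "Mozilla/5.0"',
    '123.456.78.90 - - [01/Jan/2020:00:46:23 -0500] "GET /wp-content/plugins/wp-file-manager/readme.txt HTTP/1.1" 404 118611 "-" "Mozilla/5.0"',
    '123.456.78.90 - - [01/Jan/2020:00:46:24 -0500] "GET /wp-content/plugins/akismet/readme.txt HTTP/1.1" 200 1524 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [01/Jan/2020:00:50:00 -0500] "GET /about/ HTTP/1.1" 200 9320 "-" "Mozilla/5.0"',
);

/**
 * Tally per-IP requests under /wp-content/plugins/ as hits on installed or
 * absent plugins. Returns an array keyed by IP.
 */
function classify_plugin_probes( array $lines, array $installed ) {
    // Apache/nginx combined format: ip ident user [time] "METHOD path proto" status ...
    $entry = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) /';
    $per_ip = array();

    foreach ( $lines as $line ) {
        if ( ! preg_match( $entry, $line, $m ) ) {
            continue; // not a log line we understand; skip rather than guess
        }
        $ip     = $m[1];
        $path   = $m[4];
        $status = $m[5];

        // Only requests aimed at a plugin directory are interesting here.
        if ( ! preg_match( '#^/wp-content/plugins/([^/?]+)#', $path, $p ) ) {
            continue;
        }
        $slug = $p[1];
        $kind = in_array( $slug, $installed, true ) ? 'installed' : 'absent';

        if ( ! isset( $per_ip[ $ip ] ) ) {
            $per_ip[ $ip ] = array( 'installed' => 0, 'absent' => 0, 'probes' => array() );
        }
        $per_ip[ $ip ][ $kind ]++;
        $per_ip[ $ip ]['probes'][] = $slug . ' -> ' . $status;
    }
    return $per_ip;
}

$summary = classify_plugin_probes( $lines, $installed );
foreach ( $summary as $ip => $info ) {
    // One absent-plugin 404 is Tuesday. A run of them from one address is the
    // pattern a host-level firewall or rate limit should be keyed on.
    $verdict = $info['absent'] >= 2 ? 'blanket scan, block upstream' : 'background noise';
    printf( "%s: %d absent, %d installed (%s)\n  %s\n",
        $ip, $info['absent'], $info['installed'], $verdict, implode( ', ', $info['probes'] ) );
}
```

Run against real logs, the interesting output is the per-address volume, not any individual line: the scanner above never checked what was installed, it just walked a list, which is exactly why the one request for easy-wp-smtp says nothing about the site.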

    The Calls Are Coming From Inside The House

    I scrubbed the IPs in this post, but I did go and check the real ones. They were all Digital Ocean and Amazon Cloud stuff. Those services are regularly used by assholes who build scripts and use the services to hunt down sites with vulnerable code.

    Sucks, but it’s normal.

    Kareen didn’t like that but she also didn’t belabor the point and left us alone after we explained it wasn’t something Plugins could help with because she couldn’t give us the name of a single plugin except easy-wp-smtp, which had actually fixed a vulnerability a couple months prior.

    Kareen went on to rage about how she was going to talk to the FBI (again) and made a couple legal claims. A number of people tried to calm her down, but in the end we told her that her account was suspended because we really really couldn’t help her, and she was screaming into the void.

    There really is a limit before you have to cut people off. It’s a waste of time.

    And Then …

    Later on, though, she filed a complaint:

My account was suspended without proper or professional communication, and while defaming me as “trashing a plugin,” AFTER the network of the same location as the hosted plugin was running brute force login attacks 24/7 on my network.

    Wanna guess that network? Digital Ocean. 

    Yeah. That’s like saying “Someone in NYC peed on my leg, therefore ALL PEOPLE FROM NYC ARE LEG PEE-ERS!”

    What someone does on their own hosting is, in no way, WordPress.org’s fault. If the code to brute force was found in a plugin hosted on .org, then yeah, we can do something, but it won’t stop the attacks.

    Needless to say, we didn’t reply. There was no point.

  • Plugins: Not Your Circus, Not Your Gold Mine

    Plugins: Not Your Circus, Not Your Gold Mine

    My friend Andrea M. once told me “Not my circus, not my monkeys” about a problem that was outside her purview, and I liked it so much, I kept using it. I’m sure someone else came up with it, but that’s where I learned it.

    Perry (not his real name) had a big problem understanding when something wasn’t his business, as well as when to accept the L.

    Authors and Managers and Committers

    Perry had an interesting history. He started out by emailing Plugins to complain about the language used on WordPress.org plugin pages. Specifically, he didn’t like that the pages say “Plugin Author” and thought it should be “Plugin Manager” and his reason?

    Being authorized to commit code and release versions does not make a committer an author.

    Now, the plugin team didn’t agree. As Otto would say “If you’re not capable of writing the code, then you should not have access to change it for the users.”

    Perry …

    […]

    Moreover, the authorship claim that you are forcing on your benefactors kills inspiration. You are not allowed to impose your own rules on people committed to make WordPress usable. We’re not your slaves, not your servants, not your employees. We’re forced to contribute because WordPress is the only game in town, and most people are likely to not want to publish otherwise.

    I’m asking you nothing but to be consistent: […]

    In response you sent me lies. And added insult over injury.

    […]

    There was a bit of a laugh held over ‘slaves’ and Plugins sent back that (a) we’re not going to change it and (b) if you really want to die on that mountain, here’s a link to META TRAC where you can open a ticket.

    Perry sent back links to academic discourse about authorship and concluded:

    After reading these articles, you’ll be able to understand that a maintenance programmer is not an author.

    As it happens, performing maintenance programming on code, where authorship is conferred by … wait for it … writing code means the person is, in fact, an author. This was something mentioned in those links.

    All plugins said was basically “Thanks but no, here’s Meta trac, knock yourself out.” Perry replied with some legal brouhaha, and pity was taken asking “Dude, do you want to file a legal complaint or a request to edit?” He apparently missed the links to meta in the previous two emails, but then said Meta was broken. Turned out his browser was so out of date, it was banned by WordPress.org to prevent bots.

    But that seemed to mollify him.

    On to the Circus!

    Two years later…

    Oh wait, no, there were a couple more weird moments. In one, he was upset someone used his real name on the forums. That was totally fair and we did clean it up for him, but pointed out that you have to give the forum moderators time. We’re all volunteers, after all.

Finally we get to the story. It began with him asking us to merge accounts. In general, that gets you a finger waggle and a talking to about why multiple accounts are stupid when you’re one person, but this one went off the deep end real fast.

    He realized that having two accounts that shared code might make him run afoul of taking code without credit (i.e. copyright violations). I was happy for that level of self-awareness and honesty! And he was right! That is a part of why two accounts is stupid. But … Perry went on to explain that he used to be a part of a plugin (fake name “Gold Mining”, I’m watching Gold Rush right now) and left that project due to ‘ethical reasons.’

    Sure, I get that. I’ve done the same. I rage quit using a plugin when I learned the creator was angry WordPress had an ‘all female’ release (nb: That should have been an under-represented persons release, and they corrected the name in the second one, but that first one had a bad name).

    Perry’s email was mammoth and included layers and layers of quotes.

    Here’s what you need to know:

    1. Perry happened to be a support rep (not a developer) on “Gold Mining.”
    2. He emailed the people who actually owned the code to complain about how they ran things, and said he was going to work on other projects neener neener.
    3. The owner of the “Gold Mining” plugin accepted the resignation with a no-take-backies addition of “And if you aren’t quitting, you’re fired.”
4. Perry accepted this, with a bit of vitriol.
5. Perry emailed Plugins to explain he was both AlsoPerry AND Perry, and his plugin was a legit fork and had code he wrote, he wasn’t stealing, but he was still helping out in the “Gold Mining” forum.
6. Obviously his fork was closed because of the confusion above.

    If you’re wondering about the surprise of “his plugin was closed,” so was I. I looked into it and a reply was sent:

1. Plugins literally does not give a shit about interpersonal drama that happens in a group outside of WordPress.org (we do care if it’s people following others home to harass, but this was clearly not the case).
    2. Plugins has now documented he was both people, though, for his and our protection.
    3. If he really was fired/quit/left the “Gold Mining” project, walk the fuck away from their forums.
    4. His plugin was closed because he broke his email on his alt account and it bounced, which he actually knew!

    He replied with “Oh, I thought I was banned because of (all the reasons above) and not what you said.” And it went on for a long time … Okay? Who gives a shit. He could just say “That explains it, I’ll fix my email.” But no, no, it’s gotta be Dickensian.

    1200+ words.

    Plugins closed that rant email without reply. But you’re getting the idea here right? Every. Single. Email is this long.

    Important note: See how Plugins told him to stop helping out in the “Gold Mining” forums? Yeah, remember that. It’s important later.

    Oh and he never fixed his email so his plugin remained closed.

    Stop Poking the Bear

    Another 18 months or so have passed. I’d forgotten about this whole mess because, after all, I was processing hundreds of tickets a day, and anything that wasn’t active within a week fell out of my head. But also I kind of assumed he’d properly realized “I owe Gold Mining nothing!” and moved on.

    Oh. I can delude myself sometimes. Otto calls me an optimist.

    Perry emails and asks if we can transfer his version of the plugin from AlsoPerry to Perry and reopen. And I started to think “Sure, why not” and read the rest of his long email, which explained he was still helping out in the original “Gold Mining” forum and answering PRs on their GitHub!

    I wish I’d never taken psychedelics, I’d never drunk coffee and cocoa, I’d made no mistakes, and I’d always got at least one verse of the Bible each day.

    I would be very sad if I never had cocoa or coffee again, but to each their own.

    Plugins Team checked out the plugin, saw it was a 100% copy (not a fork) and explained that no, Perry, you cannot have it back unless you make it a real fork. Perry explained he didn’t have the technical chops to do that but we should let him have his own version anyway.

    The answer was no.

    So then he asked if he could have the original “Gold Mining” plugin, which the original authors (who were not him!) had closed on their own a few months before. Oh and he felt like a failure because it was closed.

    Our reply?

    1. No, you cannot have someone else’s plugin without their permission. Sometimes we’ll hand it over, but in this case it was patently clear the original owners didn’t want Perry to have it.
    2. The plugin was closed by the owner, we always respect that.
    3. “Gold Mining” was not Perry’s plugin. It never was. He never committed code, he never wrote a single fucking line. It was. Not. His.
    4. There was nothing Perry had done that was a ‘fail’ (except continuing to help in a place he knew he wasn’t wanted, and that was really only a ‘fail’ because he was hurting himself).

    Three days of emails followed.

    There was a weird claim that the original owners were asking Perry to keep supporting the plugin, and we asked if that was really the case. If so, we would go hit them with a fish on Perry’s behalf, because that’s abusive. But it transpired that no, no one had asked Perry to do anything at all; he just felt obligated.

    See, I was stressing that we wanted to protect Perry. Right now, though, we had to protect him from himself, and he really kept hitting himself. The Catholic Guilt on this guy was massive and I couldn’t figure out how to get him to understand that the plugin was not his, and he needed to walk away for his own sanity.

    Perry replied with a Catholic-Guilt-ridden, EPIC-length email with quotes from emails years past, which boiled down to:

    • The Original Owner was doing this out of revenge (‘this’ being leaving Perry’s access as a support rep in place; I removed him to settle that matter).
    • People still used the plugin (… yes? That happens).
    • Perry was obligated to help those people (FFS NO, how many times do we have to tell him this?).
    • Perry didn’t even know he was still a support rep until we told him in December when we had removed him.
    • Plugin closures can be reversed (yes, but not by someone who quit/was fired, buddy).
    • “So everything I do for [Gold Mining] now is both a sacrifice and a punishment.” (… God is in the tub).

    Plugins repeated “Walk. The fuck. Away.”

    It’s Monkeys All The Way Down

    A lot more emails followed.

    Like a lot, a lot.

    Perry kept arguing he had commit access and, in fact, I found out he did have access … five years ago. His access had been removed at least three years ago (we didn’t track plugin access being removed at the time).

    He also argued his removal was a mistake. Since all the devs were removed a day before the plugin was closed (by the owner, remember), we told him no, it was not. Clearly the owner knew what he was doing.

    Perry sent a lot more bible quotes.

    Finally he got an ultimatum.

    1. Perry was not permitted to host any plugin even remotely related to “Gold Mining”
    2. Perry was not permitted to post in the original “Gold Mining” plugin forums

    If he attempted either of the two, he would be banned.

    And that, my friends, is when it ended. He didn’t reply to that ultimatum, but at least he stopped emailing us daily.

  • Plugins: Offsite Help (vulgar)

    Warning: This post includes vulgarities and sexual threats to my family. They’re all talk and nothing more, but it’s gross.

    There’s a forum guideline that a lot of people don’t like. At its heart, it’s simple: if you’re going to use the forums, use the forums and help people in the forums, don’t send them off to your private site.

    The reason being that people will likely find their question in Google Search and come to WordPress.org. Logically their answer should be there. It’s not an uncommon guideline, and in fact I’m pretty sure StackExchange also has that. Keeping the answer local ensures the data remains available and people don’t get all DenverCoder9 on the world.

    Our buddy, Henry (you know the drill, not his real name), ran afoul of this around the same time he submitted his first plugin. Henry was replying to people with directions to ask via his LinkedIn account. The forum mods warned him a couple of times, and then flagged his account. A flagged account can still submit a plugin, and I noticed the flag when he submitted.

    Naturally I went to see what was going on.

    Unclear on the Concept

    Henry admitted to using LinkedIn as a way to solicit for work on .org, with the ultimate goal of getting support for his plugin (yeah) via that. Why? Because he needed a way for the users of his newly submitted plugin to get in touch with him. And as it unfolded, he had no clue WordPress.org gave you free forums for your plugins.

    Now, that we can also move past. People can’t know what they don’t know. But before the Password Reset team gave him the all clear, they wanted to be sure he understood what was wrong, and they asked “Hey, do you get WHY telling people to go to your linked in for help is bad?”

    The Reset Team knew that you have to ask people that, otherwise you get replies like Henry’s, which was “I know what you’re saying and I agree with you.” The thing is, that is not a real confirmation, so they asked it a little differently.

    Can you please tell us “Yes I understand that X is not allowed here.” changing X for what actually is the heart of the issue?

    While that certainly is annoying to get in an email, it also gives Henry the chance to say “I understand linking to LinkedIn isn’t allowed here,” and they could then follow up with “Can you confirm you understand that linking to any off-site location for support isn’t permitted?” Then you have their word and can use it against them when they screw up again.

    Again With My Mom…

    Instead of that, or some kind of annoyed “Bitch I understand!” reply, Henry showed his own ass.

    Can you please send me your contact so that I can personally talk to you?

    Then I will let you know better. If you have guts then please do it.

    And listen if you want to enable my account then do it otherwise keep it in your asshole.

    And I am here with your mom in my bed. So I am very busy with her. If you want to help then my child you can.

    I saw that, blinked, rejected the plugin and banned his account with a ‘blah blah your behavior ain’t welcome.’

    Then he followed up:

    Even your father can’t stop me, son of a bitch. Just try your best and I will fuck your asshole my entire life, my dick. Just ask your mom how much she enjoys it. Your whole family will enjoy it.

    I will fuck your plugin team as well. Just suck my dick, motherfucker. You and your team are losers. Motherfucker.

    Asshole, your mom’s pussy is very juicy and she loves my cum in her mouth. Call her and ask who I am. She will definitely tell you, my illegal son.

    And you my boy can’t stop me. I will fuck your ass daily now.

    And finally this gem:

    Come my little boy take your daddy’s dick into your mouth. Suck it nicely and take it to your throat.

    So you can see why the ban stands.

    Annoying But Necessary

    I want to stress, I absolutely understand how annoying it is to be asked “Do you really get it?” but any time you’re asked that? You 100% need to step back and think.

    Why is someone asking you in that way?

    Why are they pushing you about something?

    The answer is because you are behaving in a way that makes them doubt you do, in fact, understand the issue. And when that happens, you should reply with what you actually understand.

    “Sorry, yes, I understand that linking to an off-.org site for support isn’t permitted, and I get a forum of my own for my plugin, for free.”

    If Henry had replied with that? All would be well. But he instead took the repeat ask as an offense rather than a request for clearer information. When you’re not clear to the people asking you something, they 100% will ask again in different ways, to try and make sure.

    Why do we do that?

    So you don’t make the same mistake.

    Henry, though, well, you can’t help that.