Half-Elf on Tech

Thoughts From a Professional Lesbian

Tag: stories

  • Plugins: When it Restarted

    The first post in this series talked about the time when it all changed.

    The perfect post to start the year off with is when it happened a second time.

    The Return

    One day, IRC pinged the support/forum mod email list to tell folks there was a new booking plugin (ReBooker Inc.) that would reinstall once removed.

    While looking into that, the wp-forums folk noticed that all but ONE review was made by one of two IPs. One IP was the owner’s, the other was used by multiple accounts, the same age, with only the one post. Then #wordpress-sfd, who was also poking at this, noticed “Hey, this plugin makes an admin account!” It was yanked from the repository and the author emailed.

    This is when it gets weird.

    All of that previous stuff was reported to the plugin review team, which is normal. But then one of the forums people helping me clean up pointed out that Rebooker looked an awful lot like Bookings Inc’s plugin.

    I remembered that plugin, and I remembered good ol’ Liam! Liam had broken his contract, taken premium code, and given it away for free on .Org. He was permabanned for that, especially since he did a shit show with fake emails.

    Blame It On The Devs

    It didn’t take a huge amount of time to figure out that ReBooker was Booking Perfection. Altered, yes, but you can’t change code that much. Still, before we banned them, we properly suspended ReBooker for the following reasons:

    1. Auto creating an admin account
    2. Reinstalling once removed (done via a backdoor they’d leave in MU plugins)

    Of course while we were sorting out if the two plugins were the same, ReBooker came back and said “Oh we’re so sorry, we hired a 3rd party to do this for us and they were evil! We fixed it!”

    That is a plausible story. And in fact it’s one that’s happened many times. Some people need to vet their devs better. At this time there was a rash of “consultants” who stole code (around this time a rather well known company had admitted to ‘stolen code’ and blamed an unchecked dev).

    In fact … just the week prior, Plugins had heard that exact excuse from someone else. It happens, but not that often. Most large companies are smart enough to have a QA system and encourage honesty. If you’re not, get started on that.

    But even if you believed the claim of a rogue dev, the claim of “we fixed it” is easily provable. Or in this case, disprovable. Not a single commit to SVN.

    Never Interrupt Your Enemy …

    … When they’re making a mistake.

    Besides not updating SVN at all, they’d taken to hate-reviewing their competition. But their massive problem here was in their IP addresses. Or should I say, Liam’s IP address.

    One person made a bunch of fake accounts to negatively review all other Booking plugins. The same person who had made all their commits. The same IP address. And no, it was not a VPN address.

    First, we gave Liam a small opportunity to come around, by providing clear directions while we double checked he was, in fact, Liam.

    You have not corrected any of the issues. Your plugin still creates an admin account when installed, and you have now begun “reporting” other competitors’ plugins by giving them disparaging comments in the forum.

    If there is an issue with a plugin, email plugins[@]wordpress.org and provide explicit code or plugin guideline examples. We ask you not to waste our time with frivolous or petty arguments with others.

    Until your own code issues are corrected and checked in to our repository, we will not reopen your plugin. This is not negotiable. Fix the code. Make it safe and secure. Stop spamming the forums. That’s all you have to do.

    You’d think this was simple, right? Just update and fix your damn code. Nope. Two days later, Liam emailed back to complain that he’d made changes and why didn’t we reopen, but again nothing was being pushed out.

    It’s clearer today, but even back then we clearly told people “if your plugin is closed, pushed code won’t get deployed to your users.” We tell people that so they understand they can push code to SVN freely without fear of upgrading anyone before we’re all ready.

    Take a Chance

    At this point SVN still was not fully updated. They’d updated the readme, and a couple lines of code, but the plugin still auto-created an admin, and we were still doing the leg work to connect the ReBooker and Booking Perfection websites.

    Since there was no need to re-review, Liam was emailed:

    Understand that due to the severity of the issues with your plugin, it may be a few days before we have reviewed your plugin completely and replied. We ask that you be patient, and especially that you don’t email us every day asking for an update. We’re volunteers here, and we do this in our free time. If we determine we need to get a security expert to double check, this can take longer.

    Keep in mind, Liam had been emailing multiple times a day asking the exact same thing – why wasn’t the plugin updated? Answer: Because Liam hadn’t updated!

    I was starting to wonder if the story was true, that ReBooker had maybe hired Liam, and he was just doing all this shit on his own. But finally we had lined up enough code proof that ReBooker was totally a copy of Booking Perfection. We had to acquire the new version of Booking Perfection, but they were a line to line match in multiple places.

    Here’s where I’m the asshole. I never told Liam I knew it was him. Instead, I emailed that it was something a little less.

    We are not comfortable with the established pattern of your behavior on WordPress.org. There is enough similarity with both code and behavior to lead us to believe that your plugin is one that was written by someone who already had their code removed from the repository due to breach of contract. As you claim to have hired a third party to write this, it’s entirely possible they did this, however as it stands, we cannot re-open this plugin.

    You are free to continue running your site and making the plugin available on that site or elsewhere. All we can control is what plugins we allow in the plugins directory, and we won’t be allowing yours […]

    See? I intentionally misled him to think the only issue was “the consultant you hired” and how it made the plugin unable to be hosted on WordPress.org.

    The Poison Tree

    Liam took that lump and was quiet for three more days. Then he asked if there was any way he could come back. Going with the ruse, I replied that they could never submit another booking related plugin because there would always be the risk of them using Booking Perfection code, which was a GPL violation. For the protection of the directory, no.

    So he tried to appeal to empathy.

    If you find anything which is not good or which is causing problems, i would say we are very happy to change that, but directly putting us out of business is not good.

    Signed?

    Liam.

    Note: We only closed their plugin on .org. They’re free to run their own shitty business if they want to, and while it was harder to self host and deploy back then, it was totally possible. Today the email actually gives practical advice on doing that, just so people get that we’re not trying to ruin their business, but we cannot host them.

    I emailed back no, and Liam replied.

    It will cause a deep loss to us and all of the hard work is drained. I would request you to please give us a chance to prove ourselves. We have done nothing wrong or morally offensive which cause any problems to anybody.

    Sock puppetry, forced admin accounts, bad code, and lying? They offended me. There were six more pleading emails, one a day, until collectively the Plugins team told him he was banned.

    Mistakes Were Made

    The reason Liam was banned (again) was only in small part because of multiple emails. It was more the content of them. At no point did Liam even remotely comprehend that the code was the issue. We were trying hard to push that aspect since I believe telling someone “you’re the dipshit we banned last year” only encourages people to be bigger assholes.

    He made a new submission in the Plugin Repo, was rejected and told “Dude, we can tell it’s you. Stop.” Of course, while waiting for approval, he made more false allegations to other plugins (and yes, each one was checked just in case), used another forum account for more sock puppetry and fake reviews, and then was blocked.

    Then he made another plugin and tried a third time.

    The best part about all this is he kept emailing plugins, asking to restore his plugin.

    So let’s recap. So far he has:

    1. Submitted someone else’s plugin and had it removed by us
    2. Resubmitted the plugin, making it different enough we didn’t notice right away, with a different domain and IP, but with a massive security hole (which is how we realized he was the guy from 1) and had THAT removed
    3. Spammed the forums with fake reviews of his own plugins via sockpuppet accounts
    4. Spammed the forums with fake reviews of OTHER plugins, mainly competitors, citing them spuriously for errors that don’t exist (including, but not limited to, claims of using their own jquery – Like we can’t QUICKLY check for that!)
    5. Made even more sock puppet accounts to submit the plugin
    6. Continually emailed plugins, asking us to reconsider because they’re not doing anything wrong, and by gum, those other plugins are breaking rules too (not)
    7. Complained we’re ‘hurting his reputation and business’

    Two days later he came back and upped his game to attempting to impersonate me (not plugins!) by sending emails ‘from’ the plugins team.

    This Shit Again?

    That was the final proof we needed to identify Liam was … Liam.

    Subject: Offline Message from Mika Epstein: We have found both your plugins
    http://wo…
    From: Zopim
    To: xxx-removed
    Date: Mon, 22 Apr XXXX 07:22:26 -0000
    Message-ID:
    Reply-To: Mika Epstein
    From: Mika Epstein
    URL: http://redaced.com/

    We have found both your plugins
    http://wordpress.org/extend/plugins/redacted-1/ and
    http://wordpress.org/extend/plugins/redacted-2/
    to be same and you are using multiple a/c’s to handle it yourself over
    our domain. Unfortunately, we wil be banning you now from WordPress.

    —-
    Zopim http://www.zopim.com

    Most of the emails were sent at 1am my time.

    Zopim, now owned by ZenDesk, was never the service we used to send emails. And that sounds nothing like our emails. Also? I never put my name in the subject lines.

    But Liam, being an idiot, didn’t realize that his actual email address was in the email headers. I laughed a lot.

    Liam was banned again, and we spent another week just rejecting and blocking and banning before we finally slapped an IP ban on him for a month. That seemed to either wake him up, or he wasn’t capable of bypassing it and gave up.

  • Plugins: Just Sexism

    This is the last one for the year and it’s a couple people who are just plain idiots about the world.

    I wanted to find the one where the guy went into a massive transphobic rant about ‘real women’ but since I can’t remember the exact term he used, I’m struggling to find it. If I do, that’ll get added.

    To Sir, With Love

    A lot of people default to ‘dear sir’ in emails to Plugins. I, being not a sir, have a pre-defined reply I use to remind them that the Internet has women and that women code, and then we move on.

    FYI, you shouldn’t assume the people reading your email are only male. You often won’t know someone’s gender in email. It’s considered more universally polite to address a group (or an individual) by name or team name.

    That’s not terrible, right?

    Once in a while people are asshats and tell me not to be so touchy and I make a note of that in their account (it usually comes back to haunt them). More often, though, they apologize and explain they’d not been taught that, and we all learn from this experience.

    Similarly I tell people not to call a reviewer ‘My dear’ because that implies a relationship we do not have. That’s easy to mess up when you’re ESL, and the reply actually explains that you would say “Dear Reviewer” instead. This is, generally, well received. I’ve only caught a couple complaints and one was a guy from Texas, who got livid I suggested his English wasn’t too good.

    It really wasn’t.

    Daily Life of Women Online

    Starting off simple with some nameless people. All of these are comments or weird replies I got in the process of plugins.

    First up, we have this cheerful fellow who, after being corrected about calling me ‘sir’ for a couple DAYS, finally replied with this:

    Btw I saw ur talk on wordpress.tv yesterday, and realized that you’re a lady (a gorgeous one!).

    Then we have this weird Slack Message from someone I never talked to before:

    Thank you Mika you made my day love you.

    And also this one, later that day from someone else.

    Just love you for what you did to me today 🙂

    Shortly before WCUS (the second or third one):

    Hi.. good to see u on wcus speakers.. getting my tickets to fly US from PK for the show
    Best of Luck

    This one came via my contact form, after a plugin was rejected (because he never finished fixing it). My mother would argue that I am, in no way, ‘too’ feminine. My wife would say I’m perfectly feminine. Me? I’m happy with who I am.

    P.S. Yeah… I understand you have no obligation to reply… or to do NOTHING. With that sentence you proves very feminine, perhaps TOO feminine…

    And of course, Mr. Hugs.

    Corrections made, is attached the new version.

    hugs

    In case you gents were wondering what it’s like to be a woman online, it’s that.

    If You Have to Ask…

    Mid review, there was this one:

    p.s.
    Before contacting, I looked you up on the net, and when I realized that
    you’re girl and having this much passionate for coding, my respect
    grew²
    (hope this didn’t sound sexist)

    It did. And I replied to him, telling him it was sexist. He did not take that well.

    Gender Is a Construct Anyway

    This fellow started by going off about his plugin being ‘rejected.’ It was pended (and he’s why the email tries to be SUPER clear about that now), but he didn’t read. I suppose I shouldn’t have been shocked when he replied to the ‘Sir’ reminder like this:

    FYI: When you correspond with people, you should give your name so they don’t have to guess whether you are male, female, shemale, or a fourth gender.

    ‘shemale’ was a term that was used to call transwomen back in the 80s/90s, but we’ve come a long way since then. Also it was wrong then, and it’s wrong now. This guy may later get his own post, because he made a petition to get me ‘fired’ for telling him to sanitize his shit.

    It’s a Cycle

    First up, we have Bumper for anyone who likes Pitch Perfect.

    I sincerely apologize for unconsciousness caused by my address. I am just 27 this month and have never been lucky enough to see any female programmer. Maybe their menstrual cycle affect their ability to pay high level of concentration in this field. But I really appreciate the ones who break the ice.

    Bumper

    In the end, I rejected the plugin because everything was filled with that kind of tone after. Seriously, he stuck to his guns that women couldn’t dev, and went on to posit I was menopausal. Or rather … past my prime. Yes, he actually suggested I was able to succeed as a plugin reviewer because I must not have to deal with my period anymore.

    Boop Beep Robots

    Buggy (also not his real name) had trouble with his account. He emailed asking for help, and started with “Dear Sir”

    He got the normal reply, followed by directions to actually help him.

    Foolishness has many levels, yours is very polished, thus shiny!! Who cares who read the email, i just needed an answer. If you feel the email was meant for a male reader, you could hv put aside the email until a passing male reply that!! However I appreciate you CAREfree attitude to reply me. Thank you human/robot!!

    Not really sure how it’s foolish to remind folks that people of all genders work on WordPress, but off you go to the block bin, Buggy.

    Don’t Default To Sir

    The last thing WordPress needs is people that misogynistic, and dumb, dealing with people in the community.

    If you can’t accept that some people in WordPress aren’t men, you need a new hobby.

  • Plugins: D.M.C.A

    This is really more of a cautionary tale about how not to be an asshat to yourself.

    Go make the popcorn, I’ll wait.

    Welcome back! Here’s our story.

    A developer got banned from WordPress.org (temporarily) because they slapped themselves with a DMCA.

    No, really. Evan (not his real name) filed a DMCA that went to the data team, who handed it to Plugins and asked “Uh, what the hell?” I looked into it, read it a few times, and confirmed.

    1. It was a legit DMCA
    2. Evan was the plugin owner
    3. He had authorized a company to act on his behalf for DMCAs
    4. The company claimed Evan’s plugin on WordPress.org was in violation

    Yeah, you read that right. Take down these illegal copies of Evan’s own plugins… Except the plugins were Evan’s and were clearly not illegal copies. We read that a few times and decided it was one of these:

    1. They’re weird and don’t know it’s their own plugins
    2. Evan wasn’t thinking and just approved everything from the company
    3. It was a false claim

    On Monday I emailed the DMCA company and Evan to ask that. Neither of them replied. I checked with the legal folks and they agreed, we had to close the plugins and notify Evan of the situation. Since the DMCA said it should be passed on to him, I shrugged and did just that.

    Three days later, Evan shows up freaking the fuck out for pretty obvious reasons. He explained he’d used a computer program/service to send out the DMCAs and no one checked before sending.

    Playing middle-man, the plugin team passed on the details and explained that things were … not going to be quick. They got directions on how to formally retract the DMCA notice, and advice about that. The only other option we had was to file a counter-notice, but that would take weeks.

    It took about a week after that to untangle the fuckery.

    The kicker was it happened a second time, but Evan caught that super fast and fixed it before we had to take action. I suggested he just not try that shit again anyway, since his code was GPL to begin with.

    Coda

    There is an interesting thought here, though.

    Is a DMCA valid for Open Source code? The Digital Millennium Copyright Act is intended to protect copyright (it’s right there in the name). It exists to prevent people from taking a copyright protected item (say … a copy of an episode of The Simpsons) and posting it up on your own website. You don’t own the show, you don’t own the intellectual property, you’re just a fan.

    But Open Source code is meant to be shared, right? That’s one of the first rules (… open …). The right to take the code, tear it down to the bones, and build something else from it. The entire existence of WordPress literally lives on that (remember WP is a fork of B2).

    Could B2’s creator turn around and sue Automattic (or the WordPress Foundation) for copyright abuse?

    Thankfully, no. WordPress properly keeps the copyright in place. If you’ve ever heard me snark about copyright and how it’s additive, the easiest way to understand is this. If you take an existing plugin and refactor the code to make it even better, you would add your copyright notice on to the existing one.

    @copyright Person A, 2022 becomes @copyright Person A, 2022 ; Person B 2023

    Though I recommend you do it nicer and neater.

    Anyway. There are two main kinds of DMCA attacks against Open Source. The first is “That code is my copyright, stop using it!” and the second is “That code is circumventing a technical protection measure.” If the second one confuses you, don’t feel bad. I am very familiar with the first item (I’ve hosted fansites for 25 years and had my fair share of DMCA claims) but the first time I ran into the second was when YouTube forced GitHub to remove a library.

    In the end, GitHub restored the code (and explained why). Anticircumvention claims pretty much boil down to “This code is used to get around my protections” and are why people who make those DVD ripper tools are often in trouble (and in fact they’re why the DMCA happened in the first place). None of that matters in this fellow’s case though.

    The question is … Does Evan have a valid DMCA claim?

    Honestly, I don’t think so. Taking someone’s code and reselling it as your own is likely illegal for other reasons, and there may be some merit to any images or proprietary work used. But at the same time, the code was released under a license that literally allows its use as such. Now the GPL also has some requirements (like maintaining copyright, as well as not claiming it’s yours) but re-hosting code on your own site? Yeah, you can do it.

    Still, that’s a question for a lawyer, and not me. For me, what I stand by is that if it ain’t your code, and the developer(s) ask you to stop selling, or giving it away, you should do what they asked. Don’t be a dick. Be cooperative together.

  • Plugins: What a B*tch

    The old tagline on this site was “Half Elf, Full B.I.T.C.H.”

    I removed it ages ago because, while I got the joke, it didn’t always translate well. The tagline was actually from Tabatha Coffey, who was a contestant on a Bravo reality show, Shear Genius, trying to find the best haircutter. The show was awful, Tabatha was not. She had her own show for a while, Tabatha’s Salon Takeover, and she was basically the Gordon Ramsay of haircuts.

    At some point, she ‘took back’ the word “bitch” and said it stood for Brave, Intelligent, Tenacious, Creative, and Honest.

    I like to think I’m that.

    Anyway. This is short and our subject won’t even get a name. That’s how annoying he is.

    User submits a big plugin. On review, which doesn’t take long, it’s found to be a rebranded copy of Elementor. It wasn’t even a well done copy; it barely changed the name and there was no new code. The plugin was rejected with the normal note of “hey, this looks like you meant to upload a plugin to your site. We’ve rejected it. Please don’t do that.”

    The email is actually pretty kind and explains what the plugin submission form was for and all, and how to properly upload to your own site. While it’s weird to me, that issue happens all the time, and it’s part of why we have code that checks the name and auto-prevents you from uploading things with the same name (even if it has a different slug).

    The reply?

    you bitch.

    I thought that was a little extreme and suspended the account, emailing the standard boilerplate to explain why (tl;dr – jumping to that is just not something a mature human should do).

    Our edge lord du jour snaps back:

    you call that extreme? you asked for it because you’ve rejected my plugin!

    Okay, kid. Have a nice life.

    He was never heard from again.

  • Plugins: Sex and Gutenberg

    Look, I get that a mess of people hate Gutenberg. I like it, but that’s my opinion and that’s okay. I’m fine if you hate something I like, it doesn’t hurt me at all. What I don’t like are people being jerks to Gutenberg devs. In fact, I truly dislike people who are just mean to anyone, Dev or not. One of my weirder jobs as the Plugin Rep was balancing protecting users and protecting developers.

    It gets really weird when the developer is the user.

    I Hate Gutenberg

    That’s how we’ll start this one. Alan (not his real name) hated Gutenberg and posted a ‘review’ that was basically offering to bribe Automattic to stop making it. The forum mods very nicely said “hey man, this isn’t a real review, could you do that instead?”

    Alan…

    I was under the impression that ultimately Automattic is in control of the WordPress Core. If not them, then someone is, the buck stops somewhere. The drive to make this core is most likely coming from wordpress.com, an Automattic asset that uses themes that do not include a page builder.

    Alan on the WordPress.org Forums (post redacted)

    He went on to try and argue about usability etc. Now, to his credit, this was in the early days when it absolutely had some accessibility issues. It was also at the era that it was en vogue to bash Gutenberg … I’m not sure that era has ended yet. But basically Alan, no. WordPress.org is not going to stop developing Gutenberg. And no, Automattic doesn’t rule the world.

    The thing that was a little interesting is that Alan had left a few other turds of reviews (the eloquent “Don’t waste your time.” and using reviews for support). Five months prior, he’d got shirty about a review being moderated and not approved in a ‘timely’ (i.e. 5 minutes) fashion. Seriously. Five goddamn minutes.

    Kickbacks?

    The weekend rolls around. Most people are off enjoying the world and not WordPressing. That’s when Alan uses his second account to leave another review. His second account was, interestingly, the one he used to own his plugins. You can see how this landed in my lap.

    His other account was the one I was familiar with since he’d had a weird complaint that WooCommerce wasn’t accepting new plugins on their site a couple years ago, and he tried to buy someone’s plugin so he could be there. Alan also left a bunch of crappy reviews as that account, including a rant that someone charged people for their service (admittedly that plugin did do an asshat move by switching from free to pay, but still, the review was “They charge!” and not “The plugin sucks because …!” which is different).

    So on the weekend, Alan runs into another post by someone who mentions a plugin they’re using is conflicting with something. This was not Alan’s plugin. But Alan decided he’d fix it. He replied three times within 30 minutes that he was going to fix it, had ideas about fixing it, and had a fix. The robots (aka Akismet) flagged him as spam for the rapid posting and content since it had links.

    This happens, but it rarely requires anyone to ask this:

    Can a moderator please approve my posts above? I have posted a fix.

    Yes, I know this plugin is bad for your askimet kickbacks, but we want this, not askimet.

    Alan in the Forums on a Sunday

    Kickbacks? Akismet? I guess he realized he was caught as spam.

    And what does Alan do? He gets his other account, the non-plugin-dev one, and repeats his posts with this added on:

    Wow, speak your mind around here, and get the silent treatment. Core needs a fork soon. Ever since Gutenberg actually. Clearly (sexual?) favors are being exchanged, why else would automattic include changes that almost nobody wants, and actively hates? 

    Alan in the forums on a Sunday via his alt account

    … What?

    You Read That Right

    Yes, Alan said sexual favours were exchanged for … Gutenberg? Which had nothing to do with this plugin nor its conflict. And he wasn’t being given the silent treatment, it was a goddamn weekend, and I’ve spent over a decade telling the volunteers of WordPress to take a fucking weekend off!

    Forums reported him to Plugins and I read it on Monday. In the intervening hours, there were more complaints, from both accounts, and more rants that had nothing to do with the plugin that Alan was fixing. Given that he had already been warned the year before about making everything about his Gutenhate …

    A gif of Jan Brady saying "Marcia, Marcia, Marcia!"

    Alan clearly was incapable of (or unwilling to) restrain himself from ad hominem attacks and making everything about Gutenberg. In fact, if we go to tape, the year prior he claimed someone in Switzerland controlled all emails. The thing was, he just … posted that on .Org.

    Not as a reply, not as a comment about a plugin or theme.

    Not as related to a WordCamp.

    The post was really just “This website [WordPress.org] controls all email and are using their power to destroy my business.”

    It was clear to me what had to happen.

    Besides the fact that you were posting on a weekend and we are a 100% volunteer run service, accusing people of sexual favors in this manner is an egregiously unwelcome way in which to behave in public. It is aggressively offensive, rude, and in violation of multiple forum and plugin guidelines.

    Using a second account with which to make those comments shows you did this absolutely with malicious intent. You didn’t even wait an hour between asking your post to be approved and leaving such a comment. This behavior is an escalation to your aggressive, and incorrect, attack on Automattic regarding Gutenberg last year.

    We feel your actions demonstrate you simply are not willing to be a productive member of this community and as such we are invoking our right to remove hosting of your plugins at any time.

    Me via email to Alan

    There’s a lot more boilerplate, but more or less it tells you “Don’t make another account, and stop wasting everyone’s time here.” If you can’t play well with others, then open source isn’t going to be the place for you.

    In My Defence…

    Alan began his reply by saying he never intended that part of his reply to be public. So he … made it on a public forum, in the hopes his alternate account wasn’t blocked? Even though he knew about Slack and regularly used it to complain about being moderated.

    He went on to complain that the forum mods had a vendetta and clearly knew him from work. I have to admit, I blinked a lot there. His excuse was people clearly hated him from work and it spilled over? Why would they hate you at work, Alan? Why would someone from your job hate you so much as to make up shit about you here? He blamed the PC ‘woke’ world, and demanded to know who said such things because he had never seen any complaints. The same complaints that carried over from his work.

    Then he went on to say it was clearly a vendetta of the plugins team against non-Automattic owned ‘security’ apps. His was used by, I think, 500 or so people. Not what I consider a ‘well used’ plugin, more of a niche thing. This isn’t a judgement call! I have plugins used by fewer than that. It’s just like saying Lindy’s sells more cheesecake than strudel.

    That was a Guys & Dolls joke.

    But on topic, let’s see. The takeaways from Alan’s email are:

    1. Intent to be abusive? Check.
    2. Not understanding that multiple people are admins and can read posts? Check.
    3. Demanding explanation for non-related topics? Check.
    4. Claims he was never warned even though he replied to those warnings? Check.
    5. Claims we’re sensitive after accusing people of sexual impropriety? Check.
    6. Hiding behind claims of ‘woke’ abuse? Check
    7. Incorrectly assuming it’s about plugin in question? Check.

    Conclusion? Angry person who thinks he can mistreat anyone. And just for a bonus:

    Further, based on this overreaction, I can only conclude that I am correct. Gutenburg’s authors are providing sex, money and drugs to high ranking decision makers at Automattic.

    Alan via email to Plugins

    I still don’t work for Automattic (and never have). I’ve been to a lot of WordCamps and I’ve never been offered money or drugs or sex for favours doing plugin reviews. Was I always talking to the wrong people? Was there a secret orgy I was excluded from!? Now I want to know!

    Not really. None of that has any place in my WordPress life. Sorry folks, my sex life is not related to plugins or WordPress, and very much not your business.

    And for Alan, I just shrugged and moved on.

  • Plugins: My Way Or Nothing

    Plugins: My Way Or Nothing

    Back when I started explaining why I dislike security plugins, I mentioned hating people who thought they knew everything.

    Noah (not his real name) is a good example of that kind of drama.

    Not Safe Enough

    Very rarely do plugins get an email that starts out with claims we’re too dumb to understand security.

    In this case, Noah submitted a search plugin. Not a security plugin. And on a quick look, it had the following serious issues:

    • files meant to be hit directly by URL, reading POST data at file scope (outside any function)
    • calling wp-config.php directly to get DB access
    • non-prefixed functions, defines, and classes
    • non-sanitized data being processed and non-escaped data being output

    Pretty normal in so far as poorly written plugins go, and Noah got an email with the usual details on what’s wrong and what to fix.

    Noah did not take it well and claimed our rules were arbitrary and made to protect people. Yes? I mean, of course the rules are there to protect people! And one can argue any rule is ‘arbitrary,’ but that’s how they work. Noah went on to say that was okay, but rules had disadvantages too. To that end, sure, he’s got a point. The rules do limit innovation to an extent but usually that’s got a reason.

    The email went on for 1500 words about the problems people face (resource usage, mostly, and caching), and Noah included this gem:

    You are not able to solve these problems since you waste all of your time defining rules, handling security problems and bothering people who are offering their assistance to you for free.

    Noah via email to Plugins

    We wouldn’t have to make all those guidelines and handle security issues if people actually fixed them, but I felt that was beside the point.

    Let’s be honest here, Noah’s email was a lot of drama and words, signifying nothing at all. Making WordPress faster and having it use fewer resources is a great idea. But sir, this is an Arby’s. Or rather, Noah my man, this is a search plugin that has obvious security issues (sanitizing/escaping), makes dangerous calls that won’t always work (calling wp-config.php which can be moved), and crap for prefixes.

    Not Smart Enough

    I did pick out the line “you can’t understand what I do” and rolled my eyes. Generally speaking, if someone tells you that, they’re the fool, not you. It’s like people who jump to tell you “I have a decade of experience in WordPress!” They want their perceived standing in the community to excuse behaviour. That may happen, but I never cared if it was Matt himself submitting a plugin. Security is security. Hell, I once closed my own plugin for a security issue I’d missed 5 years prior (hilariously I only realized it was mine when I was about to hit send — there was a lot of laughing).

    And I absolutely am smart enough to take one look at Noah’s code and recognize that his entire point was to have a plugin search WordPress while intentionally not using the built-in WordPress security features. Like nonces. Normally that comes from a lack of education and I think of it as no-harm/no-foul. I remember when I didn’t really understand nonces, after all!

    But in Noah’s case, he believed he was smarter than everyone else using WordPress and, instead of submitting patches to improve it for everyone, he was just going to circumvent WordPress’ security entirely. And that is a non-starter.

    I am also smart enough to see his plugin could be brought into compliance pretty easily, which was why I didn’t reject, I pended.

    Not Clever Enough

    I replied to Noah explaining his rant was pretty off topic not to mention very wrong in many places. The code was not safe to use, and we generally didn’t accept plugins that didn’t ‘use’ WordPress unless it was safe.

    Perhaps I should explain a little here… See, there are two issues with calling wp-load.php or wp-config.php. The first issue is that people can, and do, move both the config file and the wp-content folder, so there would have to be a lot of fallbacks to make sure it would work for everyone. The second is that calling those directly is how you bypass WordPress’ security: nothing WordPress would normally check on a request (nonces, capabilities, sanitization) has run yet.

    A sneaky third is that there’s no reason you should need to do that in the first place. If you call your plugin properly, with init and so on, then you get all the fun WordPress stuff without the drama. I know it’s a concept a lot of pure PHP devs struggle with, especially when they want to have ‘a url’ that people can use on their site (like a plugin wants your site to have example.com/myplugin), because that is a little tricky with WordPress.

    In the email to Noah I made it clear. If he wanted to be hosted on WordPress.org, he had to follow the guidelines and that included our security requirements.

    I mean, come on, here’s the part of the email where I tell him to sanitize, and he asks if that’s correct:

    > When you include POST/GET/REQUEST/FILE calls in your plugin, it’s important to sanitize, validate, and escape them.

    Did you ever think, if this is really correct?

    Noah via email to Plugins

    Yes. Yes I do think it’s correct to sanitize, escape, and validate.

    Also, when I told him “you must use the most appropriate function for sanitizing” (by which I mean ‘don’t sanitize a number as a text field, y’all’), he said:

    Who are you, that you think you are allowed to tell me what I “must use”? Are you thinking, you would be god?

    Noah via email to Plugins

    A god?

    A screenshot that says "I am a generous god."

    Jokes aside, Noah made it clear he thought the rules were bullshit, and he had no intention of ‘helping’ anyone. I shrugged, rejected his plugin, suspended his account, sent his emails to the blocked bin, and moved on my way.

    One Year Later…

    A new search plugin showed up, and at first it didn’t trigger any memories for me. In fact, this version had corrected most of the things I’d flagged in the first one. A lot of people submit similar plugins, but at this point I was about 7ish years into reviews, so I was pretty good at spotting repeats.

    Just like people have writing styles, people have coding styles.

    Around halfway through the review, something clicked. I went and checked, and lo and behold it was Noah! He used a new domain, but DNS showed the same person owned both domains. Him. And he wasn’t really trying to hide it since, when I rejected the plugin, he replied from his first account’s email.

    He explained that in the last couple of weeks, we’d ‘twice’ gotten in trouble together. I thought I hadn’t heard from him in nearly a year, and now I was worried he had used multiple accounts. But before I got into that work, I read his email.

    I Didn’t Read His Email

    It’s true. I skimmed his 2500+ word email that was filled with … well … bullshit. He claimed that the use of saved replies meant I was ignorant and only doing that because it was easy… You know what, let me bullet point.

    1. He thinks Automattic owns the plugin review team.
    2. He believes he was 100% right and I was wrong, but he made the security changes anyway.
    3. I was selfish for not listening to him, but he’s not rude for not listening to me.
    4. He doesn’t believe telling me I’m stupid and paranoid was rude.
    5. He expected me to do the emotional labor of telling him how to behave.
    6. He claimed I rejected his plugin without a word (even though he replied to the email where I explained it was for abusive behaviour).
    7. He’s mad I rejected his resubmission, even though the original email said NOT to resubmit or make a new account (… I mean …).

    I did not reply since at the end he’d said this:

    This is my very last attempt to offer my software to you. If you don’t answer this email, I will delete the plug-in. But I believe you would serve WordPress better if you would give the software a chance.

    Noah via email to Plugins

    Alas, he tried twice more that year before (seemingly) giving up.

    Oh, and no, he didn’t have other accounts. He was sniffing some glue to come up with a claim that he and I had been in contact at all after that first rejection.