WordPress Security Issue: Unknown Free Plugins Can Harm Your Website

Although WordPress is considered a stable and safe CMS and blogging platform, a large number of themes and plugins are not safe. Think twice before installing an unknown plugin or theme. TAC is available to check the authenticity of a theme, but there is no comparable way to rule out security issues in so-called "Free Plugins".

We wanted a floating sidebar because we publish long posts and roundups, but since we are a bit lazy, like most bloggers out there, we decided to install a plugin named Strx Magic Floating Sidebar Maker from the WordPress repository. Everything looked fine: it had a 4.9 out of 5 star rating, 50 people gave it 5 stars and just one odd man gave it 1 star (now it's 2 because of me :p). The first day was quite awesome: CTR jumped to 1.75%, whereas normally it is 0.5%. We were pleased, as our sales increased manifold just by a click of the mouse.

But things turned against us after a couple of days: CTR dropped to below 0.25%. We thought it was normal, but it wasn't. Yesterday, while working on a college library system, I found unknown ads and links in the sidebar that had never been installed on this website. By looking at the source code we were quite sure that it was because of a "Bad Plugin".

After looking deeply into the source code of each plugin (the theme is custom-built by us, so we left it out of the inspection), we found something really bad: Strx Magic Floating Sidebar Maker was forcibly inserting the author's ads on our website. We quickly contacted the author, but he didn't reply. We are quite sure that he doesn't have any answer, but we will wait for his reply.

So here is what we found in this plugin's source code.

Starting with an AdSense ad banner:
$rv.='<tr><td><div><script type="text/javascript"><!--
google_ad_client = "pub-8907793348376201";
/* 468x60, per plugin e widget wp */
google_ad_slot = "8331203622";
google_ad_width = 468;
google_ad_height = 60;
<script type="text/javascript"

Links to his website

The developer gave us a free plugin, and now he wants us to link to his Twitter account, FeedBurner account, email subscription and even a "Make a Donation" page!!! It is ethical to include a download source link or even a donate button, but showing a Twitter handle without the admin's permission is too much.
$rv.= '<tr><td><b>If you like this plugin</b> help me spread and improve it. How? Simple: '.
'<a target="_blank" href="http://wordpress.org/extend/plugins/strx-magic-floating-sidebar-maker/">rate it with 5 stars and say it works</a>, '.
'subscribe to my feed by <a target="_blank" href="http://feedburner.google.com/fb/a/mailverify?uri=StrxBlog">email</a> or <a href="http://feeds.feedburner.com/StrxBlog" target="blank">any other client</a>, '.
'<a target="_blank" href="http://twitter.com/fstraps">follow me on twitter</a>, '.
'<a target="_blank" href="http://www.strx.it/donate">make a donation</a>. Thank you.'.

It doesn't end here

If you think this is too much, wait a second. I found 18 more affiliate links:
function strx_floating_sidebar_affiliates(){
 return array(
 //Elegant themes affiliate program http://www.elegantthemes.com/affiliates/
 '<a href="http://www.elegantthemes.com/affiliates/idevaffiliate.php?id=6321_0_1_7" target="_blank"><img border="0" src="http://www.elegantthemes.com/affiliates/banners/468x60.gif" width="468" height="60"></a>',
 '<a href="http://www.elegantthemes.com/affiliates/idevaffiliate.php?id=6321_0_1_7" target="_blank"><img border="0" src="http://www.elegantthemes.com/affiliates/banners/468x60.gif" width="468" height="60"></a>',
 //Envato refer program http://themeforest.net/wiki/referral/basics-referral/referral-program/
 //logos http://themeforest.net/wiki/referral/basics-referral/banners-and-logos/
 '<a href="http://themeforest.net?ref=straps" target="_blank"><img border="0" src="http://envato.s3.amazonaws.com/referrer_adverts/tf_468x60_v2.gif" width="468" height="60"></a>',
 '<a href="http://themeforest.net?ref=straps" target="_blank"><img border="0" src="http://envato.s3.amazonaws.com/referrer_adverts/tf_468x60_v1.gif" width="468" height="60"></a>',
 '<a href="http://videohive.net?ref=straps" target="_blank"><img border="0" src="http://envato.s3.amazonaws.com/referrer_adverts/vh_468x60_v4.gif" width="468" height="60"></a>',
 '<a href="http://graphicriver.net?ref=straps" target="_blank"><img border="0" src="http://envato.s3.amazonaws.com/referrer_adverts/gr_468x60_v1.gif" width="468" height="60"></a>',
 '<a href="http://activeden.net?ref=straps" target="_blank"><img border="0" src="http://envato.s3.amazonaws.com/referrer_adverts/ad_468x60_v4.gif" width="468" height="60"></a>',
 '<a href="http://audiojungle.net?ref=straps" target="_blank"><img border="0" src="http://envato.s3.amazonaws.com/referrer_adverts/aj_468x60_v3.gif" width="468" height="60"></a>',
 '<a href="http://3docean.net?ref=straps" target="_blank"><img border="0" src="http://envato.s3.amazonaws.com/referrer_adverts/3d_468x60_v3.gif" width="468" height="60"></a>',
 '<a href="http://codecanyon.net?ref=straps" target="_blank"><img border="0" src="http://envato.s3.amazonaws.com/referrer_adverts/cc_468x60_v3.gif" width="468" height="60"></a>',
 //'<a href="http://tutsplus.com?ref=straps" target="_blank"><img border="0" src="http://envato.s3.amazonaws.com/referrer_adverts/tutorials_468x60_v1.gif" width="468" height="60"></a>',
 '<a href="http://www.woothemes.com/amember/go.php?r=38627&i=b43" target="_blank"><img src="http://woothemes.com/ads/468x60b.jpg" border=0 alt="WooThemes - Quality Themes, Great Support" width=468 height=60></a>',
 '<a href="http://www.woothemes.com/amember/go.php?r=38627&i=b44" target="_blank"><img src="http://woothemes.com/ads/468x60c.jpg" border=0 alt="WooThemes - WordPress themes for everyone" width=468 height=60></a>',
 '<a href="http://www.woothemes.com/amember/go.php?r=38627&i=b43" target="_blank"><img src="http://woothemes.com/ads/468x60b.jpg" border=0 alt="WooThemes - Quality Themes, Great Support" width=468 height=60></a>',
 '<a href="http://www.woothemes.com/amember/go.php?r=38627&i=b44" target="_blank"><img src="http://woothemes.com/ads/468x60c.jpg" border=0 alt="WooThemes - WordPress themes for everyone" width=468 height=60></a>',
 '<a href="http://www.mojo-themes.com/?r=straps" target="_blank"><img src="http://www.mojo-themes.com/wp-content/uploads/2010/05/MOJO_THEMES_468_60_banner.jpg" border=0 alt="Mojo Themes" width=468 height=60></a>',
 '<a href="http://www.mojo-themes.com/?r=straps" target="_blank"><img src="http://www.mojo-themes.com/wp-content/uploads/2010/05/mojo-468x60.jpg" border=0 alt="Mojo Themes" width=468 height=60></a>'
 );
}

This is clearly unethical if the author is knowingly doing it without giving any option to change the links or banners; normal bloggers cannot be expected to go into the plugin source code and edit it. We all know that it takes time to develop themes and plugins; we also developed 5 Blogger templates and gave them away for free. We all do this to get some attention in this ecosystem of internet users, but some people, like the developer of this plugin, are trying to earn big cash that they don't deserve. I admit that the Blogger templates we have created are really difficult to sell, and the same is the case for this plugin. This developer knows that it is not possible to sell this plugin, and he may not have the skill to make a premium plugin that could make him an elite seller on Envato. So I recommend: beware of these kinds of plugins and developers!!!

If you still want to use this plugin because you have no way out, simply remove all of the above code; hopefully you will then be safe.
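To find this kind of hard-coded advertising across every installed plugin without reading each file by hand, here is an added example in Python (not part of the original post or of the plugin): it scans PHP sources for the markers quoted above, an AdSense client id that is not the site owner's own and affiliate-style links, and reports line and value. The regex patterns, host names and publisher ids are constructed assumptions for illustration.

```python
import re
from pathlib import Path

# Markers of hard-coded ad/affiliate code, modelled on what the post quotes:
# an AdSense client id, and links via idevaffiliate.php, amember/go.php or a
# ?ref= / ?r= referral parameter. Assumed patterns, not a complete catalogue.
PATTERNS = [
    ("adsense", re.compile(r'google_ad_client\s*=\s*"(pub-\d+)"')),
    ("affiliate_url", re.compile(
        r'href="(https?://[^"]*(?:idevaffiliate\.php|amember/go\.php|[?&](?:ref|r)=)[^"]*)"')),
]

def scan_source(text, own_pub_id):
    """Return (line_no, label, value) for each marker in one PHP source text;
    an AdSense id other than own_pub_id (the site owner's) is 'foreign_adsense'."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        for kind, rx in PATTERNS:
            for m in rx.finditer(line):
                value = m.group(1)
                label = kind
                if kind == "adsense":
                    label = "own_adsense" if value == own_pub_id else "foreign_adsense"
                findings.append((no, label, value))
    return findings

def scan_plugin_dir(root, own_pub_id):
    """Scan every .php file below a plugins directory; returns {path: findings}."""
    results = {}
    for path in sorted(Path(root).rglob("*.php")):
        hits = scan_source(path.read_text(encoding="utf-8", errors="replace"), own_pub_id)
        if hits:
            results[str(path)] = hits
    return results

# Constructed sample in the shape of the quoted plugin code (placeholder ids/hosts).
SAMPLE = """\
$rv .= '<script>google_ad_client = "pub-1111111111111111";</script>';
$a = '<a href="http://market.example/?ref=someone" target="_blank">b</a>';
$b = '<a href="http://themes.example/affiliates/idevaffiliate.php?id=0000_0_1_7">x</a>';
$c = '<a href="http://shop.example/amember/go.php?r=12345&i=b43">y</a>';
$d = '<a href="http://docs.example/page">plain link</a>';
$e = '<script>google_ad_client = "pub-2222222222222222";</script>';
"""

if __name__ == "__main__":
    for no, label, value in scan_source(SAMPLE, "pub-1111111111111111"):
        print(f"line {no}: {label}: {value}")
```

Point `scan_plugin_dir` at your wp-content/plugins directory with your own publisher id to list every file that carries someone else's AdSense id or an affiliate link.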

Here is the developer's official blog: www.strx.it. I have mailed him about the issue and posted a review on the WordPress plugin repository. We are waiting for his reply here.



  1. Interesting post about Wordpress plugins.
    Luckily I'm not using the same ones, but I will have to check out the plugins I use and see if they are similar!

  2. You should double check every plugin, as nowadays nothing is free. The plugin developer never replied to my email, my review on WordPress or even my comment on this blog post; he is doing all this with bad intentions. Also, most free WordPress themes are harmful. Beware of them!!!

  3. Good post Ramandeep and thanks for making us aware of this problem

  4. Thank you, still the developer is not responding. No moderator is banning him as it is a popular plugin; that's not fair.

  5. They'll get onto it at some stage.

  6. Waiting for that for many weeks now; even this plugin is featured on WPMU, which is strange too.

  7. I agree that including ads and affiliate links into a plugin like that is not nice. Good news with this particular plug-in (Strx Magic Floating Sidebar Maker) however, is that those affiliate links and ads are only shown on the backend -- on the settings page in the Wordpress admin. They are never shown on the frontend. If they were, it would have been outrageous.

  8. I think what Nick said is right. I'm currently using the plugin and from checking the code, it seems those ads only show up in the Settings page in WordPress. I was suspicious after reading this review, so I used Firebug to inspect my ad elements in my sidebar. The ads had my publisher number from AdSense, so everything was fine there.

    However, I'm still suspicious because my CTR has decreased in the past few days. Given there has not been any new content in my site for quite a few days so this could be just a coincidence.

    If you guys find out more about this, please do tell.

  9. I wonder if the reason the CTR drops when this plug-in is used is because it may be somewhat irritating to the visitors. I had installed it onto my website also initially but then I replaced it with another similar plug-in that seemed better to me. The other plugin's advantage to me is that it keeps the sidebar "stuck" to the user's view area when he/she scrolls around. This is in contrast to letting the user scroll away and then visibly moving the sidebar back into his/her view. Take a look at the alternative here: http://partsinplace.com/product/

  10. @Nick, I think you are right, this would be a better option, thanks for advice

  11. You can find the link in the post, now I have planned to switch to this plugin
    By the way, your blog is fantastic.