YOP Poll WordPress Plugin And Base64
Today while running a speed test at tools.pingdom.com for one of the sites that I have been working on, something strange happened. There were many strange image files that were getting loaded. (Picture below)
So what is the problem?
Not only that, the name associated with the files was my biggest concern – “base64”, which is a well know malware that have been known on many WordPress sites.
Now, base64 by itself means something else, but any base64 that have been associated with WordPress that I have came across are nothing but trouble.
Now what to do?
So the first thing I did was heading to mySQL and search for “base64” and found bunch of posts that as expected were hacked. Within these posts, there were links created and linking to pictures that had nothing to do with the site. For example, take a look at the picture below.
After cleaning most of the data fields that contained base64, I came across to a file that belong to a plugin that was installed on February 13th, 2014, which happened to be little before those infected posts were created. “That seemed strange and what a co-incidence……” I thought….
So, what to do next?
Well, since there is a support forum for the plugin, I thought why not ask the guy who made it, then the following answer came back.
Hi digitalreadymarketing,
The file encodes in base64 some of the messages sent to the server.
Best wishes,
YOP Team
Not a satisfactory answer. Even if that is what the Java Script suppose to do, there are still so many elements that makes this very fishy. For example, the plugin Author has only created one plugin and despite the popularity, the author’s website has no content at all what so ever! In fact, there are just fake content to fill up the site.
As you might know, Expedia got in to a trouble by hiring a marketing firm that created a free WordPress theme that had a link back to Expedia’s site. (There was a very well written case study about this in case you are interested)
So, maybe someone is doing the same tactic with this plugin and generating all kinds of links?
What do you think? Is this what I think it is?
- How To Track Keyword Ranking? - April 27, 2020
- Is Updating Old Content For SEO Worth It? - March 30, 2020
- What Is Remote Desktop Access (a.k.a RDP Or VPS) For SEO? - March 27, 2020
Hi,
While we do understand your concerns, having these issues after you installed our plugin is only a coincidence.
We do use base64encode in our plugin but it has no connection with the base64 malware.
Allow us to explain exactly how it works: we use the jquerybase64encode.js library only when in the poll’s settings “Vote as WordPress User” is set to “Yes”.
When the user clicks on the Vote button, if he is not logged in WordPress we encode the poll’s data using base64encode and the user will see a pop up that asks him to log in first. After he logs in, we take that information, decode it and process the vote.
jQuery.base64, that we use to preserve data integrity is not a malware, but a class developed with that specific purpose – basically it’s a tool we use to transfer data regarding users’ votes.
If you look in its file (yop-poll-jquery.base64.min.js) you will find both the script and information about the developer of this tool.
In regards to our website and the fact that this is the first plugin we created, well…we had to start somewhere. The website came in second and it’s still under construction. In the past year we focused all of our efforts into developing this plugin and constantly improving it and the fact that we have tens of thousands of downloads and 5* reviews encourage us to continue our work.
Regards,
YOP Team