I received an email last month from a guy by the name of Saurabh Nagar. He was offering me a free WordPress SEO plugin that he claimed would help explode my blogs by creating loads of backlinks on other blogs for me, in return the other blogs would have links created on my blog.
Doesn’t that sound just like a link exchange program?
I may enjoy a bargain (or even better, a freebie) or two but I was not just going to install and run a free/paid plugin that was sent to me by email without first checking it out. If I was going to do that then I might as well send my bank account details to every email that comes into my junk folder requesting them.
I checked WordPress’ plugin section and found no mention of this free plugin, that was an alarm bell straight away to me as any free WordPress plugin worth it’s weight would be listed in there.
That is when I decided to type in the plugin name in Google.
The free plugin is called BlogPress SEO and within a few seconds of typing the name into Google I discovered that my initial doubts about this plugin were bang on the money.
First of all Google hates link exchanges like this (as the plugin boasts of clocking up hundreds of backlinks immediately), when they catch you (not ‘if’, but ‘when) they will remove you from their search engine which means no more traffic for you from them. I gain a hell of a lot of my traffic from them so it would kill my traffic and probably my blogs.
The second thing that was noticed was if you have a look in the files you will see this piece of code:
$sub="BlogPressSeo new installation.";
If you do not know what this bit of code does then let me tell you.
it sends your blog URL and your admin email address to the author of this plugin. And this is done without your consent which I believe is illegal in many countries (ask anyone who knows a thing or two about subscriptions).
But that is not the scary part.
There is a back-door built into the plugin that allows the author of the plugin (or anyone who has access to email@example.com) to log into your admin panel WITHOUT YOUR PASSWORD. That means they just have to enter the admin email, the one they have just sent their selves.
You worried now? Well you should be!
They also drop a hidden link to their site on your blog home page. This just makes it easier for Google to find every blog using this plugin and ban you all in one big sweep.
Just to put the cherry on it they are offering a paid version of the plugin for a ludicrous $97.00 a month (no backlinks on your blog) and a multi-licence version for $597.00 per month for use on 100 of your blogs.
If you have installed this free plugin then I suggest you do the following:
1 Uninstall and delete the plugin.
2 Change the admin email if you can (the author of the plugin now already has it)
3 Go into your database and delete any tables left by the plugin (the plugin does not have an uninstall method).
Let us try and warn as many people about this as possible. Please retweet this on Twitter, like it on Facebook, or promote it in any way you know. I don’t want to see this Saurabh Nagar hurting any more blogs then he has already.