Caution! How a WordPress plugin turned over 60,000 blogs into an advertising slingshot overnight

By Tobias Gillen

I’ve been using the “Really Simple Share” plugin, originally written by Giuliano Polverari, for my WordPress projects for years. Simple customization options and quick integration of the sharing buttons into the page – so far without any problems. But now, with an overnight update, the plugin is turning into a nasty advertising slingshot.

I also integrated “Really Simple Share” (formerly: “Really simple Facebook Twitter share buttons”) on BASIC thinking and so far included the share buttons for Twitter, Facebook, Google+ and Flattr under the posts. Actually that wasn’t a problem either until I installed the latest update of the plugin this morning.

A little earlier, the implementation of ReadyGraph was added to the normal, rather modest range of functions. ReadyGraph is a service to supposedly increase the reach of the blog and also better monetize it with various tools. It’s just stupid when the blogger is forced to monetize it.

Infolinks: One of those typical adware ticks

After updating the plugin, the ReadyGraph monetization option was preset – with no option to disable it. As a result, a number of keywords on this blog were turned into links from Infolinks – a service that wants to monetize websites with “smart ad units”. The links look a little different than the normal links we set and are double underlined. If you move the mouse over one, a small pop-up opens.

Infolinks is a treacherous service. A little Google research is enough to find out that the implementation, once done, cannot be undone so easily. Infolinks is one of those typical adware ticks that you can only get rid of with a lot of effort – ReadyGraph forces it on the blogger and practically blackmails them into registering, which is where monetization can supposedly be disabled.

Deactivate? Nothing there!

I can delete ReadyGraph via a small link on the plugin’s settings page – this in turn causes the page to become completely paralyzed. Alright, so I’ll just log in to disable the monetization settings, I thought. After logging in, I find the appropriate settings and remove the checkmark from all three. But when I click on “Save Changes”, the “Enable Related Tags” check mark jumps back in.

In summary, this means: it is not just that the plugin presents this ReadyGraph service to a blogger at some point. No, an update forces you, almost overnight, to log in there in the hope of finding a way to deactivate the forced monetization. And then you can’t even turn it off. That’s a bold thing.

Especially since a blogger is unlikely to realize that the Infolinks links that suddenly appear on the page come from a plugin for sharing buttons. A Google search will quickly reveal that you have to look for the Infolinks script somewhere in the code – I’ll just say “needle in a haystack”. In the end, it was also a fairly time-consuming search for the cause for us.
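
One way to shorten that search, as an added example that is not code from the article or from the plugin: a Python scan of a plugins directory that reports which plugin folder contains the names ReadyGraph or Infolinks, and on which lines. The sample tree, its file names and contents are constructed for the demonstration.

```python
import os
import re
import tempfile

# Vendor names taken from the article, matched case-insensitively.
MARKERS = re.compile(r"readygraph|infolinks", re.IGNORECASE)
# File types worth reading as text inside a plugin folder.
SOURCE_EXTENSIONS = (".php", ".js", ".html", ".htm", ".css", ".txt")


def scan_plugins(plugins_dir):
    """Map each plugin folder to [(relative_path, line_number, marker), ...]."""
    findings = {}
    for root, _dirs, files in os.walk(plugins_dir):
        for name in files:
            if not name.lower().endswith(SOURCE_EXTENSIONS):
                continue
            path = os.path.join(root, name)
            rel = os.path.relpath(path, plugins_dir)
            plugin = rel.split(os.sep)[0]  # top-level folder = the plugin
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    for line_no, line in enumerate(fh, 1):
                        for match in MARKERS.finditer(line):
                            findings.setdefault(plugin, []).append(
                                (rel, line_no, match.group(0).lower()))
            except OSError:
                continue  # unreadable file: skip it, keep scanning
    return findings


def build_sample_tree(base):
    """Write a constructed plugins directory (hypothetical names and contents)."""
    files = {
        "share-buttons/share.php": "<?php\ninclude 'extension/rg/init.php';\n",
        "share-buttons/extension/rg/init.php":
            "<?php\n$ReadyGraph_enabled = true;\n// loads Infolinks related tags\n",
        "contact-form/form.php": "<?php\n// nothing unusual here\n",
    }
    for rel, content in files.items():
        path = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for plugin, hits in sorted(scan_plugins(tmp).items()):
            print(plugin)
            for rel, line_no, marker in hits:
                print(f"  {rel}:{line_no}: {marker}")
```

On a real site, point `scan_plugins` at the `wp-content/plugins` directory and run it before and after an update to see which plugin newly contains these names.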

Over 60,000 active installs

According to the WordPress directory, “Really Simple Share” has over 60,000 active installations, all of which fall into the advertising trap with the update to version 4.3. There are also a number of other plugins that work with ReadyGraph. One can therefore assume that this insidious scam has an enormous reach.

For us this means, without a doubt: delete the plugin and keep an eye out for ReadyGraph, Infolinks and Co. for future plugin installations. This example also shows wonderfully that even an initially harmless plugin can eventually turn 180 degrees. Blessed are those who read the information of each update carefully.

Update: ReadyGraph has now responded to our request (also in the comments below) and claims it was a mistake. The update was supposedly never meant to go out and the error has now been fixed.
