Recently a client forwarded an email from their host that pointed out a possible security breach in the popular sharing plugin Jetpack for WordPress.
The concern is with the email share function: spammers could use this function to send unsolicited bulk email via your website.
Looking into this issue raised the question of why we even need an email sharing function. Does anyone actually use it? With all the popular sharing platforms available today like Facebook, Twitter & Google+, do we really need email share? Is the risk worth the reward? For those afraid to use the public sharing platforms, I am confident they could simply copy & paste your URL into a regular email created via their local email program or an online email service like Gmail.
This possible security breach resulted in giving other social plugins a second look. If Jetpack, which was created by the great people at WordPress, is vulnerable, how safe are the others?
After consultation with a few clients, we chose to disable the email share functions of other plugins; better safe than sorry.
A great plugin I have used and liked, because of the way it handles sharing your website post title and images and properly links back to your site, is Social Sharing Toolkit by Marijn Rongen. No problem, I will just log in to the client’s site admin and disable the email sharing function. Well, was I surprised: it appears my go-to sharing plugin has been sold by the developer to another company, LinksAlpha. No big deal, their website claims they will continue development & updates as well as provide support moving forward.
So on the settings page I find a button for LinksAlpha and attempt to click and disable this feature… but nothing happens. The option is there but does not function. No big deal, let’s jump over to WordPress to see what is going on.
Normally a calm & cool web developer, I must say that what I found caused the blood pressure to rise dramatically. http://wordpress.org/support/topic/linksharereally
It seems the new owners chose to inject their own new function, basically a multi-platform sharing option that includes their name and link. I can understand that they want to promote their business and other products, but to just add their link button to everyone’s site without warning is wrong. Maybe an email or upgrade notice could have been tolerated, but just injecting their button with no option to disable it is bad business.
I was lucky that this deceitful action did not break the layout on any of my clients’ sites, but it still left me feeling I have let my clients down.
I have reviewed several fixes to make the shameless self-promotion button disappear, but I am unsure if I can continue to use any products from this company, as the trust factor has been violated beyond repair.
For all of my clients affected by this, I will be reviewing new solutions and reaching out to offer a fix or replacement based on individual needs.