• Hi

    I have some questions regarding WordPress plugin or theme active installs and I hope to get my answers.

    1. Does WordPress count locals as active installs? Because, as you know, plugins and themes can be installed and used on local development or testing sites and can send update requests to WordPress, so does WordPress count them in the active install numbers?

    2. Does WordPress pingback a site that checks for plugin or theme updates?
    As you know, a developer can send fake requests as update requests to the server via a fake site address, so how does WordPress detect that it is a fake request? What information does the WordPress active install check use to ensure that it is a real request?

    I see some strange things on wp.org/plugins and found some plugins that have fewer downloads but have large active installs when you check them against competitors.
    For example plugin A with about 12000 downloads has 3000 active installs and plugin B with about 40000 downloads has 3000 active installs.

    Also, please note that plugin A reached this number of active installs in a short period, with fewer features compared to others, and here I think that plugin A can send fake requests to wp.org to increase its active installs!

    It is a marketing strategy to increase active installs of a plugin and most of the companies can invest in it to increase it.

    Please clarify this for me and all developers who have questions regarding it.

    Thanks.

Viewing 3 replies - 1 through 3 (of 3 total)
  • Moderator Samuel Wood (Otto)

    (@otto42)

    www.remarpro.com Admin

    1. No. We exclude a lot of “temporary” sites, including localhost type installs.

    2. No. As for how we tell if it’s fake or not, I’m not going to tell you, for what should be obvious reasons.

    But yes, it’s totally possible to send a bunch of fake data to the system. It’s been done before. We would eventually find it, and your plugin or theme would get removed and banned for such, so.. kind of a bad idea?

    We check up on things when they look like they’re faked, but understand that your views on downloads aren’t evidence. We can examine the data directly and manually when needed, as well as have various scripts to examine it for us in such cases.

    However, note that downloads is a raw number. If I have 3000 active installs and I make 4 updates, that adds 12000 downloads to the count. So, there’s no real correlation between downloads and active installs.

    Active installs can even be higher than the total number of downloads, and this is often the case when a new theme enters the directory. Themes can get released by their authors separately, gain a following, and then get put into the directory later, after they already have a large number of users. Some plugins have done this in the past too. Also consider that plugins or themes may be made by hosting companies, who put them on their users’ sites automatically during installation, and then they might do their own in-house update process instead of having those sites download from www.remarpro.com.

    So, the reality is more complex than just download numbers vs active installs. Nevertheless, we do monitor it and notice when things go weird.

    Thread Starter cyrusos

    (@cyrusos)

    Hi @otto42

    Thank you for your explanation.

    I know that you are the developer of the WordPress Active Install check script and you are the right person that can help us regarding our concern.

    First I should say that yes I know that only plugins that use the wp.org for updates will count as an active install and I checked some of the plugins and found some of the plugins that are doubtful.

    Please let me know: if someone writes such a fake request generator script, then he can send requests as normal requests too, so it is not possible for you to check whether it is a normal or a fake request.

    1. If you do not check the IP of requests, it will be so easy to send fake requests to the server, like using Tor IPs or residential IPs.
    2. I don’t know whether it is possible to send a request with a real site IP, but maybe a professional hacker can do it: fake a real site IP address and send a request to the server from that site IP so it will appear as a normal site!
    3. He can send these requests to a bunch of plugins and you could not detect it and delete his plugin too!
    4. He can use this script to send fake requests to a plugin and when you check that plugin you will delete that plugin accidentally.
    5. You don’t have any reporting system inside the plugins page, so users cannot report it. When someone reports it, first your scripts will check for fake active installs and then someone checks it again if it is suspicious.

    Please let me know your feedback.

    Thanks.

    Moderator Samuel Wood (Otto)

    (@otto42)

    www.remarpro.com Admin

    Please let me know: if someone writes such a fake request generator script, then he can send requests as normal requests too, so it is not possible for you to check whether it is a normal or a fake request.

    Of course we can check whether requests are fake or not. It’s really obvious too. You’re just not seeing it. That’s okay, not everybody will. In any case, we can tell, and that’s all that matters.

    If you have any doubts about a specific plugin, then you can email [email protected] and they can have a look for themselves. But realistically, faking the numbers doesn’t happen here. It’s not worth it. These are free plugins on free hosting. Such shady marketing tactics don’t gain enough to be worth it.

  • The topic ‘Important Questions Regarding WordPress Plugins Active Installs’ is closed to new replies.