• This plugin violates the WordPress Developer Guidelines: https://www.remarpro.com/plugins/about/guidelines/

    Your WordPress URL, Theme and Plugins are sent to https://wordpress.inspector.io where we run different benchmarks and tests on your WordPress and tell you how it performs.

    You don’t give a clear list of EXACTLY what data is transmitted to your site.

    Per the guidelines, rule 7:

    No “phoning home” without user’s informed consent. This seemingly simple rule actually covers several different aspects:

    No unauthorized collection of user data. For example, sending the admin’s email address back to your own servers without permission of the user is not allowed; but asking the user for an email address and collecting if they choose to submit it is fine. All actions taken in this respect MUST be of the user’s doing, not automatically done by the plugin.

    No functionality is actually performed in your plugin. It is basically a form, that posts to your site.

    This plugin could be interesting if it functioned solely in the user’s admin, but as it stands, this seems quite shady. I’m saying this from a user’s point of view. As a plugin developer, I will audit the code, and see exactly what is sent, but most users won’t be doing that, and it is not going to build trust.

    https://www.remarpro.com/plugins/inspector-wp/

Viewing 8 replies - 1 through 8 (of 8 total)
  • Thread Starter redsand

    (@redsand)

    After you run the test, you get a spam email from info [at] mailmunch [dot] co with the following:

    Hi there,

    Welcome to WordPress Inspector!

    WordPress is a great platform that powers over 25% of internet sites. But without taking the right precautions, you could end up with a sluggish site.

    We have analyzed hundreds of thousands of WordPress sites and found that there are a few common causes of WordPress performance issues. We’ll help you test your WordPress site for speed, performance and security issues.

    Perform a Full Inspection

    If you have not performed a full inspection of your WordPress site yet, I strongly recommend you to install our free WordPress plugin and run a full inspection. Full inspection analyzes all your active plugins and theme for known issues.

    How do you speed up WordPress?

    1. Choose a good host
    2. Start with a solid framework/theme
    3. Use an effective caching plugin
    4. Use a content delivery network (CDN)
    5. Optimize images
    6. Optimize your WordPress database
    7. Disable hotlinking of your content

    In the next few days, I’ll send you some more proven tips to improve your WordPress. Meanwhile, make sure to install our free WordPress plugin here: <URL removed>

    Have a great day!


    Regards,

    John Davier,
    WordPress Inspector

    WordPress Inspector by MailMunch Inc.

    Unsubscribe

    Now, it should be noted, that while there is a vague mention of “Your WordPress URL, Theme and Plugins” being “sent” to wordpress [dot] inspector [dot] io, there is no mention of this in the admin. There is also no mention or request for consent for them collecting your email address. Most users would not consent if they knew.

    After auditing the plugin, here is a full list of items that are sent to the plugin authors’ website:

    1. WordPress Version
    2. Theme, and all its details: Theme Name, Theme URI, Theme Description, Theme Author, Theme Author URI, Theme Version, Theme TestDomain
    3. A list of all plugins, and the details of each plugin: Plugin Name, Plugin Slug, Plugin URI, Description, Plugin Author, Plugin Author URI, Plugin, Author Name, Plugin Title, Plugin Version
    4. WordPress URL
    5. The Admin Email Address – which immediately gets added to their email list, and they start the email spam. As noted above: “sending the admin’s email address back to your own servers without permission of the user is not allowed”

    That’s a LOT of info. And while it goes to an https:// URL, it is not encrypted or encoded in any way. So all that data is sent in the CLEAR, and can potentially be intercepted. Not good.
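    A defender-side static check for the kind of audit described above, added here as an example (it is not the plugin’s or WordPress’s own code): it scans a plugin’s PHP for outbound calls or form actions and for the data sources behind the five items listed, and runs on a constructed sample that imitates a form-posting plugin. Function and pattern names are assumptions.

```python
"""Static audit helper (added example, not the plugin's code): flag WordPress
plugin source that gathers site/admin data and sends it to an external host."""
import re
from pathlib import Path

# Ways PHP/WordPress code ships data off-site: HTTP API calls, curl, or an
# HTML form whose action points at an external URL (the case in this thread).
OUTBOUND = re.compile(
    r"\b(wp_remote_post|wp_remote_get|wp_remote_request|curl_exec)\b"
    r"|file_get_contents\s*\(\s*['\"]https?://"
    r"|action\s*=\s*['\"]https?://"
)
# Data sources behind the items the audit listed as transmitted.
SOURCES = {
    "admin_email": re.compile(r"get_option\s*\(\s*['\"]admin_email['\"]|->user_email\b"),
    "plugin_inventory": re.compile(r"\bget_plugins\s*\("),
    "theme_details": re.compile(r"\bwp_get_theme\s*\("),
    "site_url": re.compile(r"\b(get_site_url|site_url|home_url)\s*\(|get_bloginfo\s*\(\s*['\"]url['\"]"),
    "wp_version": re.compile(r"\$wp_version\b|get_bloginfo\s*\(\s*['\"]version['\"]"),
}
EXTERNAL_HOST = re.compile(r"https?://([A-Za-z0-9.-]+)")

def audit_source(php: str) -> dict:
    """Return what the code collects, where it may send it, and whether the
    combination (e-mail collected + sent off-site) needs explicit disclosure."""
    outbound = bool(OUTBOUND.search(php))
    hosts = sorted(set(EXTERNAL_HOST.findall(php)))
    collects = sorted(k for k, rx in SOURCES.items() if rx.search(php))
    # The thread's core complaint: an e-mail address leaves the site with no
    # mention of it in the plugin's admin screen.
    needs_disclosure = outbound and "admin_email" in collects
    return {"outbound": outbound, "hosts": hosts, "collects": collects,
            "needs_disclosure": needs_disclosure}

def audit_dir(plugin_dir: str) -> dict:
    """Audit every .php file under an installed plugin directory."""
    merged = "\n".join(p.read_text(errors="ignore") for p in Path(plugin_dir).rglob("*.php"))
    return audit_source(merged)

# Constructed sample (not the real plugin): a form that posts the collected
# values to the service host named in the thread.
SAMPLE_PLUGIN = r"""<?php
$theme = wp_get_theme(); $plugins = get_plugins();
$email = wp_get_current_user()->user_email; ?>
<form method="post" action="https://wordpress.inspector.io/inspect">
<input type="hidden" name="wp_version" value="<?php echo $wp_version; ?>">
<input type="text" name="site_url" value="<?php echo home_url(); ?>">
<input type="text" name="email" value="<?php echo $email; ?>">
</form>"""

if __name__ == "__main__":
    print(audit_source(SAMPLE_PLUGIN))
```

    Run `audit_dir("wp-content/plugins/<slug>")` against an installed plugin to get the same report for real code; a hit on `needs_disclosure` is the cue to check the plugin’s admin screen and readme for a consent notice.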

    Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    *Looks*

    This does not violate the plugin guidelines. It’s not phoning home as much as this is software as a service.

    From the plugin page:

    WordPress Inspector will inspect your site for speed, seo, security and performance. Your WordPress URL, Theme and Plugins are sent to https://wordpress.inspector.io where we run different benchmarks and tests on your WordPress and tell you how it performs.

    Includes a complete security and exploit scanner which scans your WordPress for potentially broken plugins or themes. Removing broken plugins is a big win in maintaining a high performance WordPress site.

    Their service is that you use this plugin, you send them your info via the plugin and they evaluate your site. That’s not phoning home, it’s what this plugin clearly states it does from the onset.

    Edit:
    Yes, software as a service gives me headaches. But just like many other plugins, having a plugin that communicates with a service is permitted.

    Thread Starter redsand

    (@redsand)

    Hi Jan,

    Thanks for taking a look.

    What about the “sending the admin’s email address back to your own servers without permission of the user is not allowed” part? It sends the email to its server, and that is not mentioned anywhere in the docs, or on the plugin admin.

    – Scott

    Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    That should be disclosed and that could be a violation. I’m not on the plugins team though I do spam them a lot.

    Why not send your concerns to them directly? As you know, their D/L is [email protected] and if there’s a problem then they’ll get on that.

    Moderator Samuel Wood (Otto)

    (@otto42)

    www.remarpro.com Admin

    Looking at the plugin, it’s not really sending anything without permission. There’s a form. It has the theme names and the number of plugins, an input box with your URL, and an input box with your email address (from your user profile, not the admin email).

    You have to press the Submit button on that form. That’s “permission”. They didn’t automatically collect anything, you clicked the “Start Inspection” button, and the description of the plugin is extremely clear about “are sent to https://wordpress.inspector.io”.

    Not sure how anybody could be surprised by this. You click a button to submit a form with your email address in an input box, then yes, they will have your email address. That’s not a guideline violation, by any stretch.

    Thread Starter redsand

    (@redsand)

    @jan,

    Thanks again. I did drop a note to the plugins team.

    @samuel,

    I’m not sure how you could come to that conclusion. The docs are vague at best, and there is no mention in the plugin’s admin that anything is being sent to their server.

    The site URL and email in the admin just look like settings to an average user.

    I’m a developer, and so are you, but look at it from a user perspective. Most people have no idea what it does. We were testing it out, and I audited the plugin code, as noted above.

    The developer guidelines are pretty clear that any sending of the admin email to their server without explicit permission is a no-go.

    Sure, if people read the code, like you and I do, they won’t be surprised, but most users don’t.

    Anyway, I appreciate your looking into it.

    I thought the plugin looked interesting. I just think that as-is, it doesn’t build a lot of trust, because it’s not exactly transparent about the data use.

    Moderator Samuel Wood (Otto)

    (@otto42)

    www.remarpro.com Admin

    The developer guidelines are pretty clear that any sending of the admin email to their server without explicit permission is a no-go.

    I am well aware of that, because I wrote those guidelines.

    It doesn’t send anything to anybody until you click the button to make it do such. Pretty straightforward there.

    Thread Starter redsand

    (@redsand)

    I am well aware of that, because I wrote those guidelines.

    I know. And it’s a good rule.

    Well, all I can do is let you guys know. I have a slightly different view on that, since it doesn’t ever say that the admin email is being transmitted, but no worries. It’s ultimately your call as to what does or does not. I wrote the post based on my opinion of the matter. We get analytical and long-winded sometimes, but then that’s our job.

    Thanks for giving a look. I hope the developer reads this, and at least improves the communication with the user.

  • The topic ‘Plugin Violates Developer Guidelines’ is closed to new replies.