A suspicious request has been circulating via email, soliciting WordPress.org plugin authors to give a third party write access to their repositories. The originator of these requests goes by the username bestweblayout on WordPress.org and operates the bestweblayout.com domain.

The issue was first reported by WordPress user FractalizeR, who posted the contents of the email:

“Hello Vladislav. My name is Grigoriy and I am a representative of BestWebLayout. Our team specializes in WordPress development services. We saw that your WP-SynHighlight plugin was updated more than 4 years ago. We would like to offer you our assistance and participation in further development and maintenance of this plugin. In other words, we would like to get your permission and access to plugin repository on wordpress.org. In such way we will become the plugin contributors along with you and will be able to control testing and development of this tool within the WordPress community. Our activity will include plugin updates, compatibility testing, support, etc. We have already talked to WordPress support team (they said that WordPress is open-source community and such contribution is welcome), who asked us to contact you with such a request. Please let me know if you are ready to accept our offer. Feel free to contact me with any questions. Thanks! Grigoriy”

FractalizeR’s initial reaction to the email was one of suspicion. “The offer itself is a little strange,” he said. “If I want to contribute, I donate code. I don’t ask write access to the repository.”

@Codix, another recipient of the email, decided to ask for contributions first. “I got the same offer and I suggested they should submit a patch to one issue before I can grant them access,” he said. “Still they insist they need to be listed as a contributor.”

A handful of other plugin developers reported on the same thread that they have received the same email, which they forwarded to plugins@wordpress.org. Mika Epstein, a member of the WordPress.org plugin review team, confirmed that they did not ask bestweblayout to get in touch with the authors.

In the meantime, bestweblayout posted on the thread in defense of the email solicitations:

We aren’t involved in any illegal affairs. Earlier on forum there was a question about the possibility of cooperation with the authors of neglected plugins. And it said that it is not a problem to cooperate with the authors. So we decided to help WordPress community with these plugins. We only collect information about plugins, which were simply neglected by authors and have not been updated with the latest changes of WordPress. Some of the authors refused, but some of them agreed. Sorry that it looks like spam.

Those who have reported having received the requests are uniformly suspicious of the technique that is being employed for gaining write access to their repositories. Epstein addressed bestweblayouts to explain why their requests are not being well-received. “It looks like spam because you’re sending this out to a LOT of people, and as of yet, haven’t done anything with the plugins,” she said. “Which is, sadly, a tactic of some spammers. They’ll take over legit plugins and turn them into guideline violation spam fests.”

WordPress plugin developer Jeff Sayre was another recipient of the email and he cites several issues with the approach that indicate it may be a potential threat. The fact that anyone is free to fork a plugin and develop their own version was the first indication. Developers can let the original author know, as a courtesy, but permission is not required.

Secondly, the “approval” implied in the email request is suspect. “The fact that the email makes it appear that they have “approval” from the WP repo team to contact me is another big, red flag,” Sayre said. “No one requires approval from anyone at WP to contact a plugin author. I receive emails all the time about updating my plugins.” Despite Epstein having made it clear that approval has not been given, the folks at bestweblayout continue to circulate the same email without modification.

A Warning to All WordPress.org Plugin Authors

Sayre has some sage words of warning to anyone who may receive this request or something similar. In case the offer of free updates to your plugin sounded like a dream come true to you, it’s a good idea to consider what is at stake. He cautions all concerned:

Providing such credentials to an unknown, therefore untrusted party, is never wise as it could be a significant security threat. Malicious code could be entered into your plugin and you, in effect, would be complicit in its insertion. If you do not know someone, it is never wise to team up with them without fully vetting their integrity and the quality of their work.

Obviously, you should be very wary of giving anyone write access to your plugin repositories. The motivation for the request could be harmless or it could be a ploy to gain access to WordPress.org plugins in order to unleash spamagaddon. When it comes to collaborating on code, it’s best to work only with developers you trust. If you’re not interested in collaborating, the safest route would be to suggest that they fork your work and credit you.