A Tale of Two Plugins

Let me begin with the end in mind, by stating the end at the beginning:  The WordPress Plugin “One User Avatar” is the blessed door out of the Hellish plugin “WP User Avatar / Profile Press.”

Years ago, I installed the bad one, “WP User Avatar,” which at the time was very good.  It allows users to upload their own images as their user avatars, the little icons which represents a given user.  The plugin also allows the administrator (yours truly) to set some policies such as not allowing the intrusive and data-filching “Gravatar,” forcing resize of uploaded images to a standard size, and various other settings.

Doing some recent maintenance, I discovered that the formerly small and useful plugin had “grown” into an ugly conglomeration of social-media-tied horsepoop with an enormous range of new functions.  I discovered this by diligently updating the perfect little plugin; what I got was an unwelcome melange of functions and warnings.  The damned thing had even been “re-branded” as a new product called “Profile Press,” but this was no re-brand.  This was an entirely new product substituted after the fact for the plugin which thousands of blog admins had selected.

Hundreds of one-star reviews tell the tale; a few snippets:

  • I was using a user avatar plugin, then one day it suddenly became this paid membership plugin, which isn’t what I agreed to or wanted to install.
  • This used to be a great plugin but someone took it over and tried to make it a swiss army knife and include all kinds of irrelevant features that should be in separate plugins.
  • What used to be a simple plugin now becomes a bloatware of unrelated features. This is the scummiest exploitation of an existing user base to sell features we don’t need.
  • WP User Avatar 2.2.16 still works with WordPress 6.1.1 currently, but there is a slightly newer but still seemingly unmaintained fork of that version somewhere on GH. At least a fork won’t prompt you to upgrade to something you almost certainly don’t want to upgrade to. Is it just me, or does anyone else find it shocking that WordPress mods seem to be going out of their way to remove all direct references to any forked versions, including the ones hosted here on WordPress (which have all since been deleted by WP BTW)? If they feel that way, why did they use the GPL in the first place? Anyway, it probably goes without saying, but I cannot recommend installing this plugin.
  • terrible
    bad code
    the company, Proper Fraction LLC, buys established WordPress plugins and then re-hauls them to scam existing users via the update mechanism.

The last two begin to dig into the nature of the problem.  Independent developers create successful plugins which become popular and widespread, with a large installed base.  Then a company (in this case apparently “Proper Fraction, LLC”) offers them money for the plugin, and that company stuffs its own content into the next update of the plugin.  When thousands of diligent blog administrators apply that update, they get the new product as if they had asked for it.  This is a remarkable abuse of the “update” functionality.

This is the same way that ObamaCare was illegally originated in the Senate (it was required to originate in the House); by taking an unrelated House bill that had been passed to the Senate and literally scooping out all of the text from that bill and pasting in the ObamaCare text.  Well, our corrupt government decided that this and other sketchy maneuvers (“deeming” passed and the ten-year baseline dodge) were all okay, so guess what, not illegal anymore.

Politics not your taste?  This is also the same problem with software repositories when unscrupulous or malicious actors take over maintenance of widely-used libraries.  Via this sort of “upstream attack,” all sorts of websites, servers, and desktops have been co-opted into mining bitcoin or similar for people elsewhere.  This was not a product update — this plugin takeover by Proper Fraction should be considered an upstream attack.
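One defensive check a blog admin can run before applying an update, as an added example that is not part of this post or of either plugin: parse the WordPress plugin header from the main PHP file of the installed version and of the candidate update, and hold the update for human review when the plugin name, author or URIs have changed under the same slug, which is exactly the rebrand-via-update pattern described above.  Both header blocks in the script are constructed sample input; the author names, URIs and the candidate version number are placeholders, not the real plugins’ values.

```python
import re
# Header fields WordPress itself reads from the top of a plugin's main PHP file.
FIELDS = ("Plugin Name", "Plugin URI", "Description", "Version", "Author", "Author URI")
# Fields whose change across an update points at a rebrand/repurposing, not a bug fix.
IDENTITY_FIELDS = ("Plugin Name", "Plugin URI", "Author", "Author URI")

def parse_plugin_header(php_source):
    """Extract header fields like WordPress core: field name at line start (after comment punctuation), value to end of line."""
    header = {}
    for field in FIELDS:
        pattern = r"^[ \t/*#@]*" + re.escape(field) + r":(.*)$"
        match = re.search(pattern, php_source, re.MULTILINE | re.IGNORECASE)
        header[field] = match.group(1).strip() if match else ""
    return header

def update_drift(installed, candidate):
    """Return (field, old, new) for every identity field that changed between the two headers."""
    return [(f, installed[f], candidate[f])
            for f in IDENTITY_FIELDS if installed[f] != candidate[f]]

def should_hold_update(installed_php, candidate_php):
    """True when the update should be reviewed by a human before it is applied."""
    return bool(update_drift(parse_plugin_header(installed_php),
                             parse_plugin_header(candidate_php)))

# Constructed sample headers (not the real plugins' files); names, URIs and the candidate version are placeholders.
INSTALLED_PHP = """<?php
/**
 * Plugin Name: WP User Avatar
 * Plugin URI: https://example.invalid/wp-user-avatar
 * Description: Use any image from your Media Library as a user avatar.
 * Version: 2.2.16
 * Author: Original Maintainer (placeholder)
 * Author URI: https://example.invalid/original-maintainer
 */
"""
CANDIDATE_PHP = """<?php
/**
 * Plugin Name: ProfilePress
 * Plugin URI: https://example.invalid/profilepress
 * Description: Membership, login, registration and profile plugin.
 * Version: 9.9.9
 * Author: Acquiring Company (placeholder)
 * Author URI: https://example.invalid/acquirer
 */
"""
if __name__ == "__main__":
    for field, old, new in update_drift(parse_plugin_header(INSTALLED_PHP), parse_plugin_header(CANDIDATE_PHP)):
        print(f"{field}: {old!r} -> {new!r}")
```

In practice the installed header comes from the live plugin directory and the candidate header from the downloaded update ZIP, read before the files are swapped in.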

Here’s more coverage:

As one user put it, “What the heck? Updated plugin and suddenly I have a full membership solution.”

“You had the plugin WP User Avatar that did one specific function — added an avatar to users like when they leave comments on the blog,” wrote another reviewer. “Now I go to update it, and BOOM, a 100% completely different plugin takes its place.”

ProfilePress, the premium plugin, launched in 2015. It is a known product with an existing userbase. I cannot imagine any scenario that makes sense where the company takes a separate plugin that it acquired and implants a lite version of its premium product inside.

Except to capitalize on the 400,000+ active installs for a quick and easy profit.

https://wptavern.com/profilepress-rebrands-and-repurposes-wp-user-avatar-now-a-membership-plugin-users-revolt-via-the-wordpress-review-system

Back to our story, and the hero of the thing.  I dug into the update history of the plugin (before I had found all of this coverage) and discovered that version 2.2.16 was the last version that just did what it said on the original tin.  I downgraded to that version, which was perfect, but out of date, and therefore should be considered insecure in its own right.  At the same time, I considered the surreptitiously-installed, sprawling and intrusive up-to-date “version” a greater threat than the merely outdated but desirable version.

I experimented with removing the plugin entirely, but it (destructively) ate some of the user avatars when it left, so I restored from a 15-minute old backup of the site.  Hmm.  I eventually stumbled upon the hero of this story, “One User avatar,” which describes itself beginning like this:

WordPress currently only allows you to use custom avatars that are uploaded through Gravatar. One User Avatar enables you to use any photo uploaded into your Media Library as an avatar. This means you use the same uploader and library as your posts. No extra folders or image editing functions are necessary. This plugin is a fork of WP User Avatar v2.2.16.

Well, say no more sir!  You had me at “fork of WP User Avatar v2.2.16.”

I am happy to report that this plugin simply adopted all of the user avatars exactly as they sat in the existing install, and even told me “you must disable [the other one] for this one to start working.”  Excellent!  And indeed, as I incrementally, selectively crippled the other one, there was no disruption.  Finally, I manually deleted the old plugin via the file manager (it would not go down willingly), and still no disruption.

Huzzah!  The new and magnificent plugin is here:  https://wordpress.org/plugins/one-user-avatar/

I don’t know anything about the guy who publishes it, but forking 2.2.16 was the right answer, and it simply took over the job formerly done by [the other one] 2.2.16.  I greatly appreciate the little message about disabling the other one, which I was going to do anyway of course, but that little bit of reassurance was a great relief.

Shame on the scummy, scammy proprietor of Proper Fraction, Collins Agbonghama, to be sure, but especially shame on WordPress powers-that-be for allowing this sort of blatant bait-and-switch money grab, where trusted free plugins are skin-suited by “freemium” upselling of unrelated products.

This nonsense has me looking at the Fediverse once again.  But that is… another story.
