Archive for April, 2010

WordPress Plugins Hijacking Facebook Pages

Thursday, April 29th, 2010

I discovered something disturbing about several Facebook Like Plugins for WordPress.

Since Facebook announced the Open Graph API last week there have been two dozen Facebook plugins that provide ways to put a “Like” button on a blog page or sidebar. One of them is mine. I’ve been fixing bugs and adding features since the evening of April 24th. I have made four releases in the last week.

I just started installing plugins written by the competition. Some are sidebar widgets like mine, and some use shortcodes to insert the likes into pages. Some of them can’t possibly work, while others, I have to admit, are better than my own version. I’ve been going through them in order to steal get inspiration from their ideas and improve my own widget.

In several of the widgets, they never ask for an admin ID. The admin ID is the Facebook name or numeric ID of the person who administers the page. Facebook reads the fb:admins meta tag in the head of the page to find out who the administrator is.

When I checked the source HTML for the page I discovered that these plugins were inserting the ID of someone other than the blog owner. That means that if you use these plugins, you don’t own your own page and the plugin author can then spam the people who like your page.

Several other plugins let you leave the ID field blank and if you do, they slam in their own ID. If you don’t fill out the form completely they own your page. There was one that let you put in your own ID, but then replaced it with theirs.

The majority of the Facebook Like plugins are well written and work the way they should.

This is a little scary, though. If you use a “like” plugin, just give it a quick check. Go to your blog and click on “View source”. Look for the fb:admins meta tag in the head. Its content should be your Facebook name or ID. If it is something else, or the plugin inserted an fb:app_id tag you never set up, then you don’t own your own page. Uninstall the plugin and try another.
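The same check, scripted so it can be run against every page of a blog, added here as an example and not code from the original post or from any of the plugins. It assumes the page HTML has already been fetched (the constructed SAMPLE stands in for it), that the owner's IDs are passed in by hand, and that the app-id tag is spelled fb:app_id.

```python
from html.parser import HTMLParser

class FbMetaParser(HTMLParser):
    """Collect fb:* meta tags that appear inside the document <head>."""

    def __init__(self):
        super().__init__()
        self.in_head = False
        self.fb_meta = []  # (property, content) pairs in document order

    def handle_starttag(self, tag, attrs):
        if tag == "head":
            self.in_head = True
        elif tag == "meta" and self.in_head:
            a = dict(attrs)
            # Facebook reads property=; some plugins emit name= instead
            prop = (a.get("property") or a.get("name") or "").lower()
            if prop.startswith("fb:"):
                self.fb_meta.append((prop, (a.get("content") or "").strip()))

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False

def check_fb_admins(html, owner_ids):
    """Return findings; an empty list means the page's admins are yours."""
    parser = FbMetaParser()
    parser.feed(html)
    owners = {o.strip().lower() for o in owner_ids}
    findings, admins_seen = [], False
    for prop, content in parser.fb_meta:
        if prop == "fb:admins":
            admins_seen = True
            # fb:admins may carry several comma-separated IDs; flag any stranger
            for admin in content.split(","):
                admin = admin.strip().lower()
                if admin and admin not in owners:
                    findings.append(f"fb:admins lists unknown admin '{admin}'")
        elif prop == "fb:app_id":
            # an app id you did not register lets someone else act for the page
            findings.append(f"fb:app_id '{content}' present; you did not add this")
    if not admins_seen:
        findings.append("no fb:admins tag found")
    return findings

# Constructed sample head: a plugin inserted a stranger's ID and an app id
SAMPLE = ('<html><head><meta property="fb:admins" content="someone_else" />'
          '<meta property="fb:app_id" content="123456" /></head><body></body></html>')
```

Feed it the HTML of your own front page with your Facebook name or numeric ID; any finding means the plugin, not you, is the page admin.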