I discovered something disturbing about several Facebook Like Plugins for WordPress.
Since Facebook announced the Open Graph API last week there have been two dozen Facebook plugins that provide ways to put a “Like” button on a blog page or sidebar. One of them is mine. I’ve been fixing bugs and adding features since the evening of April 24th. I have made four releases in the last week.
I just started installing plugins written by the competition. Some are sidebar widgets like mine, and some use short codes to insert the likes into pages. Some of them can’t possibly work, while others, I have to admit, are better than my own version. I’ve been going through them in order to steal get inspiration from their ideas and improve my own widget.
In several of the widgets, they never ask for an admin id. The admin id is the Facebook name or id of the person who is the page administrator. The Open Graph API looks in the meta tags of a page to find out who is the administrator.
When I checked the page’s HTML source I discovered that these plugins were inserting the ID of someone other than the blog owner. That means that if you use one of these plugins, you don’t own your own page, and the plugin author can then spam the people who like your page.
Several other plugins let you leave the ID field blank and if you do, they slam in their own id. If you don’t fill out the form completely they own your page. There was one that let you put in your own ID, but then replaced it with theirs.
The majority of the Facebook Like plugins are well written and work the way they should.
This is a little scary, though. If you use a “like” plugin, just give it a quick check. Go to your blog and click on “View source”. Look for the fb:admins meta in the header. It should be your Facebook name or ID. If it is something else, or the plugin inserted a fb:app-id, then you don’t own your own page. Uninstall the plugin and try another.
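One way to automate the “View source” check above, as an added example that is not code from the original post or from any of the plugins discussed: it assumes the tags are written as <meta property="fb:admins" content="..."> and <meta property="fb:app_id" content="..."> (the hyphenated spelling fb:app-id is also accepted), and the two sample pages are constructed here.

```python
# Added example: verify that a page's Open Graph admin tags belong to the blog owner.
from html.parser import HTMLParser


class OpenGraphMetaParser(HTMLParser):
    """Collect every <meta property="fb:..."> tag in an HTML document."""

    def __init__(self):
        super().__init__()
        self.fb_meta = {}  # property name -> list of content values

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        a = dict(attrs)
        prop = (a.get("property") or a.get("name") or "").lower()
        if prop.startswith("fb:"):
            self.fb_meta.setdefault(prop, []).append((a.get("content") or "").strip())


def check_like_ownership(html, expected_admins, expected_app_id=None):
    """Return a list of findings; an empty list means only your own IDs are present.

    expected_admins: the Facebook IDs/names you own (assumed input, supplied by the blog owner).
    expected_app_id: your own app id if you deliberately registered one, else None.
    """
    parser = OpenGraphMetaParser()
    parser.feed(html)
    findings = []
    admins = set()
    for content in parser.fb_meta.get("fb:admins", []):
        admins.update(x.strip() for x in content.split(",") if x.strip())
    if not admins:
        findings.append("no fb:admins tag found")
    for admin in sorted(admins - set(expected_admins)):
        findings.append(f"fb:admins lists unknown admin {admin!r}")
    app_ids = parser.fb_meta.get("fb:app_id", []) + parser.fb_meta.get("fb:app-id", [])
    for app_id in app_ids:
        if expected_app_id is None or app_id != expected_app_id:
            findings.append(f"fb:app_id {app_id!r} is not yours")
    return findings


# Constructed sample pages: a clean one and one where a plugin slipped in extra IDs.
GOOD_PAGE = '<html><head><meta property="og:title" content="My Blog">' \
            '<meta property="fb:admins" content="100000000000001"></head><body></body></html>'
BAD_PAGE = '<html><head><meta property="fb:admins" content="100000000000001,999999999999999">' \
           '<meta property="fb:app_id" content="123456789"></head><body></body></html>'

if __name__ == "__main__":
    print(check_like_ownership(GOOD_PAGE, {"100000000000001"}))  # []
    print(check_like_ownership(BAD_PAGE, {"100000000000001"}))   # two findings
```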
Please let me know (via the e-mail address on this comment) if you find any that are in the WordPress plugin directory that are doing this. This seems deceptive, and we don’t want to host deceptive or dishonest plugins in our repository.
That’s quite a scary thought. I like the function of WordPress and Facebook; I might look more into my code in the future and make sure my IDs are there where they should be.
Thank You
James
I should have made note of the plugins that did this. I could have been mistaken, too. When I have time I will test a few of the current crop and name names.
Keith
Hi Keith,
That’s pretty scary what you report here.
I maintain this plugin https://wordpress.org/extend/plugins/like (so I’m sure it doesn’t play any dirty tricks on users), but could you list the plugins that fool the users?
I think that would help the end users who don’t know how to look into the source code.
Thanks.