Honestly, there is really no reason to read the history on this as the past is the past. Go get the latest version of the plugin and if you really want to stick around here how about checking out something funny.
It pains me to report this, because the Secure and Accessible PHP Contact Form version 2 from Mike Cherim and Mike Jolley seems to be a nice contact form for WordPress, but the fact remains that this plug-in is dangerous and designed to secretly Spam blogs on which it is placed.
This stems from the fact there is an option that users believe will disable the display of credit links back to the author’s web sites; however, this option does not actually remove the links. It merely makes them invisible – and this is enough to cause Google to remove a site.
I installed the form as a potential upgrade to my current contact form and was initially pleased with the look and feel of it. However, upon inspection of the source code of my page I noticed the following line:
<p style="position:absolute; top: -9000px; left:-9000px;"><small>Secure and Accessible <abbr><span class="abbr" title="PHP Hypertext Preprocessor">PHP</span></abbr> Contact Form <span title="B20070303">v.2.0WP</span> by <a href="http://green-beast.com/" title="Green-Beast.com">Mike Cherim</a> & <a href="http://www.blue-anvil.com/" title="Blue-Anvil.com">Mike Jolley</a>.
This line appears in the source despite the fact that I clearly selected the option to disable it in the control panel.
This coding is quite deliberate in that the intention is to position links back to the author’s sites from far off the visible page so that neither blog owners nor visitors would know the links are present. This is called Spamdexing and it is so frowned upon by Google that the search engine could ban a site completely for just one instance.
After making this discovery I submitted the following message to Mike Cherim via contact form on 3/21 at 1:30am:
I wanted to just provide a couple of comments about this:
1.) I think there is an ethical issue at play here because your options language (Show form credits line?) leads people to believe that there is no credit line introduced into the code when in actuality it remains but is simply hidden.
In my opinion you need to be more clear about the fact that your links remain either way.
2.) By hiding the links – and not telling people – you may also be doing them harm in terms of Google PR punishment. These hidden links are clear examples of Spamdexing and are expressly forbidden by Google. (http://www.google.com/support/webmasters/bin/answer.py?answer=35769)
“Quality guidelines – specific guidelines
– Avoid hidden text or hidden links. “
I’m quite sure people would not install any plug-in or script if they felt it would potentially damage their PR, or if they felt they were being mislead. It is, after all, only a contact form.
I hope you will take these issues into serious consideration. I think the work you’ve done with this script is outstanding and I hate to see it overshadowed by what many could perceive as being sneaky.
In a couple of weeks I’ll check back to see if you’ve acted on this information, unless I hear from you before that. At that time I’ll make a decision whether or not to address this issue in the blogosphere.
Because your form is so nice I believe many people will still choose to leave the links in place, especially if they aren’t too prominent, but some people might need them removed for the sake of professionalism. Either way you are already going to benefit from traffic and exposure.
Mike very promptly responded to my message about an hour later. I’m including his message as a courtesy:
Thank you for your concern. If you feel you need to blog about it that is your prerogative, but I doubt I am going to act on the information. I think the terms are plenty clear already. Here’s what it says at the download link.
“[…] If you do use this form, it is requested that you keep the built in link-backs in place, though you can visually hide the formÃ¢â‚¬â„¢s displayed link-back by way of a setting on the Ã¢â‚¬Å“ConfigurationÃ¢â‚¬Â page. Doing so is fine, removing hidden links is not.”
The word visually is emphasized in the text. It clearly states the link may be removed visually but will remain hidden. Hiding them visually satisfies most developer’s professional needs. Some people have gladly paid for a commercial version with the links legally removed but nobody has ever expressed any ill feelings about it.
With roughly 10,000 users you’re the first to mention having a problem with this, talk to me about the ethics of the matter, or suggest they’d take the matter to the blogosphere. It’s a free form and I support it really well, surprisingly well from what I’ve been told, but nobody is forced to use it.
There are options out there.
Again, I thank you for your time and concern.
If you’re wondering why the authors would put hidden links back to their sites in the script you can read an article I wrote about Search Engine Optimization on HTMLHelp.com. But the short version is that this is an attempt to gain links to their sites in order to increase their prominence in Google and other search engines.
There is nothing wrong with seeking a link in return for a free add-on to WordPress, so long as the practice is not deceptive. In this case Mike and I clearly disagree. I believe users of this script are not aware of this hidden link, but more importantly I know for a fact that Google will punish the innocent as well as the guilty as soon as they notice these links.
Here is the specific page in which Google forbids “…hidden text or hidden links….”.
Since I was informed the authors of this script do not intend to remove the hidden links, it is up to the individual users to remedy the situation themselves. There are two good ways of doing so:
- Remove the plugin in lieu of another simpler, faster contact form plug-in.
- Remove the offending code that can cause your site to be banned.
If you do use this form, it is requested that you keep the built in link-backs in place, though you can visually hide the formÃ¢â‚¬â„¢s displayed link-back by way of a setting in the configuration file. Doing so is fine, removing hidden links is not.
- They clearly state that it is open source software, which by definition “permits users to study, change, and improve the software, and to redistribute it in modified or unmodified form”.
- They merely “request” that you do not remove the hidden, illegal links.
To fix the problem you’ll need to open the file wp-gbcf_form.php in a text editor and search for the following line (its near the very end of the script):
$forms.=(' <p style="position:absolute; top: -9000px; left:-9000px;"><small>Secure and Accessible <abbr><span class="abbr" title="PHP Hypertext Preprocessor">PHP</span></abbr> Contact Form <span title="'.$build.'">'.$form_version.'</span> by <a href="http://green-beast.com/" title="Green-Beast.com">Mike Cherim</a> & <a href="http://www.blue-anvil.com/" title="Blue-Anvil.com">Mike Jolley</a>.</small></p>'."\n");
Replace all of that with just the following:
Then save it and upload it right over the old version in your plugins directory. IMPORTANT: Backup the original in case you make a mistake. Then you can try again.
NOTE: Within a few hours of our discussion the code was partially changed for new downloads. You will need to follow the following instructions if you installed the script after March, 21 2007. (If it gets changed again later I can’t help you. Just see if you can figure it out yourself and possibly post the change in the comments below if you feel benevolent.)
Open the file gbcf_form.php in a text editor and search for the following (its near the very end of the script) and just delete it:
<p style="position:absolute; top: -9000px; left:-9000px;"><small>Secure and Accessible <abbr><span class="abbr" title="PHP Hypertext Preprocessor">PHP</span></abbr> Contact Form <span title="'.$build.'">'.$form_version.'</span> by <a href="http://green-beast.com/">Mike Cherim</a>.</small></p>
Then save it and upload it right over the old version.
You may notice that Mike Jolley’s link has now been removed. I don’t have any idea why, but it won’t matter if Google picks up on all the existing links out there that are not going to be corrected.
Please be warned that if you do not take action and Google decides to punish you by penalizing your site’s PageRank it can take months to recover even after removing the offending script. The loss of page rank will cost you countless visitors.
If Google decides to remove your site from the index you’ll have to go through the arduous process of petitioning to have it reinstated. Good luck with that…
To not act on this is to play Russian roulette with your Web site, and is it really worth it for a contact form?
Just out of curiosity I thought I’d Google to see if I could find a few sites using the form who had switched the author links off but who has still been spammed by Secure and Accessible PHP Contact Form. Here they are:
What I find sad is that I found these sites because they all actually listed their plugins on a page of the site. So they were already providing a link back to the authors unaware of this sneaky tactic. Do you think they’d be pissed if they knew?