WordPress: Secure & Accessible PHP Contact Form SPAMs Blogs

I am exceedingly pleased to announce that the one and only issue with the Secure & Accessible plugin has been remedied, rendering all of the information below irrelevant. The only issue worth mentioning at this point is that if you installed a version of the plugin prior to 4-15-2007 you should update to the latest version to ensure your contact form meets search engine guidelines.

Honestly, there is really no reason to read the history on this as the past is the past. Go get the latest version of the plugin and if you really want to stick around here how about checking out something funny.


It pains me to report this, because the Secure and Accessible PHP Contact Form version 2 from Mike Cherim and Mike Jolley seems to be a nice contact form for WordPress, but the fact remains that this plug-in is dangerous and designed to secretly Spam blogs on which it is placed.

This stems from the fact there is an option that users believe will disable the display of credit links back to the author’s web sites; however, this option does not actually remove the links. It merely makes them invisible – and this is enough to cause Google to remove a site.

Background

I installed the form as a potential upgrade to my current contact form and was initially pleased with the look and feel of it. However, upon inspection of the source code of my page I noticed the following line:

<p style="position:absolute; top: -9000px; left:-9000px;"><small>Secure and Accessible <abbr><span class="abbr" title="PHP Hypertext Preprocessor">PHP</span></abbr> Contact Form <span title="B20070303">v.2.0WP</span> by <a href="http://green-beast.com/" title="Green-Beast.com">Mike Cherim</a> & <a href="http://www.blue-anvil.com/" title="Blue-Anvil.com">Mike Jolley</a>.</small></p>

This line appears in the source despite the fact that I clearly selected the option to disable it in the control panel.

This code is quite deliberate: it positions the links back to the authors’ sites 9000 pixels off the visible page so that neither blog owners nor visitors would know the links are present. This is called spamdexing, and Google frowns on it so strongly that the search engine could ban a site completely for a single instance.

After making this discovery I submitted the following message to Mike Cherim via his contact form on 3/21 at 1:30am:

I noticed that your terms of use request that users “leave hidden links in place”. This prompted me to notice that even with the option to not show links, links do still indeed appear in the page.

I wanted to just provide a couple of comments about this:

1.) I think there is an ethical issue at play here because your options language (Show form credits line?) leads people to believe that there is no credit line introduced into the code when in actuality it remains but is simply hidden.

In my opinion you need to be more clear about the fact that your links remain either way.

2.) By hiding the links – and not telling people – you may also be doing them harm in terms of Google PR punishment. These hidden links are clear examples of Spamdexing and are expressly forbidden by Google. (http://www.google.com/support/webmasters/bin/answer.py?answer=35769)

“Quality guidelines – specific guidelines
– Avoid hidden text or hidden links. “

I’m quite sure people would not install any plug-in or script if they felt it would potentially damage their PR, or if they felt they were being misled. It is, after all, only a contact form.

I hope you will take these issues into serious consideration. I think the work you’ve done with this script is outstanding and I hate to see it overshadowed by what many could perceive as being sneaky.

In a couple of weeks I’ll check back to see if you’ve acted on this information, unless I hear from you before that. At that time I’ll make a decision whether or not to address this issue in the blogosphere.

Because your form is so nice I believe many people will still choose to leave the links in place, especially if they aren’t too prominent, but some people might need them removed for the sake of professionalism. Either way you are already going to benefit from traffic and exposure.

John

Mike very promptly responded to my message about an hour later. I’m including his message as a courtesy:

Thank you for your concern. If you feel you need to blog about it that is your prerogative, but I doubt I am going to act on the information. I think the terms are plenty clear already. Here’s what it says at the download link.

“[...] If you do use this form, it is requested that you keep the built in link-backs in place, though you can visually hide the form’s displayed link-back by way of a setting on the “Configuration” page. Doing so is fine, removing hidden links is not.”

The word visually is emphasized in the text. It clearly states the link may be removed visually but will remain hidden. Hiding them visually satisfies most developers’ professional needs. Some people have gladly paid for a commercial version with the links legally removed but nobody has ever expressed any ill feelings about it.

With roughly 10,000 users you’re the first to mention having a problem with this, talk to me about the ethics of the matter, or suggest they’d take the matter to the blogosphere. It’s a free form and I support it really well, surprisingly well from what I’ve been told, but nobody is forced to use it. There are options out there.

Again, I thank you for your time and concern.

Respectfully,
Mike Cherim

The Problem

If you’re wondering why the authors would put hidden links back to their sites in the script you can read an article I wrote about Search Engine Optimization on HTMLHelp.com. But the short version is that this is an attempt to gain links to their sites in order to increase their prominence in Google and other search engines.

There is nothing wrong with seeking a link in return for a free add-on to WordPress, so long as the practice is not deceptive. In this case Mike and I clearly disagree. I believe users of this script are not aware of this hidden link, but more importantly I know for a fact that Google will punish the innocent as well as the guilty as soon as they notice these links.

Here is the specific page on which Google forbids “…hidden text or hidden links…”.

Since I was informed the authors of this script do not intend to remove the hidden links, it is up to the individual users to remedy the situation themselves. There are two good ways of doing so:

  1. Remove the plugin in favor of another simpler, faster contact form plug-in.
  2. Remove the offending code that can cause your site to be banned.

If you choose the latter you would be well within your rights to do so. The author’s terms of use read as follows:

Terms of Use: You are free to download and use this form but you may not redistribute it without written permission. Donations are gratefully accepted but no payment is required to use this open source script.

If you do use this form, it is requested that you keep the built in link-backs in place, though you can visually hide the form’s displayed link-back by way of a setting in the configuration file. Doing so is fine, removing hidden links is not.

  1. They clearly state that it is open source software, which by definition “permits users to study, change, and improve the software, and to redistribute it in modified or unmodified form”.
  2. They merely “request” that you do not remove the hidden, illegal links.

The Fix

To fix the problem you’ll need to open the file wp-gbcf_form.php in a text editor and search for the following line (it’s near the very end of the script):

$forms.=(' <p style="position:absolute; top: -9000px; left:-9000px;"><small>Secure and Accessible <abbr><span class="abbr" title="PHP Hypertext Preprocessor">PHP</span></abbr> Contact Form <span title="'.$build.'">'.$form_version.'</span> by <a href="http://green-beast.com/" title="Green-Beast.com">Mike Cherim</a> & <a href="http://www.blue-anvil.com/" title="Blue-Anvil.com">Mike Jolley</a>.</small></p>'."\n");

Replace all of that with just the following:

$forms.=("\n");

Then save it and upload it right over the old version in your plugins directory. IMPORTANT: Backup the original in case you make a mistake. Then you can try again.

NOTE: Within a few hours of our discussion the code was partially changed for new downloads. If you installed the script after March 21, 2007, use the following instructions instead. (If it gets changed again later I can’t help you. Just see if you can figure it out yourself and possibly post the change in the comments below if you feel benevolent.)

Open the file gbcf_form.php in a text editor, search for the following (it’s near the very end of the script) and just delete it:

<p style="position:absolute; top: -9000px; left:-9000px;"><small>Secure and Accessible <abbr><span class="abbr" title="PHP Hypertext Preprocessor">PHP</span></abbr> Contact Form <span title="'.$build.'">'.$form_version.'</span> by <a href="http://green-beast.com/">Mike Cherim</a>.</small></p>

Then save it and upload it right over the old version.

You may notice that Mike Jolley’s link has now been removed. I don’t have any idea why, but it won’t matter if Google picks up on all the existing links out there that are not going to be corrected.
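As a check a site owner can run against their own rendered pages, here is an added example (not code from the post or from the plugin) that parses the HTML and reports anchors hidden by inline CSS in the way shown above; it generalizes to display:none, visibility:hidden and large negative text-indent as well, and lists hidden form inputs separately, since a honeypot anti-spam field hidden the same way is not a link. The sample page and its honeypot field name are constructed for the example.

```python
import re
from html.parser import HTMLParser

_DECL = re.compile(r"([a-z-]+)\s*:\s*([^;]+)")
_NEG_PX = re.compile(r"-(\d+)px")


def is_hidden_style(style):
    """True if an inline style hides the element from sighted visitors:
    display:none, visibility:hidden, an absolute/fixed element pushed at
    least 1000px off the canvas (the credit line uses -9000px), or a
    text-indent of -1000px or more."""
    decls = {m.group(1).lower(): m.group(2).strip().lower()
             for m in _DECL.finditer(style or "")}
    if decls.get("display") == "none" or decls.get("visibility") == "hidden":
        return True

    def far_negative(prop):
        m = _NEG_PX.search(decls.get(prop, ""))
        return bool(m) and int(m.group(1)) >= 1000

    if decls.get("position") in ("absolute", "fixed"):
        if far_negative("top") or far_negative("left"):
            return True
    return far_negative("text-indent")


class HiddenLinkFinder(HTMLParser):
    """Collects <a href> targets that are hidden themselves or sit inside a
    hidden ancestor; hidden <input> fields are listed separately."""
    VOID = {"br", "img", "input", "hr", "meta", "link"}

    def __init__(self):
        super().__init__()
        self.stack = []          # (tag, hidden_by_own_style) for open elements
        self.hidden_depth = 0    # number of open ancestors that are hidden
        self.hidden_links = []
        self.hidden_inputs = []

    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)
        own_hidden = is_hidden_style(attr.get("style"))
        hidden = own_hidden or self.hidden_depth > 0
        if tag == "a" and attr.get("href") and hidden:
            self.hidden_links.append(attr["href"])
        if tag == "input" and hidden:
            self.hidden_inputs.append(attr.get("name") or "(unnamed)")
        if tag in self.VOID:
            return               # void elements never get an end tag
        self.stack.append((tag, own_hidden))
        if own_hidden:
            self.hidden_depth += 1

    def handle_endtag(self, tag):
        if all(t != tag for t, _ in self.stack):
            return               # stray close tag: ignore it
        while self.stack:        # pop back to the matching open tag
            t, own_hidden = self.stack.pop()
            if own_hidden:
                self.hidden_depth -= 1
            if t == tag:
                break


def audit_hidden_links(html):
    """Return hidden link targets and hidden input names found in html."""
    p = HiddenLinkFinder()
    p.feed(html)
    p.close()
    return {"links": p.hidden_links, "inputs": p.hidden_inputs}


# Constructed sample page: a visible link, a honeypot input (field name
# invented here) and the off-screen credit line quoted in the post.
SAMPLE = """<form>
<p><a href="https://example.com/about">About us</a></p>
<p style="position:absolute; top: -9000px; left:-9000px;">
  <label>Leave blank <input type="text" name="website"></label></p>
<p style="position:absolute; top: -9000px; left:-9000px;"><small>Secure and
Accessible PHP Contact Form by <a href="http://green-beast.com/">Mike Cherim</a>
&amp; <a href="http://www.blue-anvil.com/">Mike Jolley</a>.</small></p>
</form>"""

if __name__ == "__main__":
    for kind, found in audit_hidden_links(SAMPLE).items():
        print(kind, found)
```

Run it over a page fetched from your own site to see which links a visitor never sees; a hidden anchor that is not yours is the case this post describes.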

Urgency

Please be warned that if you do not take action and Google decides to punish you by penalizing your site’s PageRank it can take months to recover even after removing the offending script. The loss of page rank will cost you countless visitors.

If Google decides to remove your site from the index you’ll have to go through the arduous process of petitioning to have it reinstated. Good luck with that…

To not act on this is to play Russian roulette with your Web site, and is it really worth it for a contact form?

EDIT: 3/23/2007
Just out of curiosity I thought I’d Google to see if I could find a few sites using the form that had switched the author links off but had still been spammed by Secure and Accessible PHP Contact Form. Here they are:

What I find sad is that I found these sites because they all actually listed their plugins on a page of the site. So they were already providing a link back to the authors unaware of this sneaky tactic. Do you think they’d be pissed if they knew?

Comments

  1. Eric says:

    Thanks for the heads up. I’ve been checking out contact forms for WordPress lately and will be careful to check the code twice before using this one.

  2. The Man says:

    No problem Eric. I thought this was important enough to let people know about. I am worried however that not enough of the people that actually have it installed will learn about this.

    Anyway, I’ve changed my personal contact form over from WP-Contact to a modified version of it called WP Contact Form III.

    You might also look at the Enhanced Contact Form, the Subrosa add on if you want encryption, and Intouch which offers the most customization.

    If you find something else cool drop me a note and let me know!

    Oh yeah, and if you needed two different forms to go to two different addresses keep in mind that you could just use a couple of these in combination. :-)

    John

  3. The Man says:

    Incidentally, someone e-mailed me and told me that I sound like a broken record. :-)

    There is an article archived at the W3C from over a decade ago in which I pointed out that Web browsers should have warning systems in them to notify when there is hidden text on a page.
    http://lists.w3.org/Archives/Public/www-style/1997Jan/0077.html

  4. Mike Cherim says:

    Actually the form is not open source, it is protected by copyright law in the US and abroad. If anyone follows your tutorial and removes the visually hidden back-links they are in violation of the law and if caught will be asked to discontinue the use of the form for starters. You should remove that as you really have no right to do that and if people do this they are hampering their ability to perform drag-and-drop updates. In fact I am formally asking you to remove that.

    If someone wants to, they can purchase a license to have those and all instances removed. This isn’t spamdexing and I think Google wouldn’t persecute anyone for using the form — they’re smart enough to know the difference. Moreover, the CSS display property “none” isn’t being used which is what a Googlebot would focus on.

    We provide excellent support, the form is free, and it is a helluva lot of work keeping it up (we do lots of tweaks and improvements on a regular basis), and we’re really providing a secure and accessible (to the disabled) contact solution for a lot of people. I don’t know why you’re busting my chops over this. There must be bigger fish to fry.

  5. The Man says:

    Mike,

    I’m glad you stopped by, and I welcome your comments and opinions. You may feel free to write anything you like here and I’ll approve it, unaltered.

    I’m confused by your assertion that the form is not open source. The exact words I see on your page are “…no payment is required to use this open source script…” Open Source software as defined by OpenSource.org does not have restrictions against modification, re-distribution, or even resale.

    Perhaps you meant something else? But I can’t come up with any other words that could be accidentally confused with “open source”. I can only take your words at face value, and I’m confident that any court would do the same. If, and only if, my argument is correct, users would indeed be allowed by law to modify the script.

    I cannot in good conscience remove the fix I provided for the following reasons:

    • I believe your license is unclear at best.
    • Removal of the fix benefits you at the possible expense of thousands of other people.
    • Even if I removed the text, previous versions of this page will still be archived somewhere forever.

    What I will say however is that I strongly recommend removing the script per the author’s wishes as opposed to modifying the code. I would further assume that this applies to all of the code, so users cannot make any changes to it whatsoever.

    With regard to your opinion about Google’s perception of the hidden link I’m afraid you are incorrect. You did not choose to believe my rational argument before you knew my identity and I’m actually surprised that now you know who I am you still fail to acknowledge my expertise in this matter. Nonetheless, Google’s language on this point is undeniable. They do not give exceptions such as “only if you use a ‘none’ display property”. On the reasons to ban a site page they simply state, “…writing text in such a way that it can be seen by search engines but not by users…”. Your hidden links do not in any way assist with usability issues, or have any positive benefit except to convey search benefits to your own site. If Larry or Sergey were here they would ask “what part of that did you not understand?”

    The difference here is that you only “think Google wouldn’t persecute anyone”, whereas I know this is a real risk. And it only takes a single instance of a violation to cause this. I have seen it happen, more than once.

    What bothers me so much about this particular issue:

    • You have, UN-knowingly I’m certain, put the blogs of a lot of people at risk.
    • You have no moral high ground since you are extracting something in return for every install. Your refusal to remove the hidden links demonstrates that you are unwilling to simply be charitable.
    • At this point there is nothing you can personally do to “fix” that issue. You couldn’t possibly track down everyone and let them know of the potential risk.
    • You fail to acknowledge the problem and have not yet volunteered to remove hidden linking from the plugin going forward.
    • I have never seen this type of violation in any other plugin. For any platform. Ever.

    All of this is very unfortunate. And I’m sad to have been the one to notice the problem. I don’t want to be in the middle of this. And what bothers me most is that you seem like a nice guy and I really appreciate the fact that you take pains to write accessible, valid code. I bet we have far more in common than either of us realize. But sadly Google doesn’t give credit for being a nice guy.

    Finally, am I correct in assuming the reason you now care about my opinion is that Google lists this page immediately after yours in any search related to this form?

    Sincerely,

    John

    PS – If you agree to permanently remove all hidden links from the plugin I’ll clearly edit the very top of this post to note that going forward from a certain date the issue has been resolved. I could also then advise people to update to the latest version rather than hacking the code.

  6. Mike Cherim says:

    Okay, you got me there, I never looked up the term, and I have removed “open source.” I have never had a problem if people wanted to modify the form to suit their needs, and I’ve helped a lot of people do just that, without compensation.

    The copyright’s terms of use restrict two activities by users: re-distribution without permission (for version control more than anything else) and link-back removal without a license. I reserve all other rights. Other than those two activities they are welcome to work with the script to improve it, modify it, change it, etc., and they can even submit it back for adoption and credit in some cases, but I do warn them they may be making it difficult to apply upgrades which I provide regularly. They can even use it on client sites they are getting paid for as long as they are charging for their time and not the script itself — I’ve been asked this several times.

    I didn’t go for a strong copyleft GPL license since in my other business life, a mail order company founded in 1992, I’m used to applying for copyrights, but I am offering a GPL-compatible copyright very similar to some of the CC licences (the WordPress staff agrees with this since they have officially accepted it and they require GPL-compatible terms).

    I ask two things. That’s it.

  7. ttancm says:

    @TheMan,
    Thanks for the heads up. Now to remove it from the several sites I had it on…

    @Mike, the terms on your site were not and are not clear that clicking that option will not remove the link entirely. If you really wanted to be clear you would write exactly what it is that occurs when that option is used (e.g., not just that the “visible link” is removed, but EXPLICITLY state that a hidden link will remain), and honestly anything else is just trying to be sneaky but cover your ass at the same time.

    Also the GPL does not allow you to require an attribution link remain in place for end users, only for redistributions, and adding any such requirement makes any license associated with it non-GPL compatible:

    The GPL allows the end user to modify things any which way they want, so long as they are not repackaging and redistributing it. That’s kind of the whole point of the license.

    You may not impose any further restrictions on the recipients’ exercise of the rights granted herein.

  8. Andrew says:

    I’ve used this form on a couple of sites recently, albeit modified fairly extensively (once as I wanted to add people to a database rather than sending email, once because I didn’t like the presentation). I wasn’t too happy when I discovered the hidden text either (though I have linked back separately in both cases).

    However, it’s worth noting that one of the anti-spam features used by this form is a hidden text box, shunted off screen in a similar manner to the author link. If you believe there could be real problems with Google for “…writing text in such a way that it can be seen by search engines but not by users…” – and I’m no expert on this – then you should probably advise people to remove that too.

  9. The Man says:

    Thanks Andrew. I didn’t notice that, perhaps because I was so shocked by the other.

  10. Mike Cherim says:

    Hi Andrew, there will be no problem with that, the author link, or offset jump links and image replacement text for that matter. I have a whole paragraph of offset text for users that don’t support style sheets in my “How to Build a CSS Web Site” tutorial. This is an accessibility feature. Currently Google doesn’t flag off-screen positioned text. What Google does do if something abusive is reported is not to deal with it on a one-on-one basis (they don’t have the time), but rather to tweak their algorithms to deal with widespread use of such in future revisions of their search tool, and that’s if it’s deemed abusive. What’s considered abusive as a practice is determined by a real person prior to such revisions, not a robot. Google would have no problem with any of my practices. The whole thing here is being blown way out of proportion. What Mike and I did is not unethical (not our intention at all), nor does it put blog owners at risk. We didn’t have to add such a feature, but realized some people would have a hard time delving into the code to illegally remove the link when all they really want is to not show it on their contact page. (I don’t have it showing on my own contact page as it looked out of place.) Doing this satisfies our requirements and that of the user.

    Thanks to this post, Mike and I have been discussing this between us, and with other people (the general consensus is that this is sort of melodramatic). What we’re thinking of doing as a result of this whole mess is removing the link removal feature altogether, clamping down harder on our terms, and making users purchase a license to get a credit-free version. We worked, and still work, damn hard on this form and feel we’re providing a decent service to people. Moreover, we provide exemplary support for our free script (better support than some commercial script providers offer actually). Thus, for all this work we want to get something out of it.

    Andrew, I appreciate the fact that you’ve provided links anyway. Thank you very much. That’s why we do this (it certainly isn’t the money). I would advise you not to remove the position-hidden input as that one in particular is a highly effective anti-spam tool.