Honestly, there is really no reason to read the history on this as the past is the past. Go get the latest version of the plugin and if you really want to stick around here how about checking out something funny.
It pains me to report this, because the Secure and Accessible PHP Contact Form version 2 from Mike Cherim and Mike Jolley seems to be a nice contact form for WordPress, but the fact remains that this plug-in is dangerous and designed to secretly Spam blogs on which it is placed.
This stems from the fact there is an option that users believe will disable the display of credit links back to the authors’ web sites; however, this option does not actually remove the links. It merely makes them invisible – and this is enough to cause Google to remove a site.
Background
I installed the form as a potential upgrade to my current contact form and was initially pleased with the look and feel of it. However, upon inspection of the source code of my page I noticed the following line:
<p style="position:absolute; top: -9000px; left:-9000px;"><small>Secure and Accessible <abbr><span class="abbr" title="PHP Hypertext Preprocessor">PHP</span></abbr> Contact Form <span title="B20070303">v.2.0WP</span> by <a href="http://green-beast.com/" title="Green-Beast.com">Mike Cherim</a> & <a href="http://www.blue-anvil.com/" title="Blue-Anvil.com">Mike Jolley</a>.
This line appears in the source despite the fact that I clearly selected the option to disable it in the control panel.
This coding is quite deliberate in that the intention is to position links back to the authors’ sites far off the visible page so that neither blog owners nor visitors would know the links are present. This is called Spamdexing and it is so frowned upon by Google that the search engine could ban a site completely for just one instance.
After making this discovery I submitted the following message to Mike Cherim via contact form on 3/21 at 1:30am:
I noticed that your terms of use request that users “leave hidden links in place”. This prompted me to notice that even with the option to not show links, links do still indeed appear in the page.
I wanted to just provide a couple of comments about this:
1.) I think there is an ethical issue at play here because your options language (Show form credits line?) leads people to believe that there is no credit line introduced into the code when in actuality it remains but is simply hidden.
In my opinion you need to be more clear about the fact that your links remain either way.
2.) By hiding the links – and not telling people – you may also be doing them harm in terms of Google PR punishment. These hidden links are clear examples of Spamdexing and are expressly forbidden by Google. (http://www.google.com/support/webmasters/bin/answer.py?answer=35769)
“Quality guidelines – specific guidelines
– Avoid hidden text or hidden links.” I’m quite sure people would not install any plug-in or script if they felt it would potentially damage their PR, or if they felt they were being misled. It is, after all, only a contact form.
I hope you will take these issues into serious consideration. I think the work you’ve done with this script is outstanding and I hate to see it overshadowed by what many could perceive as being sneaky.
In a couple of weeks I’ll check back to see if you’ve acted on this information, unless I hear from you before that. At that time I’ll make a decision whether or not to address this issue in the blogosphere.
Because your form is so nice I believe many people will still choose to leave the links in place, especially if they aren’t too prominent, but some people might need them removed for the sake of professionalism. Either way you are already going to benefit from traffic and exposure.
John
Mike very promptly responded to my message about an hour later. I’m including his message as a courtesy:
Thank you for your concern. If you feel you need to blog about it that is your prerogative, but I doubt I am going to act on the information. I think the terms are plenty clear already. Here’s what it says at the download link.
“[…] If you do use this form, it is requested that you keep the built in link-backs in place, though you can visually hide the form’s displayed link-back by way of a setting on the “Configuration” page. Doing so is fine, removing hidden links is not.”
The word visually is emphasized in the text. It clearly states the link may be removed visually but will remain hidden. Hiding them visually satisfies most developer’s professional needs. Some people have gladly paid for a commercial version with the links legally removed but nobody has ever expressed any ill feelings about it.
With roughly 10,000 users you’re the first to mention having a problem with this, talk to me about the ethics of the matter, or suggest they’d take the matter to the blogosphere. It’s a free form and I support it really well, surprisingly well from what I’ve been told, but nobody is forced to use it.
There are options out there. Again, I thank you for your time and concern.
Respectfully,
Mike Cherim
The Problem
If you’re wondering why the authors would put hidden links back to their sites in the script you can read an article I wrote about Search Engine Optimization on HTMLHelp.com. But the short version is that this is an attempt to gain links to their sites in order to increase their prominence in Google and other search engines.
There is nothing wrong with seeking a link in return for a free add-on to WordPress, so long as the practice is not deceptive. In this case Mike and I clearly disagree. I believe users of this script are not aware of this hidden link, but more importantly I know for a fact that Google will punish the innocent as well as the guilty as soon as they notice these links.
Here is the specific page in which Google forbids “…hidden text or hidden links….”.
Since I was informed the authors of this script do not intend to remove the hidden links, it is up to the individual users to remedy the situation themselves. There are two good ways of doing so:
- Remove the plugin in favor of another simpler, faster contact form plug-in.
- Remove the offending code that can cause your site to be banned.
If you choose the latter you would be well within your rights to do so. The author’s terms of use read as follows:
Terms of Use: You are free to download and use this form but you may not redistribute it without written permission. Donations are gratefully accepted but no payment is required to use this open source script.
If you do use this form, it is requested that you keep the built in link-backs in place, though you can visually hide the form’s displayed link-back by way of a setting in the configuration file. Doing so is fine, removing hidden links is not.
- They clearly state that it is open source software, which by definition “permits users to study, change, and improve the software, and to redistribute it in modified or unmodified form”.
- They merely “request” that you do not remove the hidden, illegal links.
The Fix
To fix the problem you’ll need to open the file wp-gbcf_form.php in a text editor and search for the following line (it’s near the very end of the script):
$forms.=(' <p style="position:absolute; top: -9000px; left:-9000px;"><small>Secure and Accessible <abbr><span class="abbr" title="PHP Hypertext Preprocessor">PHP</span></abbr> Contact Form <span title="'.$build.'">'.$form_version.'</span> by <a href="http://green-beast.com/" title="Green-Beast.com">Mike Cherim</a> & <a href="http://www.blue-anvil.com/" title="Blue-Anvil.com">Mike Jolley</a>.</small></p>'."\n");
Replace all of that with just the following:
$forms.=("\n");
Then save it and upload it right over the old version in your plugins directory. IMPORTANT: Backup the original in case you make a mistake. Then you can try again.
NOTE: Within a few hours of our discussion the code was partially changed for new downloads. You will need to follow the instructions below if you installed the script after March 21, 2007. (If it gets changed again later I can’t help you. Just see if you can figure it out yourself and possibly post the change in the comments below if you feel benevolent.)
Open the file gbcf_form.php in a text editor and search for the following (it’s near the very end of the script) and just delete it:
<p style="position:absolute; top: -9000px; left:-9000px;"><small>Secure and Accessible <abbr><span class="abbr" title="PHP Hypertext Preprocessor">PHP</span></abbr> Contact Form <span title="'.$build.'">'.$form_version.'</span> by <a href="http://green-beast.com/">Mike Cherim</a>.</small></p>
Then save it and upload it right over the old version.
You may notice that Mike Jolley’s link has now been removed. I don’t have any idea why, but it won’t matter if Google picks up on all the existing links out there that are not going to be corrected.
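To confirm that a page no longer carries off-screen links after the edit (or after a later change to the plugin), the rendered HTML can be scanned for anchors sitting inside elements hidden by inline styles. The following is an added example, not code from the plugin or from the original post; the name find_hidden_links, the 1000px threshold and the sample page (built around the line quoted above, plus a link-free off-screen input) are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser

# Elements without a closing tag; they are never pushed on the open-element stack.
VOID = {"area", "base", "br", "col", "embed", "hr", "img", "input",
        "link", "meta", "source", "track", "wbr"}


def parse_style(style):
    """Turn an inline style attribute into a {property: value} dict."""
    props = {}
    for decl in (style or "").split(";"):
        if ":" in decl:
            name, value = decl.split(":", 1)
            props[name.strip().lower()] = value.strip().lower()
    return props


def hiding_reason(style, threshold=1000):
    """Return why an inline style hides its element, or None if it does not."""
    p = parse_style(style)
    if p.get("display") == "none":
        return "display:none"
    if p.get("visibility") == "hidden":
        return "visibility:hidden"
    if p.get("position") in ("absolute", "fixed"):
        for side in ("top", "left"):
            m = re.match(r"-(\d+(?:\.\d+)?)px", p.get(side, ""))
            if m and float(m.group(1)) >= threshold:
                return f"{side}:{p[side]}"
    return None


class HiddenLinkFinder(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.stack = []      # (tag, hiding reason or None) per open element
        self.findings = []   # (href, reason) for each link in a hidden subtree

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "p":
            self.handle_endtag("p")  # a new <p> implicitly closes an open one
        reason = hiding_reason(attrs.get("style"))
        inherited = reason or next(
            (r for _, r in reversed(self.stack) if r), None)
        if tag == "a" and attrs.get("href") and inherited:
            self.findings.append((attrs["href"], inherited))
        if tag not in VOID:
            self.stack.append((tag, reason))

    def handle_endtag(self, tag):
        # Pop back to the nearest matching open tag; tolerate sloppy markup.
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break


def find_hidden_links(html):
    """List (href, reason) for every link inside an inline-hidden element."""
    finder = HiddenLinkFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample page: one visible link, the off-screen credit paragraph,
# an off-screen input with no link in it, and another visible link.
SAMPLE = """
<div id="content">
  <p>See the <a href="/plugins/">plugins page</a>.</p>
  <form><p style="position:absolute; left:-9000px;">
    <input type="text" name="constructed_field"></p></form>
  <p style="position:absolute; top: -9000px; left:-9000px;"><small>Contact Form
    by <a href="http://green-beast.com/">Mike Cherim</a> &amp;
    <a href="http://www.blue-anvil.com/">Mike Jolley</a>.</small></p>
  <p><a href="/about/">About</a></p>
</div>
"""

if __name__ == "__main__":
    for href, reason in find_hidden_links(SAMPLE):
        print(f"hidden link: {href} ({reason})")
```

This only inspects inline style attributes, which is how the line above hides the links; rules applied from a stylesheet or by script would need a check in a real browser.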
Urgency
Please be warned that if you do not take action and Google decides to punish you by penalizing your site’s PageRank it can take months to recover even after removing the offending script. The loss of page rank will cost you countless visitors.
If Google decides to remove your site from the index you’ll have to go through the arduous process of petitioning to have it reinstated. Good luck with that…
To not act on this is to play Russian roulette with your Web site, and is it really worth it for a contact form?
EDIT: 3/23/2007
Just out of curiosity I thought I’d Google to see if I could find a few sites using the form who had switched the author links off but who had still been spammed by Secure and Accessible PHP Contact Form. Here they are:
What I find sad is that I found these sites because they all actually listed their plugins on a page of the site. So they were already providing a link back to the authors unaware of this sneaky tactic. Do you think they’d be pissed if they knew?
Thanks for that, John. The whole thing that bothered me was that I hate spam and the miscreants that play the spam game, and I work hard against it, so to be accused of “spamdexing” didn’t sit well with me (and your original email to me had sort of a threatening tone). I felt as if I had my back to a wall and in front of me was a firing squad.
I never had any ill-intentions. I do like and really appreciate link-backs, but based on past experiences, I saw a lot of people removing link-backs on my themes and whatnot. The reason I felt is that they didn’t want to advertise me since a lot of users are web developers themselves — competition et al., and I understand that. Thus, when I created this form I decided I’d make it easy for people to remove the visible link without wiping it out entirely. I did think the terms were clear but apparently not everyone did. Moreover, I never considered that it would put anyone at risk because lots of accessibility practices utilize that type of technique, what I call “offset” positioning, to cater to the needs of screen reader users and the like.
Re-reading my comments, my apologies to you for my seeming belligerence during this process of your simply trying to effect a change, and apologies to anyone who felt I had acted in a deceitful or underhanded way by setting this up the way I did. I swear that was never my intention.
I did see that post, and form, at HTMLHelp (thanks, I like the fact you’re using it). I noted it when I got the trackback. I don’t publish comments on my “pages,” but I do see them when they come in.
No hard feelings.
Mike
Mike,
I am extremely pleased (and actually surprised) by your decision.
I always assumed from day one that you must be a good guy given your attention to accessibility, standards compliance, and the free distribution of your work (not only this plugin). In fact, if I hadn’t assumed you were a nice guy this whole thing would have gone very, very differently. I regret that we both had to go through so much aggravation over this one issue. Clearly, the problem exists because of our different interpretations of its severity as well as differences in our perception of the language involved.
I appreciate the fact that you chose not only to remove the hidden links, but even to allow removal of the attribution altogether! I did not expect that, although I do honestly believe that in the end you will be benefited from this choice more than simply requiring the attribution.
As a peace offering, I have installed the plugin on the soon to launch HTMLHelp.blog. You will find the contact link at the very bottom of the page, and I also created an attribution page which you’ll find here. If this whole process has left you wishing I would not use the plugin I’ll understand and you can let me know publicly or privately and I’ll remove the form and we’ll go our separate ways.
Take care,
John
PS – In a few days I’ll close comments and trackbacks on this thread.
I give up — you win! I changed all the downloads (both WP and non-WP) and removed the hidden link-back, email link-backs, and the success result link-back. I also changed the WP documentation file to read that the link is “removed” instead of “hidden” and the terms of use have been changed to reflect this.
Please tell users to change line 1320 to this:
$forms.=(' <!--'.$build.'-->'."\n");
This helps with support. Since I get about three support emails per day it’s very helpful to know what build number the user has.
For the record, my intention was never to dupe, spam, or trick anyone and I don’t appreciate your accusation. The terms and documentation said that the link would be “hidden” not removed. I thought I was being up-front about it, despite what you may think. I’ve always had high moral standards despite what your opinion of me may be.
What can I say? I have a family to feed so I have to think of *some* ROI. I spend a lot of time keeping up with this. I’ve run a business for a long time so I do see both sides to the free software debate. I’ve made three themes for WordPress and only one has a link-back requirement in its terms. The other two I just ask (and I ask that they keep the link to WP as well).
Regarding the form, it wasn’t even a WordPress plugin originally, it’s just built upon the original script that I’ve been working with for two years or so. The terms have always been the same.
Anyway, like I wrote, Mike and I have been discussing this and might change it with the next micro build, possibly move it to a small license-based program. I spend about 8-10 hours a week on form related stuff so I have to consider that. Donations are few and far between.
I already know you’re with HTMLhelp. It’s a good resource. I link to it from Accessites I think, and maybe my hosting site.
Mike,
For the record, because you initially labeled the software as Open Source, every download up to the point that you changed your license was made in good faith under those terms. So I think the use of the word “illegal” is not appropriate.
With regards to ethics, neither you, nor I, nor anyone else gets to judge whether our own actions are ethical. All we can do is lay out the facts that helped us arrive at a given action. With regards to these hidden back-links I believe you chose your wording and designed your plugin purposely to maintain back-links under all conditions. While I believe you did this thinking it would cause no harm I find it hard to believe you sought certainty on this subject before making your decision. Without exception, every search engine has always maintained that hidden text and links are unacceptable. I’m guessing it has been this way since before you were authoring for the Web. Therefore at best you are ethically neutral, and only if ignorance of this fact is working in your favor.
Your continuous talk of all your hard work warranting payback really bothers me. The people that developed WordPress have donated so much more time and energy than you will ever spend in 100 lifetimes without the need to extract a cost from every single user. At HTMLHelp.com we have spent 10’s of thousands of man hours voluntarily helping people, without ever asking anything in return. So, please stop bringing that up. It is rapidly changing my opinion of your charity and skewing my responses.
Moving on to the issue regarding the hidden links. What I cannot understand is why you unflinchingly cling to your views, and tell people there is no problem, despite the counsel of someone who runs a Web authoring reference site which literally tens of millions of authors rely on annually.
I mean, you wrote a CSS tutorial and you don’t even realize that I was one of the people who helped define CSS with Hakon Lie and others? Look it up. The W3C also lists my reference in their “Hall of Fame”. In addition to that, I wrote the Web Authoring FAQ and helped with input on web standards from HTML 1.0 on up to what we use today. Furthermore, the Web accessibility you like to preach is partially based on work I did as a member of the Web Accessibility Initiative.
I’m further amazed that, although even people at Google used HTMLHelp.com to help build their site, you are willing to assert the certainty of your opinion on this matter over my own. That is awesome confidence.
You keep saying that your hidden links are “not a big deal”, and I keep telling you that they are worse than you understand. I have been exceedingly polite and provided you with every opportunity to do the right thing hoping that peer pressure alone would help you make your decision. And up until this point I have never mentioned my qualifications to critique this matter, instead attempting to rely on pure logical argument. Obviously that is not going to work. Clearly you and your friends have rationalized the fact that you are personally to blame for God only knows how many hidden links floating around the net.
So let me be clear. I do not care if you risk your own domains, but I care very much about unsuspecting WordPress authors who don’t know enough to understand the risk. The hidden links should be removed because they pose an unnecessary risk. For example, I’ll be in San Francisco meeting with Google in 12 days. Are you confident enough of your opinion that you would have me run it by them? In other words, are you willing to bet your domains on it? I wouldn’t be.
My free and expert advice to you is now, and has been since my first communique, simply to allow users the opportunity to disable and delete the back-links. I advise this because:
Finally, there is a huge movement right now in the WordPress community which you are probably not aware of regarding hidden and sponsored links in themes and plugins. It starts at the top. Matt M. wants to ban sponsored link themes from WordPress.org, and I and others are arguing merely for full disclosure. However, I am advocating an outright ban on all themes and plugins with hidden links – with a 0 tolerance policy.
John
PS- I will not dedicate another moment of my time to this issue. I do indeed have “bigger fish to fry.” It’s your software, it’s your decision, I believe I am absolved of my duty to provide any further guidance. Good luck.
Hi Andrew, there will be no problem with that, the author link, or offset jump links and image replacement text for that matter. I have a whole paragraph of offset text for users that don’t support style sheets in my “How to Build a CSS Web Site” tutorial. This is an accessibility feature. Currently Google doesn’t flag off-screen positioned text. What Google does do if something abusive is reported is not to deal with it on a one-on-one basis (they don’t have the time), but rather to tweak their algorithms to deal with widespread use of such in future revisions of their search tool, and that’s if it’s deemed abusive. What’s considered abusive as a practice is determined by a real person prior to such revisions, not a robot. Google would have no problem with any of my practices. The whole thing here is being blown way out of proportion. What Mike and I did is not unethical (not our intention at all), nor does it put blog owners at risk. We didn’t have to add such a feature, but realized some people would have a hard time delving into the code to illegally remove the link when all they really want is to not show it on their contact page. (I don’t have it showing on my own contact page as it looked out of place.) Doing this satisfies our requirements and that of the user.
Thanks to this post, Mike and I have been discussing this between us, and with other people (the general consensus is that this is sort of melodramatic). What we’re thinking of doing as a result of this whole mess is removing the link removal feature altogether, clamping down harder on our terms, and making users purchase a license to get a credit-free version. We worked, and still work, damn hard on this form and feel we’re providing a decent service to people. Moreover, we provide exemplary support for our free script (better support than some commercial script providers offer actually). Thus, for all this work we want to get something out of it.
Andrew, I appreciate the fact that you’ve provided links anyway. Thank you very much. That’s why we do this (it certainly isn’t the money). I would advise you not to remove the position-hidden input as that one in particular is a highly effective anti-spam tool.
Thanks Andrew. I didn’t notice that, perhaps because I was so shocked by the other.
I’ve used this form on a couple of sites recently, albeit modified fairly extensively (once as I wanted to add people to a database rather than sending email, once because I didn’t like the presentation). I wasn’t too happy when I discovered the hidden text either (though I have linked back separately in both cases).
However, it’s worth noting that one of the anti-spam features used by this form is a hidden text box, shunted off screen in a similar manner to the author link. If you believe there could be real problems with Google for “…writing text in such a way that it can be seen by search engines but not by users…” – and I’m no expert on this – then you should probably advise people to remove that too.
@TheMan,
Thanks for the heads up. Now to remove it from the several sites I had it on…
@Mike, the terms on your site were not and are not clear that clicking that option will not remove the link entirely. If you really wanted to be clear you would write exactly what it is that occurs when that option is used (e.g., not just that the “visible link” is removed, but EXPLICITLY state that a hidden link will remain), and honestly anything else is just trying to be sneaky but cover your ass at the same time.
Also the GPL does not allow you to require an attribution link remain in place for end users, only for redistributions, and adding any such requirement makes any license associated with it non-GPL compatible:
The GPL allows the end user to modify things any which way they want, so long as they are not repackaging and redistributing it. That’s kind of the whole point of the license.
Okay, you got me there, I never looked up the term, and I have removed “open source.” I have never had a problem if people wanted to modify the form to suit their needs, and I’ve helped a lot of people do just that, without compensation.
The copyright’s terms of use restricts two activities by users: re-distribution without permission (for version control more than anything else) and link-back removal without a license. I reserve all other rights. Other than those two activities they are welcome to work with the script to improve it, modify it, change it, etc., and they can even submit it back for adoption and credit in some cases, but I do warn them they may be making it difficult to apply upgrades which I provide regularly. They can even use it on client sites they are getting paid for as long as they are charging for their time and not the script itself — I’ve been asked this several times.
I didn’t go for a strong copyleft GPL license since in my other business life, a mail order company founded in 1992, I’m used to applying for copyrights, but I am offering a GPL-compatible copyright very similar to some of the CC licences (the WordPress staff agrees with this since they have officially accepted it and they require GPL-compatible terms).
I ask two things. That’s it.
Mike,
I’m glad you stopped by, and I welcome your comments and opinions. You may feel free to write anything you like here and I’ll approve it, unaltered.
I’m confused by your assertion that the form is not open source. The exact words I see on your page are “…no payment is required to use this open source script…” Open Source software as defined by OpenSource.org does not have restrictions against modification, re-distribution, or even resale.
Perhaps you meant something else? But I can’t come up with any other words that could be accidentally confused with “open source”. I can only take your words at face value, and I’m confident that any court would do the same. If, and only if, my argument is correct, users would indeed be allowed by law to modify the script.
I cannot in good conscience remove the fix I provided for the following reasons:
What I will say however is that I strongly recommend removing the script per the author’s wishes as opposed to modifying the code. I would further assume that this applies to all of the code, so users cannot make any changes to it whatsoever.
With regard to your opinion about Google’s perception of the hidden link I’m afraid you are incorrect. You did not choose to believe my rational argument before you knew my identity and I’m actually surprised that now you know who I am you still fail to acknowledge my expertise in this matter. Nonetheless, Google’s language on this point is undeniable. They do not give exceptions such as “only if you use a ‘none’ display property”. On the reasons to ban a site page they simply state, “…writing text in such a way that it can be seen by search engines but not by users…”. Your hidden links do not in any way assist with usability issues, or have any positive benefit except to convey search benefits to your own site. If Larry or Sergey were here they would ask “what part of that did you not understand?”
The difference here is that you only “think Google wouldn’t persecute anyone”, whereas I know this is a real risk. And it only takes a single instance of a violation to cause this. I have seen it happen, more than once.
What bothers me so much about this particular issue:
All of this is very unfortunate. And I’m sad to have been the one to notice the problem. I don’t want to be in the middle of this. And what bothers me most is that you seem like a nice guy and I really appreciate the fact that you take pains to write accessible, valid code. I bet we have far more in common than either of us realize. But sadly Google doesn’t give credit for being a nice guy.
Finally, am I correct in assuming the reason you now care about my opinion is that Google lists this page immediately after yours in any search related to this form?
Sincerely,
John
PS – If you agree to permanently remove all hidden links from the plugin I’ll clearly edit the very top of this post to note that going forward from a certain date the issue has been resolved. I could also then advise people to update to the latest version rather than hacking the code.
Actually the form is not open source, it is protected by copyright law in the US and abroad. If anyone follows your tutorial and removes the visually hidden back-links they are in violation of the law and if caught will be asked to discontinue the use of the form for starters. You should remove that as you really have no right to do that and if people do this they are hampering their ability to perform drag-and-drop updates. In fact I am formally asking you to remove that.
If someone wants to, they can purchase a license to have those and all instances removed. This isn’t spamdexing and I think Google wouldn’t persecute anyone for using the form — they’re smart enough to know the difference. Moreover, the CSS display property “none” isn’t being used which is what a Googlebot would focus on.
We provide excellent support, the form is free, and it is a helluva lot of work keeping it up (we do lots of tweaks and improvements on a regular basis), and we’re really providing a secure and accessible (to the disabled) contact solution for a lot of people. I don’t know why you’re busting my chops over this. There must be bigger fish to fry.
Incidentally, someone e-mailed me and told me that I sound like a broken record. :-)
There is an article archived at the W3C from over a decade ago in which I pointed out that Web browsers should have warning systems in them to notify when there is hidden text on a page.
http://lists.w3.org/Archives/Public/www-style/1997Jan/0077.html
No problem Eric. I thought this was important enough to let people know about. I am worried however that not enough of the people that actually have it installed will learn about this.
Anyway, I’ve changed my personal contact form over from the WP-Contact to a modified version of it called WP Contact Form III.
You might also look at the Enhanced Contact Form, the Subrosa add on if you want encryption, and Intouch which offers the most customization.
If you find something else cool drop me a note and let me know!
Oh yeah, and if you needed two different forms to go to two different addresses keep in mind that you could just use a couple of these in combination. :-)
John
Thanks for the heads up. I’ve been checking out contact forms for WordPress lately and will be careful to check the code twice before using this one.