Support » Plugin: Professional WordPress Plugin Development - WP App Studio » share your "immense" knowledge with us and give specifics so that they can fix i

  • Franz Josef Kaiser, “Reviewing a plugin with 1 star without having it in use or inspecting the code is worth nothing.” That’s what you did.

    You did not review the code it generated. Just looked at the dummy front end and labeled it malicious.

    First of all, it is a SaaS service and the plugin is a dummy front end. It is a collection of forms. Its only purpose is to send app data to the SaaS service, which generates pure WP API code. It is not the only plugin functioning as a SaaS front end in the repository. We believe it is a game changer. It simplifies so many things.

    How do I know? Our company has been using it for 6 months for our clients. For your knowledge, we also employ security experts who check every piece of code we send to our clients.

    Secondly, Wp App Studio is an open source plugin; if you would like to improve the code, post your code and ask them to review it. But don’t write BS here with some knowledge you had.

    Have something to say? Share your “immense” knowledge with us and give specifics so that they can fix it in the next release.

    Long story short: It is open source, man. Being a hater helps no one.

Viewing 11 replies - 1 through 11 (of 11 total)
  • Long story short: Please just add a comment under my review. If there hadn’t been someone pointing me here, I wouldn’t even have seen anything from your review.

    Aside from that, three notes:

    1. I did review the code. That’s why I wrote the review. I have no problem going back and adding a different review and rating when the code and the system change.
    2. This plugin is not using the WP HTTP API, like you can see here. (It even ignores the fact that SVN repos need tagging, so the provided link is a moving target and won’t work when a new version is released.)
    3. And it is as well ignoring every single one of the simplest security checks like the esc_*() functions, filter_var(), etc. This plugin simply is not, not, not secure in any way. And aside from that, it can simply shoot your site, as most errors are not checked -> white screen of death w/o WP_DEBUG.

    So, no: not a hater. A reviewer, and an honest one. But that can be a problem with this code and this (highly obfuscated) approach.

    Your second response looks like a more constructive approach. I am sure their development team will take a look and see if there is anything for improvement.

    As I said, Wp App Studio is open source, the generated code is open source. Nothing is hidden. It is their first release and open to improvement.

    I also read some of your reviews for other people’s plugins. You frequently use words like “crap”, “don’t use”, “no use” etc. These kinds of words do not encourage people to come up with new ideas or simply maintain their plugins. We do not want that, do we?

    Plus, although Wp App Studio is backed by a company, most of the people use their spare time to contribute to the community. So “Respect” is the word which comes to my mind.

    In addition, if you are worried about the security, you do not have to install the plugin on your own server. Use their demo server (it is installed and fully functional) and generate your code there. Then you will be able to review the code and see if it is safe enough for you. It is open source: modify, hack, do whatever you want and make it useful for yourself and others.

    Sorry, but this is plain wrong in a lot of ways. Correct me if I’m wrong:

    1. You can’t review the code on their demo server. Just the result.
    2. You can’t download the code from their demo server.
    3. The product is not open source. Just their plugin, which is nothing aside from a proxy to their servers to deliver whatever they send you back.

    Yes, I use words like “do not use”. For a reason: as it stands, I would recommend that no one use this plugin, as there’s exactly zero transparency about what is delivered and everything in this plugin is just insecure by default.

    First of all, eMarket Design is a legitimate, reliable U.S.-based company. They employ many developers like yourself. They do not have any intention to mess up your box. They want you to be happy so that they can make money. So stop treating everybody as thieves, hackers and such.

    You download plugins from this repository, correct? Does it let you see the code before you download? They are in the business of making money out of the generated code. Why do you think they will let you see the code for free? It is basically a text file; as I said above, just review the code before you install it if you are paranoid about it.

    The generated code is downloadable from Amazon S3. It is there for 6 months.

    The product: Wp App Studio is open source. The code generated is open source. The WAY the code is generated is NOT open source, duh!

    Lastly, there is something called etiquette. Pick your words correctly when you write something. That is all I am saying. Try to ask questions like you did above before jumping to conclusions. I do not personally care about your review. Stick to your 1 star or no star. It is your business. Based on their client base, I do not think they care either.

    You download plugins from this repository, correct? Does it let you see the code before you download?

    Yes. See the WP Super Cache repo for an example. Every single plugin (as well as WP core) has a separate repo that lets you review the code before you download it. The link can be found on the last tab for every plugin. The code is reviewed, and if plugin repos get hijacked, the team here on wp dot org even delivers hot fixes to remove malicious content.

    Good to know.

    Well, you cannot get freebies in their part of town. Nobody offers premium plugins, let alone a plugin generated by WPAS. The zip file size itself is around 600k, full of functionality.

    I have been dealing with open source goodies for about 6 years. I have not seen anything like it in the Drupal, Joomla, or WP world. You can create a full-blown CRM system in an hour without any coding. And it costs $27 per entity. Who does development for $27?

    If you really want to see the code, stick to the complimentary code in And try not to insult people by treating them as hackers or a bunch of script kiddies. Adios amigo!

    I have not seen anything like it in the Drupal, Joomla, or WP world. You can create a full-blown CRM system in an hour without any coding. And it costs $27 per entity. Who does development for $27?

    There are a couple of plugins that deliver that for less. In other words, for $0.00:

    The good thing with those plugins is (as opposed to this plugin here) that they fully integrate with the WP style guide, instead of taking jQuery UI to render pages. That makes them slimmer, faster and, most important, future proof, as they will smoothly integrate with every WP style that comes in the future (like MP6), for example.

    And try not to insult people by treating them as hackers or a bunch of script kiddies.

    There was no insult anywhere. But reviewing code and what it does is what this place is for. If you feel insulted by a review, then don’t add your plugin here. Or start by changing the code, make the process fully transparent and secure the gaps I mentioned, which would make better reviews possible.

    Do your homework; read the documentation they provide first.

    The plugins you provide here do just a part of what this plugin does. Pods does a little more than the other two. Nobody forces you to use jQuery UI (again, do your homework). They just give you an option.

    Nobody says you do not review. It is good that you claim to find some security related deficiencies. It does not make a plugin a bad plugin. There are tons of very good plugins here in the repo not following the guidelines you pointed out. Considering the functionality this plugin provides, there could be some more bugs. That’s what the support pages are for.

    Again, my problem with your review is your style of writing. You seem to shoot to kill. Calling people’s hard-worked code a piece of crap. Give people a break! Kindly point out the issues, then give them time so that they can fix them. They said they will take a look and see if there are some improvements to make.

    If you have additional features you would like to see, kindly ask them to consider them. That’s how reviews should be. I don’t know how you and your German buddies view it in Europe, but here in the U.S., when you imply that people might have an intention to send you bad code, that’s insulting. At least that’s how I view it.

    Gurumark, are you affiliated with the plugin?

    The issue is not quite the quality of the plugin: it is a very good idea, cool interface, etc.

    Can you tell what exactly is happening between our WP installation and this server?
    define('WPAS_SSL_URL', "");

    I don’t work for eMarket Design and am not authorized to speak on behalf of the company. My company is part of their premium tester program. We basically provide business requirements and testing services. We have been using the service for a long time (about 6 months). That’s why I am very familiar with the service and the functionality provided.

    The service is composed of a 3-tier architecture based on an HTTP REST API.

    Here is the conceptual picture:

    1- Client (plugin): Wp App Studio provides app metadata and sends a REST request through an HTTPS connection to the controller engine. It also gets the account balance, checks the app design based on API rules, and provides app generation status (success/failure message, or plugin download link).

    2- Controller Engine: Gets the encrypted request, analyzes the app’s (plugin) complexity and checks the client’s account balance. Then it sends an XML response through HTTPS. It puts the request in the queue for code generation. If the code generation is a success, then it sends the plugin download link to the Wp App Studio client through an HTTPS connection.

    3- Code Generators: These are a cluster of servers written in Java. They produce WordPress API based code, do additional quality checks, push the generated code to Amazon S3, and send the Controller Engine the download link, development status, etc.

    The HTTPS connection does two things: 1- encrypts the connection; 2- proves to the client (Wp App Studio) that the server it is talking to is I believe HTTPS itself mitigates the risk of man-in-the-middle attacks, code injection, etc. Franz also provided some tips which I think will further harden the security. (I am not a security expert.)
    All the responses coming from the server go through an XML parser and are in XML format. No other format is allowed.

    Does it answer your question?
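An added illustration, not code from WP App Studio or from anyone in this thread, of what the client side of the exchange described above would look like with the checks the review asks for: the WP HTTP API with certificate verification, error and status checks before the response is touched, and filter_var()/esc_*() validation of the XML fields. The endpoint, the request body fields and the <status>, <message> and <download_url> elements are assumptions.

```php
<?php
// Added example, not WP App Studio code. Endpoint URL, request body fields and
// the <status>, <message>, <download_url> elements are assumed for illustration.
function wpas_demo_fetch_build_status( array $app_metadata, $endpoint ) {
    // WP HTTP API: certificate verification on, bounded timeout, no redirects
    $response = wp_remote_post( $endpoint, array(
        'timeout'     => 15,
        'redirection' => 0,
        'sslverify'   => true,
        'headers'     => array( 'Content-Type' => 'application/json' ),
        'body'        => wp_json_encode( array( 'app' => $app_metadata ) ),
    ) );

    // Transport and HTTP status checks, so a failure never becomes a white screen
    if ( is_wp_error( $response ) ) {
        return $response;
    }
    $code = (int) wp_remote_retrieve_response_code( $response );
    if ( 200 !== $code ) {
        return new WP_Error( 'wpas_http', sprintf( 'Unexpected HTTP status %d', $code ) );
    }

    // Parse the XML body with network access disabled (LIBXML_NONET) and without
    // entity substitution; parser errors are collected instead of printed
    $prev = libxml_use_internal_errors( true );
    $xml  = simplexml_load_string( wp_remote_retrieve_body( $response ), 'SimpleXMLElement', LIBXML_NONET );
    libxml_clear_errors();
    libxml_use_internal_errors( $prev );
    if ( false === $xml ) {
        return new WP_Error( 'wpas_xml', 'Response body is not well-formed XML' );
    }

    // Validate every field before trusting it: status must be a known token and the
    // download link an absolute https URL; free text is sanitised on the way in
    $status = (string) $xml->status;
    if ( ! in_array( $status, array( 'success', 'failure' ), true ) ) {
        return new WP_Error( 'wpas_status', 'Unknown status value in response' );
    }
    $link = esc_url_raw( (string) $xml->download_url, array( 'https' ) );
    if ( 'success' === $status && false === filter_var( $link, FILTER_VALIDATE_URL ) ) {
        return new WP_Error( 'wpas_link', 'Download link is missing or not https' );
    }
    // Callers still wrap these in esc_html() / esc_url() at output time
    return array(
        'status'  => $status,
        'message' => sanitize_text_field( (string) $xml->message ),
        'link'    => $link,
    );
}
```

Whatever renders the result still passes `message` through esc_html() and `link` through esc_url(); validating on input does not replace escaping on output.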

    Despite the double entendre, this is not the correct “forum” for this discussion, so I’m closing this thread.

    @gurumark: If you’d like to respond to @Franz Josef Kaiser’s review, by all means post a comment on his review or take this discussion off of the forums. The plugin reviews system is not meant for taking other reviewers to task.

  • The topic ‘share your "immense" knowledge with us and give specifics so that they can fix i’ is closed to new replies.