Title: Plugin Violates Developer Guidelines
Last modified: August 31, 2016

---

# Plugin Violates Developer Guidelines

 *  [redsand](https://wordpress.org/support/users/redsand/)
 * (@redsand)
 * [9 years, 10 months ago](https://wordpress.org/support/topic/plugin-violates-developer-guidelines/)
 * This plugin violates the WordPress Developer Guidelines: [https://wordpress.org/plugins/about/guidelines/](https://wordpress.org/plugins/about/guidelines/)
 * > Your WordPress URL, Theme and Plugins are sent to [https://wordpress.inspector.io](https://wordpress.inspector.io)
   > where we run different benchmarks and tests on your WordPress and tell you 
   > how it performs.
 * You don’t give a clear list of EXACTLY what data is transmitted to your site.
 * Per the guidelines, rule 7:
 * > No “phoning home” without user’s informed consent. This seemingly simple rule
   > actually covers several different aspects:
   > No unauthorized collection of user data. For example, sending the admin’s email
   > address back to your own servers without permission of the user is not allowed;
   > but asking the user for an email address and collecting if they choose to submit
   > it is fine. All actions taken in this respect MUST be of the user’s doing, 
   > not automatically done by the plugin.
 * **No functionality is actually performed in your plugin.** It is basically a 
   form, that posts to your site.
 * This plugin could be interesting if it functioned solely in the user’s admin,
   but as it stands, this seems quite shady. I’m saying this from a user’s point
   of view. As a plugin developer, I will audit the code, and see exactly what is
   sent, but most users won’t be doing that, and it is not going to build trust.
 * [https://wordpress.org/plugins/inspector-wp/](https://wordpress.org/plugins/inspector-wp/)

Viewing 8 replies - 1 through 8 (of 8 total)

 *  Thread Starter [redsand](https://wordpress.org/support/users/redsand/)
 * (@redsand)
 * [9 years, 10 months ago](https://wordpress.org/support/topic/plugin-violates-developer-guidelines/#post-7426069)
 * After you run the test, you get a spam email from info [at] mailmunch [dot] co
   with the following:
 * >  Hi there,
   > Welcome to WordPress Inspector!
   > WordPress is a great platform that powers over 25% of internet sites. But without
   > taking the right precautions, you could end up with a sluggish site.
   > We have analyzed hundreds of thousands of WordPress sites and found that there
   > are a few common causes of WordPress performance issues. We’ll help you test
   > your WordPress site for speed, performance and security issues.
   > Perform a Full Inspection
   > If you have not performed a full inspection of your WordPress site yet, I strongly
   > recommend you to install our free WordPress plugin and run a full inspection.
   > Full inspection analyzes all your active plugins and theme for known issues.
   > How do you speed up WordPress?
   > 1. Choose a good host
   > 2. Start with a solid framework/theme
   > 3. Use an effective caching plugin
   > 4. Use a content delivery network (CDN)
   > 5. Optimize images
   > 6. Optimize your WordPress database
   > 7. Disable hotlinking of your content
   > In the next few days, I’ll send you some more proven tips to improve your WordPress.
   > Meanwhile, make sure to install our free WordPress plugin here: <URL removed>
   > Have a great day!
   > —
   >  Regards,
   > John Davier,
   >  WordPress Inspector
   > WordPress Inspector by MailMunch Inc.
   > Unsubscribe
 * Now, it should be noted, that while there is a vague mention of “Your WordPress
   URL, Theme and Plugins” being “sent” to wordpress [dot] inspector [dot] io, there
   is no mention of this in the admin. There is also no mention or request for consent
   for them collecting your email address. Most users would not consent if they 
   knew.
 * After auditing the plugin, here is a full list of items that are sent to the 
   plugin authors’ website:
    1. WordPress Version
    2. Theme, and all its details: Theme Name, Theme URI, Theme Description, Theme 
       Author, Theme Author URI, Theme Version, Theme TestDomain
    3. A list of all plugins, and the details of each plugin: Plugin Name, Plugin Slug,
       Plugin URI, Description, Plugin Author, Plugin Author URI, Plugin, Author Name,
       Plugin Title, Plugin Version
    4. WordPress URL
    5. **The Admin Email Address** – which immediately gets added to their email list,
       and they start the email spam. **As noted above: “sending the admin’s email 
       address back to your own servers without permission of the user is not allowed”**
 * That’s a LOT of info. And while it goes to an https:// URL, it is not encrypted
   or encoded in any way. So all that data is sent in the CLEAR, and can potentially
   be intercepted. **Not good.**
 *  Moderator [Jan Dembowski](https://wordpress.org/support/users/jdembowski/)
 * (@jdembowski)
 * Forum Moderator and Brute Squad
 * [9 years, 10 months ago](https://wordpress.org/support/topic/plugin-violates-developer-guidelines/#post-7426121)
 * _*Looks*_
 * This does not violate the plugin guidelines. It’s not phoning home as much as
   this is software as a service.
 * From [the plugin page](https://wordpress.org/plugins/inspector-wp/):
 * >  WordPress Inspector will inspect your site for speed, seo, security and performance.
   > Your WordPress URL, Theme and Plugins are sent to [https://wordpress.inspector.io](https://wordpress.inspector.io)
   > where we run different benchmarks and tests on your WordPress and tell you 
   > how it performs.
   > Includes a complete security and exploit scanner which scans your WordPress
   > for potentially broken plugins or themes. Removing broken plugins is a big 
   > win in maintaining a high performance WordPress site.
 * Their service is that you use this plugin, you send them your info via the plugin
   and they evaluate your site. That’s not phoning home, it’s what this plugin clearly
   states it does from the onset.
 * Edit: Yes, software as a service gives me headaches. But just like many other
   plugins, having a plugin that communicates with a service is permitted.
 *  Thread Starter [redsand](https://wordpress.org/support/users/redsand/)
 * (@redsand)
 * [9 years, 10 months ago](https://wordpress.org/support/topic/plugin-violates-developer-guidelines/#post-7426124)
 * Hi Jan,
 * Thanks for taking a look.
 * What about the “sending the admin’s email address back to your own servers without
   permission of the user is not allowed” part. It sends the email to its server,
   and that is not mentioned anywhere in the docs, or on the plugin admin.
 * – Scott
 *  Moderator [Jan Dembowski](https://wordpress.org/support/users/jdembowski/)
 * (@jdembowski)
 * Forum Moderator and Brute Squad
 * [9 years, 10 months ago](https://wordpress.org/support/topic/plugin-violates-developer-guidelines/#post-7426126)
 * That _should_ be disclosed and that could be a violation. I’m not on the plugins
   team though I do spam them a lot. 😉
 * Why not send your concerns to them directly? As you know, their D/L is `plugins@wordpress.org`
   and if there’s a problem then they’ll get on that.
 *  Moderator [Samuel Wood (Otto)](https://wordpress.org/support/users/otto42/)
 * (@otto42)
 * WordPress.org Admin
 * [9 years, 10 months ago](https://wordpress.org/support/topic/plugin-violates-developer-guidelines/#post-7426128)
 * Looking at the plugin, it’s not really sending anything without permission. There’s
   a form. It has the theme names and the number of plugins, an input box with your
   URL, and an input box with your email address (from your user profile, not the
   admin email).
 * You have to press the Submit button on that form. That’s “permission”. They didn’t
   automatically collect anything, you clicked the “Start Inspection” button, and
   the description of the plugin is extremely clear about “are sent to [https://wordpress.inspector.io](https://wordpress.inspector.io)”.
 * Not sure how anybody could be surprised by this. You click a button to submit
   a form with your email address in an input box, then yes, they will have your
   email address. That’s not a guideline violation, by any stretch.
 *  Thread Starter [redsand](https://wordpress.org/support/users/redsand/)
 * (@redsand)
 * [9 years, 10 months ago](https://wordpress.org/support/topic/plugin-violates-developer-guidelines/#post-7426130)
 * [@jan](https://wordpress.org/support/users/jan/),
 * Thanks again. I did drop a note to the plugins team.
 * [@samuel](https://wordpress.org/support/users/samuel/),
 * I’m not sure how you could come to that conclusion. The docs are vague at best,
   and there is no mention in the plugin’s admin that anything is being sent to 
   their server.
 * The site URL and email in the admin just look like settings to an average user.
 * I’m a developer, and so are you, but _look at it from a user perspective_. Most
   people have no idea what it does. We were testing it out, and I audited the plugin
   code, as noted above.
 * The developer guidelines are pretty clear that any sending of the admin email
   to their server without explicit permission is a no-go.
 * Sure, if people read the code, like you and I do, they won’t be surprised, but
   most users don’t.
 * Anyway, I appreciate your looking into it.
 * I thought the plugin looked interesting. I just think that as-is, it doesn’t 
   build a lot of trust, because it’s not exactly transparent about the data use.
 *  Moderator [Samuel Wood (Otto)](https://wordpress.org/support/users/otto42/)
 * (@otto42)
 * WordPress.org Admin
 * [9 years, 10 months ago](https://wordpress.org/support/topic/plugin-violates-developer-guidelines/#post-7426165)
 * > The developer guidelines are pretty clear that any sending of the admin email
   > to their server without explicit permission is a no-go.
 * I am well aware of that, because I wrote those guidelines.
 * It doesn’t send anything to anybody until you click the button to make it do 
   such. Pretty straightforward there.
 *  Thread Starter [redsand](https://wordpress.org/support/users/redsand/)
 * (@redsand)
 * [9 years, 10 months ago](https://wordpress.org/support/topic/plugin-violates-developer-guidelines/#post-7426166)
 * > I am well aware of that, because I wrote those guidelines.
 * I know. 🙂 And it’s a good rule.
 * Well, all I can do is let you guys know. I have a slightly different view on 
   that, since it doesn’t ever say that the admin email is being transmitted, but
   no worries. It’s ultimately your call as to what does or does not. I wrote the
   post based on my opinion of the matter. We get analytical and long-winded sometimes,
   but then that’s our job.
 * Thanks for giving a look. I hope the developer reads this, and at least improves
   the communication with the user.


The topic ‘Plugin Violates Developer Guidelines’ is closed to new replies.
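
An added example (not part of the thread and not the plugin's own code): the replies describe the plugin as a form that posts to a third-party site, so one way to see what such a form would transmit is to parse the rendered admin page and list every field, hidden or pre-filled, on forms whose action points off-site. The markup, host names and field names below are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of a plugin admin page; not the real plugin's markup.
SAMPLE_ADMIN_HTML = """
<form method="post" action="https://service.example/inspect">
  <input type="text" name="url" value="https://blog.example">
  <input type="text" name="email" value="admin@blog.example">
  <input type="hidden" name="wp_version" value="4.6">
  <input type="hidden" name="plugins" value='[{"Name":"Demo"}]'>
  <input type="submit" value="Start Inspection">
</form>
<form method="post" action="options.php">
  <input type="hidden" name="option_page" value="general">
</form>
"""
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")

class FormAudit(HTMLParser):
    """Collect each form and the named fields it would submit."""
    def __init__(self):
        super().__init__()
        self.forms, self.current = [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.current = {"action": a.get("action") or "", "fields": []}
            self.forms.append(self.current)
        elif tag == "input" and self.current is not None and a.get("name"):
            self.current["fields"].append({
                "name": a["name"],
                "hidden": (a.get("type") or "text").lower() == "hidden",
                "email": bool(EMAIL_RE.fullmatch(a.get("value") or "")),
            })

    def handle_endtag(self, tag):
        if tag == "form":
            self.current = None

def third_party_forms(html, site_host):
    """Return forms whose action targets a host other than site_host."""
    parser = FormAudit()
    parser.feed(html)
    out = []
    for form in parser.forms:
        host = urlparse(form["action"]).hostname  # None for relative actions
        if host and host != site_host:
            out.append({"host": host, **form})
    return out
```

Fields flagged `hidden` are the ones a user cannot see before pressing the submit button, and fields flagged `email` arrive pre-filled with an address.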


 * 8 replies
 * 3 participants
 * Last reply from: [redsand](https://wordpress.org/support/users/redsand/)
 * Last activity: [9 years, 10 months ago](https://wordpress.org/support/topic/plugin-violates-developer-guidelines/#post-7426166)
 * Status: not resolved