Sexy Bookmarks — An Update

Almost a year ago I wrote a blog post entitled, “Is Sexy Bookmarks Sending Data From Your Blog?” In that post I talked about a discovery that I had made regarding a third party service that Sexy Bookmarks was using to mine data from the people sharing your blog content. I now have an update to that post.

A few months after I wrote that post, Shareaholic, the owner of Sexy Bookmarks, removed the plugin from the WordPress directory. When you see something like that happen, your first thought is that WordPress booted them for a security problem. According to Shareaholic in their forum, there was nothing wrong; they were just updating the software and removed it from the directory.

Hmmm. I don’t know if I entirely believe that. Nevertheless, Sexy Bookmarks is back in the directory with the new version. We now see a new section in the plugin dashboard about this third party tracking. See the screenshot below:

Sexy Bookmarks Tracking

So it seems that to make the third party tracking more palatable, Sexy Bookmarks is making the data available to its users and not just the third parties that are paying them for it. At first glance, that looked good because you could hook up your Google Analytics to it.

Not So Fast…

But hang on a sec, your data is not only available to you and the third parties, but everyone on the Internet! What? I had my 3rd Party Services set to yes for about 3 weeks until I found this:

Shareaholic Stats

How about if I just post my Google Analytics login information so anyone could see it? I don’t think so! As you can see from the screenshot, I’m not even signed in.

On a Related Issue…

I was chatting with Regina Smola over at WPSecurityLock.com about this as she is my go-to person for WordPress security. She was amazed at this discovery as well. In addition she pointed out that many plugins don’t close the door to their plugin files, leaving them vulnerable to hackers. But she gave me the code to lock the door so I’m passing it on to you.

First you can check to see if you have an open door by typing in your browser address bar http://yourdomainname/wp-content/plugins/sexybookmarks/ or any other plugin you have. If you get a page like the following, then you know your door is open.

sexy-bookmarks-index

Here’s how you fix it…

In your .htaccess file add the following:

# Turn off index browsing so directories with no index files will not display the list of files
Options -Indexes

And while you’re at it, you might as well tell Google to stay away from your plugins folder altogether, so in your robots.txt file add the following:

User-agent: *
Disallow: /wp-content/plugins/

Bottom Line: I still like Sexy Bookmarks but I disable the 3rd Party Services and I’ve added Regina’s recommendations in my htaccess and robots.txt files. By the way, Regina has a great little free report 7 Plugins for WordPress Security that I recommend you read.

Christine Cobb

Christine Cobb

is a web technology consultant, a small business online marketing consultant and provides information for new bloggers and affiliate marketers.
Christine Cobb
Christine Cobb

Latest posts by Christine Cobb (see all)

Comments

  1. Great post Christine about the security of the Sexy Bookmarks plugin and how they’re sharing “our” site data. It was a bit fuzzy when we looked at it together, I could just imagine how confusing it must be for WordPress newbies that don’t read this post.

    “How about if I just post my Google Analytics login information so anyone could see it? I don’t think so! As you can see from the screenshot, I’m not even signed in.” < Couldn't of said it better myself Christine!!!!!

    P.S. I too am interested to know why SexyBookmarks was removed from the WordPress plugin repository, why there is the Shareholic plugin (last updated 1/13/12) too, and then it was relisted again (on 5/9/12).

    How sad that over 1.5 million users are listed on Google using this plugin and anyone can easily view their website profiles. Yikes!

  2. Ken Ashe says:

    Thanks for the tip. I don;t use sexy bookmarks, but I will use the code to keep search engines from indexing my plugins.

  3. Yikes, I found two places that shareaholic posts website analytics publicly.

    Thank Christine for posting this valuable information. Anyone using Sexybookmarks should read this post so they set it up securely.

  4. Thanks for this information! I’ve gone and changed my setting in Sexy Bookmarks and also in my .htaccess file (Gosh I hope I didn’t mess it up! You are supposed to put it before # END WordPress, correct?)

    The only problem I know of is that I couldn’t find my robots.txt file to close Google out. Should it be in the same area or am I to look elsewhere? Help, please!

    Also, to check to see if these worked, do I re-type the http: //yourdomainname/wp-content/plugins/sexybookmarks/ in my browser–and hopefully I won’t see the index page again? After I made the changes on Sexy Bookmarks, I was still seeing my index page. :/

    And finally, should I be typing the above url for all my plugins to check them as well?

    Thanks in advance for your help. I’m going to share this on FB so my friends can make the changes as well.

    • Christine Cobb says:

      Sheri – you may not have a robots.txt file already. Simply open up notepad, type in the information, save it as robot.txt and then upload it to the root folder of your server.

      Put the code in your htaccess file above or below the WordPress block — not within it.

  5. Thanks, Christine!

    I followed your advice and hope I uploaded it to the right place in cpanel. (I get so fearful when I go in there!) I also changed the code location to below the WordPress block. My site comes up regular–so I’m hoping all is well.

    I really appreciate the extra info! 🙂

  6. Hi Christine,
    I am still trying to figure all of this out. The page that you I shouldn’t see when typing in the link above (/yourdomainname/wp-content/plugins/sexybookmarks/) is still showing–for not only sexybookmarks, but almost all my plugins–and there are a couple fatal errors I got. Am I doing something wrong? Is there an .htaccess file for each plugin or just one that fixes them all. I am so confused–and am so afraid to mess things up in my cpanel.

    Thanks so much for your help!

  7. Sheri,

    Did you add this to your .htaccess file in the same directory as your wp-config.php?

    # Turn off index browsing so directories with no index files will not display the list of files
    Options -Indexes

    If that link is still showing up then try this:

    # Turn off index browsing so directories with no index files will not display the list of files
    Options All -Indexes

    Some hosts work with the word All and some don’t.

    Try that and if you get a 500 internal server error, then remove the word All again.

  8. Hi Regina,

    First of all, yesterday I guess I wasn’t paying attention to which directory I found my .htaccess file in but it had some wordpress info in it that I thankfully cut and pasted, before I made any changes.

    In searching around today, I have found an .htaccess file in my document root directory that has nothing in it.

    Earlier today (after looking at your 7 Plugins report) I was changing a backup plugin I was using to the one you recommended. When I activated it, it said it might be visible to the public and that I should move it from one place to another. I did that and found that the one I added to yesterday, is the one with the info I saw yesterday. So now I don’t know if I have it in the right place at all, let alone any of the suggestions you made above.

    My first area of confusion is which directory it (was in or) should be in, in the first place. Here are the choices:

    Home Directory
    Web Root
    Public FTP Root
    Document Root

    I’m trying my best to keep track of things after this fiasco–so that I can fix it. If nothing else, I have learned a valuable lesson here. Track everything you do, so you can change it back without a stomach and back ache! LOL

    (I apologize for any inconvenience I am causing you–and hope that others may learn from my mistake as well!)

    As soon as I get the file back to where it belongs, I will check the suggestions you made above to see if I can get it fixed.

  9. Hi Sheri,

    It should be your home directory. If you open the folder, you should see wp-admin, wp-content, and wp-includes folders and below that is your .htaccess file you need to add it too. You’ll see a bunch of files that start with wp-, like wp-activate.php, The .htaccess file will have your Begin and End WordPress code in it. That’s the one you want. It is the main .htaccess file for your WordPress installation.

  10. Hi Regina,

    My home directory has .attracta, .cpaddons, .cpanel, etc., no wp-admin, wp-content, etc. I have located those files and the .htaccess doc in my webroot and document root directories, but they are the blank ones.

    The .htaccess doc that has the WordPress code in it is here: public_html/wp-content/backup-db

    Should I go ahead and move it to the home directory even though I don’t see the same things there that you have said I should see?

  11. Hi Sheri,

    Sorry, try the root. You need to find out where your wordpress is installed. The .htaccess file that has our WordPress before and after code is in that location where the wp-config.php file is.

  12. Sheri,

    For more help, please contact me at http://wpsecuritylock.com/contact/.

  13. Hi,

    I feel the same about the social analytics being reported publicly…never expected that! Curious, how is it that your “referral data”, at shareaholic [dot] com/publishers/analytics/yoursite {dot} com, is no longer avaialable? I ask because even though I disabled 3rd party tracking via Shareaholic’s settings, such info remains on their site, whereas your site lists the default “This site has not implemented Shareaholic analytics.”

    Thanks!

    • Christine Cobb says:

      Alan — try going to the Functionality Settings and setting “Show Share Counters” to No.

  14. Hey Christine,

    Thanks but don’t think that’s the problem as I deleted Shareaholic from 1 of my sites & the analytics that were reported when the plugin was active are still viewable on their site! Was hoping that I would see “This site has not implemented Shareaholic analytics”, but nope! Go figure…

    I have emailed Shareaholic 3 times & posted 3 times in there forums w/ various questions & still no response. Very disappointed in their service. Maybe if they replied to my questions, some of my concerns would be quelled. Their marketing rep comments on blogs where Shareaholic is mentioned & they just sponsored Wordcamp Boston last month, where the marketing rep spoke, so I’m told. So they seem to be around in a marketing capacity, just not customer service. Their TOS, functionality of their plugin, & lack of service are cause for concern for me, yet Wordcamp is a reputable event, & they partook. Not sure what to make of them…

    Sexy Bookmarks has plenty of great features, looks great, validates, for the most part, & loads their script in the header or footer, where other sharing plugins incorrectly load script in the body of the page. So, as you can seem I have mixed feeling about Shareaholic…

    It’s good to come across someone else with at least some of the same concerns. Looks as if you have forgone any sharing plugin on your site.

    • Christine Cobb says:

      I’m a little baffled by SB right now. It is an active plugin but not showing up. I need to do some testing as to the conflict. That may be the reason for the stats disappearing on the Shareaholic site. It’s kind of a love/hate relationship with them 🙂

  15. Hey Christine,

    Just an FYI… been back & forth w/ Shareaholic for over a month & am still waiting for them to admit which tracking cookies remain, even after disabling tracking! That’s right, they admitted that not all tracking is disabled, even when 3rd party tracking is disabled! Of course I can simply check this myself, but I shouldn’t have to. Oh, and data is still present & running on their analytics site, even after the plugin is removed! However, the level of data that remains is not consistent on all sites.

    I will be investigating further. Thought you might care to as well.

    • Christine Cobb says:

      Thanks Alan for continuing the detective work. I’ll see what I can uncover as well. Looks like another update post will be in order soon.

Speak Your Mind

*