Red Sand Media Group Is Developing Malware

WP Spamshield is a malicious plugin developed by Red Sand Media Group that is targeting other plugins on the WordPress plugin repository to disable them and cause harm to users’ sites. WP Spamshield has been removed from the WordPress plugin repository because of the malicious code it contained and Red Sand Media Group’s attempts to bully the administrators of One of the plugins that is being targeted is Plugin Organizer. Scott Allen, who is the author of WP Spamshield, has moved WP Spamshield to Code Canyon and is now charging people to put his malicious code on their sites. If you are running this plugin you should immediately remove it to prevent it from modifying your database and causing harm to your site. It targets other plugins and even tries to remove files that the user has installed. Here are some discussions on the topic of why it was eventually removed from the WordPress repository.

Red Sand Media Group’s attempts to bully the WordPress community

In those 2 support threads I pointed out to Scott Allen (the developer of WP Spamshield and head of Red Sand Media Group) that he was re-indexing the $_POST array incorrectly. Changing the $_POST array in the first place is a hack that shouldn’t be done because it can cause instability, which is exactly what happened. So I released a fix for Plugin Organizer that stopped his code from re-indexing the $_POST array and crashing users’ sites. He responded by releasing a version of WP Spamshield that disabled Plugin Organizer and deleted all files related to it. I then released a version of Plugin Organizer that deactivated WP Spamshield before it could do any of that. He in turn released a new version of WP Spamshield that deleted Plugin Organizer from within an MU plugin file that loaded before the PluginOrganizerMU.class.php.

Rather than continue to release countermeasures to Red Sand Media Group’s malicious code contained in WP Spamshield I reported them to the WordPress admins and they told both of us to remove our code that disables the others. I was more than happy to do this since that’s all I wanted in the first place. So I released a version that removed all of my countermeasures. After 2 weeks Red Sand Media Group had still not released a clean version of WP Spamshield. That’s when the WordPress admins got tired of their bullying and waiting for them to remove their malicious code. So they removed WP Spamshield from the repository.

Red Sand Media Group using DMCA

The latest attempt to bully developers by Scott Allen and Red Sand Media Group is to file DMCA requests to have sites critical of their malicious code removed from Google. They have filed hundreds of erroneous requests including requests to get my site taken down. Unfortunately for them they had no grounds for these removal requests so I just had to request a review and Google restored all of my pages. This is just another example of how dishonest Scott Allen and Red Sand Media Group are and the lengths they are willing to go in order to silence people who point out the malware they are releasing disguised as anti-spam software.

Red Sand Media Group’s malicious code

Since Red Sand Media Group has released their malicious code on Code Canyon I can’t look at their code to see what new hacks they have added. I have no doubt the new version is even more harmful to users since they don’t have to follow the guidelines laid out by In the last version available on the WordPress repository (located here) the code targets several other plugins from within the MU plugin file to delete files before the site has started to load standard plugins. It also targets database tables and options for other plugins in the so-called “compatibility” classes contained within the standard plugin files in an attempt to break those other plugins. These actions have crashed users’ sites and left them vulnerable to hackers.

There are 2 functions that target Plugin Organizer. The first is located in includes/class.compatibility.php at line 306 of version 1.9.21 of WP Spamshield. It completely disables Plugin Organizer by turning off selective plugin loading. Then it modifies the saved plugin load order which has the potential to crash a site if the user had changed the load order to fix a conflict.

The second function is located in includes/ at line 828 of version 1.9.21 of WP Spamshield. It re-indexes variables in the post array without taking into account that the variables could be multidimensional associative arrays, which is the case with Plugin Organizer. It turns those associative arrays into indexed arrays and creates instability in the platform.
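The failure mode described above, as an added PHP illustration that is not code from WP Spamshield or Plugin Organizer: a recursive re-index that discards string keys, followed by a key-path comparison a plugin author could use to detect that submitted form data was restructured. The function names, field names and values are assumptions made up for this example.

```php
<?php
// Added illustration; function names and sample data are constructed.

// Re-indexes every nested array, which discards associative (string) keys.
function reindex_naive(array $data): array {
    $out = [];
    foreach ($data as $key => $value) {
        $out[$key] = is_array($value)
            ? array_values(reindex_naive($value))
            : $value;
    }
    return $out;
}

// Lists every key path in a nested array, e.g. "load_order.plugin-a/plugin-a.php".
function key_paths(array $data, string $prefix = ''): array {
    $paths = [];
    foreach ($data as $key => $value) {
        $path = $prefix === '' ? (string) $key : $prefix . '.' . $key;
        $paths[] = $path;
        if (is_array($value)) {
            $paths = array_merge($paths, key_paths($value, $path));
        }
    }
    return $paths;
}

// Key paths present before a filter ran but missing afterwards.
function lost_key_paths(array $before, array $after): array {
    return array_values(array_diff(key_paths($before), key_paths($after)));
}

// Constructed stand-in for a $_POST payload with nested associative data.
$post = [
    'load_order' => [
        'plugin-a/plugin-a.php' => '2',
        'plugin-b/plugin-b.php' => '1',
    ],
    'tags'  => [3 => 'x', 7 => 'y'], // integer keys that carry meaning (IDs)
    'nonce' => 'abc123',
];

$after = reindex_naive($post);

// Any output here means the structure a consumer relies on was destroyed.
foreach (lost_key_paths($post, $after) as $path) {
    echo "key lost after re-index: {$path}\n";
}
```

Integer keys that carry meaning, such as IDs, are lost in the same way as string keys, so the comparison reports both.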

The class.compatibility.php file is filled with functions that hobble other plugins. All of these things are done without the user’s knowledge. WP Spamshield is malicious code masquerading as a security plugin. I’m surprised it wasn’t removed from sooner. A vulnerability scan done by a third party turned up some less than reputable activity that WP Spamshield does in the background without the users’ knowledge. You can see the results of this scan by clicking the link below. You can also see an example of Scott Allen’s inability to see any problems with anything he does in the comments on this scan.
Scan results

To prevent WP Spamshield from disabling Plugin Organizer I have released a version with new option names that aren’t being targeted. This was only a temporary fix and I’m not sure if it is even working anymore since Red Sand Media Group has released their code somewhere else and I’m sure has changed their plugin to completely delete mine.

Red Sand Media Group’s false accusations

Red Sand Media Group (the developers of WP Spamshield) have made a blog post full of false accusations that is available on their site. In the blog post they are saying people should google Jeff Sterup and Plugin Organizer to see the “pattern of security issues and vulnerabilities” that Plugin Organizer has. The Google search they recommend is here. All this Google search turns up is vulnerabilities related to another plugin that was falsely attributed to Plugin Organizer because it has a similar name. For instance CVE-2012-6511 and CVE-2012-6512. If you look at the CVE for either of these by clicking the link you will see that they are related to a different plugin called Organizer that was abandoned several years ago. A plugin that is in no way related to me. You can view the page for that plugin at

As far as I know Plugin Organizer has never suffered from any “security issues and vulnerabilities”. I’ve worked as a software developer for 20 years and have had a lot of experience working with securing very high profile and visible sites and applications. In my professional career I have worked with PCI compliance and have been brought in to secure numerous applications that were built by inexperienced developers (like the ones employed at Red Sand Media Group) that cause conflicts and security vulnerabilities. I welcome anyone to scan Plugin Organizer and point out security vulnerabilities so they can be fixed. None have been brought to my attention yet.

The blog post at the Red Sand Media Group’s site is full of things that are easily proven wrong by looking at the commits to our plugins in the WordPress SVN repository and reading the support threads. Scott Allen is a very dishonest person with a questionable grasp of security principles who tries to lecture everyone that questions him about how knowledgeable he is and Red Sand Media Group has a history of causing harm to their customers’ sites. I would suggest everyone remove Red Sand Media Group’s code from their sites and stay far away from anything they’re involved in.