Print my Blog Plugin Transparency Report – April 2019


This is the first of monthly transparency reports about development of the plugin Print My Blog. I want to:

  • Share my experience developing a WordPress plugin so others can learn from it
  • Remember what actually happened for my own records
  • Inform users and potential sponsors of the open collective how donations are being used and where things are headed
  • Create more awareness about the plugin itself (as I understand it that’s one potential benefit of transparency reports: you give away a bunch of interesting information, normally kept secret, and in exchange you get noticed more)
  • Get feedback on my sometimes outlandish ideas!

(Previously I did a weekly post on my blog, and on open collective.)

What Happened in April 2019

Open Collective Stats

  • Hours:
    • 13 (+2.5) support
    • 15.5 (+4.5) copy writing
    • 44.5 (+10) development
    • 6.5 (+1) management
  • Expenses: $2839.21 (+$661.50 )
  • Donations: $20 (+$0)

Plugin Stats

  • Downloads: 3,549 (+1,200)
  • Active Installs: 300 (+100)
  • Languages: 2 (+0)
  • Five Star Reviews: 10 (+3)
  • Releases: 22 (+5)

Overview of What’s New

The Details

French Translation

I tried my hand at translating the plugin into French, but it still needs a WordPress French Translations Editor to approve the translations… If you are, or know, an editor please help out with the French translation of Print My Blog.

The plugin doesn’t have a ton of text, but still it took about 3 hours to translate it all. It was probably a good exercise because:

  • It may open up the plugin to discovery and use by a whole new segment of users
  • It gave me a better appreciation for how much effort it takes to translate a plugin
  • I noticed several typos along the way! 😆

The Plugin’s First Security Issue: SSRF

I got contacted late last week by a penetration tester named
Magnus K. Stubman, via my blog’s contact form, saying:

Hi, I’ve found a security issue in one of your plugins. Reach back to me at xxxxx if you’re interested in the details. If I don’t hear back from you within 5 days, I’ll assume it’s OK with you that I publicly disclose the issue.

😱😱

I was a little worried it was a phishing attempt, but the sender seemed legitimate.

So I replied and he pointed to an “unauthenticated SSRF that can be turned into XSS.” …I had to ask DuckDuckGo what that meant…

SSRF stands for “Server-Side Request Forgery”, meaning a hacker can make the server send a request to something the hacker normally can’t reach directly. The quintessential example is getting the server to fetch something normally hidden on the server (like the WordPress database password in wp-config.php) and return it to the hacker.

In the case of Print My Blog, in order to print a different WordPress blog (the way deadeasyfamilyhistory.org does), users could input a site to print. When they did that, the plugin sent a request to that site to check it was a real WordPress site. That’s where the SSRF vulnerability was.

The fix was to just disable that feature, because most users of Print My Blog just want to print their own site, not be a service for printing other sites like Dead Easy.
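One way to keep a “print another site” feature while closing this hole is to vet the user-supplied URL before the server requests it. This is an added example, not Print My Blog’s own code; it assumes Node.js and its WHATWG URL API, and it checks only the literal hostname (resolved addresses and redirects need a separate check at connect time).

```javascript
// Added example (not Print My Blog's own code): vet a user-supplied "site to print"
// before the server requests it, so the request can only go to public web hosts.
const BLOCKED_HOSTS = new Set(['localhost', 'localhost.localdomain', 'metadata.google.internal']);
const PRIVATE_V4 = [          // [network, prefix length]
  ['0.0.0.0', 8], ['10.0.0.0', 8], ['100.64.0.0', 10], ['127.0.0.0', 8],
  ['169.254.0.0', 16], ['172.16.0.0', 12], ['192.168.0.0', 16],
];

// Dotted-quad string -> unsigned 32-bit integer, or null if not a dotted quad.
function ipv4ToInt(host) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  const p = m.slice(1).map(Number);
  if (p.some((n) => n > 255)) return null;
  return (p[0] * 16777216) + (p[1] * 65536) + (p[2] * 256) + p[3];
}

function isPrivateIpv4(host) {
  const n = ipv4ToInt(host);
  if (n === null) return false;
  return PRIVATE_V4.some(([net, bits]) => {
    const mask = (0xffffffff << (32 - bits)) >>> 0;
    return ((n & mask) >>> 0) === ((ipv4ToInt(net) & mask) >>> 0);
  });
}

// Returns { ok: true, url } for an acceptable public http(s) URL, otherwise
// { ok: false, reason }. The WHATWG URL parser already normalises odd IPv4
// spellings (decimal "2130706433", octal "0177.0.0.1") to dotted form.
function validateSiteUrl(input) {
  let url;
  try { url = new URL(String(input)); } catch (e) { return { ok: false, reason: 'not a URL' }; }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return { ok: false, reason: 'scheme' };
  if (url.username || url.password) return { ok: false, reason: 'embedded credentials' };
  const host = url.hostname.toLowerCase();
  if (host.startsWith('[')) return { ok: false, reason: 'IPv6 literal' };
  if (BLOCKED_HOSTS.has(host) || host.endsWith('.local')) return { ok: false, reason: 'blocked host' };
  if (isPrivateIpv4(host)) return { ok: false, reason: 'private address' };
  return { ok: true, url: url.href };
}
```

In a WordPress plugin the built-in equivalent is wp_safe_remote_get(), which runs wp_http_validate_url() against the resolved address and against redirect targets as well.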

After giving me time to fix the issue, Magnus disclosed the issue on his blog, and reported it to the vulnerabilities database cve.mitre.org.

Magnus’s blog, he’s a penetration tester, gentleman, and ASCII artist

In this specific case, I’m still not too sure how a hacker could exploit it. They can make older versions of Print My Blog send an HTTP GET request to any URL as the site owner, but they can’t see the result of that request. I think they would also need to find some site (behind the same firewall as the server running Print My Blog) where just receiving a request would change something normally prohibited (like creating a new blog post or user). So it’s clear the security bug had the potential to be a definite concern, but it would take a bit more know-how than I have to exploit it.

Oh and in a side note, the discovery of this security issue led me to invest a little more time in looking for other security problems. I signed up for coderisk.com. It automatically checks your plugin’s code for security issues. It was quite a good experience so far, and it did find another security issue which got patched in 1.6.8.

WP Engine and Print My Blog

Also interestingly, Anthony from WP Engine contacted me about the security issue (this was actually kinda cool; it means they took notice of my hobby project!). He also used my blog’s contact form (glad I have it! It allows anyone to reach me privately without my giving out my email address publicly). He said WP Engine have site owners using Print My Blog, but they’d be encouraging them to update.

I said thanks for that, and brazenly suggested they sponsor the plugin too.

Thanks Anthony! No questions. Except “Would WPEngine like to sponsor the plugin?” 😉 It’ll get your logo in front of about 300 site owners (many of whom are closing their sites down, hence why they’re printing their site, and possibly looking for new hosting) for $25/month. See https://opencollective.com/print-my-blog#about

Either way, thanks for reaching out!

Anthony said he’d pass the info on to their Affiliate team. (It’s a long shot, but if I don’t ask the answer will definitely be “no”.)

Improved JSON Parsing

Also this month the plugin got its first non-5-star review ☹️. Print My Blog wasn’t working on the user’s server, and they thought it was because the site was in Greek.

I investigated the issue and saw a Javascript error relating to Google reCAPTCHA originating in some Contact Form 7 code, but it turned out to be a red herring (even if there’s a fatal error in one script, code from the other scripts on the page continues to work fine… so in this case, a fatal Javascript error isn’t so fatal after all!)

Finally, I noticed the error was from the CataBlog plugin sometimes dumping some script tags into WP REST API JSON responses, like so:

<!-- CataBlog 1.6.7 LightBox JavaScript | http://catablog.illproductions.com/ -->
var js_i18n=new Object; js_i18n.prev_tip="You may also press "P" or the left arrow on your keyboard"; js_i18n.next_tip="You may also press "N" or the right arrow on your keyboard"; js_i18n.close_tip='Close LightBox Now'; js_i18n.prev_label='PREV'; js_i18n.next_label='NEXT'; js_i18n.close_label='CLOSE'; jQuery(document).ready(function(){ jQuery('.catablog-image').catablogLightbox(); });
<!-- End CataBlog LightBox JavaScript -->

<!-- CataBlog 1.6.7 LightBox JavaScript | http://catablog.illproductions.com/ -->
var js_i18n=new Object; js_i18n.prev_tip="You may also press "P" or the left arrow on your keyboard"; js_i18n.next_tip="You may also press "N" or the right arrow on your keyboard"; js_i18n.close_tip='Close LightBox Now'; js_i18n.prev_label='PREV'; js_i18n.next_label='NEXT'; js_i18n.close_label='CLOSE'; jQuery(document).ready(function(){ jQuery('.catablog-image').catablogLightbox(); });
<!-- End CataBlog LightBox JavaScript -->

https://www.mnimes.org/wp-includes/js/jquery/jquery.js?ver=1.12.4{}

which meant the Print My Blog Javascript wouldn’t know how to handle/parse it.

I was previously handling polluted JSON similar to this, but this case was trickier because that initial “pollution” contained a “{” character, which could mean the start of JSON.

So I modified the code to recursively search for valid JSON substrings. I updated my blog post on how to do that, so you can look over there if you’re interested in the solution.

Most readers are probably just interested to know: even if other plugins are interfering with proper WP REST API JSON responses, Print My Blog should now continue to work fine.
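To show the “search for valid JSON substrings” idea concretely, here is an added example that is not the plugin’s own code. It embeds an abbreviated copy of the CataBlog output quoted above, followed by a constructed two-post array standing in for the real REST API payload, and picks the longest substring that JSON.parse accepts so the “{}” glued to the jQuery URL does not win.

```javascript
// Added example (not Print My Blog's own code): recover the JSON document from a
// WP REST API response body polluted by another plugin's script tags.
const SAMPLE_RESPONSE = [
  '<!-- CataBlog 1.6.7 LightBox JavaScript | http://catablog.illproductions.com/ -->',
  "var js_i18n=new Object; js_i18n.close_tip='Close LightBox Now'; jQuery(document).ready(function(){ jQuery('.catablog-image').catablogLightbox(); });",
  '<!-- End CataBlog LightBox JavaScript -->',
  'https://www.mnimes.org/wp-includes/js/jquery/jquery.js?ver=1.12.4{}',
  // Constructed stand-in for the real posts payload that followed the pollution.
  '[{"id":12,"title":{"rendered":"Hello {world}"}},{"id":13,"title":{"rendered":"Second"}}]',
].join('\n');

// Index of the bracket balancing the one at `start`, ignoring braces inside
// double-quoted strings (and escaped characters); -1 if it never balances.
function findBalancedEnd(text, start) {
  let depth = 0, inString = false;
  for (let i = start; i < text.length; i++) {
    const c = text[i];
    if (inString) {
      if (c === '\\') i++;
      else if (c === '"') inString = false;
    } else if (c === '"') {
      inString = true;
    } else if (c === '{' || c === '[') {
      depth++;
    } else if ((c === '}' || c === ']') && --depth === 0) {
      return i;
    }
  }
  return -1;
}

// Try every '{' or '[' as a start and keep the longest substring JSON.parse accepts:
// the "{}" glued to the jQuery URL is valid JSON, but the posts array is longer and wins.
function extractJson(body) {
  let best = null, i = 0;
  while (i < body.length) {
    if (body[i] !== '{' && body[i] !== '[') { i++; continue; }
    const end = findBalancedEnd(body, i);
    if (end !== -1) {
      try {
        const value = JSON.parse(body.slice(i, end + 1));
        if (best === null || end - i > best.span) best = { value, span: end - i };
        i = end + 1;  // anything inside a parsed value is a smaller sub-value
        continue;
      } catch (e) { /* not JSON from here; keep scanning */ }
    }
    i++;
  }
  return best === null ? null : best.value;
}
```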

So, problem solved (a problem which turned out to actually come from another plugin). But alas, the reviewer has yet to update their star rating. That’s a little upsetting, but that’s life. I’m happy to have joined the “plugins where someone left a (seemingly) unfair review” club.

Also, while debugging the previously-mentioned issue, I realized the print page wasn’t rendering the WordPress footer. That’s where many Javascript scripts are rendered, so adding it may fix some plugin compatibility issues. One obvious change is that if you’re logged in, the logged-in navigation bar now appears.

So, another benefit from being attentive to users’ needs (even if it hasn’t gotten the 3-star review changed to a 5 yet!)

Thinking Out Loud

I got some feedback on my idea to sponsor development entirely via donations from a few people.

Mateo Duò commented

The sponsorship/donation models could be a neat way not only to generating some steady revenue, but also a solid way to build relationships with other companies and brands. That’s where sponsorships get more interesting in my mind.

From that, I understand he suspects donations from users will probably be less rewarding financially than sponsorships from other companies and brands looking to get noticed and build a positive reputation.

If I were able to attend more WordCamps it would probably help greatly in building connections that could lead to sponsorships. But alas, with 3 kids under 6 at home, my priorities and time are still quite focused at home. But I can still do my best from home.

Also, I think companies and brands will be more interested in sponsoring as they see Print My Blog becoming a bigger deal.

Mario Peshev and I started a short discussion on Twitter (btw, the conversation started because I had a question about his book, and somehow the conversation turned to this side hustle of mine.) He said

Profitability in the WordPress ecosystem is one of the hardest endeavors I’ve ever encountered.

We all know about the “race to the bottom” but technically, it’s race to the freedom. The mentality for giving back is missing.

For the most part, it’s about “commercial value” and “audience”.

The default WordPress user isn’t going to generate recurring profits from their website. Consider all applications of WordPress – link building satellite websites, blog spinoffs, students’ school projects, yada yada. A small chunk of them are actually designed to make a real profit (or at least have the potential to).

The way forward is focusing on paying audiences and a product business that can 1) scale, 2) has a large enough potential market cap, and 3) notably reports a positive ROI

My 2 cents at least. In your case, the general user who wants to print their blog is likely looking to shut it down or the like. Now, publishing firms may be a different target, which is where a SaaS licensed option may work better than sponsorships, but you get the point I guess.

Nevertheless, I’d love to see the experiment evolving for a few more months.

So most WordPress users aren’t actually making money using it, and so likely won’t be willing to spend much on it either, much less donate to it.

If I want to make an income, I need to focus on meeting the needs of companies and agencies, especially publishing firms. Using a more typical licensing model would be more likely to be profitable than seeking sponsorships.

One trouble with that, for me, is that I don’t know what publishing agencies’ needs look like at all. So I’d like to continue this experiment of financing it via sponsorships alone, because it has a lot of theoretical upsides. But I’m aware I might never find a way to make it sustainable.

Priorities

What’s up next?

Loading Dynamic Javascript From the WP REST API

An ongoing issue with the plugin is integration with plugins that require dynamically-added Javascript in order to be displayed properly. An example is Foo Gallery.

I have an experimental version that adds the currently enqueued scripts to the WP REST API JSON response, and then dumps them into the page, and then they get executed. The trouble is it loads the Javascript in a different order than normal web requests, which sometimes doesn’t work, depending on the code. Anyways, that’s my main priority with the code currently. Please let me know in the comments if you’d like to suggest something else!

Getting Sponsors

Right now I’m just working on this plugin in my “spare time”. But I can work anytime from anywhere, and when I’m not working it’s actually probably best for me to spend some time with family. So it’s helpful if I could be compensated for my time working on this side project.

While the active installs have been growing steadily, donations have totally stopped. I don’t expect everyone to become a sponsor, but some percentage like 5% would really help this become sustainable.

I’ve been tempted to blame others for it not going too well. E.g., “Users just don’t ever want to give back!” But I’m realizing I need to take more ownership of it. Instead of blaming others, I need to focus on what I can change to improve it.

So that will also be a focus in the coming month.

Thoughts?

I’ve basically resolved to not work on anything unless a user specifically requests it, so if you see anything that can be improved, please speak up! And thanks to all those who have already spoken up in the support forums and on my blog posts.

3 thoughts on “Print my Blog Plugin Transparency Report – April 2019”

  1. Hi, Love this plug-in. I used it to get at least half of my 6,500 posts printed. But. Something happened mid-way through. When I fixed the issue though, print my blog started again at the beginning. I need a way to set a starting point where it stopped. By date. Or by url. Or something else.

    1. Hi Charles thanks for the feedback. Ya a few people have requested filtering posts by date, so I’ll need to find time to add that.
      Also, is it still stopping halfway? If not, did you figure out what the problem was?
