I am fucking flabbergasted.
As you well know, good reader, Papers & Pencils was recently hacked. I had to tear the whole site down before I could start to fix it. Obviously I made backups before I deleted everything.
Because the default WordPress backup system does not save images, my primary backup method was an addon called “All in One WP Migration.” With over a million installs, a 4.8-out-of-5 satisfaction rating, and a frequently updated version history covering many years, it seemed a safe option. My data was backed up smoothly, and I’ve currently got a 2.55gb backup file sitting on my desktop.
After the backup was completed I deleted the database on my server, as well as all the site files, and installed a fresh WordPress on PapersPencils.com. Among the first things I did with this fresh install was add the All in One WP Migration plugin and attempt to import that file. An error message popped up informing me that importing from a file would require me to install a separate “importer” addon. This already struck me as skeevy. If such a thing was necessary, why wasn’t it mentioned in any of the documentation I read? Why did the base addon include an “Import” option if that option did not exist?
Clicking the provided link leads to this page.
It will cost me $69 USD to import a file larger than 512mb.
Again: the Papers & Pencils backup file is 2.55gb in size. It is a file the All In One WP Migration addon was able to create easily. A file which is currently stored on MY hard drive, which I would like to upload using MY bandwidth, onto MY server. At no point would any of the addon creator’s resources be used, aside from the code itself which was provided on the explicit understanding that it would perform its job free of charge. No strain would be placed on them for a 2.55gb website that would be greater than the strain for a 20mb website.
Nowhere on the download page is this mentioned. Looking everywhere that a person might be reasonably expected to look while making their backup, I cannot find any reference to this fee.
Essentially, my website is being held hostage.
Reading through some of the addon’s reviews, this seems to be a recent change. Perhaps within the last few months, which would explain how they’ve managed to garner such a positive reputation. The funny thing is that if they’d simply been up front with me, if they’d told m
I sincerely doubt that this is legal. I further doubt that it’s acceptable within WordPress’ own ToS for plugin authors. I don’t see an easy option available for reporting malicious plugins to WordPress, but I’ve gotten in touch with them via Twitter to ask how best to report.
Fortunately for me, I’m paranoid enough to create multiple backups in multiple formats. In addition to this scammy plugin, I also used WordPress’ native backup tool (which does not back up any media), as well as doing a full scrape of my site (which did back up media, but cannot be automatically imported back into WordPress). So everything of value has been saved, but it will all require manual adjustment to make it properly presentable.
My current plan is to work on manually adjusting the last 2 years of posts before I relaunch the website. That will cover most of the work that is commonly linked to. Then, while the website is online, I can pick away at fixing the less popular and more numerous posts of the 5 earlier years of the site. Whee.
I’m not too worried about myself in all of this, to be honest. I’ll be fine. But the word should be spread far and wide that this “All in One WP Migration” plugin is not trustworthy.
UPDATE: This morning I checked back to see if there was any reply to my review on wordpress.com calling this addon a scam. There is not, but there are two 5 star reviews there to bury my review, and another similar review made shortly after mine.
Both 5 star reviews were left by accounts with borderline nonsense names, which appear to have been created for the sole purpose of leaving these reviews. Obviously they are fake.