1. No. We exclude a lot of “temporary” sites, including localhost type installs.
2. No. As for how we tell if it’s fake or not, I’m not going to tell you, for what should be obvious reasons.
But yes, it’s totally possible to send a bunch of fake data to the system. It’s been done before. We would eventually find it, and your plugin or theme would get removed and banned for such, so.. kind of a bad idea?
We check up on things when they look like they’re faked, but understand that your views on downloads aren’t evidence. We can examine the data directly and manually when needed, as well as have various scripts to examine it for us in such cases.
However, note that downloads is a raw number. If I have 3000 active installs and I make 4 updates, that adds 12000 downloads to the count. So, there’s no real correlation between downloads and active installs.
Active installs can even be higher than the total number of downloads, and this is often the case when a new theme enters the directory. Themes can get released by their authors separately, gain a following, and then get put into the directory later, after they already have a large number of users. Some plugins have done this in the past too. Also consider that plugins or themes may be made by hosting companies, who put them on their users sites automatically during installation, and then they might do their own in-house update process instead of having those sites download from ww.wp.xz.cn.
So, the reality is more complex than just download numbers vs active installs. Nevertheless, we do monitor it and notice when things go weird. 🙂
Hi @otto42
Thank you for your explanation.
I know that you are the developer of the WordPress Active Install check script and you are the right person that can help us regarding our concern.
First I should say that yes I know that only plugins that use the wp.org for updates will count as an active install and I checked some of the plugins and found some of the plugins that are doubtful.
Please let me know if someone writes such a fake generator request scripts then he can send requests as a normal request too, so it is not possible for you to check is it a normal or a fake request.
1. If you do not check the IP of requests so it will be so easy to send fake requests to the server, like using a TOR IPs or residential IPs
2. I don’t know is it possible to send a request with a real site IP but maybe a professional hacker can do it. Fakes a real site IP address and sends a request to the server by that site IP so it will be as a normal site!
3. He can send these requests to a bunch of plugins and you could not detect it and delete his plugin too!
4. He can use this script to send fake requests to a plugin and when you check that plugin you will delete that plugin accidentally.
5. You don’t have any reporting system inside the plugins page so users can not report it. When someone reports it, first your scripts will check for fake active installs and then someone checks it again if it is suspicious.
Please let me know your feedback.
Thanks.
Please let me know if someone writes such a fake generator request scripts then he can send requests as a normal request too, so it is not possible for you to check is it a normal or a fake request.
Of course we can check whether requests are fake or not. It’s really obvious too. You’re just not seeing it. That’s okay, not everybody will. In any case, we can tell, and that’s all that matters.
If you have any doubts about a specific plugin, then you can email [email protected] and they can have a look for themselves. But realistically, faking the numbers doesn’t happen here. It’s not worth it. These are free plugins on free hosting. Such shady marketing tactics don’t gain enough to be worth it.
