Firstly, apologies to anyone who has visited this site in the past few months and experienced pop-up advertising of various kinds. I’d been very busy on projects and hadn’t had time to check the site, and all this had gone under the radar. Google’s search indexing now hates me for it.

 

What had happened was my site has a plugin to check that people filling out the contact form are actually genuine people and not scripts or programs spamming me.  I’d installed one of the commonly available (and recommended) plugins from the WordPress plugin library called Sweetcaptcha about a year ago.

 

It looks like someone has since bought out or obtained the Sweetcaptcha business, and has then updated the plugin to include some scripts for this pop-up advertising, presumably so that they can start getting some revenue from their business acquisition. It’s usually best practice to update your plugins whenever WordPress updates. On a WordPress update I’d then clicked to update plugins, and this is when the Sweetcaptcha plugin updated, and this version had JavaScript file includes which pulled in the advertising.

 

What’s even worse was that these JavaScript files took incredibly long to load. Google’s site performance tool was the first thing that I noticed; it started alerting me about response times. I initially thought perhaps a problem with my hosting, then the ads came. It took literally hours for me to find that it was actually the Sweetcaptcha plugin that was injecting these JavaScript files. As soon as I removed it the response times went from minutes to seconds and the problem went away.
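Editor's added example (not part of the original post, and not code from WordPress or Sweetcaptcha): a check that lists every `<script src>` in a saved copy of a rendered page whose host is not the site itself or on an allowlist, which is the quickest way to spot a plugin that has started pulling in third-party JavaScript. The function names, host names and sample HTML are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class ScriptCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in a page."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names for us.
        if tag == "script":
            src = dict(attrs).get("src")
            if src:  # inline scripts have no src and are skipped
                self.sources.append(src.strip())


def unexpected_scripts(html, page_url, allowed_hosts):
    """Return sorted absolute script URLs whose host is not allowlisted."""
    collector = ScriptCollector()
    collector.feed(html)
    allowed = {h.lower() for h in allowed_hosts}
    allowed.add(urlparse(page_url).hostname)  # the site's own host is trusted
    flagged = set()
    for src in collector.sources:
        absolute = urljoin(page_url, src)  # resolves relative and //host/ forms
        host = (urlparse(absolute).hostname or "").lower()
        if host not in allowed:
            flagged.add(absolute)
    return sorted(flagged)


# Constructed sample page: one local script, one approved third party,
# and two hosts the site owner never approved.
SAMPLE_HTML = """
<html><head>
<script src="/wp-includes/js/jquery/jquery.js"></script>
<script src="https://stats.example.com/analytics.js"></script>
<script src="//captcha-widget.example.net/loader.js"></script>
</head><body>
<script>var inline = 1;</script>
<SCRIPT SRC="http://ads.example.org/pop.js?id=1"></SCRIPT>
</body></html>
"""
PAGE_URL = "https://myblog.example.com/contact/"

if __name__ == "__main__":
    for url in unexpected_scripts(SAMPLE_HTML, PAGE_URL, ["stats.example.com"]):
        print("unexpected third-party script:", url)
```

Running this against a saved page before and after a plugin update, and comparing the two lists, shows which update introduced a new script host. It only sees scripts present in the static HTML, so anything a loader script adds at runtime needs a browser's network panel instead.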

 

Other users have had the same problem:

https://wordpress.org/support/topic/sweetcaptcha-injecting-pop-up-ads-on-purpose

 

https://blog.sucuri.net/2015/06/sweetcaptcha-service-used-to-distribute-adware.html

 

I guess this highlights the dangers of using open source or free software, and frankly I’m quite embarrassed that this has happened. I will remind myself that software that is free usually has the cost recovered somewhere. There is no such thing as true altruism! Facebook sells your data to marketing companies, and Google tracks your emails and search results and does the same. I went to sign up to Plev.tv the other day, then found that my IP, movie metadata and all kinds of information gets sent back. In the case above these Sweetcaptcha guys rope you in with a nice free plugin and then down the track fill the thing with ads, effectively wrecking your site.