After noticing suspicious review activity for the AccessiBe plugin, accessibility consultant Joe Dolson reported the fake reviews to WordPress.org’s plugin team. The reviews were removed in under 48 hours, thanks to Dolson’s detailed research.

At the time of reporting, Dolson found 31 five-star reviews, 2 four-star reviews, and 2 one-star reviews. After putting these into a spreadsheet, he found certain correlations among the first 11 five-star reviews:

  1. All eleven user accounts I viewed had a common pattern of registration and use: between zero and 3 support topics raised and 4-7 reviews over the last 18 months.
  2. Every one of these eleven accounts had at least one point of overlap with another user in that group. That is, for each plug-in or theme interacted with by one of the accounts, at least one of the other accounts also interacted with that plug-in or theme.
  3. Multiple accounts had submitted one-star reviews on another plug-in, and in a quick assessment of other one-star reviews on that plug-in, I quickly found another account that had also submitted a five-star review on AccessiBe.

Approximately 33 reviews were removed from the AccessiBe plugin’s page after the report. Plugin team member Mika Epstein said that the team “passes the reports to a volunteer who is amazing at hunting down VPNs and IPs for that.” She also recognized Dolson’s legwork and reporting as being instrumental in this particular case.

Dolson allowed me to view his spreadsheet, where he logged URLs for each suspected fake review, along with dates and reviews left on other plugins. These were not saved to the Internet Archive, but Dolson said they were all “pretty generic,” and that each one was a one-sentence review. The user profiles still appear to be there but do not have any activity listed.

“As a WordPress plugin author myself, I find the investment in falsifying positive reviews irritating,” Dolson said. “What some of us work for, they are simply buying – the appearance of a good product without the labor of winning customer opinion.

“I found the evidence of a hatchet job conducted systematically against another plugin chilling, however.”

The AccessiBe plugin is active on approximately 3,000 sites. Accessibility advocates have long held a certain amount of animosity towards the way its creators market the plugin as a quick fix solution, claiming it helps “mitigate the risk of lawsuits.” AccessiBe also has a well-documented history of paying for positive press. Dolson and others deeply involved in WordPress accessibility keep tabs on the plugin, which is how he came across the suspicious activity.

Soliciting paid or fake reviews is not a new infraction, and it has been explicitly forbidden in the directory’s guidelines for years. This falls under guideline #9: Developers and their plugins must not do anything illegal, dishonest, or morally offensive, which includes “Creating accounts to generate fake reviews or support tickets (i.e. sockpuppeting).”

Fake and paid reviews are a blight on any marketplace, and pop up now and then on the theme and plugin directories due to the power of WordPress.org as a distributions channel for freemium products. It makes it more difficult for the consumer to get an accurate understanding of the quality of the the product, but it’s not always easy to identify who commissioned the fake reviews.

Any user can help ensure the plugin directory has fair and honest reviews by flagging those that look suspicious. In the sidebar of individual review posts, logged-in users can flag a post for consideration. WordPress.org doesn’t often announce when it takes action to remove reviews but should confirm having received the report. In a rare case like this, Dolson’s writeup gives the wider community a glimpse into what it takes to track down fake reviews and get them cleaned up.