Posted on

404 to 301 Plugin Detected by WordFence – Here is What Actually Happened

Explanationq

Hello WordPress users, hope you are doing good!

Here is what I have learned today:

There are people, making money from other’s mistakes, instead of correcting them.

 

This evening, when I opened my email inbox, I was shocked to see that there were 20+  email notifications from WordPress.org. All of these were NEGATIVE reviews about my most popular plugin, 404 to 301 which is being actively used by 70k WordPress users. I immediately went through few of them and found that the source was one WordFence article stating that 404 to 301 Plugin Considered Harmful

I was shocked again! What? My plugin? How? I quickly went through each review and found that most of them were on the same topic. From the WordFence article, I understood that it was the usage tracking feature being the culprit, hence making a negative impact on my profile. It was injecting third party ads and links to the page when the user’s website was being crawled by Search engine bots. It was not visible to normal users.

Reading WordFence’s scary article, which could create panic among users, they started pelting stones at me by flooding negative reviews even if they are not using/used the plugin. I have immediately found and removed the tracking feature completely and updated the plugin. But unfortunately, WordFence made a huge negative impact and that has made users hate me. I started replying to all of their comments, reviews and emails. But still, negative reviews and comments kept coming in.

Now I realise that it is my responsibility to explain what happened with my plugin. So I thought of writing this blog post and let the 70k+ users know that the plugin is safe to use and what was happening before.

So here is what happened:

A few months back, I made an agreement for a partnership with anther WordPress plugin developer. He needed few usage statistics (it was only visitors User Agent and IP address) of the plugin for his business. For me, it was fine as far is did not violate WP.org guidelines and did not break into the plugin users’ privacy. He did not want to add his own wp.org account as a committer for the plugin. Instead, we used same account (my account) to commit both his code and mine. Upon installation, the plugin was asking users to agree or not agree to track their anonymous data and place small third party texts (which was used to add credits). He said it will be adding only a small text and when I did test it, everything was perfect and working. Till yesterday, it was working and no-one ever reported this issue before.

Yesterday, someone noticed that this plugin is injecting third party ads and links to the front end when search engine crawlers were visiting their website. These links were detected by spam filters. So 404 to 301 became fraud; so am I, the developer. I found that the links and ads are being shown at the top of the page content instead of showing small credit text at the very bottom, for crawlers. So, he made changes in his server to send ads & links as the response. Yes, I clearly understand that this is cheating and someone who does this should be called as a spammer. But in this case, I was honestly not aware of this. I take the blame for that. Changes were not a result of the plugin code but from his server.

I made 3 mistakes:

  1. Used same account for all commits.
  2. Misunderstood the WP guidelines about remote content loading.
  3. Did not properly verify the remote server response, frequently.

I believe that the WordPress community will accept the fact that people make mistakes. I spent a lot of my hours to develop, maintain and support this plugin FREE of cost. So a small security issue which was unknowingly available in my code should not be treated like this. At least, I have fixed the issues right after the email notifications. The tracking feature is not at all available in our plugin right now.

The saddest thing was that even people who never used this plugin were simply posted negative reviews and those were more than 30 in number. People were started attacking me through Facebook, Twitter and through email. Someone sent me an email stating that “We will destroy your business”.

WP.org response:

Mika from WP.org team then contacted me and discussed the issue. I explained what actually happened to them. They understood the situation and they were gentle enough to accept the mistake and value the efforts. They explained WHY it was a bad thing.

They said,

First, we had NO idea WordFence was going to post. They didn’t warn us, and we informed them that proper behaviour is to talk to YOU first, then if you don’t reply (or they can’t find you), they could contact us and WE will talk to you.

Then they said,

Second, why is this wrong? Well as far as I can sort out, the “Enable UAN” feature is what does the tracking and 3rd party ads. Now, 3rd party ads at all MUST be optional and they cannot track users. We’re in the middle of re-writing our guidelines for clarity.

I respect the WP.org team.

If services like WordFence really care about the security and value the developer’s efforts, they should have contacted me instead of making a huge customer base from that security vulnerability. Or even if they were not interested in talking to me, they could have contacted the WP.org team before making this a public show. They even deleted my explanation comment at once and waited for people to comment bad things. Then, they published my second comment. If you go through the comments of WordFence article, you can see that they gained few new customers from their Super Hero action and my hours of hard work for the community and reputation went down.

This statement from WP.org team gained a lot of respect for them.

I’m very disappointed in how WordFence decided to bring people’s attention to this and said as much to them. It sounds like you made a mistake. This happens. We don’t expect anyone to be perfect 🙂

Update: WordFence just published another article explaining why did they publish the article without informing the plugin author(that’s me). After reading this explanation, I support their act, even when it is completely against me. Mark from WordFence said, he made no attempt to notify me, assuming that I already knew this spam. As I have mentioned in this article, I knew this plugin was showing credit text, but never knew it was showing these spam ads and adult content. I didn’t know it was cloaking. I misunderstood the guidelines and thought to show credit text/links are not illegal and I saw this same message in ToS.

I apologise,

  • For making a BIG mistake that I could have avoided easily.
  • For making a lot of users to look for alternative plugins.
  • For not detecting this issue by myself.
  • To the website owners, if you are affected by this incident.

I promise,

  • I will never share plugin commit access to others without having my control over it.
  • My plugins will never break any WordPress plugin guidelines.
  • My plugins will not break into users privacy.
  • My plugins will be up to the coding standard that WordPress suggests.

And I thank,

  • WP.org moderators for understanding the situation and dealing with false reviews from people who never used this plugin.
  • WordFence for reporting this.
  • Alexandar Gounder for the advice and encouragement he gave.

So, I really request you to accept this explanation of what happened and I promise that I will not let something as such happen in the future.

Feel free to add your concerns and comments below. Thanks!

77 comments 404 to 301 Plugin Detected by WordFence – Here is What Actually Happened

  1. I came here because of the WordFence article, even though I don’t use your plugin. I do use WordFence, and I have to agree that they were in the wrong in how they handled this. They should contact the developer first. I am very happy to know that you responded quickly, and resolved the issue. I hope their article does not do too much damage. Many people won’t dig this deep to get both sides of the story.

  2. Since I could not comment on the WordFence site, here is what I wrote to them in your defense:

    Hi. I just read your article about the 404 to 301 plugin. Afterward I did a search to find out more about the plugin, just out of curiosity, since I don’t use it. I found an article written by the author that explains what happened, and that he has already fixed it. He was not even aware that it was happening. Your article made it sound like it was deliberate and intentional on his part. You may not have said as much, but that is what people are going to assume. It was an innocent mistake.

    I think you owe him an apology because according to him you did not even contact him first, but instead just posted an article which may have damaged his reputation as a plugin developer.

    I went to your article to comment and saw that you’ve disabled comments. So the only ones that remain are ones with people bad-mouthing the developer and the plugin. Seems very one-sided if you ask me.

    I appreciate your plugin, and the protection it provides my sites, but I hope you will reconsider how you approach these security articles in the future.

    Kenny Ray

    1. Hi Kenny,

      Thank you so much for the support you are giving. I respect you for taking time to understand both sides. I respect you for trying to help me by contacting WordFence. People like you, are really an inspiration for me.

  3. I don’t believe you.

    It was right in the terms of use that your plugin would do this. Are you saying you weren’t a part of making up the terms of use for your own plugin?

    If someone supposedly did this evil thing without you knowing about it, then why would he or she even care to add the following words to the terms of service: “Third party text networks supply text for display in 404 to 301. These networks may collect your visitors’ IP addresses, in native or hashed forms, for purposes of controlling the distribution of text links. 404 to 301 collects anonymous aggregated usage statistics.

    By clicking the button here below, you agree to the terms and conditions and give permission to place text links on your website when search engine crawlers access it.”

    And why would you think Wordfence should have contacted you first before warning their users about your malicious plugin? Are you serious? It’s their job to warn people about this kind of stuff. They are doing a great service by letting people know about this. And here you are trying to make them look like the bad guy for doing their job.

    You can say you didn’t know about it. But I find that very hard to believe. It would have been more believable if the terms of use did not contain any information about it. But because that information was there, I don’t believe you didn’t know what was going on.

    1. Hi Unknown(Respecting your privacy),

      Thank you for your comment. As I have mentioned in this article, I WAS AWARE about the TOS, but it was not for placing advertisements like this. It was asking permission to place a small credit text link at the bottom(and that too were WRONG, which I misunderstood before). But he changed the server side code and pushed advertisement spam into user’s websites later.

      Now only I realised that it was even wrong to place any link in users website. But the issue here was not that.

    2. Sorry But as a Developer I agree with Hard to Believe. It was in your ToS. So you knew and if you didn’t know you have a lot to learn. I thank WordFence for putting the security of our websites before anything else.

  4. This is a good post about a bad situation. I appreciate that you were willing to explain how the mistake got made. I hope other plugin authors will read this and be more wary of some of the offers we get from time to time like the one you got, which lead to this. That is after all, the point of discussing security issues — after they are patched — so others can learn from the mistake.

    Irresponsible disclosure of unpatched & unreported security issuesdon’t, on the other hand, do not help anyone.

    1. Hi Josh,

      Thank you for you valuable support. Yes, I learned from my mistake.

      Btw, one of my friends suggested me your Caldera Forms plugin last week. It is awesome man. Plenty of options 🙂 Also, I have just read your interview with Freemius. Keep up the good work, Josh.

  5. A winner is not someone that never falls. A winner is someone that falls, wipes the sh*t out of his face, stands up, takes responsibility for what happened and continues to advance.

    And you, Joel James, are a winner!

    That is not the first (or last ?) time we see this kind of propaganda from WordFence. That is pretty sad and dishonest.

  6. Thanks for the detail response. I still don’t understand why on earth you would let other developer (who is not your partner or team-mate, I I understood correctly) customize your code, and commit that yourself and don’t even review properly. But good part is you removed that feature right away. Also in very basic thinking the idea you agreed upon from that developer is very wrong, weather its top of the page, or bottom. This is direct violation of Google Best Practice. And please look it positively, person like me, who had no idea about your plugin is now going to test and possibly use it. See, there is bring side of everything. WordFence is going nuts these days. and I think you could successfully convert this negative marketing into useful marketing! Lol!

    1. Hi Asif,

      Yes. I made that mistake Asif. But it was not the big issue here. Issue was, when he pushed advertisements from the remote server to users website instead of credit text link(now I understood even showing credit link was wrong), without my knowledge. Anyway I removed the mess completely.

      Thank you for your positive comments and advice Asif 🙂

  7. Hi Joel,

    Thanks for the very clear write-up and explanation. It’s a relief to know that you didn’t intentionally put sneaky ads in your plugin and that it was a colleague.

    One thing still mystifies me: Why did you agree to have a 3rd party insert tracking code in the first place? Was there any financial renumeration?

    You’re under no obligation to reply of course. However if you are coming clean about the whole affair, it would be informative to know whether or not greed played any part in this debacle. I too develop free services, with combined membership of over 480,000 people. The temptation to sneak something in (e.g. at the bottom of a TOC) for financial gain is tempting — but the responsibility of being a free software author is to resist that temptation.

    1. Hi Canton,

      Thank you for your comment.

      There were no direct financial remuneration but, being frank, Yes, there were benefits. I don’t think greed played any part here. But I should concentrate on being a free software developer like you said. Thanks for your advice Canton.

      1. And thanks for giving such an honest reply to a very direct question., Joel. i am a big fan of your Plug-in.
        And I agree with the gentleman who described you as a winner. and for the reasons he gave.
        I wanted to post this comment to WordFence article. (now I will follow Mr Kenny’s example and email them instead ). : I believe the reasons given. by the plugin developer. I have had dealings with Mr Joel James due to problems with understanding redirects on the website. He has always been courteous, prompt and helpful with support. I should also add generous with his time. In addition, we decided to entrust him temporarily with the password for the dashboard and found him to be a person of integrity’ completely above reproach. This was, I believe an unfortunate and possibly foolish mistake but I think you should have contacted him first before going public with that post.

  8. Joel,
    Being a developer I can certainly understand how something like this could happen. Although I would never give another developer in essence “keys to the kingdom”. I also learned my lesson the hard way.

    I thought your response and explanation was very thorough and professional. Even though I do not use your plugin, (my redirects are built into my membership plugins), I would not hesitate using it in the future if it became necessary for me to have one.

    Wordfence could have, and I believe, should have contacted you before posting what they did. But I see both sides and their job is to protect their users which I’m sure prompted them to post first and ask questions later. They could not have possibly known the situation as you explained above and I’m sure most people would think that the plugin developer was responsible for the hidden links. I would like to see them edit the post and add a link to this page and let people decide for themselves if they would like to continue using your plugin after getting the whole story.

    Thanks for the explanation, and your obvious concern for your users. Don’t worry too much about this, you made a mistake, fixed it as soon as you possibly could, and explained what happened, how you fixed it, and why it will never happen again. There’s nothing else you can do. Having been in a very similar situation I know how you’re feeling, just know it will pass quicker than you think.

    Hang in there and keep writing quality plugins!

    Kind regards,
    Ken

    1. Hi Ken,

      Thank you. Thank you so much for the great comments.

      I have contacted WordFence to ask if it is possible for them to update the post and explain the situation, or at-least add a link to this article. But they never respond. Anyway I will take this incident as a BIG lesson and like you said, will keep writing quality code (y).

  9. I think that this is a very comprehensive reply. I can understand people been really upset and rightfully so, me included as I also use the plugin. I think you scored a very reckless own goal but you have also taken responsibility which is to be respected. Nobody realises the embarrassment of an own goal more than the person who scored it. There is a lot of lessons to be learned from this not least trusting a plugin because of its popularity or its ratings. I think Wordfence were right to report the plugin and also to report it quickly. I also think that an effort in contacting the plugin developer would also be the correct procedure and also allow a right of reply regardless of publication timings. The WP.org moderators carry weight with me and I respect their opinions and with that I will continue to use the plugin as a result of their input. I think Wordfence is a great asset to the WordPress community and so too are the thousands of developers like you who develop free plugins. Maybe Wordfence could see it possible to publish your explanation on their site also. It is not an excuse but it is an explanation! It would benefit all in the WordPress community to publish your notice and also teach us to be constantly vigilant. People mess up and sometimes thats ok too! Everybody can then make their decisions on how to proceed. The decision to use plugin or not will be the correct decision for them.

    1. Hi Edmund,

      Yes, the WP.org people were gentle enough and they reviewed the plugin. They also helped me to deal with the negative reviews flood, from people who never used this plugin. I have learned a lot lessons from this and will be more careful about the responsibility.

      Thank you so much for your comments.

  10. Hi.
    I havent used your plugin but came here also from wordfence announcement.
    First is your responsibility for making this mistake and giving part of your plugin in bad hand (as you say partner), you wasn’t serious and you disappointing many users!
    2. Wordfence disappointed me too (still congrats for finding this issue) with sharing this BIG news (for strengthen their costumer base) instead of contacting you first.
    3. If I was using your plugin I would continue using it as this problem is resolved and reviewed by WP team now, and im sure this wont happen anymore.

    So… everyone hope for few more bucks.. especially for people who provide great plugins for free.. but keep in mind that users security is the most important and you should find safe way to monetize your hard work.

  11. I never used your plugin, but just found out about the situation. The way Wordfence handled it was total BS and disrespectful to you and everyone else whom use your products. But most importantly, BRAVO to you for owning up to it, quickly removing the code, and apologizing to the community. We all make mistakes and nothing is more forgiving than handling it the way you did. Take care and best of luck going forward.

  12. Joel,

    I very much appreciate your post and explanation as to what occurred. I believe that rather than focusing on what was (in the past) we might be best to all agree to move forward and learn from any past mistakes, wrong assumptions, etc. and improve things as best you (and we) can. For those who choose not to trust you in the future, there’s nothing that can be done about that. For those that are able to give you another shot and move forward, then that’s the second option. Personally, I know that I’ve made mistakes in the past. And, I’ve also learned from them as well. Owning up to your mistake and taking ownership of it, is a bold move and to me, very much appreciated.

    I vote … to move forward and not tar and feather you for life. 🙂 (Well, at least not yet. LOL) I’ll be giving you another shot.

    Gary

  13. Hey Joel

    I read the Wordfence article and immediately removed the plugin from one of my sites. Then I read your comment in the article and noticed how it was just ignored. It seemed a little unfair. The I found this article and your explanation seem legit. Regardless, you have done the right thing and I will continue to use your plugin… because it works better then the others.

    It is never right to slander a person without contacting them first. This practice is all to common on the internet because people love a scandal. Trolls.

    You have handled this well so, Bravo. You have my support.

    Cheers,
    Steven

    1. Hi Steven,

      Sorry for breaking the trust you had. And thank you for still keeping the trust you had 🙂

      This incident thought me lessons, and I will move forward keep on improving the plugin.

      Thank you so much.
      – Joel

  14. Hey,

    I read the email blast from WordFence and I immediately noticed their grave mistakes from their very own announcement. I ignored it because I already knew what’s going to happen next, and I was correct in that this was an overblown and irresponsible reporting.

    If we are going to _Wordfence_ people, then one must know that with great power comes great responsiblity.

    Keep up the good work. A true champion is a person who can admit mistakes and refrains from destroying other people’s lives. You are that person, Joel.

  15. Hi Joel,

    Respect for owning the problem and rectifying. However, it would be helpful to add the date and version number of when the changes that lead to the injection were committed. We can then all assess whether this has contributed to any loss in ranking.

    M

    1. Hi Micky,

      Actually those changes were not from the plugin side. It was being pushed to the user’s website from the tracking server. I have asked him for the explanation and I will update this article then.

      The tracking feature was added from version 2.2.4 on 02/06/2016.

      Thank you so much for the comments Micky 🙂

  16. Thank you for your honest account of what happened. I hope you reported the other developer to WP.org moderators so they can take action if any.
    I’m a wordfence user and was a user of your plugin until this happened on all 18 of my sites that I admin.
    I will reinstall the plugin because it did a great job.
    Wordfence in my opinion did the correct thing they protected their users because you clearly had that notice in you tos that we clicked. even though you didn’t know they were spam links you did give out our IPs that’s why they didn’t contact you they believed you knew.
    that being said I will reinstall your plugin and watch it carefully.
    Mitch

    1. Thanks Mitch. Happy to know that you still keep trust 🙂

      Like I said, there was no WP.org account for that developer, for me to report to them. I will report, if I found this same thing on any other plugins.

  17. Hi, I do not use your plugin but I want to morally support you because from what I’ve read in both articles (Wordfence blog and yours) You had the courage to assume responsibility. Mistakes are made or not, we are all humans. On the other hand I’m not sure I can trust any plugins not even from wp repository. Why? Because even a security plugin can also be harmful and “flip the card” acting malicious after that asking for money to “clean” your website so yea… this world sucks.
    Thumb-up for your attitude and taking responsibility
    Thumb-up for Wordfence for detecting an issue (but handled it a little too rough)
    Good luck

  18. cant understand all the people saying YOU are a champion and a victim. I mean WTF. How many 1,000s of sites have had their rankings damaged by this?

  19. Hey Joel

    I´ve read this whole thing starting from wordfence point of view… but I know there a always another story to tell… and reading you I can see this was not an intentional situation… shame on the other developer… but you made al great mistake to share your account for commit code… Mistakes happen and they can greatly affect sites and business. I see that you corrected this and it was honorable from you to take time explaining all this messy situation…
    Many will hate you… others understand… but I think you learned the hard way not to share some things…
    Hope this mess will go away for you soon and keep providing us with great scripts….

    Don´t give up!

  20. Seriously dude? Your plugin has 70k installs (3 of them mine). Do you know what Google does to sites that use cloaked links? Let me inform you, Google basically kills those sites as far as being ranked and indexed. Do you know what happens then? Traffic (and the money they comes with it) goes away.

    So thanks for that….

    The fact that the wordpress guys left your plugin up after you screwed over thousands of people makes me rethink the whole WP infrastructure as a whole.

  21. Glad that you admitted your mistakes and have learned from them, but also glad that WordFence handled it the way they did. It was malicious activity deliberately built into the plugin. Users needed to be notified immediately. If you weren’t aware they were there, so be it, but you’ve also admitted you should not have shared access to your account, so the mistake is yours by your own admission.

  22. Hi,
    I found out about the incident on WordFences blog, but after reading both sides and learning about how it has turned out, I actually find your plugin really useful and I am going to install it on my site. An anonymous journalist once said “every report is an advertisement somewhere”.

  23. Joel, cut the babe in the woods act. You’re not fooling me. I don’t believe the WordPress plug-in repository did the right thing. It’s up to them to police things that are reported to them, however they are discovered and if anyone else finds something that’s violating a term of service or harming a WordPress website they don’t need anyone’s permission to out it to anyone. Let the consumer decide, and by the looks of the comments at the word fence site the consumers have decided. You are a grown man. You run a business. If you can’t be bothered to vet the people you hire to work on your precious code, the that says a lot about your naïveté and your business acumen.

  24. I’m ont going to comment on the issue itself. I think everything has already been said. In a sentence, my position is: I’m giving you the benefit of the doubt, but, as a developer, I just can’t understand how you can let someone control a piece of your plugin.

    The question I have is: who is the nefarious developer how did it? You said (s)he is a plugin developer; I’d be glad to know who (s)he is in order to avoid all plugins from this author.

    If you do not wish to disclose this information, I’d be curious to know how you handled the situation with him/her.

    1. Hi Julien,

      Thank you for the comments. I don’t have his wp.org username 🙁 I have discussed this with .ORG plugin team and given the details I have, to find his other plugins, if there are any. I will not be having partnership with him anymore.

  25. Sneaky TOS, why not code the ‘Credit link’in properly? Why link to another domain than your own anyway?
    BS. – You knew what you were doing and thought you’d black hat some $.
    If you didn’t know what you were doing then stop programming malware and learn to code properly.

  26. Your explanation for what happened is all well, except for this part:

    “He did not want to add his own wp.org account as a committer for the plugin. Instead we used same account (my account) to commit both his code and mine.”

    I mean, how can you ever accept anything like that from a total stranger that you probably have not even met? Isn’t it like if I got an text message from someone, asking to use my personal e-mail account to send a message to someone, because he do not want to create an e-mail account for himself?

    And still, after everything, you are still protecting this individual’s privacy?

  27. I read what WordFence reported, and I read your side of the story. Sorry, you don’t have a leg to stand on to defend yourself. You thought that there would be ads at the bottom of the page instead of the top of the page. This is an admission that you knew about these ads. What was the point of this plug-in any way? The public deserves to be warned, especially when Google rankings are at risk, and some sites might be blacklisted. YOUR plug-in was responsible for this mess! Yes, you made a big mistake letting someone else use your account to upload this plug-in.

    1. “You thought that there would be ads at the bottom of the page instead of the top of the page”

      Incorrect. I thought there will be credit text link(something like, “Powered by XYZ”. I never knew it was wrong, but now I realise the seriousness.

  28. I had been using this plugin and I deactivated it after reading the Word Fence article. But it looks like you are sincere and have made every effort to resolve the problem, so I will reactivate it and give you another try. It is a useful tool and I was sad to feel like I couldn’t use it safely. Thanks for the time and effort in creating this plug-in.

  29. Hi Joel,

    I was looking for a plugin to fix my 404 problems and yours seemed pretty fitting to my needs. Then I read some more on 404’s and came on the site of https://www.elegantthemes.com/blog/resources/the-7-best-404-plugins-for-wordpress to discover that for security reasons they removed their text about your plugin. I found the wordfence article and decided to look further. I tried some other plugins and had a lot of issues, some worked, but I was not completely satisfied. In the mean time I had noticed that there are still 700.000 installs of your plugin and that one new one left a positive comment. Hmm. I read some more and found in the changelog your link to this page (finally).

    I now think I dare to take the risk and will try your plugin. Still a bit concerned maybe … All this information is a bit difficult to understand. I am just an amateur (what is a TOS, what does an end-user notice exactly with the tracking and stuff and more issues that I do not understand precisely). But I understand that the problem is fixed, so I will go ahead now.
    Maybe you could make it somewhat easier to find this blog for people like me who are searching, so they do not turm their back on your plugin rightaway? (Just a suggestion)
    Anyway, I thank you upfront for the plugin, hoping it will suit me fine. I am very glad that people like yourself are making these plugins!
    Glad you fought back.

    1. Thank you so much for the feedback, suggestion and trust, Ton. Sure, I will contact the Elegant theme to let them know what really happened.

      I assure you that you can use this plugin without any risk.

  30. Joel, first of all, it takes balls of steel to admit to a mistake and take ownership. You had done that and you have my respect. Secondly, you have provided the plugin (and others) free of cost for so long and yet your intentions and integrity has been questioned by this one mistake. That is deplorable and saddening, but not completely unexpected. But do not lose heart because of this, and I know you will not. Keep up the fight and earn back that trust. And like you have said, you have learnt a valuable lesson, too. Keep going, Joel. Good luck to you!

Leave a Reply

Your email address will not be published. Required fields are marked *