They Charged $10/Month for a $5 Server, a Free Script, and Three Years of Lies. Here’s the Proof.
Published 2026-05-10 19:49:55. Source: infosecwriteups.com

freerave


This is not a review. This is a documented technical record. Every claim in this article is reproducible by anyone with an internet connection. The commands are included. Run them yourself.

How This Started

I joined CoderLegion as a content creator and reached #2 on the monthly leaderboard within days — not because I’m exceptional, but because barely anyone posts.

Then the founder, Mehadi Hasan, sent me this:


“I’d love to give you Premium free for a month and get your feedback on whether it actually helps. No pressure at all.”

Before accepting any offer involving payment details or long-term content investment, I look at what a platform is actually built on.

What I found is below. Every line is publicly verifiable.

Finding 1: The Founding Date Is Fiction

Run this in any terminal:

$ curl -s https://coderlegion.com | grep -C 2 "dateCreated"
"dateCreated": "2020",
"publisher": "Coder Legion"


That markup is baked into every single page on the platform. It tells search engines — and every visitor — that this operation has existed since 2020.

Now run this:

$ whois coderlegion.com | grep -E "Creation Date|Registry Expiry Date|Domain Status" | sort -u
Creation Date: 2023-07-21T16:50:42Z

The domain was not registered until July 21, 2023.

The predecessor domain — kodlogs.net, the platform they rebranded from — only goes back to May 2021. That is the earliest any version of this operation can be placed in public record. Two years short of what they claim. And the current domain adds another two years on top of that.

There is no archived platform. No prior domain. No public evidence of existence before 2021.

Three years of claimed history. Zero evidence. Embedded in every page.
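As an added illustration of the cross-check in this finding (not code from the article), the script below pulls dateCreated out of a page's JSON-LD block, parses the Creation Date out of WHOIS text, and reports the gap in years. The HTML and WHOIS samples are constructed to mirror the values quoted above; nothing is fetched from the network.

```python
import json
import re

# Constructed sample page, modelled on the JSON-LD shape the article quotes (not a live fetch).
SAMPLE_HTML = """<html><head><script type="application/ld+json">
{"@context": "https://schema.org", "@type": "WebSite", "dateCreated": "2020",
 "publisher": {"@type": "Organization", "name": "Coder Legion"}}
</script></head><body></body></html>"""

# Constructed sample WHOIS output carrying the fields the article greps for.
SAMPLE_WHOIS = """Creation Date: 2023-07-21T16:50:42Z
Domain Status: clientRenewProhibited https://icann.org/epp#clientRenewProhibited
"""

def _find_key(node, key):
    # JSON-LD may bury the field under @graph or publisher objects, so search recursively.
    if isinstance(node, dict) and key in node:
        return node[key]
    children = node.values() if isinstance(node, dict) else node if isinstance(node, list) else []
    for item in children:
        hit = _find_key(item, key)
        if hit is not None:
            return hit
    return None

def jsonld_date_created(html):
    # Return the first dateCreated found in any JSON-LD script block, or None.
    pattern = r"<script[^>]*application/ld\+json[^>]*>(.*?)</script>"
    for block in re.findall(pattern, html, re.S | re.I):
        try:
            hit = _find_key(json.loads(block), "dateCreated")
        except json.JSONDecodeError:
            continue
        if hit is not None:
            return str(hit)
    return None

def whois_fields(text):
    # Parse "Field: value" lines; fields that repeat (Domain Status) become lists.
    fields = {}
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        if sep:
            fields.setdefault(name.strip(), []).append(value.strip())
    return fields

def claimed_vs_registered(html, whois_text):
    # Years by which the self-reported founding date predates the registry creation date.
    claimed_year = int(jsonld_date_created(html)[:4])
    registered_year = int(whois_fields(whois_text)["Creation Date"][0][:4])
    return registered_year - claimed_year
```

Feed it the output of `curl -s` and `whois` for any domain to repeat the comparison; a positive result is the number of years the page claims beyond what the registry supports.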

Finding 2: They Said No Ads. The Source Code Disagrees.

From their About page, verbatim:

“The platform is completely free to use. We don’t run ads or charge authors.”

Press Ctrl+U on any CoderLegion page. Search for adsbygoogle. You'll find an active Google AdSense implementation with publisher ID ca-pub-1763140298030248.

Ads appear in the sidebar. At the bottom of posts. On the homepage.

And on the Delete Profile page — while you are in the process of permanently erasing your account:


“We don’t run ads.” — The About page. This is the Delete Profile page.

During the investigation, a second ad network also appeared on mobile — MetroOpinion, a third-party survey platform.

Two ad networks. On a platform that explicitly claims to run no ads.

The About page is marketing copy. The source code is the ground truth. They do not match.

Finding 3: The User Count Is Not Accurate — And It’s Not Even Consistent

Every visitor to CoderLegion sees a user count in the login modal.


That number was 4,065 during an earlier analysis session. It’s now 4,081. The number is not pulled from the database in real-time — it changes manually, which means someone is editing it by hand.

Here is what the database actually says. The users page has public pagination. Pagination has math:

URL pattern:            /users?start={offset}
Items per page:         30
Last accessible offset: 1170
Calculation:
  1170 / 30 = 39 full pages
  + final page = ~40 pages total
  40 × 30 = ~1,200 real users

The modal claims 4,081. The database supports ~1,200.

That is a 70% inflation in the number shown to every prospective user at the exact moment they decide whether to sign up. And the fact that the number changes between sessions — going from 4,065 to 4,081 — confirms it is being managed manually, not calculated.

Finding 4: The Infrastructure Behind the $10/Month Plan

$ curl -I https://coderlegion.com | grep -i server
server: LiteSpeed

LiteSpeed shared hosting. Market rate: $3–5/month.

Open the page source (Ctrl+U). Search for qa-theme:

/qa-theme/CoderLegion/
/qa-plugin/q2a-badges-master/
/qa-content/jquery-3.3.1.min.js

Session cookies:
qa_key     ← Question2Answer token
PHPSESSID  ← PHP backend

This platform runs on Question2Answer — a free, open-source PHP script. Zero license cost. Publicly available at question2answer.org.

This is what they are charging you $10/month for:


“Supercharge Your Developer Journey.” Free Q2A script. $5 shared hosting. ~37 active writers per month.

“10x More Visibility” among 37 people. On a free script. On a $5 server.

Finding 5: GoDaddy Has Blocked Renewal on Both Domains

The WHOIS output from the terminal screenshot above tells the full story:


$ whois coderlegion.com
Domain Status: clientRenewProhibited ⚠
Registry Expiry Date: 2026-07-21

$ whois kodlogs.net
Domain Status: clientRenewProhibited ⚠
Registry Expiry Date: 2026-05-08

clientRenewProhibited is not a default flag. A registrar applies it when the domain owner is blocked from renewing — typically due to outstanding billing disputes, account holds, or compliance violations.


Both the current domain and the predecessor domain carry this flag.

kodlogs.net has already expired as of the date of this writing. coderlegion.com expires July 21, 2026.

One additional data point: the WHOIS record for coderlegion.com was updated April 14, 2026 — days after a technical analysis of this platform was published publicly. WHOIS records do not update themselves.

If you have content on CoderLegion, export it today. Not next week. Today.

Finding 6: The Database Is Observable from the Public Internet

This is a passive observation, not an exploit. Standard security practice requires database services (MariaDB/MySQL, port 3306) to be bound to localhost — invisible to the outside world.

Expected:   127.0.0.1:3306  ← accessible to local services only
Observed:   0.0.0.0:3306    ← observable from public internet

A payment-collecting platform with a publicly observable database port is the kind of configuration that ends with breach notification emails. Verifiable via Shodan or standard port scanning. No credentials required.

If you have entered payment information on CoderLegion, you should be aware of this.

Finding 7: The Authentication Controls Are Broken

Observed during normal use of my own account:

Password reset: The forgot-password flow accepts a new password directly without sending a verification link to the registered email. Ownership of the account is never confirmed.

Account deletion: The deletion confirmation field — marked “Please enter your password” — accepts any non-empty string. It does not validate against the account’s actual password. An account can be deleted by anyone who can reach the page.

Both are basic authentication failures. Both were found in under five minutes of normal account usage.
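An added example, not CoderLegion's code: a minimal account model that shows the deletion check the article describes next to a hardened version, and a reset flow in which only the holder of an emailed, single-use, time-limited token can set a new password. The in-memory stores and all function names are assumptions made for the illustration.

```python
import hashlib, hmac, os, secrets, time

# Constructed in-memory stores standing in for a user table (not CoderLegion's code).
USERS = {}         # email -> {"salt": bytes, "hash": bytes}
RESET_TOKENS = {}  # sha256(token) -> (email, expiry_timestamp)

def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def register(email, password):
    salt = os.urandom(16)
    USERS[email] = {"salt": salt, "hash": _hash_password(password, salt)}

def verify_password(email, attempt):
    # Constant-time comparison against the stored hash, never a "non-empty" check.
    user = USERS.get(email)
    if user is None:
        return False
    return hmac.compare_digest(user["hash"], _hash_password(attempt, user["salt"]))

def delete_account_broken(email, confirmation):
    # The behaviour the article describes: any non-empty string "confirms" deletion.
    if confirmation:
        USERS.pop(email, None)
        return True
    return False

def delete_account(email, confirmation):
    # Hardened: the confirmation field must be the account's real password.
    if not verify_password(email, confirmation):
        return False
    del USERS[email]
    return True

def issue_reset_token(email, ttl_seconds=900):
    # Returns the token to email to the registered address; only its hash is stored.
    if email not in USERS:
        return None
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[hashlib.sha256(token.encode()).hexdigest()] = (email, time.time() + ttl_seconds)
    return token

def reset_password(token, new_password):
    # Ownership is proven by presenting the emailed token: single-use and time-limited.
    entry = RESET_TOKENS.pop(hashlib.sha256(token.encode()).hexdigest(), None)
    if entry is None or entry[1] < time.time() or entry[0] not in USERS:
        return False
    register(entry[0], new_password)  # re-salt and store the new hash
    return True
```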

Finding 8: There Is No Peter Jones

Before this investigation, I received the following:


From:    Peter Jones <[email protected]>
To:      [my email]

Hi Rockman,

Your recent post "You Don't Need Chaos Monkey" on Hashnode really
caught my attention...

My name is FreeRave. Not Rockman. The {{first_name}} merge variable pulled a different contact's data from the bulk list. The email was sent anyway.

Independent reports confirm the same template was sent from different sender names — “Peter Jones,” “Ross,” and others — all from @legioncoder.com addresses, all referencing a specific Hashnode post, all word-for-word identical.

The sender domain — legioncoder.com, not coderlegion.com — is a standard cold-email infrastructure pattern: use a separate sending domain to protect the primary domain's deliverability reputation.

There is no editorial team. There is no personal curation. There is a template, a mailing list, and occasionally the wrong name in the salutation.

The Sequence After Publication

Following a prior technical analysis going public, this happened:

Step 1 — IP block:


Desktop access timed out. Mobile network access (different IP range) remained fully operational — confirming a targeted IP-level block, not server failure or maintenance. Ads continued serving on mobile while desktop was blocked.

Step 2 — Newsletter delivered to deleted account:


From:    Peter Jones <[email protected]>
Subject: This Week at CoderLegion: New Articles, Your Analytics & More!

Hi FreeRave,
Your profile is ready to grow!

Account status:     Deleted ✅
IP status:          Blocked ✅
Newsletter status:  Delivered ✅

Continuing to send marketing email to a deleted account’s address is not a UX bug. Under GDPR Article 17, account deletion triggers a right to erasure that extends to all processing — including marketing lists.

The response to published technical findings was not a statement, a correction, or engagement. It was a network-level IP block on the reviewer’s machine.

Reproduce Everything Yourself

# Domain creation date and renewal status
$ whois coderlegion.com
$ whois kodlogs.net
# Server software
$ curl -I https://coderlegion.com | grep -i server
# Founding date embedded in source
$ curl -s https://coderlegion.com | grep -C 2 "dateCreated"
# Platform identification (or just press Ctrl+U in browser)
# Search for: qa-theme, adsbygoogle, dateCreated
# User count math
# Navigate to /users — find last page number — multiply by 30
# AdSense publisher ID
# Ctrl+U → search: pub-
# DB exposure
# Shodan: hostname:coderlegion.com port:3306

15 minutes. A browser. Every finding above independently reproducible.

Who This Is For

Developers considering joining: The information above existed before you arrived. Now you have it.

Content creators with published posts: Your content lives on a domain expiring July 21, 2026, with renewal blocked. Export everything now.

Premium subscribers: You paid $10/month for boosted visibility among ~37 active writers per month, on a free open-source script, on shared hosting, on a platform that misrepresented its founding date, user count, and monetization model. If you believe the service was misrepresented at point of purchase, your card provider has a formal dispute process.

Security researchers: Port 3306 publicly observable on a payment-collecting service is reportable to the relevant consumer protection authority in the operator’s jurisdiction.

Conclusion

One person building a developer community from scratch is hard. That deserves acknowledgment.

None of it justifies:

A founding date embedded in every page that no public domain record supports.
An ad-free promise directly contradicted by AdSense source code.
A user count inflated by ~70% — and manually edited between sessions.
A $10/month plan built on a free script and a $5 shared server.
Two domains blocked from renewal by their registrar.
A database port observable from the public internet on a payment-collecting platform.
Bulk outreach disguised as individual editorial curation — with mail merge errors left in.
An IP block as the response to published technical findings.
Marketing email delivered to deleted accounts in violation of erasure rights.

Developers deserve accurate information about platforms asking for their time, content, and money.

Run the commands. Verify the findings. Make your own decision.

All findings derived exclusively from public record: WHOIS lookups, HTTP headers, HTML source code, URL parameter enumeration, and first-party account use. No credentials other than the author’s own account were used. No unauthorized access was performed or implied at any stage.

Have you received a “Peter Jones” email? What name appeared in your salutation field? Leave a comment — every data point helps establish the scope of the campaign.


Source: https://infosecwriteups.com/they-charged-10-month-for-a-5-server-a-free-script-and-three-years-of-lies-heres-the-proof-b232637e4269?source=rss----7b722bfd1b8d---4