The curious case of a WordPress plugin, a rival website spammed with traffic, a disagreement, and legal threats

Updated A British web-dev outfit has denied allegations it intentionally hid code inside its WordPress plugins that, among other things, spammed a rival’s website with junk traffic.

Pipdig, which focuses on designing themes and templates for websites running the popular WordPress publishing system, was accused late last week of including code inside its plugins that fired duff requests to the dot-com of a competing maker of themes. It was also accused of slipping in code that allowed it to remotely wipe its customers’ databases, modify URLs in links, change site admin passwords, and disable other third-party plugins.

These plugins are installed server-side by site owners to enhance their WordPress installations, and they include backend and frontend code executed as visitors land on pages. Pipdig has denied any wrongdoing.

The accusations were made by Jem Turner, a web developer who questioned the purpose of a number of subroutines within the Pipdig Power Pack (P3), a set of plugins bundled with Pipdig’s themes.

“An unnamed client approached me this week complaining that her website, which was running a theme she’d bought from a WordPress theme provider, was behaving oddly. Among other things, it was getting slower for no apparent reason,” Turner claimed on Friday. “As speed is a crucial ranking factor for search engines (not to mention essential for retaining visitors), I said I’d do some digging. What I found completely blew me away; I’ve never seen anything like it.”

Turner claimed she’d found that, among other things, Pipdig’s plugins fired off traffic to a stranger’s website: thus, web servers hosting the P3 PHP code would typically send HTTP GET requests to a rival’s website, flooding it with connections from all over the world, it was claimed.

The P3 tools also, it was alleged, manipulated links in customers’ pages to direct visitors away from certain websites, collected data from customer sites, could change admin passwords, disabled other plugins, and implemented a remotely activated kill-switch mechanism allowing Pipdig to drop all database tables on a customer’s site. Again, this is according to an analysis of the P3 source code.

At the same time, Wordfence, a security vendor specializing in services for WordPress sites, says it fielded a similar complaint about the P3 code from one of its users, and also found the same subroutines Turner described.

“The user, who wishes to remain anonymous, reached out to us with concerns that the plugin’s developer can grant themselves administrative access to sites using the plugin, and even delete affected sites’ database content remotely,” Wordfence explained. “We have since confirmed that the plugin, Pipdig Power Pack (or P3), contains code which has been obfuscated with misleading variable names, function names, and comments in order to conceal these capabilities.”

Don’t look at me, I didn’t do it

The reports prompted a strong denial from Pipdig, which argued the claims were unfounded. In its response on Sunday, the Pipdig team denied its software deliberately lobbed web traffic at other sites. What was happening, according to Pipdig, was that the P3 code would, once an hour, fetch the contents of…

…which, surprisingly, contained…

…causing the P3 code to then fetch that page, which is on another server. That is how the dot-com came to be flooded with requests from systems around the world running Pipdig’s code. The biz said it is trying to figure out how the external site’s URL ended up in its license text file, which has since been cleared of any text to prevent any unnecessary fetching.

“We’re now looking into why this function is returning this URL,” Pipdig said in its response. “However it seems to suggest that some of the ‘Author URLs’ have been set to ‘’. We don’t currently know why this is the case, or whether the site owner has intentionally changed this.

“The response should hit our site’s wp-admin/admin-ajax.php file under normal circumstances. On the surface it could mean that some pipdig themes have been renamed to other authors. We will be looking further into this issue and provide more information as it comes up. We can confirm that it won’t cause any issues for sites using pipdig themes, even if the author name/URL has been changed.”

Meanwhile, the ability to drop database tables on customer sites is there to reset installations to their default state, Pipdig claimed.

“The function is in place to reset a site back to defaults, however it is only activated after being in contact with the site owner,” the small business explained.

As for changing URLs, Pipdig chalked that up to anti-piracy measures to ensure links to sites hosting counterfeit copies of its themes are changed over to its domain. Furthermore, Pipdig said third-party plugins were disabled during the installation process to prevent any conflicts over functionality, that it does not change admin passwords, and that the only information it collects from users’ installations is the site URL, license key, WordPress version, and plugin or theme version.

According to Wordfence, Pipdig has removed some of the aforementioned code from its software in a newly released version, which people are urged to update to. “We reached out to the Pipdig team with questions about these issues, and within hours a new version of P3 was released with much of the suspicious code removed,” Wordfence reported.

In an email to The Register on Monday, Pipdig creative director Phil Clothier acknowledged the changes, but maintained his company has done nothing wrong. “Wordfence have agreed that latest version of the plugin is safe, however we also stand by that older versions were safe too,” Clothier said. “We always recommend that people keep all plugins updated to the latest version either way.”

Turner, meanwhile, stood behind her findings and conclusions on the matter. “I’m aware that Pipdig have released a statement claiming that I’m lying,” Turner wrote in an update post. “Firstly, this statement only serves to try to attack my character rather than dispute any of my accusations. Secondly, it addresses only my post, and none of the accusations made by Wordfence or other developers.”

Pipdig said it was seeking legal advice on the matter, though Turner told The Register she has not yet heard anything from the company.

“We will be seeking legal advice for the untrue statements and misinformation which has no doubt damaged our good name,” the Pipdig team added. “Anyone who has worked with us knows how much we care about this community and every single blogger we work with. We’re hugely upset, but we can hopefully re-earn any trust that has been lost as a result of this.” ®

Updated to add

Wordfence has, to use a technical term, given Pipdig both barrels on Tuesday, analyzing the plugin code in depth.
