On Friday evening, two blog posts appeared within a few hours of each other. One was written by a UK based independent female WordPress developer, and one was written by a US based male who works for Wordfence, a WordPress security provider.
They had both noticed code in a WordPress plugin created by Pipdig, a popular UK based web developer, which was causing unexpected behaviour. Both Jem (Jemjabella) and Mikey (Wordfence) found that the plugins had various pieces of code, either in the plugin or calling back to their website. This plugin is called the Pipdig Power Pack (also known as P3) which is provided with every WordPress theme. P3 “includes our custom widgets and WordPress enhancements“
Here’s a brief list of the issues that Jem and Mikey discovered:
- The plugin contained code in it to use the site that it was installed in to perform a DDoS (a Distributed Denial of Service) against a competitor of theirs, Kotryna Bass Design (In very basic English, a DDoS is when you have lots and lots of people all visiting one site at once which overwhelms the site and makes it crash. It should be noted that Kotryna had no knowledge of this and has nothing to do with it, other than being affected)
- It would cause links to a different competitor to be changed to link back to their site with a certain phrase as the link
- It contained a “kill switch” which could completely wipe the
- It gathered data from the users website could use it in part to reset the
usersadmin account passwords
- It could disable plugins and features of WordPress that Pipdig deemed unnecessary
- If the site was hosted on a non Pipdig host, then the site could be slower than expected (see this tweet which explains how the P3 plugin could disable the cache that BlueHost implements)
- The coding created to do these things was hidden with misleading titles and descriptions – so even if you could understand a brief glance at the code involved, they’re saying that this bit of code does something innocuous like fetching new icons for social profile links and why wouldn’t you believe that?
The issues listed above are much more detailed over in Jem and the Wordfence articles so we would recommend going to read up on those
Jemjabella: Security alert: pipdig insecure, DDoSing competitors
Wordfence: Peculiar PHP Present In Popular Pipdig Power Pack (P3) Plugin
Pipdig published a post originally entitled “Sad Times” (which some people have mentioned is a strange title for a business to be defending themselves under) which went through the points raised in Jem’s post (oddly ignoring the Wordfence post) and highlighted how they had many happy users and that they were a small business being attacked. The post claims that the features found in their code were to prevent unauthorized use of their themes – there was a situation last year where someone was giving away a theme they had bought which meant
Jem wrote a follow up post at the weekend, entitled Pipdig: Your Questions Answered which also went through the Pipdig post. If the first two articles are a little techy for you, this may help to explain what the original points meant and what they do.
Pipdig released a new version of their plugin which appears to have removed some of the code being highlighted in their posts however Jem and Mikey have both looked at previous versions of the plugin and can see these pieces of code going back at least a year or so.
Yesterday (2nd April), Mikey has published on the Wordfence blog further discoveries entitled Pipdig Update: Dishonest Denials, Erased Evidence, and Ongoing Offenses. The article goes through the defence given by Pipdig and explaining how the response is not correct compared to what the actual code says. It also notes how Pipdig have wiped their public BitBucket git repository which is fairly suspicious behaviour – why would you delete your historical records of a product if the product is totally innocent? (a git repository is where developers can store their code which tracks any changes made from the creation date – to wipe this history is an incredibly dubious act)
The Wordfence article also goes through the historial occurences of the coding that has been discussed – such as how Pipdig have had the ability to completely wipe users websites since November 2017 and gives a timeline about how they conducted this investigation.
It’s a long read (yes, even longer than this article!) and if you’re not a coder then some of this will go over your head, but it is worth a read if you want to make sure you are listening to all sides of this situation.
The investigation then goes into how Wordfence looked at the Blogger layouts. As we mentioned previously, it was believed that this situation only affected the
To clarify, every time a visitor reaches any site running a Blogger theme from Pipdig using this script, their browser would fire an additional request to their competitor’s site. This request hides where it came from, hits a literally randomized file on the competitor’s server, and does nothing with the data. This behavior is hidden not only from the visitors to these sites, but to the owners of these sites as well.https://www.wordfence.com/blog/2019/04/pipdig-update-dishonest-denials-erased-evidence-and-ongoing-offenses/
There are sure to be further updates to this, so we’ll update this post with any new information. This story is ongoing, and is starting to be picked up and discussed by other, more technical sites such as The Register, Reddit and Hacker News (first post relating to Jem’s original article, second post relating to the new findings from Wordfence)
Why have they done this?
Honestly, who knows. There are a few elements that may give us a clue into why they wrote this code:
- Since Pipdig can supply hosting for WordPress users, they have an interest in making your site appear slower. When you say to them “Hey, my site is really slow, what should I do?” then they could say “Well our hosting is super quick, move your blog over to us”.
- The DDoS against Kotryna’s site would cause one of their closest competitors to go down – potential customers trying to get to her site may just give up or think “She can’t even keep her own site up, I should look elsewhere”
- If the user linked to blogerize.com, then the plugin could change both the link and wording (what you used to link to that site) to create a link back to the Pipdig site. As we all know from sponsored posts, companies like to have links with certain wording from various sites as it increases their search rankings.
What does this mean?
This situation isn’t just unethical but potentially illegal. We are not lawyers, but we would be unsurprised to hear if there are further actions taken.
Does this affect me?
If you are currently using a Pipdig theme, it’s very likely this situation affects you. At first, it was believed that this just affected
What should I do?
First, back up your site (you can find our guides to backing up WordPress and Blogger – consider doing this on a more regular basis – you will never regret making too many backups!)
Next, find a new theme. There are many good themes for both Blogger and WordPress out there – even the basic free versions from the creators can look good with the right images, etc.
If you’re on WordPress and have the P3 plugin installed, disable this before installing any new themes. We have heard of users having problems uploading a new layout otherwise.
Install the WP
Activate your new layout, check everything looks good and take a full back up again. (Did we mention back up your site? Seriously. BACK IT UP)
(Some of this information has been taken from this thread by Zoe Corkhill, who we have known for about 10 years, and trust her knowledge on this topic. If you are looking for someone to help you, we would recommend talking to her – you can find her web design site at zoecorkhill.co.uk)
Who should I believe?
When this story broke, many of the larger bloggers that have worked with Pipdig defended them and we are still seeing people defending Pipdig. However, we are also seeing many developers all looking at the code and coming to the same conclusions.
It’s up to you, of course, what you believe in, but if there are numerous experts all saying the same thing, then maybe that should be your guide.
Does this affect the other Pipdig plugins and products?
It’s unknown so far how far this goes, but you may want to deactivate any plugins currently active.
Should I change my Pipdig theme?
What other themes do you recommend?
We have various posts throughout the years giving links to good layouts (both free and paid , and for WordPress and Blogger) but it is up to you to look into these before using them. If you have any recommendations, feel free to leave them in the comments! Another good place to look for themes is ThemeForest.
After speaking with the ICO, they have advised anyone affected by using Pipdig’s theme/plugin can report a complaint to email@example.com It has already been clarified and reported. It’s also reported to Action Fraud. If you have been personally affected, DM me.— Sam – A Testing Time (@testingtimeblog) April 2, 2019
If you feel like you have been affected, consider contacting the ICO (Information Commissioner UK) and Action Fraud. The allegations made against the code published are incredibly serious.
It’s incredibly disappointing to learn all of these developments, as we have had good experiences with Pipdig, but that doesn’t mean that they can not be guilty of doing this. Pipdig layouts have been incredibly popular in the UK fashion, beauty and lifestyle blogosphere partly because you didn’t need to know any coding information to have a beautiful blog, which makes this even more upsetting that users with not much technical knowledge have been taken advantage of.
If you have any questions, please let us know and we’ll update the post for you.
Our statement concerning the migration from pipdig[dot]host to Kualo. #pipdig— Kualo (@kualo) April 5, 2019
Optional. No Downtime. Free for two years.
Any questions, we're standing by.https://t.co/uVMWSYSSJ6
You can read the full statement from Kualo here, but here are the main points:
Kualo arean independent entity to Pipdig. They are totally separate companies and do not have any ownership in common. (If you want to check this, you can look up these companies at Companies House, where all UK registered companies details can be found.) Kualo werethe hosting provider that Pipdig were using to provide hosting services to their clients. This is something known as reseller hosting,and is a pretty normal way of providing hosting to a small group of clients. You can see the Kualoreseller hosting page here ,if you are interested in what sort of thing this involves. Kualo aretaking on all of the people who had their sites hosted with Pipdig and will be providing hosting for them for 2 years for free. (Screenshot of relevant part of articlecan be found here). If you are already hosted by Pipdig, you don’t need to do anything, unless you want to move away from Kualo. Kualo havebeen able to edit the files hosted by Pipdig that were causing some of the functions listed above, so those people who haven’t switched themes (both Blogger and WordPress) yet won’t be helping cause those DDoS attacks previously mentioned. (In basic terms, this means you don’t need to switch your theme asap but many users are still choosing to ditch the Pipdig themes because of their reputation)
- Kualo, like many others, recommend updating the P3 plugin to 4.9.0 if you do choose to keep your layout on WordPress, which should not contain the coding detailed above that can harm your website
Kualo areextending the free hosting offer to any affected Pipdig user, even if you weren’t hosted with them. (screenshot of relevant part of articlecan be found here)
If you have any questions regarding the Kualo migration of services, they ask that you email them at firstname.lastname@example.org, use the live chat feature on their website or send them a tweet.
Notes: All links provided in this post are for informational purposes. We have no affiliation with any of the companies or individuals mentioned in this blog post. We have previously linked to both Kotryna Bass Design and Pipdig as places that you can buy layouts for your blogs, and have recommended Pipdig layouts in conversations more recently.
That’s all well and good for exposing unethical and potentially illegal behaviour (feeling extremely dissaponted with Phil & team), but what are people who have bought themes and hosting services in good faith and who are completely non tech savvy meant to do now? It’s not that easy to change themes overnight. We ended up using pipdig because of the services they provided and making things so easy. If I had a clue, I would have done it by myself in the first place. Not to mention I am a hobby blogger and don’t have cash knocking about to invest in a new theme. Any thoughts? Thanks!
Totally understand! That’s what I feel is the more upsetting part about all of this – that their audience aren’t tech friendly and that we have all trusted them to do the right thing.
If you were hosted by Pipdig, then you’ve probably already seen the offer by Kualo, and updating to the latest version of the P3 plugin should at least mean that the unethical parts of the code have been removed now. This at least means that you don’t need to switch your theme straight away (if you even want to change the theme!). If you’re looking for a new theme, I would recommend looking at those listed with WordPress’ directory or ThemeForest (which is where I bought the theme that you are currently looking at! I think it was about US$50 a few years ago, and I have made a few tweaks to make it more my style)
If you do need any help with switching your theme, please feel free to drop me an email through the contact page, and I’ll do my best to help you out!