back to article The curious case of a WordPress plugin, a rival site spammed with traffic, a war of words, and legal threats

A British web-dev outfit has denied allegations it deliberately hid code inside its WordPress plugins that, among other things, spammed a rival's website with junk traffic. Pipdig, which specializes in designing themes and templates for sites running the popular WordPress publishing system, was accused late last week of …

  1. FF22

    Smart. Not.

    So, they first admit that they and their plugin are capable of all what they were accused of, but then go on to say that the statements were untrue and they will sue because of that.

    1. Pascal Monett Silver badge

      Re: Smart. Not.

      Agreed. And I personally find quite stupid to maintain that posture because it's quite easy to prove if it is in the code.

      Maybe Pipdig thinks that, because they changed the code (hey, that was quick), nobody will think of keeping a copy of the code that had issues ?

      In any case, I do not appreciate the idea of a theme plugin with code to "reset to default". If I want to reset to default, I can do that myself thank you very much, or I will get a plugin that says it does that on the tin. I hate hidden features that I only discover when something goes wrong.

    2. Michael B.

      Re: Smart. Not.

      I wonder if this is due to the wondrous quote in the wordfence blog from their creative director, who has never heard of the computer misuse act.

      “Last year we had some serious problems after someone obtained a huge list of license keys and downloaded all of our products. The keys and files were then distributed on their file sharing site, which has since been taken down (not by us, ironically!). The drop tables function was put in place to try to stop this at the time.”

      This is so blatant and open I'd have a hard time believing it is not true. The suing is probably from the rest of the directors once they released what their colleague has done.

      1. Anonymous Coward
        Anonymous Coward

        Re: Smart. Not.

        As others have pointed out they can't simply make this go away by releasing "fixed" code. On the other hand if they're guilty then let's see the proof with a trusted version of their old offending code.

        If their old code has a link to their competitor in it then was it done maliciously or by accident (can't see how but...).

        Let's also see proof that they can access a clients Wordpress site and drop every table in the DB.

  2. Psycho Flump

    Well, the drop tables thing is a reset of sorts, just a more nuclear one. Also, the fact that they've removed their git repo and replaced it with the sanitised version isn't dodgy at all is it?

    1. zuckzuckgo Bronze badge

      > Well, the drop tables thing is a reset of sorts...

      I think their lead designer is little Bobby Tables. He just likes to leave a signature in all his work.

  3. chivo243 Silver badge

    Oh, crap

    You caught me! But don't say anything about it or I will sue?

  4. revenant


    ...within hours a new version of P3 was released with much of the suspicious code removed,"

    A resolution that quick (including decision time) suggests the existence of a pre-prepared fallback release.

    Just in case people misunderstood their honest intentions, of course.

    Yeah, right.

  5. Will Godfrey Silver badge

    Trojan Horse

    The really disturbing take-away from this is (yet another example of) just how far browser based crap can secretly dig into your systems these days. At what point does the entire system collapse? Do we now have to get dedicated sacrificial computers just for Internet use?

    1. Michael B.

      Re: Trojan Horse

      This has nothing to do with the browser - it is entirely server side in PHP code. Look at the linked Wordfence blog post, its code examples are pretty daming.

      1. Will Godfrey Silver badge

        Re: Trojan Horse

        OKOKOK I get the point.

        Blame it on me skim reading while trying to sort out 'stuff'.

        ... Oh, and I failed at that too :(

    2. phuzz Silver badge

      Re: Trojan Horse

      I left a comment saying you don't need a sacrificial computer when you have a VM, but apparently it was too controversial for the mods.

      Sorry mods :(

  6. Paul Johnston

    Aren't Wordpress Plugin great!

    I used to look after loads of Wordpress sites and whilst the product was generally okay the whole infrastructure around it was a nightmare.

    The number of times site owners found a new wonderful plugin/theme and installed it with hilarious consequences were legion!

    1. Ogi

      Re: Aren't Wordpress Plugin great!

      > I used to look after loads of Wordpress sites

      You are so lucky to have used the past tense there. I still look after wordpress sites (in addition to other web/service hosting), and wordpress by far is the most time and resource intensive to keep up and running.

      The number of times a client has installed some plugin/theme that hoses their entire config, destroys their uploaded data, or compromises the server resulting in a whole rebuild for everyone else are legion.

      It got so bad I had to separate normal web hosting and wordpress hosting onto different servers, just to stop compromised wordpress sites from affecting non wordpress sites (so got a dedicated machine just for wordpress, with the extra DC costs). Then the constant vigilance, patching, monitoring, backing up, etc... makes me wonder if it is worth the effort for the income I get for it.

      Best thing is, when the clients do eventually cock up their wordpress instance, it is always my fault, because "the plugin has good reviews, and thousands of downloads, so people are obviously using it just fine. It is your crap service that is the problem, why can others use it but not me, when will you fix your systems, etc..."

      Problem is wordpress is loved by non technical people who want a website. They can go off and apply themes, add features with plugins, and upload their own content, all without paying for a web designer or developer. I would say a good 4/5ths of all the sites I have hosted were wordpress, so it is really popular, and has a massive ecosystem of themes and plugins, many of them free. I admit, when I log in to wordpress as an end user, it is quite nice. You can easily create a decent looking website, auto-add social media buttons, flashy graphics, even complete e-commerce plugins to turn your site into an online store, and then just concentrate on the content you want to publish. I see the appeal for the user, I just agree that it is s complete and utter nightmare at the sysadmin/infra/other end.

      In order to stop the rampant problems I actually ended up locking the wordpress instances, preventing any updates or plugin/theme installations unless the client emails me and requests an unlock for a fixed time period, after which I can diff the changes and see what they have done (and then commit to the live git repo so I have the latest copy of their site).

      This worked well, because few clients would make big changes once they set their site up the way they wanted, however it did change the nature of complaints to "why can't I do anything without your permission, why does it lock after you unlock it, stop locking the sites, etc, etc ,etc... ". but at least I can respond with "its our security policy", and that usually quietens them down (especially nowadays with privacy and online security being in the limelight).

      1. Richard Lloyd

        Re: Aren't Wordpress Plugin great!

        One problem with WordPress is that it's all too easy to give the "wrong" people the Administrator role, which really should be only reserved for whoever setup and keeps the actual WordPress installation running. The lack of a role inbetween "Administrator" and "Editor" (i.e. one that can't change plugins/themes/core WP, but can do everything else an Administrator can do) doesn't help either.

        It's not uncommon to see a WordPress site with a dozen or more users, all of which have the Administrator role - madness!

  7. sitta_europea

    I can't for the life of me understand why people keep on using this cr@p and letting themselves in for the more or less inevitable consequences.

    1. ds6

      Because Wordpress is one of the most popular blogging-related CMS solutions? Maybe?

  8. mrtom84

    The article makes no mention of the fact that the plugin disabled the bluehost cache, then injected content into the page suggesting that their site was running slowly and that they should switch to new hosting

  9. Doctor Syntax Silver badge

    Oh what a tangled web...

    ...again and again.

    It's hard to think how you might construct a worse foundation for building systems than the JavaScript "ecosystem".

    1. myhandler

      Re: Oh what a tangled web...

      eh? it's server side PHP

      1. Nick Kew

        Re: Oh what a tangled web...

        It's hard to think ...

        Um, really?

        eh? it's server side PHP

        doesn't really seem so hard to think.

        I love wordpress. That's 'cos I'm just an end-user, and my blog isn't of such value as to lose sleep over risks it might run. It's easy to love when you're not responsible for any of the admin.

        I'll get me coat.

        1. ds6

          Re: Oh what a tangled web...

          Yes, let's punish the webadmins by forcing them to use WordPress! Bind them to the rafters and whip them with paid plugins!! They WILL install a new image box to scroll through Nana's holiday photos or they get the hose (again)!!!

  10. Christoph

    "This bit looks very bad but is really totally innocent. And this completely different bit is also really innocent. And this other completely different bit."

    Once is chance, twice is coincidence ...

    1. Pascal Monett Silver badge

      and three times is a conspiracy

      1. ds6
        Paris Hilton

        and four is a party...?

    2. Groaning Ninny

      It all feels like a beautifully contrived set of BOFH excuses...


    Wordpress, again...

    ... please suggest an alternative. Seriously...

    1. elDog

      Re: Wordpress, again...

      Dunno. I'm looking at django (python-based) but it doesn't have the "rich" set of add-ons that are the benefit and bane of WP. Still, anything but PHP, please!

    2. Hstubbe

      Re: Wordpress, again...

      I really like the 'Pelican Static Site Generator'. No server-side dynamic code, scales really well in addition to be really secure!

  12. GuildenNL

    Here's hoping the people at tie up dear old Phil in the courts for years, while draining all of his financial assets.

  13. Potemkine! Silver badge

    After reading this article all my sympathy goes to Mrs. Turner.

    Pipdig's FUD defence doesn't help to make them appear sympathetic...

    I get they don't deny having put weird hidden code, but they claim the use was legitimate, so legitimate they removed it promptly from the last version. Sounds weaselly.

    1. ds6

      Nah, they scrubbed their commit history to keep bitbucket costs down, surely. No FUD here.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like