So, they first admit that they and their plugin are capable of all they were accused of, but then go on to say that the statements were untrue and they will sue because of that.
A British web-dev outfit has denied allegations it deliberately hid code inside its WordPress plugins that, among other things, spammed a rival's website with junk traffic. Pipdig, which specializes in designing themes and templates for sites running the popular WordPress publishing system, was accused late last week of …
Agreed. And I personally find it quite stupid to maintain that posture because it's quite easy to prove if it is in the code.
Maybe Pipdig thinks that, because they changed the code (hey, that was quick), nobody will think of keeping a copy of the code that had issues?
In any case, I do not appreciate the idea of a theme plugin with code to "reset to default". If I want to reset to default, I can do that myself thank you very much, or I will get a plugin that says it does that on the tin. I hate hidden features that I only discover when something goes wrong.
I wonder if this is due to the wondrous quote in the Wordfence blog from their creative director, who has never heard of the Computer Misuse Act.
“Last year we had some serious problems after someone obtained a huge list of license keys and downloaded all of our products. The keys and files were then distributed on their file sharing site, which has since been taken down (not by us, ironically!). The drop tables function was put in place to try to stop this at the time.”
This is so blatant and open I'd have a hard time believing it is not true. The suing is probably from the rest of the directors once they realised what their colleague has done.
As others have pointed out they can't simply make this go away by releasing "fixed" code. On the other hand if they're guilty then let's see the proof with a trusted version of their old offending code.
If their old code has a link to their competitor in it then was it done maliciously or by accident (can't see how but...).
Let's also see proof that they can access a client's WordPress site and drop every table in the DB.
"...within hours a new version of P3 was released with much of the suspicious code removed,"
A resolution that quick (including decision time) suggests the existence of a pre-prepared fallback release.
Just in case people misunderstood their honest intentions, of course.
I used to look after loads of WordPress sites and whilst the product was generally okay, the whole infrastructure around it was a nightmare.
The number of times site owners found a new wonderful plugin/theme and installed it with hilarious consequences was legion!
> I used to look after loads of WordPress sites
You are so lucky to have used the past tense there. I still look after WordPress sites (in addition to other web/service hosting), and WordPress by far is the most time- and resource-intensive to keep up and running.
The number of times a client has installed some plugin/theme that hoses their entire config, destroys their uploaded data, or compromises the server resulting in a whole rebuild for everyone else is legion.
It got so bad I had to separate normal web hosting and WordPress hosting onto different servers, just to stop compromised WordPress sites from affecting non-WordPress sites (so I got a dedicated machine just for WordPress, with the extra DC costs). Then the constant vigilance, patching, monitoring, backing up, etc... makes me wonder if it is worth the effort for the income I get for it.
Best thing is, when the clients do eventually cock up their WordPress instance, it is always my fault, because "the plugin has good reviews, and thousands of downloads, so people are obviously using it just fine. It is your crap service that is the problem, why can others use it but not me, when will you fix your systems, etc..."
Problem is WordPress is loved by non-technical people who want a website. They can go off and apply themes, add features with plugins, and upload their own content, all without paying for a web designer or developer. I would say a good 4/5ths of all the sites I have hosted were WordPress, so it is really popular, and has a massive ecosystem of themes and plugins, many of them free. I admit, when I log in to WordPress as an end user, it is quite nice. You can easily create a decent looking website, auto-add social media buttons, flashy graphics, even complete e-commerce plugins to turn your site into an online store, and then just concentrate on the content you want to publish. I see the appeal for the user, I just agree that it is a complete and utter nightmare at the sysadmin/infra/other end.
In order to stop the rampant problems I actually ended up locking the WordPress instances, preventing any updates or plugin/theme installations unless the client emails me and requests an unlock for a fixed time period, after which I can diff the changes and see what they have done (and then commit to the live git repo so I have the latest copy of their site).
This worked well, because few clients would make big changes once they set their site up the way they wanted, however it did change the nature of complaints to "why can't I do anything without your permission, why does it lock after you unlock it, stop locking the sites, etc, etc, etc...". But at least I can respond with "it's our security policy", and that usually quietens them down (especially nowadays with privacy and online security being in the limelight).
One problem with WordPress is that it's all too easy to give the "wrong" people the Administrator role, which really should be reserved only for whoever set up and keeps the actual WordPress installation running. The lack of a role in between "Administrator" and "Editor" (i.e. one that can't change plugins/themes/core WP, but can do everything else an Administrator can do) doesn't help either.
It's not uncommon to see a WordPress site with a dozen or more users, all of which have the Administrator role - madness!
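The missing role described in the comment above, and the "locked unless temporarily unlocked" policy from the hosting comment earlier in the thread, can both be implemented with standard WordPress hooks. This is an added example (not code from Pipdig, WordPress core, or any commenter), written as a must-use plugin; the role name `site_manager`, the option name `site_unlock_until`, and the exact list of denied capabilities are assumptions for this example.

```php
<?php
/*
Plugin Name: Site Manager Role (added example)
Description: A role between Administrator and Editor that cannot install, edit or
             update plugins, themes or core, plus a time-boxed unlock for those caps.
*/

// Capabilities that allow adding or changing executable code on the site.
// Assumed list: these are the core capability names checked on the plugin,
// theme, update and file-editor screens.
const SITE_MANAGER_DENIED_CAPS = [
    'install_plugins', 'upload_plugins', 'update_plugins', 'delete_plugins',
    'edit_plugins', 'activate_plugins',
    'install_themes', 'upload_themes', 'update_themes', 'delete_themes',
    'edit_themes', 'switch_themes',
    'update_core', 'edit_files',
];

// Clone the Administrator capability set minus the code-changing ones.
// Roles are persisted in the database, so add_role() is a no-op once it exists;
// change SITE_MANAGER_DENIED_CAPS and call remove_role('site_manager') to refresh.
function site_manager_register_role() {
    $admin = get_role('administrator');
    if (!$admin) {
        return;
    }
    $caps = $admin->capabilities;
    foreach (SITE_MANAGER_DENIED_CAPS as $cap) {
        unset($caps[$cap]);
    }
    add_role('site_manager', 'Site Manager', $caps);
}
add_action('init', 'site_manager_register_role');

// Deny the code-changing capabilities to everyone, Administrators included,
// unless the host has set a future unlock deadline, e.g. for a one-hour window:
//   update_option('site_unlock_until', time() + 3600);
// After the deadline passes the site locks itself again with no further action.
function site_manager_filter_caps($allcaps, $caps, $args, $user) {
    $unlock_until = (int) get_option('site_unlock_until', 0);
    if ($unlock_until > time()) {
        return $allcaps;
    }
    foreach (SITE_MANAGER_DENIED_CAPS as $cap) {
        $allcaps[$cap] = false;
    }
    return $allcaps;
}
add_filter('user_has_cap', 'site_manager_filter_caps', 10, 4);
```

Drop the file in `wp-content/mu-plugins/` so it cannot be deactivated from the dashboard; WordPress's own `DISALLOW_FILE_MODS` constant in `wp-config.php` gives the same lock without the unlock window.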
It's hard to think ...
eh? it's server side PHP
doesn't really seem so hard to think.
I love wordpress. That's 'cos I'm just an end-user, and my blog isn't of such value as to lose sleep over risks it might run. It's easy to love when you're not responsible for any of the admin.
I'll get me coat.
After reading this article all my sympathy goes to Mrs. Turner.
Pipdig's FUD defence doesn't help to make them appear sympathetic...
I get that they don't deny having put in weird hidden code, but they claim the use was legitimate, so legitimate they removed it promptly from the last version. Sounds weaselly.