> Another one from the @pipdig plugin. If you use one of their themes on @bluehost then they intentionally slow your website down by disabling the BlueHost cache plugin, then they can inject content with the title "Is your host slowing you down?"
While the call to host switch is malicious, almost every developer in WordPress world will agree BlueHost, and their parent company with all their 50+ hosting companies, are utter garbage. The only reason they exist is because they have hired an army of bloggers and pay them affiliate income of $65 / signup.
As far as disabling Endurance Cache goes, it is completely legitimate. It's a plugin forced upon BlueHost users, without being told so, and is a "must-use" plugin that most users will never check (and can't be completely disabled from WordPress admin).
And this just illustrates the horror that is the proprietary marketplace of WordPress plugins. It is annoying because this results in incentives to take away freedom from users and require payment for proprietary code in the guise of a free software project. To expand WordPress functionality beyond the core functions you have to wade through a minefield of freemium plugins that have all been slightly broken to encourage you to shell out money to someone for code you won't have any freedom with, and the worst of it is possibly demonstrated by code like this. I have built some sites with WordPress but I have always felt stifled by the way the plugins and themes are distributed. On the other hand I understand people like being able to charge money and create businesses from the code they write, which can be more challenging if you actually write free as in libre software vs. attempting to extract money from every potential user.
For my personal site, I left WP behind about 3 years ago. I had to go back last month, trying to build something instead of a Wix site for a school, and the experience was terrifying: after adding one of the event plugins, within 5 minutes I started getting spam registrations. All plugins have ugly admin-interface "extras" and are very pushy about buying them.
The WordPress of 2007, which I loved very much, has nothing to do with this monster of 2019.
You get what you pay for with WordPress plugins. There are some great free ones that are maintained.
Then you get ones that can't survive minor WordPress upgrades, or are full of security holes.
The worst is when you have a highly motivated person who throws a ton of them together to build a website, and then it languishes and becomes out of date, and any upgrading you do will start culling plugins from their baby.
> And this just illustrates the horror that is the proprietary marketplace of WordPress plugins.
Same stories emanate from the Google Play marketplace, and to a lesser extent the highly curated Apple app store marketplace. How is WordPress any different?
> you have to wade through a minefield of freemium plugins
Just like every other app store.
> for code you won't have any freedom with
Unlike smartphone apps, or apps for my PC, I can and do inspect the source code of any WordPress plugin or theme.
> I have built some sites with WordPress but I have always felt stifled by the way the plugins and themes are distributed
I'd feel the same way about platforms I've only been exposed to a few times as well.
Thanks. My crew put this write-up together. We're here if you have any questions. Jem and us published almost at the same time although I think we beat her by an hour or so. We're in contact. Funny coincidence we were working on the same story at the same time.
This has blown up on Twitter. Our team has stayed out of the online debate mostly other than answering questions. We're trying to just focus on the data here.
They took their public repo offline, but we mirrored it before they did that. It contradicts some claims they're making re timing. We're publishing a timeline tomorrow and are recording our weekly podcast tonight instead of tomorrow as per normal because of this insanity. We'll break it down on the show.
I guess what really jumps out at me here is how they're trying to gaslight the thing.
> Wow, peoples' responses on Twitter are even more delusional. Wtf?
I find this so baffling. It's like being shown the bodies of a serial killer's victims, and publicly stating "oh, but he never murdered me, so why are you all complaining?"
A percentage of the population treats something like this as a personal attack. I have Atari/Sega/Chevy thus Commodore/Nintendo/Ford sucks. I use it, why are you saying those things about X, are you calling me stupid? etc.
If I'm reading this correctly, they're essentially admitting to some of the malicious features described by the researcher, but claiming that they were included for support purposes, or as a way of sabotaging sites using pirated versions of their plugin.
1. Including features which can remotely grant unauthorized access or cause damage to a user's web site is inappropriate under any circumstances. Even if they're your customers, or if they aren't your customers, or whatever. You don't do that.
2. Pipdig hasn't come up with any sensible explanation for why their license checks were pointed at a competitor's web site. It's not even clear why the license check would be architected in a way that allowed for this.
3. Altering users' site content to change links from Blogerize to Pipdig is beyond the pale. Pipdig's explanation of this feature is incoherent; it isn't even consistent with the behavior of the code presented.
4. Obfuscating the code surrounding all of these questionable bits of functionality stinks of wrongdoing. It's understandable for a license check to be a little obfuscated, perhaps, but there's no reason why a remote administration feature should be (even if it had any reason for existing).
"But all my customers love and trust me!" == "I'm just an above-average con man."
"But I was just doing this to support them without bothering them!" == "I'm clearly not ready to take responsibility and fess up to anything because I thought my deceptively named functions would fool everybody (and still do)."
"But my girlfriend and I love cat memes!" == "Please, for the love of god, can we forget about all this and talk about cat memes instead?" [I honestly have no clue what he was trying to get at in the first six paragraphs...]
It sounds like they got a little overaggressive fighting with the company that had hijacked their themes and were selling them last year.
They were probably obfuscating those functions to hide them from the people selling their themes. Sounds like they were also disabling this plugin as well.
But they definitely went about things the wrong way, including functions like that and obfuscating them is definitely not the right way to do things.
I think a simple, we're sorry we had included these functions in this manner to combat the company stealing our themes last year. We understand this was wrong and a fresh clean version of the plugin will be out this week.
We will do things the right way from now on, you can trust us and we welcome audits of all our code.
It looks like the company involved is based in the U.K. and also seems likely this software and their usage of it is a violation of the Computer Misuse Act.
One of their competitors should consider filing a complaint with the relevant authorities, so this gets formally investigated.
Yes, absolutely. The responses so far have been too tepid; DDoSing competitors, adding a database-dropping kill switch, disabling other software, and adding an admin login backdoor are all separate criminal offenses. The developer responsible should not just be blacklisted, he should be in prison.
I would be interested to hear from CloudFlare as to whether there is any possibility of confirming that the URL "https://pipdigz.co.uk/p3/id39dqm3c0_license_h.txt" - fetched by the "license check" code - did at some point return the text "https://kotrynabassdesign.com/wp-admin/admin-ajax.php". I suspect this will be difficult, or impossible, to verify (I'm not a security expert) and the "license check" code in and of itself (while extremely fishy) only betrays the potential of a DDoS and is not a smoking gun.
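The "license check" pattern described above, a plugin fetching a text file and then sending requests to whatever URL that file contains, is something a site owner can look for in plugin and theme sources before trusting them. The scanner below is an added example written for this thread, not code from pipdig, Wordfence or any commenter; the PHP it scans is a constructed sample, and the regex rules are heuristics for the behaviours the thread describes (a request target chosen at runtime by the vendor, a DROP TABLE kill switch, deactivation of other plugins, an authentication side-door, and code decoded at runtime). A hit is a lead for manual review, not proof of malice: legitimate plugins also create users, and `file_get_contents` on a variable may be a local path.

```python
"""Heuristic static triage for WordPress plugin and theme PHP sources.

Added example for this thread: not code from pipdig, Wordfence or any
commenter.  The regexes are heuristics for the behaviours discussed above;
a hit is a lead for manual review, not proof of malice.
"""
from __future__ import annotations

import re
import sys
from dataclasses import dataclass
from pathlib import Path

# (category, pattern, why it matters)
RULES = [
    ("remote-controlled request target",
     re.compile(r"\b(?:wp_remote_(?:get|post|request)|file_get_contents)\s*\(\s*\$"
                r"|\bcurl_setopt\s*\(\s*\$\w+\s*,\s*CURLOPT_URL\s*,\s*\$"),
     "request URL is a variable; if it was filled from a remote fetch, the vendor "
     "can point every install at any host they like"),
    ("destructive SQL",
     re.compile(r"\bDROP\s+(?:TABLE|DATABASE)\b|\bTRUNCATE\s+TABLE\b", re.IGNORECASE),
     "destroys site data; no support scenario needs this"),
    ("tampers with other plugins",
     re.compile(r"\bdeactivate_plugins\s*\("),
     "switches off other installed plugins, e.g. a host's cache plugin"),
    ("authentication side-door",
     re.compile(r"\b(?:wp_set_auth_cookie|wp_set_current_user|wp_insert_user)\s*\("),
     "creates a session or account outside the normal login path"),
    ("runtime-decoded code",
     re.compile(r"\b(?:eval|base64_decode|str_rot13|gzinflate|gzuncompress)\s*\("),
     "code assembled at runtime hides behaviour from anyone reading the source"),
]


@dataclass(frozen=True)
class Finding:
    category: str
    line_no: int
    text: str
    why: str


def scan_php(source: str) -> list[Finding]:
    """Return one Finding per (rule, line) match, in source order."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for category, pattern, why in RULES:
            if pattern.search(line):
                findings.append(Finding(category, line_no, line.strip(), why))
    return findings


def scan_tree(root: str) -> dict[str, list[Finding]]:
    """Scan every .php file under root (e.g. wp-content/plugins); omit clean files."""
    results = {}
    for path in sorted(Path(root).rglob("*.php")):
        found = scan_php(path.read_text(encoding="utf-8", errors="replace"))
        if found:
            results[str(path)] = found
    return results


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per category."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.category] = counts.get(f.category, 0) + 1
    return counts


# Constructed sample exercising every rule; it is not any real plugin's code.
SAMPLE_PLUGIN = """<?php
// Constructed sample for this example.
function sample_license_check() {
    $resp   = wp_remote_get('https://vendor.example/license.txt');  // literal URL: not flagged
    $target = trim(wp_remote_retrieve_body($resp));
    wp_remote_post($target, array('timeout' => 5));                  // target chosen by the vendor at runtime
}
function sample_kill_switch() {
    global $wpdb;
    $wpdb->query("DROP TABLE {$wpdb->prefix}posts");
}
deactivate_plugins('some-cache-plugin/plugin.php');
eval(base64_decode('Li4u'));
wp_set_auth_cookie(1, true);
"""


def main() -> None:
    # With a directory argument, scan a real tree; otherwise show the sample.
    if len(sys.argv) > 1:
        for path, found in scan_tree(sys.argv[1]).items():
            for f in found:
                print(f"{path}:{f.line_no}: [{f.category}] {f.text}")
        return
    for f in scan_php(SAMPLE_PLUGIN):
        print(f"sample.php:{f.line_no}: [{f.category}] {f.text}\n    why: {f.why}")


if __name__ == "__main__":
    main()
```

Run it as `python triage.py wp-content/plugins` to list hits per file; with no argument it scans the constructed sample and flags five lines, one per rule. Obfuscated code (the thread notes the questionable functions were obfuscated) is exactly what the last rule is for: it cannot tell you what the decoded code does, but it tells you where to start reading.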
Tons of WordPress themes and plugins are complete crap, even popular stuff. Nobody reads the code or knows how to read it. It makes claiming bug bounties on WordPress sites easy.
There are many solutions out there that can generate static sites from a WordPress installation. For example, you can use gatsby.js to generate a static site using WordPress as data source.
Their reply is an exercise in basic obfuscation and dissembling. Instead of explaining the specific 'features' of their code, their response is in a question-and-answer format. They chose the questions, and they are sufficiently broad and otherwise carefully chosen so that they can avoid being specific about what, exactly, they were up to. Some obvious follow-up questions to their initial answers are conspicuously absent.
Being able to drop someone else's full site contents is not something anyone should get away with under any circumstance.
They want to prevent pirated themes: reset the theme to twentysixteen; block frontend access; overlay the frontend with a notification, etc. So many options. Deleting data? That is not one of them.
I won't even get into the deliberate other plugins disabling with comments like "sorry not sorry", including cache plugins to advertise their own hosting.
pmlnr|7 years ago
https://twitter.com/nickstadb/status/1112479746972151808
pipdig is a goldmine.
Shivetya|7 years ago
You would think there would be different levels of user accounts and perhaps two-level authentication for any change, regardless of how it is invoked.
skilled|7 years ago
Edit: Wow, people's responses on Twitter are even more delusional. Wtf?
duskwuff|7 years ago
https://www.jemjabella.co.uk/2019/pipdig-your-questions-answ...
aboutruby|7 years ago
And original link: https://web.archive.org/web/20190401004514/https://www.jemja...
I'm getting errors when using a VPN:
> The firewall on this server is blocking your connection.
jarym|7 years ago
Further, they peddled this into who knows how many themes they sold and never thought they'd get caught?
pmlnr|7 years ago
"Extend your WordPress experience with 54,886 plugins."
And those are only the ones on wp.org itself; the "premium" themes are in the tens of thousands as well. It's not simple to catch these.
fastbeef|7 years ago
a) WordPress, which is a swamp filled with mines in the form of plugins; b) Wix, which forces hosting and bad HTML on you.
Basically I want a WordPress-like frontend + the rich template ecosystem, and for it to spit out static HTML files.
pmlnr|7 years ago
Conclusion: nasty, lying bag of s*.