1. Vitor Madeira

    Now, this is really heavy-duty stuff… :(


  2. Ron Warnick

    Holy crap. This not only is highly informative, but highly good journalism. And I bet a district attorney somewhere can get a grand jury to bring down indictments against the company. The company certainly is liable for civil suits. If nothing else, the Federal Trade Commission should be notified.


  3. Dano

    Great reporting, Sarah. This is a long article, but content flowed and it kept my attention to the end. I agree with @Ron Warnick – “good journalism”. Thank you.


  4. Paul F Gilzow

    This incident shines a spotlight on how unregulated the commercial plugin and theme ecosystem is and how little protection users have from companies that abuse their power.

    You can just leave off “commercial” in that statement and it still holds 100% true.

    all of the plugins go through a security review by the WordPress Plugin Team.

    This only happens on initial submission, and it’s only a superficial review. This is why situations like the one that happened to the Display Widgets plugin are able to happen. And why new vulnerabilities are discovered every week in WordPress plugins.

    While it is easier for these types of things to go unnoticed in commercial plugins, this is an issue with the entirety of the WordPress plugin/theme ecosystem. And it’s something that is not going to get better until the community and WordPress leadership decide it is a priority and put resources into cleaning it up.


    • rtpHarry

      I appreciate the concern you are airing but I don’t see a clean solution to this. Once you start pulling at the thread, the whole of computing unravels.

      At the moment you have to give 30% of your profits to the gatekeepers of mobile app stores which covers, in part, them taking responsibility. Not all of it is cut and dry though and once a regulatory body is in between the users and the developers a lot of it comes down to opinion.

      Plus it’s at every level that this could be compromised. Web hosts in the past have done things that inject unwanted adverts or created security holes. Your web developer could be doing unsavoury stuff. The WordPress themes and plugins could be doing it. The libraries that they depend on could be doing it. A hacker could break in and do it.

      There is no guarantee of safety with this stuff.

      At the end of the day I think you are right that this does happen but as a % of the total things that are happening it is small and pushing everything through some single gatekeepers doesn’t seem like the way forward to me.

      This is a suitably rare occurrence that it is headlines everywhere at the moment.

      What you can do though is follow best practices, like having backups and security plugins. It’s insurance for your site.

      Also, we have laws against this type of stuff which will do what it can to deter most and punish the rest.

      I think if you want real safety go sign up for WordPress.com, Wix or Squarespace.

      There is a certain amount of risk in the real world.


    • Plugin Vulnerabilities

      Here is how the review that is supposed to be happening when plugins are initially submitted is described:

      At that point, someone will manually download and review your code. If we find no issues with the security, documentation, or presentation, your plugin will be approved.

      From what we have seen though it seems like there may not be any review, as among other issues, not only do we keep seeing vulnerabilities being included in the initial versions of plugins that should have been caught by even a superficial review, but in one recent instances where there was possibly a vulnerability, when we went to check further into that we found that plugin appeared to be fundamentally broken.

      We have offered to work with the team handling those reviews to improve the security review process, but so far they have shown no interest in that.


  5. William Earnhardt

    The comment about disabling Bluehost caching still doesn’t make any sense.

    Disable Bluehost page cache since it does not refresh automatically.

    It also doesn’t explain why they have a meta box with the title “Is your host slowing you down?” that specifically targets Bluehost sites after they have disabled the edge caching at plugin activation.


  6. Guido

    Why on earth would a small company like this intentionally add malicious code to it’s plugin, because the truth will come out sooner or later.. don’t get it.


  7. Alex

    All things considered, the two things that stand out are masking competitor links and messing with Bluehost. That’s just something you don’t do, and there’s really no excuse for this.

    And it sucks to be Pipdig right now because this kind of heat is not something you can extinguish easily, if at all.


  8. Anh Tran

    FYI, this is a collection of tweets about this drama:



  9. Studiosi

    If you can’t read code, it does not matter whether the theme is GPL or not, the license says nothing about the code, only that needs to be released publicly. Actually, it gives the code “as-is” and takes all responsibility out of the developer.

    The GPL license, says, literally, this:

    “This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.”

    That is horrible advice. The hard truth is that if you don’t know how to code, there is no other way around it than trusting your provider.

    Also, as far as I know, the official WordPress.org repository does not do periodic audits or code reviews (only one pretty superficial one on first upload), so the theme being there means absolutely nothing in terms of security (you can send a clean version and then push the dark code on an update, which can be applied even, in some cases, automatically to all the users). Don’t spread misinformation.


Comments are closed.

%d bloggers like this: