Pipdig Updates P3 Plugin after Reports Expose Vendor Backdoors, Built-in Kill Switch, and Malicious DDoS Code

Over the weekend, Pipdig, a small commercial theme company, has been at the center of a scandal after multiple reports exposed a litany of unethical code additions to its Pipdig Power Pack (P3) plugin.

On Friday, March 29, Wordfence threat analyst Mikey Veenstra published a report with code examples of the backdoors Pipdig built into their plugin, along with some unsavory and questionable additions to the code.

“We have confirmed that the plugin, Pipdig Power Pack (or P3), contains code which has been obfuscated with misleading variable names, function names, and comments in order to hide these capabilities,” Veenstra said.

These include an unauthenticated password reset to a hard-coded string, which was deliberately obscured with code comments indicating it was added to “check for new social channels to add to navbar.” Veenstra also demonstrated how the plugin contained code for an unauthenticated database deletion, wherein the Pipdig team could remotely destroy any site WordPress site using the P3 plugin.

The code for remote site deletion was removed in version 4.8.0 but it still a concern for users who haven’t updated. Michael Waterfall, iOS Engineer at ASOS, tested the “kill switch” function and demonstrated that it still works with prior versions.

Veenstra’s investigation also uncovered questionable remote calls in the plugin’s cron events, undisclosed content and configuration rewrites, and a list of popular plugins that are immediately deactivated when P3 is activated, without the user’s knowledge. He found that some of these plugins are deactivated alongside admin_init, so any user attempts to reactivate the plugins will not stick.

Wordfence estimates the P3 plugin to have an install base of 10,000-15,000 sites. The changes made in version 4.8.0 of the plugin are not transparently identified in the changelog, so it’s not easy for users to know what has changed. The content filtering and the plugin deactivations remain in the most recent release. These types of veiled functions performed without permission could have unintended consequences on sites using the plugin, which non-technical users may not be able to fix themselves.

Pipdig P3 Plugin Performed a DDoS Attack on a Competitor’s Site

Jem Turner, a freelance web developer based in the UK, published a lengthy analysis of the P3 plugin the same day that Wordfence released its analysis. She drilled down further into the remote requests, demonstrating how Pipdig has been using the P3 plugin to perform a DDoS attack on a competitor who also provides WordPress themes and installation services to bloggers. The code triggers an hourly cron job on users’ sites, effectively using their customers’ servers to send malicious requests to the competitor’s site.

The code comment tells us this is “checking the CDN (content delivery network) cache”. It’s not. This is performing a GET request on a file (id39dqm3c0_license_h.txt) sat on pipdigz.co.uk, which yesterday morning returned ‘https://kotrynabassdesign.com/wp-admin/admin-ajax.php’ in the response body.

Every single hour night and day, without any manual intervention, any blogger running the pipdig plugin will send a request with a faked User Agent to ‘https://kotrynabassdesign.com/wp-admin/admin-ajax.php’ with a random number string attached. This is effectively performing a small scale DDoS (Distributed Denial of Service) on kotrynabassdesign.com’s server.

Turner also contacted Kotryna Bass, Pipdig’s competitor, who said she had contacted her host after finding that her admin-ajax.php file was under some kind of attack. Bass’ exchanges with her host are also published in Turner’s report.

Turner’s post explained how Pipdig’s P3 plugin code manipulated links to point to their own products and services when a user includes a link to a competitor in the the content:

Here we have pipdig’s plugin searching for mentions of ‘blogerize.com‘ with the string split in two and rejoined – concatenated – to make it harder to find mentions of competitors when doing a mass ‘Find in Files’ across the plugin (amongst other things). When the plugin finds links to blogerize.com in blogger’s content (posts, pages), they’re swapped out with a link to ‘pipdig.co/shop/blogger-to-wordpress-migration/’ i.e. pipdig’s own blog migration services. Swapping these links out boost the SEO benefit to pipdig, and the vast majority of bloggers wouldn’t notice the switcheroo (especially as if the page/post was edited, the link to blogerize would appear in the backend as normal).

The plugin did not ask users’ permission before performing any of these actions and most of them were implemented with obfuscated code. Turner’s investigation also covers how the P3 plugin could harvest data and change admin passwords. Many of the findings overlap with Wordfence’s analysis.

“I was aware that Wordfence had been contacted for an opinion, although I was unaware they were writing a post and vice versa,” Turner said. “I wasn’t surprised that they wrote about it though, given the risk to WordPress users.”

She has been in contact with authorities regarding Pipdig’s unethical coding practices and privacy violations.

“From my side of things, I’ve been in contact with Action Fraud (submitted a report through their website) and NCSC (who pointed me back to Action Fraud and gave me a number to call). From pipdig’s side, there are threats of legal action in their blog post but I’ve received nothing yet.”

Pipdig’s Public Response Skirts Critical Concerns

Pipdig Creative Director Phil Clothier published a public response from the company which opens by characterizing the recent investigations as “various accusations and rumours spreading about pipdig” and includes an emotional plea regarding how distressing recent developments have been for his company. He claims that his team and their supporters are being harassed.

After pushing out the 4.8.0 version of the P3 plugin, removing some but not all of the offensive code, Clothier opts for a Q&A style format for his post, putting every question in the present tense:

Do you DDOS competitors?

Do you “kill” sites?

Do you have the ability to kill sites via the pipdig Power Pack?

Regarding the “kill switch” feature they built in, which detects all tables with the WordPress prefix and drops each of them, Clothier said it was simply a function to reset a site back to its default settings. He deliberately misrepresented what it does:

There was function in an older version of the plugin which could be used to reset a site back to the default settings. This function had no risk of of malicious or unintentional use. I can say categorically that there was no risk to your site if you were using a pipdig theme. This feature has been dug up and labelled a “Kill Switch” for maximum negative impact on us.

Clothier claims the function was available in the P3 plugin in July 2018 when a third party started posting Pipdig themes for sale on their own site:

A 3rd party was able to download all of our themes illegitimately and post them on a clone of our own site. This included previews of our themes and the ability to purchase them. We were first alerted to this by people which had purchased a pipdig theme from there, but were finding that certain features did not work correctly. After investigation, we found that the victim had purchased the theme from the 3rd party, thinking it was us. The 3rd party not only gained the financial benefit of the theme payment, but also used it as a way to inject malware and ads into the victim’s site. The reset function was put in place in order to remove the 3rd party’s ability to host preview sites with our themes. It worked, and they have since disappeared. The function was then removed in a later version of the plugin.

This is a false claim, as Wordfence pointed out in an updated article. The first instance of the code responsible for database deletion was committed to the plugin in November 2017.

The company failed to address the most critical concerns presented in the Wordfence analysis in its first pass at issuing a public statement. Instead, on the matter of coordinating a DDoS attack on competitors, Pipdig blames users and suggests they may have added the competitor’s URL to their sites.

“We’re now looking into why this function is returning this url,” Clothier said. “However, it seems to suggest that some of the ‘Author URLs’ have been set to ‘kotrynabassdesign.com’. We don’t currently know why this is the case, or whether the site owner has intentionally changed this.”

Further investigations published by Wordfence today showed that Pipdig also added DDoS code to its Blogger templates and was actively issuing malicious requests up until yesterday:

During the investigation of Pipdig’s WordPress plugin and themes, we also came across some curious code associated with their Blogger themes. This code is part of Pipdig’s suspected DDoS campaign against their competitor, and was active until April 1, four days after Pipdig’s denial of any such behavior.

Some of Pipdig’s Blogger themes have been confirmed to make external JavaScript calls to Pipdig’s server, specifically to the script hXXps://pipdigz[.]co[.]uk/js/zeplin1.js.

On March 31, as the investigations became public, Pipdig deleted its public Bitbucket repository and replaced it with a “clean one,” removing three years of commit history. Wordfence and many others cloned the repository before it was deleted and saved snapshots of pages to cite in the investigation.

Pipdig’s public statement contains a number of other false claims that are outlined in Wordfence’s followup piece with code examples. Clothier closes the article by casting aspersion on the press, presumably to encourage customers not to trust what they read from other sources.

I contacted Pipdig for their comment on recent events, but Clothier declined to answer any of my questions. One of those was why the plugin disables Bluehost’s caching plugin without informing customers.

Clothier said he didn’t have any comments beyond what he said in the public statement but encouraged anyone interested to read the new comments added to the code in version 4.9.0:

We’ve also updated version 4.9.0 of the plugin which includes extra commenting in the code, which will hopefully help clear things up like issues with Bluehost caching and the_content() filter.

If anyone is unsure, we recommend updating to the latest version as always. However we also contend that the previous versions had no serious issues too.

Pipdig declined to answer questions about licensing but the products do not appear to be GPL-licensed. This may be why the company deemed it within its rights to take action on those who they believe to have “stolen” their themes.

Pipdig Customers Share Mixed Reactions to Reports of Vendor Backdoors and DDoS Attacks

In what is perhaps one of the most brazen abuses I’ve ever seen from a theme company in WordPress’ history, Pipdig’s user base has unknowingly been used to target the company’s competitors. Regardless of the company’s motive in combatting the unauthorized distribution of their themes, these types of backdoors and undisclosed content rewrites are indefensible. They prey upon user trust and in this case the victims were primarily bloggers.

One of the more puzzling aspects of this story is that many of Pipdig’s users seem to be unfazed by the gravity of the findings in these reports. Without full knowledge of the inner workings of a product, many customers make decisions based on how they feel about a company, regardless of being confronted with facts that should cause them to question their experiences.

Others are angry to have had their sites used in an attack. Getting set up on a new theme is not a trivial task for non-technical users who may have had to pay a developer to launch their sites in the first place.

“My mind is absolutely blown by pipdig’s public response,” Jem Turner said. “I understand that they were counting on their users’ completely non-tech background to bamboozle them, and it certainly seemed to be working in the beginning, but anyone with even the slightest bit of coding knowledge can see that they are lying and I genuinely don’t understand how they think they’ll get away with it.”

This incident shines a spotlight on how unregulated the commercial plugin and theme ecosystem is and how little protection users have from companies that abuse their power. If you are a Pipdig customer affected by this incident, there is no assurance that the company will not build more backdoors into your site in the future. The plugin updates are not reviewed by any kind of authority. Fortunately, there are a few actions you can take to create a safer environment for your website.

First, look for GPL-licensed themes and plugins, because they grant you more freedoms as the user and are compatible with WordPress’ legal license. GPL-licensed products are also a strong indication that the authors respect user freedoms and the shared economic principles that this open source license supports.

Many reputable theme companies choose to host their products’ companion plugins on WordPress.org for ease of distribution and shipping updates. The official directory does not permit these kinds of shady coding practices described in this article and all of the plugins go through a security review by the WordPress Plugin Team. If you are concerned about code quality and the potential for abuse, do a little research on your next prospective commercial theme provider or opt for free WordPress.org-hosted themes and plugins that have undergone a more rigorous vetting process.


11 responses to “Pipdig Updates P3 Plugin after Reports Expose Vendor Backdoors, Built-in Kill Switch, and Malicious DDoS Code”

  1. Holy crap. This not only is highly informative, but highly good journalism. And I bet a district attorney somewhere can get a grand jury to bring down indictments against the company. The company certainly is liable for civil suits. If nothing else, the Federal Trade Commission should be notified.

  2. This incident shines a spotlight on how unregulated the commercial plugin and theme ecosystem is and how little protection users have from companies that abuse their power.

    You can just leave off “commercial” in that statement and it still holds 100% true.

    all of the plugins go through a security review by the WordPress Plugin Team.

    This only happens on initial submission, and it’s only a superficial review. This is why situations like the one that happened to the Display Widgets plugin are able to happen. And why new vulnerabilities are discovered every week in WordPress plugins.

    While it is easier for these types of things to go unnoticed in commercial plugins, this is an issue with the entirety of the WordPress plugin/theme ecosystem. And it’s something that is not going to get better until the community and WordPress leadership decide it is a priority and put resources into cleaning it up.

    • I appreciate the concern you are airing but I don’t see a clean solution to this. Once you start pulling at the thread, the whole of computing unravels.

      At the moment you have to give 30% of your profits to the gatekeepers of mobile app stores which covers, in part, them taking responsibility. Not all of it is cut and dry though and once a regulatory body is in between the users and the developers a lot of it comes down to opinion.

      Plus it’s at every level that this could be compromised. Web hosts in the past have done things that inject unwanted adverts or created security holes. Your web developer could be doing unsavoury stuff. The WordPress themes and plugins could be doing it. The libraries that they depend on could be doing it. A hacker could break in and do it.

      There is no guarantee of safety with this stuff.

      At the end of the day I think you are right that this does happen but as a % of the total things that are happening it is small and pushing everything through some single gatekeepers doesn’t seem like the way forward to me.

      This is a suitably rare occurrence that it is headlines everywhere at the moment.

      What you can do though is follow best practices, like having backups and security plugins. It’s insurance for your site.

      Also, we have laws against this type of stuff which will do what it can to deter most and punish the rest.

      I think if you want real safety go sign up for WordPress.com, Wix or Squarespace.

      There is a certain amount of risk in the real world.

    • Here is how the review that is supposed to be happening when plugins are initially submitted is described:

      At that point, someone will manually download and review your code. If we find no issues with the security, documentation, or presentation, your plugin will be approved.

      From what we have seen though it seems like there may not be any review, as among other issues, not only do we keep seeing vulnerabilities being included in the initial versions of plugins that should have been caught by even a superficial review, but in one recent instances where there was possibly a vulnerability, when we went to check further into that we found that plugin appeared to be fundamentally broken.

      We have offered to work with the team handling those reviews to improve the security review process, but so far they have shown no interest in that.

  3. The comment about disabling Bluehost caching still doesn’t make any sense.

    Disable Bluehost page cache since it does not refresh automatically.

    It also doesn’t explain why they have a meta box with the title “Is your host slowing you down?” that specifically targets Bluehost sites after they have disabled the edge caching at plugin activation.

  4. All things considered, the two things that stand out are masking competitor links and messing with Bluehost. That’s just something you don’t do, and there’s really no excuse for this.

    And it sucks to be Pipdig right now because this kind of heat is not something you can extinguish easily, if at all.

  5. If you can’t read code, it does not matter whether the theme is GPL or not, the license says nothing about the code, only that needs to be released publicly. Actually, it gives the code “as-is” and takes all responsibility out of the developer.

    The GPL license, says, literally, this:

    “This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.”

    That is horrible advice. The hard truth is that if you don’t know how to code, there is no other way around it than trusting your provider.

    Also, as far as I know, the official WordPress.org repository does not do periodic audits or code reviews (only one pretty superficial one on first upload), so the theme being there means absolutely nothing in terms of security (you can send a clean version and then push the dark code on an update, which can be applied even, in some cases, automatically to all the users). Don’t spread misinformation.


Subscribe Via Email

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

%d bloggers like this: