“Lurking” Under the WordPress Hood: A Wolf in Sheep’s Clothing
On 29 March, the folks at WordFence, the renowned security experts behind the plugin of the same name, uncovered a serious security risk in the Pipdig Power Pack (P3) plugin (see the link).
In a follow-up article yesterday, WordFence announced:
“The plugin, which is installed alongside WordPress themes sold by Pipdig, was found to contain a number of suspicious or malicious features. Among these features were a remote “killswitch” Pipdig could use to destroy sites, an obfuscated function used to change users’ passwords, and code which generated hourly requests with the apparent intent of DDoSing a competitor’s site.”
Pipdig has denied any malicious intent and insists that the bad code was only in older versions, or alternatively that they were the victim of a phishing-type scheme (see the link to their response). They maintain that all is well if people simply update their themes and plugins to the latest versions. WordFence countered Pipdig’s assertions issue by issue in their second blog post, published yesterday, 1 April 2019 (see the link to their response).
Pipdig themes are incredibly popular and, visually, quite lovely. This is a big, profitable business. They have a collection of about 28 themes that range from $59 to $69 per license, and they
Is there any reason a theme or plugin developer would need administrative access to a website?
The answer is a qualified yes.
There is NO ethical reason that any plugin or theme developer requires functions that enable surreptitious backend access to websites or the ability to literally destroy a website or alter a database unbeknownst to the site owner.
For the qualified yes: Sullivan Solutions often engages the assistance of reputable theme and plugin developers by providing temporary, short-term administrative credentials when we encounter a problem that requires legitimate support. Especially with premium plugins or themes, it is incumbent on the original developer to provide support and fix problems. We often choose a premium tool over a freebie with the same functionality as insurance that we’ll have support available; it’s a type of insurance policy for our clients after they’ve made a significant business investment. So, resolving a conflict with another plugin justifies giving the developer access so they can analyze the problem in situ. Once the fix is confirmed, that credential is either deleted or its password is changed. However, for any developer to have a secret “back door” enabled is a blatantly unethical and intolerable practice.
It’s important that anyone with a WordPress website is made aware of this serious issue and takes a look to see what is installed under the hood on their website.
Fortunately for all Sullivan Solutions client websites, we have no installations of the P3 plugin or any Pipdig themes. This is one of those instances where it’s appropriate for non-technical people to spread the word to anyone they know with a WordPress website. In addition to keeping a website well maintained, it is also important to know what you have installed besides WordPress core, and to work with a trusted maintenance partner who keeps abreast of security protocols and best practices, so that a site not only performs well on the front end but is also secure and safe on the back end from hidden threats.
“Help! I don’t know what theme or plugins are installed, do I have a Pipdig theme?”
Two things you can do:
- Know what you’re doing in WordPress? Go to Appearance | Themes and look at the name of the active theme. You should see a thumbnail image, and the name and developer of the theme are usually pretty prominent. Not sure yet? Then go to the Pipdig website to examine the list of their themes and check it against yours.
- Not that comfortable with your WordPress Dashboard? Either reach out to the person who is, or contact us here at Sullivan Solutions. We’d love to sit down and talk.
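For anyone with shell access to their web server, the same check can be done without the Dashboard. The script below is an added example (not code from the original post, Sullivan Solutions, WordFence or Pipdig): it reads the header comments that WordPress itself uses to identify themes (style.css) and plugins (the main .php file) and reports any whose name or author mentions Pipdig, so it also covers the P3 plugin, which the Dashboard steps above do not mention. The sample wp-content tree it builds for demonstration is constructed; the directory and theme names in it are made up, not Pipdig’s real slugs.

```bash
#!/usr/bin/env bash
# Inventory check: scan a WordPress wp-content directory for themes or plugins
# whose header metadata mentions Pipdig. WordPress reads a theme's metadata from
# the comment block at the top of style.css and a plugin's from the comment
# block at the top of its main .php file, so those headers are what we grep.
# Output: one line per hit, "<type> <directory> <matching header line>".
# Exit status: 0 if at least one hit, 1 if none.
find_pipdig_components() {
  local wp_content="$1" found=1 d match
  local theme_re='^[[:space:]]*\*?[[:space:]]*(Theme Name|Author|Author URI|Template)[[:space:]]*:.*[Pp]ipdig'
  local plugin_re='^[[:space:]]*\*?[[:space:]]*(Plugin Name|Plugin URI|Author|Author URI)[[:space:]]*:.*[Pp]ipdig'
  # Themes (also catches child themes whose "Template:" points at a Pipdig parent)
  for d in "$wp_content"/themes/*/; do
    [ -f "$d/style.css" ] || continue
    if match=$(grep -m1 -E "$theme_re" "$d/style.css"); then
      printf 'theme %s %s\n' "$(basename "$d")" "$match"
      found=0
    fi
  done
  # Plugins: check every top-level .php file in each plugin directory
  for d in "$wp_content"/plugins/*/; do
    [ -d "$d" ] || continue
    if match=$(cat "$d"*.php 2>/dev/null | grep -m1 -E "$plugin_re"); then
      printf 'plugin %s %s\n' "$(basename "$d")" "$match"
      found=0
    fi
  done
  return "$found"
}

# Build a constructed wp-content tree for demonstration only; the directory,
# theme and plugin file names here are made up, not Pipdig's real slugs.
make_sample_wp_content() {
  local root="$1"
  mkdir -p "$root/themes/twentynineteen" "$root/themes/blog-theme" \
           "$root/plugins/pipdig-power-pack" "$root/plugins/akismet"
  printf '/*\nTheme Name: Twenty Nineteen\nAuthor: the WordPress team\n*/\n' \
    > "$root/themes/twentynineteen/style.css"
  printf '/*\nTheme Name: Blog Theme\nAuthor: pipdig\n*/\n' \
    > "$root/themes/blog-theme/style.css"
  printf '<?php\n/*\nPlugin Name: Pipdig Power Pack\nVersion: 0.0.0\n*/\n' \
    > "$root/plugins/pipdig-power-pack/pipdig-power-pack.php"
  printf '<?php\n/*\nPlugin Name: Akismet Anti-Spam\nAuthor: Automattic\n*/\n' \
    > "$root/plugins/akismet/akismet.php"
}

# Demo on the constructed tree; on a real site pass the path to wp-content instead.
demo_root=$(mktemp -d) && make_sample_wp_content "$demo_root"
find_pipdig_components "$demo_root"; rm -rf "$demo_root"
```

On a real site, run `find_pipdig_components /path/to/wp-content`; a silent run with exit status 1 means nothing in the headers mentions Pipdig.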
At the end of the day, Pipdig is the literal “Wolf in Sheep’s Clothing”.