Pipdig – The Story So Far

This post was published 3 months ago. Some things may have changed since then - use the search function to see if anything has been posted since then, or reach out to us on Twitter if you'd like to see a more updated post!

On Friday evening, two blog posts appeared within a few hours of each other. One was written by a UK-based independent female WordPress developer, and one was written by a US-based male who works for Wordfence, a WordPress security provider.

They had both noticed code in a WordPress plugin created by Pipdig, a popular UK-based web developer, which was causing unexpected behaviour. Both Jem (Jemjabella) and Mikey (Wordfence) found that the plugin contained various pieces of code, some acting on the site itself and some calling back to Pipdig's own website. This plugin is called the Pipdig Power Pack (also known as P3) and ships with every Pipdig WordPress theme. P3 “includes our custom widgets and WordPress enhancements

Here’s a brief list of the issues that Jem and Mikey discovered:

  • The plugin contained code that used the site it was installed on to take part in a DDoS (Distributed Denial of Service) against a competitor of theirs, Kotryna Bass Design. (In very basic English, a DDoS is when lots and lots of requests hit one site at once, overwhelming it so that it slows down or stops responding. It should be noted that Kotryna had no knowledge of this and has nothing to do with it, other than being the target.)
  • It changed links to a different competitor so that they pointed back to Pipdig's site, with a particular phrase as the link text
  • It contained a “kill switch” which could completely wipe the user's website
  • It gathered data from the user's website and could use it, in part, to reset the user's admin account password
  • It could disable plugins and features of WordPress that Pipdig deemed unnecessary
  • If the site was hosted with a non-Pipdig host, the site could be slower than expected (see this tweet, which explains how the P3 plugin could disable the cache that BlueHost implements)
  • The code that did these things was hidden behind misleading names and descriptions, so even someone who could follow a brief glance at the code would be told that a given piece does something innocuous, such as fetching new icons for social profile links, and why wouldn't you believe that?

The issues listed above are covered in much more detail in Jem's and Wordfence's articles, so we would recommend going to read those.

Jemjabella: Security alert: pipdig insecure, DDoSing competitors

Wordfence: Peculiar PHP Present In Popular Pipdig Power Pack (P3) Plugin

Pipdig published a post originally entitled “Sad Times” (which some people have noted is a strange title for a business to be defending itself under) which went through the points raised in Jem’s post (oddly ignoring the Wordfence post), highlighted how many happy users they had and presented themselves as a small business under attack. The post claims that the features found in their code were there to prevent unauthorised use of their themes: last year someone was giving away a theme they had bought, which meant fewer people were buying it.

Jem wrote a follow up post at the weekend, entitled Pipdig: Your Questions Answered which also went through the Pipdig post. If the first two articles are a little techy for you, this may help to explain what the original points meant and what they do.

Pipdig released a new version of their plugin which appears to remove some of the code highlighted in those posts; however, Jem and Mikey have both looked at previous versions of the plugin and can see these pieces of code going back at least a year or so.

Yesterday (2nd April), Mikey published further discoveries on the Wordfence blog, entitled Pipdig Update: Dishonest Denials, Erased Evidence, and Ongoing Offenses. The article goes through the defence given by Pipdig and explains how the response does not match what the actual code does. It also notes that Pipdig have wiped their public BitBucket git repository, which is fairly suspicious behaviour: why would you delete the historical records of a product if the product is totally innocent? (A git repository is where developers store their code; it tracks every change made since the project was created, so wiping that history is an incredibly dubious act.)

The Wordfence article also goes through the history of the code that has been discussed, such as how Pipdig have had the ability to completely wipe users' websites since November 2017, and gives a timeline of how they conducted the investigation.

It’s a long read (yes, even longer than this article!) and if you’re not a coder then some of this will go over your head, but it is worth a read if you want to make sure you are listening to all sides of this situation.

The investigation then looks at the Blogger layouts. As we mentioned previously, it was believed that this situation only affected self-hosted WordPress sites that used the plugin, but the Blogger layouts also load the same JavaScript that fires requests at a competitor's site, contributing to the DDoS. This quote from the Wordfence post explains it more simply.

To clarify, every time a visitor reaches any site running a Blogger theme from Pipdig using this script, their browser would fire an additional request to their competitor’s site. This request hides where it came from, hits a literally randomized file on the competitor’s server, and does nothing with the data. This behavior is hidden not only from the visitors to these sites, but to the owners of these sites as well.

https://www.wordfence.com/blog/2019/04/pipdig-update-dishonest-denials-erased-evidence-and-ongoing-offenses/

There are sure to be further updates to this, so we’ll update this post with any new information. This story is ongoing, and is starting to be picked up and discussed by other, more technical sites such as The Register, Reddit and Hacker News (first post relating to Jem’s original article, second post relating to the new findings from Wordfence)         

Why have they done this?

Honestly, who knows. There are a few elements that may give us a clue into why they wrote this code:

  • Since Pipdig also sell hosting for WordPress users, they have an interest in your site being slower elsewhere. When you say to them “Hey, my site is really slow, what should I do?” they can say “Well, our hosting is super quick, move your blog over to us”.
  • The DDoS against Kotryna’s site would take one of their closest competitors down. Potential customers trying to reach her site may just give up, or think “She can’t even keep her own site up, I should look elsewhere”.
  • If you linked to blogerize.com, the plugin could change both the link and its wording (the text you used to link to that site) into a link back to the Pipdig site. As we all know from sponsored posts, companies like to have links with particular wording from many sites, as it increases their search rankings.

What does this mean?

This situation isn’t just unethical but potentially illegal. We are not lawyers, but we would be unsurprised to hear if there are further actions taken.

Does this affect me?

If you are currently using a Pipdig theme, it’s very likely this situation affects you. At first, it was believed that this only affected self-hosted WordPress users because the code was included in the P3 plugin, but the latest article from Wordfence shows that code causing some of the same issues has been inserted into the Blogger themes too.

What should I do?

First, back up your site (you can find our guides to backing up WordPress and Blogger – consider doing this on a more regular basis – you will never regret making too many backups!)

Next, find a new theme. There are many good themes for both Blogger and WordPress out there – even the basic free versions from the creators can look good with the right images, etc.

If you’re on WordPress and have the P3 plugin installed, disable this before installing any new themes. We have heard of users having problems uploading a new layout otherwise.

Install the WP Crontrol plugin and remove any cron jobs relating to Pipdig (these will start with p3). (The term cron refers to recurring scheduled tasks in software; on your site, cron can be used for anything from running a backup to checking for external information. It’s not a scary term in itself, but the P3 plugin was using cron jobs to carry out some of the tasks described above.)

Activate your new layout, check everything looks good and take a full back up again. (Did we mention back up your site? Seriously. BACK IT UP)

(Some of this information has been taken from this thread by Zoe Corkhill, who we have known for about 10 years, and trust her knowledge on this topic. If you are looking for someone to help you, we would recommend talking to her – you can find her web design site at zoecorkhill.co.uk)
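For anyone comfortable with a command line, the same clean-up steps can be scripted with WP-CLI rather than clicked through in WP Crontrol. The script below is an added example, not code from this post, from Zoe's thread or from Pipdig. It assumes WP-CLI is installed and is run from the WordPress root, that you take the plugin slug from `wp plugin list` yourself (the `pipdig-power-pack` slug in the comment is an assumption), and that the cron hooks really do begin with `p3`, which you should confirm with `wp cron event list` before deleting anything. The hook filter is a plain text function so it can be checked against a saved listing without touching a live site.

```shell
#!/bin/sh
# Added example (not from the original post): WP-CLI version of the
# clean-up steps above. Assumptions: WP-CLI is installed, this is run from
# the WordPress root, and the hook prefix "p3" is right for your site.
set -eu

# Filter the CSV produced by `wp cron event list --fields=hook --format=csv`
# down to the hook names that start with the given prefix. The first line
# of that output is the "hook" header, so it is skipped.
select_hooks_with_prefix() {
    awk -v p="$1" 'NR > 1 && index($0, p) == 1 { print }'
}

# Guard against an over-broad prefix: never delete WordPress core's own
# scheduled tasks, whatever the prefix happened to match.
is_core_hook() {
    case "$1" in
        wp_version_check|wp_update_plugins|wp_update_themes|wp_scheduled_delete|delete_expired_transients|wp_scheduled_auto_draft_delete|wp_privacy_delete_old_export_files|wp_site_health_scheduled_check|recovery_mode_clean_expired_keys)
            return 0 ;;
        *)
            return 1 ;;
    esac
}

# cleanup_site <plugin-slug> <hook-prefix> [<new-theme-slug>]
# e.g. cleanup_site pipdig-power-pack p3 twentynineteen
# (the plugin slug is an assumption; copy the real one from `wp plugin list`)
cleanup_site() {
    slug="$1"
    prefix="$2"
    new_theme="${3:-}"

    # Step 1: back up the database before touching anything.
    wp db export "backup-before-cleanup-$(date +%Y%m%d%H%M%S).sql"

    # Step 2: deactivate the plugin first so its code can no longer run
    # or re-schedule its own events while we remove them.
    wp plugin deactivate "$slug"

    # Step 3: delete every scheduled event whose hook starts with the prefix,
    # skipping core hooks as a safety net.
    wp cron event list --fields=hook --format=csv \
      | select_hooks_with_prefix "$prefix" \
      | sort -u \
      | while IFS= read -r hook; do
            if is_core_hook "$hook"; then
                echo "skipping core hook: $hook" >&2
                continue
            fi
            wp cron event delete "$hook"
        done

    # Step 4: switch to the new theme, if one was given.
    if [ -n "$new_theme" ]; then
        wp theme activate "$new_theme"
    fi

    # Step 5: show anything matching the prefix that is still scheduled
    # (should print nothing), then back up again.
    wp cron event list --fields=hook --format=csv | select_hooks_with_prefix "$prefix"
    wp db export "backup-after-cleanup-$(date +%Y%m%d%H%M%S).sql"
}
```

Deactivating the plugin before deleting its events matters: an active plugin can simply re-register its schedule on the next page load, which is why the steps above are in that order. The core-hook guard is there because a too-short prefix would otherwise let the loop delete WordPress's own update and clean-up tasks.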

Who should I believe?

When this story broke, many of the larger bloggers that have worked with Pipdig defended them and we are still seeing people defending Pipdig. However, we are also seeing many developers all looking at the code and coming to the same conclusions.

It’s up to you, of course, what you believe in, but if there are numerous experts all saying the same thing, then maybe that should be your guide.

Does this affect the other Pipdig plugins and products?

It’s unknown so far how far this goes, but you may want to deactivate any Pipdig plugins that are currently active.

Should I change my Pipdig theme?

Yes.

What other themes do you recommend?

We have various posts throughout the years giving links to good layouts (both free and paid, and for both WordPress and Blogger), but it is up to you to look into these before using them. If you have any recommendations, feel free to leave them in the comments! Another good place to look for themes is ThemeForest.

If you feel you have been affected, consider contacting the ICO (the UK Information Commissioner’s Office) and Action Fraud. The allegations made about the published code are incredibly serious.

It’s incredibly disappointing to learn of all these developments, as we have had good experiences with Pipdig, but that doesn’t mean they cannot be guilty of this. Pipdig layouts have been incredibly popular in the UK fashion, beauty and lifestyle blogosphere partly because you didn’t need to know any coding to have a beautiful blog, which makes it even more upsetting that users without much technical knowledge have been taken advantage of.

If you have any questions, please let us know and we’ll update the post for you.


Edit: Friday April 5. Many of you who used Pipdig’s hosting product have understandably been concerned about what these developments mean for your site. Self-hosting your own website can be quite costly, especially for those of you who blog as a hobby rather than to make money from it. Pipdig sent out an email on Thursday prematurely announcing that Kualo would be taking over the hosting of those websites, so Kualo released their statement today.

You can read the full statement from Kualo here, but here are the main points:

  • Kualo are an independent entity to Pipdig. They are totally separate companies and do not have any ownership in common. (If you want to check this, you can look up these companies at Companies House, where all UK registered companies details can be found.)
  • Kualo were the hosting provider that Pipdig were using to provide hosting services to their clients. This is something known as reseller hosting, and is a pretty normal way of providing hosting to a small group of clients. You can see the Kualo reseller hosting page here, if you are interested in what sort of thing this involves.
  • Kualo are taking on all of the people who had their sites hosted with Pipdig and will be providing hosting for them for 2 years for free. (Screenshot of relevant part of article can be found here). If you are already hosted by Pipdig, you don’t need to do anything, unless you want to move away from Kualo.
  • Kualo have been able to edit the files hosted by Pipdig that were causing some of the behaviour listed above, so those people who haven’t switched themes yet (both Blogger and WordPress) will no longer be helping to cause the DDoS attacks previously mentioned. (In basic terms, this means you don’t need to switch your theme immediately, but many users are still choosing to ditch the Pipdig themes because of their reputation.)
  • Kualo, like many others, recommend updating the P3 plugin to 4.9.0 if you do choose to keep your layout on WordPress; that version should no longer contain the code detailed above that can harm your website
  • Kualo are extending the free hosting offer to any affected Pipdig user, even if you weren’t hosted with them. (screenshot of relevant part of article can be found here)

Kualo did not have to do any of this, but we are really impressed with what they are doing to help out those affected by this. We haven’t come across them previously, but hearing from some of you who already use them, they seem like they’re a great host.

If you have any questions regarding the Kualo migration of services, they ask that you email them at pipdig-enquiries@kualo.com, use the live chat feature on their website or send them a tweet.


Notes: All links provided in this post are for informational purposes. We have no affiliation with any of the companies or individuals mentioned in this blog post. We have previously linked to both Kotryna Bass Design and Pipdig as places that you can buy layouts for your blogs, and have recommended Pipdig layouts in conversations more recently.

  • Alex

    That’s all well and good for exposing unethical and potentially illegal behaviour (feeling extremely disappointed with Phil & team), but what are people who have bought themes and hosting services in good faith and who are completely non tech savvy meant to do now? It’s not that easy to change themes overnight. We ended up using pipdig because of the services they provided and making things so easy. If I had a clue, I would have done it by myself in the first place. Not to mention I am a hobby blogger and don’t have cash knocking about to invest in a new theme. Any thoughts? Thanks!

    April 3, 2019 at 6:51 pm Reply
