Hacker News new | past | comments | ask | show | jobs | submit login
WordPress theme provider Pipdig using customer sites to DDoS competitors (jemjabella.co.uk)
325 points by JamieF1 55 days ago | hide | past | web | favorite | 81 comments

> Another one from the @pipdig plugin. If you use one of their themes on @bluehost then they intentionally slow your website down by disabling the BlueHost cache plugin, then they can inject content with the title "Is your host slowing you down?"


pipdig is a goldmine.

On a tangent, let's talk BlueHost.

While the call to host switch is malicious, almost every developer in WordPress world will agree BlueHost, and their parent company with all their 50+ hosting companies, are utter garbage. The only reason they exist is because they have hired an army of bloggers and pay them affiliate income of $65 / signup.

As far as disabling Endurance Cache goes, it is completely legitimate. It's a plugin forced upon BlueHost users, without being told so, and is a "must-use" plugin that most users will never check (and can't be completely disabled from WordPress admin).

Wait... so if I write a WP plugin, I'm entitled to disable other plugins I don't like when people install mine? Of course not. That endurance cache is not the only one, there's a list of "plugins we disagree with" which are disabled:


As for hosting providers: GoDaddy, BlueHost, etc - yes, they're all bad. But that doesn't justify moves like these.

Serious question though, on the technical part: WP needs an advanced-cache.php file, which needs to be in wp-content in order for the cache to work; this will list as dropin. Are you sure the endurance cache is MU and not dropin? (Genuine question).

Which is why I stated it's a tangent about BlueHost and I definitely don't agree with disabling other plugins.

However, I believe it's perfectly valid to disable a forced plugin. If a host forced enabled an almost hidden plugin, without user consent [1], then it's no more evil to undo the evil for the good of users.

As for drop-in vs mu, every other cache plugin itself stays a normal plugin so it's not a technical limitation. That's beside the point though, the plugin is force enabled without user consent.

[1] https://github.com/bluehost/endurance-page-cache/issues/4#is...

Well... the thing with a hosted service is the host needs to protect their arses as well, and WP resource abuse can get fascinating - a mandatory cache plugin is not _that_ bad. It's not The Right Way, but shipping WP without enabled cache or a full page cache isn't either.

I actually understand this perspective, having hosted wordpress sites and having written wordpress cache plugin myself.

I'm curious which host you'd recommend. I want a good host for making websites. Not sure if I need to be a reseller or just use their shared hosting. I'm hoping to create lots of static websites for different small businesses, and then cheaply host them. Considering Namecheap, DreamHost, and BlueHost, but I'm also hoping there's one that allows nudity (not porn, just artistic nudity). Or if there's a host that allows any content, that's a plus.

I've been trying to find non-Amazon or non-Google hosting options, wanting to spend my money elsewhere. Is this a waste of time or effort? I imagine that cloud hosting with Google would be less restrictive, though more complicated to setup.

Thanks for any ideas

NearlyFreeSpeech.NET has strong free-speech policies. But they do expect you to be technically competent. If you're not comfortable with the command line and wp-cli (if you're using WordPress), you probably won't be happy with them.

If you checked them out years ago, they've since added support for custom HTTP servers. It's not as flexible as a VPS, but they're no longer limited to static files, PHP, or CGI. You can now run Django, Ruby-on-Rails, etc.

A developer at Pipdig wrote these lines of code and shipped it, I wonder how they felt.

    foreach ($tables as $table) {
        $wpdb->query("DROP TABLE $table");

Feels right to remind people to keep backups :P

While I don't disagree that this is horrible, perhaps the $tables array is hardcoded array.

  global $wpdb;
  $prefix = str_replace('_', '\_', $wpdb->prefix);
  $tables = $wpdb->get_col("SHOW TABLES LIKE '{$prefix}%'");
  foreach ($tables as $table) {
   $wpdb->query("DROP TABLE $table");
Essentially for those who aren't familiar with WordPress databases - this drops all tables relating to the WordPress install

It is not, you can check the post for the full context.

Or, better still, an Archive.org snapshot of the commit that added this very code: https://web.archive.org/web/20190331195338/bitbucket.org/pip...

(As a resident geek, I was asked to look into this by a friend)

For good measure, the commit seems to be removed from the original repo.

It's pretty much the same as if it was hardcoded, it drops all tables that have a name starting with the WP prefix. It's extremely ugly, but it's not unsafe (if your plan is removing all WP related tables from the DB).

And this just illustrates the horror that is the proprietary market place of WordPress plugins. It is annoying because this results in incentives to take away freedom from users and require payment for proprietary code in the guise of a free software project. To expand Word Press functionality beyond the core functions you have to wade through a minefield of freemium plugins that have all been slightly broken to encourage you to shell out money to someone for code you won't have any freedom with and the worst of it possibly demonstrated by code like this. I have built some sites with WordPress but I have always felt stifled by the way the plugins and themes are distributed. On the other hand I understand people like being able to charge money and create businesses from the code they right which can be more challenging if you actually write free as in libre software vs. attempting to extract money from every potential user.

For my personal site, I've left WP behind about 3 years ago. I had to go back last month, trying to build something instead of a Wix site for a school, and the experience was terrifying: after adding one of the events plugin, within 5 minutes I started getting spam registration. All plugins have ugly admin interface "extras" and are very pushy to buy them.

The WordPress of 2007, which I loved very much, has nothing to do with this monster of 2019.

I share a similar sentiment. Since about 2-3 years ago, most WordPress plugins are marketed bloatware that messes up the entire dashboard UI. And don't get me started on plugins that don't let you close their notifications unless you do "some thing".

It really is a shame, because frankly speaking - most of these plugins are utter trash anyway.

I've tried out a massive amount of gutenberg block plugins; whichever added a new line in the admin menu instead of adding it into a submenu of settings, deserves immediate deletion.

On the plus side, you can see the code and turn those off. So if you think of the plugins as a starting point it's not so bad.

You get what you pay for with Wordpress plugins. There are some great free ones that are mainained.

Then you get ones that can't survive minor wordpress upgrades, or are full of security holes.

The worst is when you have a highly motivated person who throws a ton of them together to buid a website, and then it languishes and becomes out of date, and any upgrading you do will start culling plugins from their baby.

> And this just illustrates the horror that is the proprietary market place of WordPress plugins.

Same stories emanate from the Google Play marketplace, and to a lesser extent the highly curated Apple app store marketplace. How is WordPress any different?

> you have to wade through a minefield of freemium plugins

Just like every other app store.

> for code you won't have any freedom with

Unlike smartphone apps, or apps for my PC I can and do inspect the source code of any WordPress plugin or theme.

> I have built some sites with WordPress but I have always felt stifled by the way the plugins and themes are distributed

I'd feel the same way about platforms I've only been exposed to a few times as well.

Here's a second writeup, which also contains a response from pipdig: https://www.wordfence.com/blog/2019/03/peculiar-php-present-...

Thanks. My crew put this write-up together. We're here if you have any questions. Jem and us published almost at the same time although I think we beat her by an hour or so. We're in contact. Funny coincidence we were working on the same story at the same time.

This has blown up on Twitter. Our team has stayed out of the online debate mostly other than answering questions. We're trying to just focus on the data here.

They took their public repo offline, but we mirrored it before they did that. It contradicts some claims they're making re timing. We're publishing a timeline tomorrow and are recording our weekly podcast tonight instead of tomorrow as per normal because of this insanity. We'll break it down on the show.

I guess what really jumps out at me here is how they're trying to gaslight the thing.

I'd also like to add that the DDoS functionality isn't what really jumped out at me. It was the ability to reset your site's admin password remotely using a hard-coded password that anyone can read. And then there is also the ability to drop all your tables.

When we contacted them before publishing via email, they explained that someone had been pirating their software so this was a countermeasure. (quote is in the Wordfence post above) I guess the idea was that they would destroy sites using pirated licenses. Then they backpedalled that later on after this went viral.

> I guess the idea was that they would destroy sites using pirated licenses.

Isn't it GPL?

Depends who you ask. Also some sites use a SaaS model with API key for back-end access. They claimed license keys were stolen. “Last year we had some serious problems after someone obtained a huge list of license keys and downloaded all of our products. The keys and files were then distributed on their file sharing site, which has since been taken down (not by us, ironically!). The drop tables function was put in place to try to stop this at the time.”

Jesus christ, that page is 50% ads for "Wordfence" with a static header and footer.

Yeah, it's pretty annoying. The Chrome extension "eKill" is a godsend. It makes websites like Medium readable.


I am just amazed, provided I am reading this right, that anyone can simply with a bit of code overwrite any user password on the site.

you would think there would different levels of user accounts and perhaps two level authentication for any change regardless of how it is invoked

There are user levels. But if you can execute code on the site ... any site, what difference does that make?

Did they seriously have the audacity to deny all this after all those code examples were shown?

Edit: Wow, peoples' responses on Twitter are even more delusional. Wtf?

> Wow, peoples' responses on Twitter are even more delusional. Wtf?

I find this so baffling. It's like being shown the bodies of a serial killer's victims, and publicly stating "oh, but he never murdered me, so why are you all complaining?"

They surely do not understand they are looking at bodies. They're seeing a bunch of nerd speak about "DDoS" and "dropping database tables" and their eyes glazed over. But they understand their site looks pretty...

A percentage of the population treats something like this as a personal attack. I have Atari/Sega/Chevy thus Commodore/Nintendo/Ford sucks. I use it, why are you saying those things about X, are you calling me stupid? etc.


If I'm reading this correctly, they're essentially admitting to some of the malicious features described by the researcher, but claiming that they were included for support purposes, or as a way of sabotaging sites using pirated versions of their plugin.

1. Including features which can remotely grant unauthorized access or cause damage to a user's web site is inappropriate under any circumstances. Even if they're your customers, or if they aren't your customers, or whatever. You don't do that.

2. Pipdig hasn't come up with any sensible explanation for why their license checks were pointed at a competitor's web site. It's not even clear why the license check would be architected in a way that allowed for this.

3. Altering user's site content to change links from Blogerize to Pipdig is beyond the pale. Pipdig's explanation of this feature is incoherent; it isn't even consistent with the behavior of the code presented.

4. Obfuscating the code surrounding all of these questionable bits of functionality stinks of wrongdoing. It's understandable for a license check to be a little obfuscated, perhaps, but there's no reason why a remote administration feature should be (even if it had any reason for existing).

We're just a poor small company... that is acts maliciously against our competitors using our code we sell to clients who have no idea! we're sorry we got caught and it's hard to explain why this isn't bad.

Oh and they deleted repos apparently, gotta hide the evidence

Re #2, it's clear from reading the code that the function has absolutely nothing to do with a licensing check anyway.


"But all my customers love and trust me!" == "I'm just an above-average con man."

"But I was just doing this to support them without bothering them!" == "I'm clearly not ready to take responsibility and fess up to anything because I thought my deceptively named functions would fool everybody (and still do)."

"But my girlfriend and I love cat memes!" == "Please, for the love of god, can we forget about all this and talk about cat memes instead?" [I honestly have no clue what he was trying to get at in the first six paragraphs...]

It sounds like they got a little overaggressive fighting with the company that had hijacked their themes and were selling them last year.

They were probably obfuscating those functions to hide them from the people selling their themes. Sounds like they were also disabling this plugin as well.

But they definitely went about things the wrong way, including functions like that and obfuscating them is definitely not the right way to do things.

I think a simple, we're sorry we had included these functions in this manner to combat the company stealing our themes last year. We understand this was wrong and a fresh clean version of the plugin will be out this week.

We will do things the right way from now on, you can trust us and we welcome audits of all our code.

> It sounds like they got a little overaggressive fighting with the company that had hijacked their themes and were selling them last year.

Some of this might be explainable in this fashion, but not all.


> Firstly, the plugin includes a content filter that automatically replaces references to Blogerize, a service which claims to be a beginner’s blogging course, with references to Pipdig’s own services.

It sounds like that might have been the place that stole it?

Doesn't matter. A WordPress plugin/theme developer has no business altering the content of sites using their software.

I don't know anything about WordPress, but isn't a plugin supposed to alter the content of the site using their software? If it didn't, why use it?

Not changing content linking to a competitor's services into one linking to author of the plugin's without the user's knowledge.

Generally speaking, most WordPress plugins alter the presentation or functionality of a site, not its content. There's some exceptions, like search-and-replace [1], but even in those cases the functionality is made obvious to the user.

[1]: https://wordpress.org/plugins/search-and-replace/

Saw this on Twitter:

> Phil you need to stop with the lies. Not only do you outright lie about having the ability to kill sites with your plugin, you state that this was implemented in response to a security breach you experienced in July 2018. The code was implemented in November 2017.


Unfortunately, pipdig wiped and recreated the repo an hour ago, so that history is no longer available there at least.

y, even having this in their plugin wasn't the right way to do things. And if the timing isn't lining up that starts poking holes in their response.

I was just trying to give them the benefit of the doubt if this was done to try to combat piracy.

With GPL some piracy is expected though, and this isn't the right way to combat it.

WordPress plugins and development is still the Wild Wild West.

Most developers are good but they are some Black/Gray Hats out there for sure.

A pretty sad attempt at turning themselves into the victims, by my reading.

They seem to be getting some support on Twitter: https://twitter.com/pipdig/status/1112310062956064768

It's easy enough these days to blame things on journalists and "fake news".

Agreed, it's a pathetic response that avoids addrssing the obviously malicious behavior. At best it shows incredibly awful development practices.

I am sorry, that we got caught.

It looks like the company involved is based in the U.K. and also seems likely this software and their usage of it is a violation of the Computer Misuse Act.

One of their competitors should consider filing a complaint with the relevant authorities, so this gets formally investigated.

Yes, absolutely. The responses so far have been too tepid; DDOSing competitors, adding a database-dropping kill switch, disabling other software, and adding an admin login backdoor are all separate criminal offenses. The developer responsible should not just be blacklisted, he should be in prison.

I would be interested to hear from CloudFlare as to whether there is any possibility of confirming that the URL "https://pipdigz.co.uk/p3/id39dqm3c0_license_h.txt" - fetched by the "license check" code - did at some point return the text "https://kotrynabassdesign.com/wp-admin/admin-ajax.php". I suspect this will be difficult, or impossible, to verify (I'm not a security expert) and the "license check" code in and of itself (while extremely fishy) only betrays the potential of a DDoS and is not a smoking gun.

Hopefully not. Cloudflare has no business in law enforcement or legal investigations. If they are trustworthy, this will not know about the contents of sites in the past.

Agreed. Separation of concerns and all that.

archive.org version: https://web.archive.org/web/20190401005430/https://www.jemja...

And original link: https://web.archive.org/web/20190401004514/https://www.jemja...

I'm getting errors when using a VPN:

> The firewall on this server is blocking your connection.

These guys put all this evil into their code (PHP no less so easily readable by anyone) and it took this long for them to get caught?

Further, they peddled this into who knows how many themes they sold and never thought they'd get caught?

tons of wordpress themes and plugin are complete crap - even popular stuff. nobody reads the code or knows how to read it. it makes claiming bug bounties on wordpress sites easy.


"Extend your WordPress experience with 54,886 plugins."

And those are only the ones on wp.org itself; the "premium" themes are in the tens thousands as well. It's not simple to catch these.

What options are left if you need a simple website builder that's not

a) Wordpress, which is a swamp filled with mines in the form of plugins b) Wix, which forces hosting and bad HTML on you

Basically I want a Wordpress-like frontend + the rich template ecosystem and for it to spit out static HTML files.

There are many solutions out there that can generate static sites from a WordPress installation. For example, you can use gatsby.js to generate a static site using WordPress as data source.

Just to clarify for myself, this person asked for alternatives that are not WordPress and Wix and you're recommendation is to use WordPress?

My point if if you want wordpress ecosystem but don't want the associated risk, there are many ways to generate static websites from a wordpress installation. You can run wordpress locally in your local development computer and only host the generated static html in your server/hosting provider.

Not a web developer, but Grav CMS is pretty neat.

I'm a little late on the wagon here but someone seems to have made a recent backup of the code on Github: https://github.com/longwave/p3

That is me, I found a Dropbox link containing the repo on Twitter and thought it might be a good idea to preserve it.

Well thanks Sir! It seems they've lost their copy of the code history so it's a good job you made a nice backup of it for them.

The more I read the more it sounds like an April fools joke.


Their reply is an exercise in basic obfuscation and dissembling. Instead of explaining the specific 'features' of their code, their response is in a question-and-answer format. They chose the questions, and they are sufficiently broad and otherwise carefully chosen so that they can avoid being specific about what, exactly, they were up to. Some obvious follow-up questions to their initial answers are conspicuously absent.

I've got enough technical knowledge (I was a co-creator of the Tarski WP theme available on WordPress.com for several years) to know that this doesn't have two sides: https://twitter.com/nickstadb/status/1112479746972151808

pmlnr 54 days ago [flagged]

Being able to drop someone else's full site contents is not something anyone should get away with under any circumstance.

The want to prevent pirated theme - reset the theme to twentysexteen; block frontend access; overlay frontend with notification, etc - so many options. Deleting data? That is not one of them.

I won't even get into the deliberate other plugins disabling with comments like "sorry not sorry", including cache plugins to advertise their own hosting.

Conclusion: nasty, lying bag of s*.


I did. It's factually inaccurate.

> There was function in an older version of the plugin which could be used to reset a site back to the default settings. This function had no risk of of malicious or unintentional use.

> The portrayal of this feature is not based on reality. There is a function in the plugin which can be used to clear database tables, much like a backup or standard reset plugin. To confirm, we do not have the ability to “kill” a site, nor would we ever, ever want to do that! The function is in place to reset a site back to defaults, however it is only activated after being in touch with the site owner.

It dropped all wordpress tables. This is not a reset. There's also no reason to only have PipDig able to do this via their server, vs. an option in the configuration.

They also don't address the password reset functionality.

At best, these people are incompetent and don't realize the power their code wields. At worst, they're just backpedaling and trying to mitigate damage. (I especially like their attempt to humanize themselves by saying they're just four people who like cat memes.)

Not just inaccurate, but heavily misleading as well.

"Older version", for example, is only true because they pushed a new version after getting caught that stripped out the nasty code.

Definitely. That they're trying to position this as an oversight is frankly disgusting. That code was intentional.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact