Pipdig WordPress Themes Security Threats – Update!
In the days since we published that report, Pipdig has taken a series of increasingly questionable steps in their attempts to mitigate the fallout of their actions. Their team has issued baseless accusations that facts have been fabricated, that collusion between their competitors had taken place, and that no wrongdoing of any sort had occurred.
These assertions stand in direct conflict with their actions. They’ve pulled down incriminating files from their sites, pushed undocumented updates to their plugins to remove additional malicious code, and have attempted to rewrite history by modifying dates of changelog entries. Then, perhaps most egregiously, Pipdig took down the Bitbucket repository containing a great deal of evidence of these actions. All of this had been done while an entire community of WordPress developers watched.
In today’s followup, we’ll use Pipdig’s official responses to recap their documented offenses. Then, we’ll discuss the timeline of events in the deployment and subsequent removal of Pipdig’s malicious code. After that, we’ll look at the evidence they’ve made efforts to destroy. Last, we’ll reveal new evidence that Pipdig’s suspected DDoS campaign against their competitor had still been active until April 1st, using Blogger themes.
Recap: Pipdig’s Words vs. Pipdig’s Code
April 4, 2019
In the uproar following the publication of their missteps, Pipdig released (and subsequently updated) a statement with the intent of dispelling the controversy. Unfortunately, instead of admitting fault and apologizing to their users, Pipdig leaned into a series of accusations and denials. Let’s take a look at the individual points of these responses, and why each fails to help Pipdig’s cause. We’ll avoid using code samples in this section, though the Timeline section that follows will contain code as evidence.
Unauthenticated WordPress Database Deletion
In our report, we explained how a cron (scheduled process) built into the P3 plugin was effectively asking Pipdig’s server every hour for permission to destroy the database of the site it’s running on. Pipdig hasn’t denied that the code existed, but has attempted to “rebrand” the behavior in a number of ways.