Exposing Malicious Code from UK WordPress Theme Provider
Uncovering the Pipdig plugin problems
Earlier this year, a WordPress client came to me with concerns about their site speed. They were using a theme from UK-based provider Pipdig, and they were experiencing some odd behaviour on their site. I agreed to look into it further, and soon discovered some shockingly nefarious code at play.
Pipdig themes were bundled with a “Power Pack” plugin, which was estimated to be present on 10,000-15,000 websites, and my research found that this plugin contained a variety of suspicious features.
Hidden within the Pipdig Power Pack (P3) plugin was a function allowing Pipdig to change user passwords, a site “kill switch” that could be activated remotely, and downright malicious code that utilises users’ servers to perform DDoS attacks on a direct competitor. Other functions of the P3 plugin included the ability to manipulate website content so that links to competing services were redirected to the Pipdig site, disabling other WordPress plugins without permission, and harvesting data in contravention of GDPR.
And it wasn’t just me: leading WordPress security experts Wordfence coincidentally published the results of their independent research into the Pipdig Power Pack plugin the very same day.
I sat down with Mark Maunder from Wordfence at WordCamp Europe to discuss our findings for their podcast which you can watch below.
My research was also covered by prominent tech publications including WP Tavern and The Register, drawing light to the severity of the situation.
Protecting those affected
Worryingly, the vast majority of Pipdig customers were bloggers, many of whom did not possess the technical knowledge to understand the consequences of the P3 plugin or to fix the issues themselves. Pipdig’s handling of the situation was lacking, leaving their concerned customers in the dark as to how best to protect their sites.
I worked closely with numerous bloggers to ensure their WordPress sites were safe, secure, and most importantly, no longer infected with this malicious code that could be used to actively carry out illegal activity.
Want to talk about testing the security of your WordPress website, or hack recovery services? Get in touch or find out more about my WordPress security services.