About two months ago, a story started circulating that caught my attention. Pipdig, a commercial theme shop with templates for WordPress and Blogger, was accused of including obfuscated (hidden) code inside their Pipdig Power Pack (P3) plugin. This plugin was installed alongside every theme bought by a customer, and so was presumably active on all sites using Pipdig’s products. The purpose of this code was to essentially enroll the unsuspecting customer in a botnet with the intention to DDoS Pipdig’s competitors.
That last sentence alone includes quite a lot of technical jargon, and I’d like to avoid that in this post. If you’re a person who enjoys such detailed information, feel free to check out the WordFence post on the matter (WordFence plug: WordFence is a WordPress security shop that sells a variety of security-based products and offers some services; if you’re in need of some experts on WordPress security, they’re the company you should look at).
Unfortunately, I think some of the problem with the discussion around Pipdig is that it’s been too technical. In fact, if you look at some of the tweets from Pipdig customers in the aftermath, you may notice a complete lack of concern and understanding:
The issue here is that a software company used the ignorance and naiveté of its customers to inflict pain on its competition and that we (I use the term “we” here in the broadest sense of “we technical people on the web”) were unable to convey the scope of what Pipdig had done. These are hard conversations, no doubt, and ones that I’ve failed at many times.
At LexBlog, we take a pretty hard-line stance against third-party WordPress plugins and themes, and more than once I’ve been in a position to discuss the security implications of installing software that you don’t (or can’t reasonably) trust. It’s a fine line to walk, because we use a number of “industry standard” WordPress plugins like Yoast SEO, Contact Form 7, Query Monitor, and probably a few dozen or so more.
However, all of these plugins are installed on millions of sites, have an active community of users, known developers and companies behind them, and have had a spotlight on them for years. That is to say, yes, they expose us to risk, but given the benefits they provide to us and our customers, it’s an acceptable risk. We mitigate that risk through regular reviews and audits and a great technology partner in WP Engine that has its own firewalls and malware scans keeping us apprised of exploits, but it’s risk nonetheless.
So why don’t we just let everything through the door? Because you’ll never know when a theme or plugin is hijacking your site to use it as a link farm. You never know when you’ll encounter your own “Dependence Day” (as our own Scott Fennell wrote on A List Apart a few years ago). You never know who or what you can trust.
So what can you do as a site owner? As a publisher taking your first steps on the web?
In short, trust no one. Vet the partners you choose, from hosting to seemingly simple WordPress plugins or libraries of code. Be wary of things that are too good to be true, and know that none of your choices is a free lunch. At some point there will be a price to pay; you just have to make sure it’s one you can accept.