The curious case of a WordPress plugin, a rival website spammed

A British web-dev outfit has denied allegations that it intentionally concealed code inside its WordPress plugins that, among other things, spammed a rival’s website with junk traffic.

Pipdig, which specializes in designing themes and templates for sites running the popular WordPress publishing system, was accused late last week of including code inside its plugins that fired duff requests to the dot-com of a competing maker of themes. It is also accused of slipping in code that allowed it to wipe its customers’ databases remotely, manipulate link URLs, change website admin passwords, and turn off other third-party plugins.

These plugins are installed server-side by web admins to enhance their WordPress installations. They consist of backend and frontend code that is executed as site visitors land on pages. Pipdig has denied any wrongdoing.

The accusations were made by Jem Turner, a web developer who questioned the purpose of several subroutines within the Pipdig Power Pack (P3), a set of plugins bundled with Pipdig’s themes.

“An unnamed client approached me this week complaining that her website, which was running a theme she’d purchased from a WordPress theme company, was behaving oddly. Amongst other things, it was getting slower for no apparent reason,” Turner claimed on Friday. “As speed is an important ranking factor for search engines (not to mention crucial for retaining traffic), I said I’d do a little digging. What I found surely blew me away; I’ve never seen anything like it.”

Turner claimed she’d observed that, amongst other things, Pipdig’s plugins fired off traffic to a stranger’s website: web servers hosting the P3 PHP code would automatically send HTTP GET requests to a rival’s website, kotrynabassdesign, thereby flooding it with connections from all over the globe, or so it was claimed.

The P3 tools also, it was alleged, manipulated links in customers’ pages to direct traffic away from certain websites, collected information from customer websites, could change admin passwords, disabled other plugins, and implemented a remotely activated kill-switch mechanism allowing Pipdig to drop all database tables on a customer’s website. Again, that aligns with an evaluation of the P3 source code.

At the same time, Wordfence, a security vendor focusing on services for WordPress websites, says it fielded a similar complaint about the P3 code from one of its customers and also found the same subroutines Turner described.

“The user, who wishes to remain anonymous, reached out to us with concerns that the plugin’s developer can grant themselves administrative access to sites using the plugin, or even delete affected sites’ database content remotely,” Wordfence explained. “We have confirmed that the plugin, Pipdig Power Pack (or P3), contains code which has been obfuscated with misleading variable names, function names, and comments in order to hide these capabilities.”
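
An added example, not from the article or from Pipdig, Wordfence or Turner: since names and comments in plugin code can mislead, this audit sketch ignores them and flags the WordPress API calls behind each capability alleged above. The PHP sample is constructed, and the capability labels and function names in it are this example's own assumptions.

```python
import re

# Capability -> WordPress/PHP call that implements it. Labels are this example's own.
SINKS = {
    "outbound_request": r"\b(wp_remote_(get|post|request)|wp_safe_remote_(get|post)|curl_exec)\s*\(",
    "db_destruction": r"\b(DROP|TRUNCATE)\s+TABLE\b",
    "password_change": r"\b(wp_set_password|wp_update_user)\s*\(",
    "plugin_disable": r"\bdeactivate_plugins\s*\(",
    "scheduled_task": r"\bwp_schedule_event\s*\(",
}

_TOKEN = re.compile(r"""
    ("(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*')   # string literal: keep (SQL lives here)
  | (/\*.*?\*/|//[^\n]*|\#[^\n]*)            # comment: blank out
""", re.S | re.X)

def strip_comments(php):
    """Blank out PHP comments but keep strings and newlines (line numbers survive)."""
    return _TOKEN.sub(
        lambda m: m.group(1) or re.sub(r"[^\n]", " ", m.group(2)), php)

def scan(php):
    """Return (line_number, capability) for every sink found outside comments."""
    findings = []
    for lineno, line in enumerate(strip_comments(php).splitlines(), 1):
        for capability, pattern in SINKS.items():
            if re.search(pattern, line, re.I):
                findings.append((lineno, capability))
    return findings

# Constructed sample: harmless-sounding names wrapped around sensitive calls.
SAMPLE = r'''<?php
// Check for theme updates
function example_update_check() {
    $r = wp_remote_get('https://updates.example.invalid/status.txt');
}
function example_cleanup_cache() {
    global $wpdb;
    $wpdb->query("DROP TABLE {$wpdb->prefix}example_cache");
}
// wp_set_password('x', 1);
deactivate_plugins(array('other-plugin/other.php'));
wp_schedule_event(time(), 'hourly', 'example_update_check');
'''

if __name__ == "__main__":
    for lineno, capability in scan(SAMPLE):
        print(f"line {lineno}: {capability}")
```

A hit is a prompt for manual review, not a verdict: legitimate plugins also make outbound requests and schedule hourly tasks.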

Don’t look at me; I didn’t do it.

The reports prompted a strong denial from Pipdig, which argued the claims were unfounded. In its response on Sunday, the Pipdig team denied its software deliberately lobbed web traffic at other websites. According to Pipdig, what was happening was that the P3 code would, once an hour, fetch the contents of…

Jessica J. Underwood