No doubt if you’ve been on Twitter over the past 7 days, you’ll have seen some of the news about pipdig. There’s been a lot of questions and confusion around this situation and I’ve been getting quite a lot of questions since I tweeted about it Tuesday evening.
I wasn’t planning on writing this post here on my blog. Actually I was sure that I wasn’t and honestly, I don’t like the idea of it being on my blog forever… but I was putting together an overview for my newsletter and it was getting WAY too long so I’ve decided to put it here after all.
I’m going to try break it down as simply as I can and I’ll continue to update over the coming days. I appreciate it’s lonnnngg! I wanted to cover all the main questions… Hopefully it will help!
Pipdig, a popular blog theme developer based in the UK, has been accused of inserting unethical, malicious and possibly illegal code into both their Blogger & WordPress themes and plugins.
What exactly does this code do?
In simple terms, the major things are the following:
- Your site has been used to bombard competitor’s servers.
- The code on your site has been getting a TXT file from the pipdig server. This file contained a link to a file on at least two competitor sites. Once this file was received, another request happened to get that linked file on the competitors site by pretending to be a user on a Windows computer. This happens hourly and is suspected to be an DDoS attack. A DDoS attack is purposely overloading the server to make the site go offline. They are illegal.
- Your site has been intentionally slowed down
- Another piece of code checks to see what web host provider you are with. If you’re with specific companies, the cache is disabled and your site slows down. You also receive a notification that if your site is slow you should try pipdig hosting.
- Your site is not secure
- They have the ability to control your blog like limit and remove displayed notifications, deactivate plugins, remotely access your admin, change links in your content and completely wipe your database (which holds all of the data from your site including your content).
How do we know this? Where’s the proof?
There are arguments about how this is just about tearing down the competition. Wordfence are a WordPress security company, who I have followed and trusted for years. They are well respected within the WordPress community and have nothing to gain from this.
Developer and blogger Jem was also investigating the pipdig code after a client asked for help with their slow website. She published an article on Friday also, and followed up by answering reader questions.
There are a number of web developers and security experts who have been looking into this and documenting everything. Popular developer news sites have also reported on this story, such as The Register and WP Tavern. The ICO are also looking into the GDPR issue in this situation. If you search “pipdig” on Twitter you’ll find a bunch of evidence. Here are some examples…
My opinion? To be honest, I have a personal/professional conflict with this. I have met two members of the pipdig team in the past and they were lovely. I find it difficult to believe that anyone would intentionally do this to clients. BUT I have taken a look at a pipdig theme and the p3 plugin myself and can confirm what’s being said online. As I said in my tweet, I am shocked and disappointed.
Have the pipdig team responded?
Yes, you can read their response here. Personally I feel that the response is unsatisfactory and avoids answering a lot of the more technical questions being asked. I know many people agree. They also contradict themselves with answers.
They deleted their public repository, which stores the themes and plugin code. It did show a history of plugin versions and changes being made in each version. A few developers managed to get a repo copy of it before it was removed and replaced by a clean version.
Pipdig also run a web hosting service. They act as a reseller for Kualo hosting to offer their clients hosting packages. On Thursday 4th of April pipdig sent an email to their hosting clients letting them know that they’ll be moved to Kualo, who have released a full statement here. They have said that will offer two years free hosting to affected hosting clients.
I’m so glad I’ve come across Kualo Hosting as I think they’ve handled this very well. They even disabled some of the code found in scripts in pipdig’s Blogger and WordPress themes that were sending requests to competitors.
Update April 20th – Some web hosts including GoDaddy and Pagely have started banning the pipdig plugin so you may notice some features on your blog not working correctly.
I’m on WordPress with a pipdig theme/plugin/hosting, what do I do?
WordPress bloggers should update their pipdig p3 plugin to version 4.9.0.
- Backup your database (very important) and blog content.
- Deactivate & delete the p3 plugin. Please make sure you do this step before changing themes, as it’s been reported that skipping this step will break your site.
- Install & activate an alternative theme. I discuss themes further below.
- My previous post explains how to install, update and change WordPress themes (with some theme recommendations)
- Delete your previous theme.
- Install wp crontrol plugin and check the list of crons. Remove any that reference pipdig or p3.
- Check your new theme and see what needs to be redesigned or tweaked. Remember to replace missing functionality such as your Cookie banner, disclaimers or disclosures, DISQUS comments and so on.
As mentioned, your hosting will be transferred to Kualo and remain the same. Though if you want you can use another hosting provider, most will help you to migrate your site. I list some recommendations in my Hosting 101 post.
I’m on Blogger with a pipdig theme, what do I do?
- Backup your content and theme using this tutorial. I’d recommend keeping a copy of your backed up theme on your computer in case you need to pull details from it for your new theme (like customised code, your Google analytics tracking ID, DISQUS comment code and so on)
- Remove any pipdig widgets (like the pipdig instagram widget for example)
- Replace with another theme using this tutorial
Where do I find a new theme for Blogger and WordPress? How do I know it’s safe?
When looking for a theme, ensure it has active support and is being regularly updated by the theme developer. You could also check on social media to see if they are active with replying to questions.
The best place to find a theme is the WordPress Theme Directory. All themes submitted to the official directory have to be reviewed and approved by WordPress developers and pass the set requirements. Though it is worth noting that this check is only done once, when the theme is initially submitted. So updates to the theme are not checked.
If you can’t find anything you like, try the premium theme market where you’ll pay for a license to access updates and support. Great examples of premium themes are:
- Genesis Framework (or a Genesis Child Theme) by StudioPress
- Divi Page Builder theme by Elegant Themes
- WooCommerce themes
- iThemes Builder
Related: How to install, update, find and change WordPress themes
You can also try Themeforest and Creative Market. As mentioned above, these places require approval before allowing you to sell products. Kotryna Bass Design also offers Blogger themes. I like the layouts on Blog Pixie, Heybi and Underline Designs.
How do I stay updated?
I’ll continue to update this post as information is released. The following Twitter users are very active and I recommend following them…
I still have questions…?
If you have any questions or need help with anything please do let me know and I will try advise as best I can or direct you to the best person or place for more information.