Making Sense of the Pipdig Drama

Making Sense of the Pipdig Drama

It’s been a busy few weeks in the blogging world.  Earlier this month, Pipdig – a small company that creates WordPress themes and offers hosting aimed at the blogging community – has been hit with multiple serious allegations.  In basic terms, it has been alleged that Pipdig’s code contains several instances of malicious content that could be truly harmful to its users.

A wealth of information has been created on the Pipdig problem since it was first discovered.  Many of the articles detailing the issues with Pipdig’s WordPress themes are extremely technical and rely on readers having an in-depth knowledge of coding.  Here, we’re aiming to provide a quick summary of what’s happened to help you make sense of the Pipdig drama as it has unfolded, along with some practical tips if you’re currently a Pipdig user.

Who Discovered The Problems With Pipdig?

First, it’s important to understand who it is that first discovered the problems and raised the allegations against Pipdig.  In particular, it’s important to note that these are not just rumors started by Pipdig’s competitors. As it turns out, it was a security company, Wordfence that first noticed an issue with some malicious content within Pipdig’s source code.  Wordfence specializes in WordPress security resources and plug-ins, and do not offer hosting or themes. As such, Wordfence is not a competitor of Pipdig and arguably have nothing to gain by reporting these problems.

During the investigations, Wordfence discovered that a developer and blogger by the name of Jem had also simultaneously raised concerns about Pipdig’s code, and was also looking further into the issues.  Wordfence has acknowledged Jem’s contributions, and it seems that both WordPress and Jem are in agreement about these concerning developments.

What Are The Allegations?

Without going into too much technical detail, the primary allegations against Pipdig are that the code includes malicious content with the following effects:

  • Causing the users’ sites to slow down competitors’ sites;
  • Potentially breaching GDPR by collecting hosting data on their users;
  • Disabling plug-ins on users’ sites;
  • Changing content on users’ sites;
  • Including code to delete a user’s site remotely at any time
  • Changing administrator passwords.

What Should I Do?

Currently, Pipdig users seem to be split into three distinct camps.  

First, there are those who recognize the genuinely real security issues raised by the allegations.  These users have been quick to cut all ties with Pipdig, including uninstalling any Pipdig themes and plug-ins they’re currently using and switching to a different host if necessary.

The second group is those who are displaying profound loyalty to Pipdig.  It must be acknowledged that Pipdig is well-regarded in the blogging community as having provided excellent customer service to their clients over the years.  Some of those clients who have previously received good customer service may now feel a sense of loyalty towards Pipdig, and a reluctance to abandon ship.

The Issue is a great alternative for Pipdig users.
The Issue is a great alternative for Pipdig users.

Finally, the third group of current Pipdig users are feeling confused and unsure about what this all means.  The reports by Wordfence and Jem are long, dry, code-heavy, and difficult to understand by people not well-versed in the relevant coding languages.  People in this group may understandably wonder how much truth there is to these allegations, and whether the security concerns raised will affect their site.

Ultimately, every user will need to make up their own mind about how to proceed.  If you decide to stay with Pipdig and see what happens next, it is absolutely essential that you update any Pipdig themes or plug-ins you’re currently running. Pipdig has made several changes since the allegations came to light and have released updated versions of their themes, which remove much (but not all) of the malicious content.  Next, ensure that your blog is completely backed up, ideally to DropBox or Google Drive to allow for an easy restore if necessary.

If you find the allegations against Pipdig to be as concerning as Wordfence claim, you may wish to move to new hosting and to install a new WordPress theme.  Our advice would be to act quickly, ensuring that all traces of Pipdig themes and plug-ins are completely removed from your site, and to choose a new theme from a reputable provider that mirrors the look and feel of your previous theme as much as possible.

We're part of the Asquared WordPress Agency. All rights reserved.