For the last 2 weeks my email inbox was full of people asking ‘I have used a pipdig theme, what should I do?’
On the 29th March 2019 Jem posted a blog post about security issues with the pipdig P3 plugin. Following this, WordFence (one of the biggest WordPress security plugins) followed with a post of their own.
WordFence then published a second post that updated the facts as they see them. I say ‘as they see them’ not to dismiss them at all, but in fact to add weight to all the issues.
Last weekend I attended WordCamp London, a 2-day conference dedicated to everything WordPress. One of the talks I attended was by Tim Nash from 34SP, all about WordPress security (you can see the whole presentation, ‘Come to the dark side, they have cookies’, here). He went through a few examples of how WordPress sites are hacked. It was fascinating and terrifying, but I was also reassured: although I can never tell a client their site is 100% safe, I also know the things to do to make it as close to that as possible.
Tim also talked about what had happened with pipdig, and the fact that the WordPress community has been shaken by it. Trust has been lost and it will take a lot of time to rebuild. People buy themes and plugins assuming they are ‘safe’ and will not harm their sites. Pipdig, by their actions (as documented by Jem and WordFence), have broken this trust.
For the details of what they have done, see here.
Last week, when clients contacted me asking what to do, I had read the initial WordFence post and Jem’s post, and gave the advice of ‘don’t do anything in a panic’, as that was more likely to break your site than anything pipdig could do at their end.
I wanted to find out more: what the potential impact could be from the P3 plugin, and what the future is.
Clients have not only paid money for the theme (which apparently pipdig won’t refund) but they have also paid money for their sites to be redesigned using it. Starting that process again was going to be time consuming and costly, so I wasn’t about to advise doing anything in haste.
After talking to Tim after his presentation and reading the second WordFence post, I now have no choice but to advise clients to move away from pipdig.
The company that pipdig used for their hosting has been offering people free hosting directly with them, again showing that they recognise the issues.
I can’t find anyone involved in WordPress who can offer an explanation for why pipdig could have done this that wasn’t malicious and intentional.
So trust is gone. They had the power to come into your site and delete everything. As a purchaser of a theme, you did not give them permission to do that.
So what next?
Start looking for a new theme. I fully appreciate this isn’t an easy thing. That was the joy of pipdig: their themes worked really well.
If you choose not to move away from them, then I would advise the following:
Make sure you do daily or weekly (depending on how often you update your site, get comments or make sales) off-site backups. Not just a copy stored on your hosted site, and not just the backups your host takes for you: keep a copy somewhere you control, away from the server.
Make sure you have updated the P3 plugin to the latest version, which has some of the issues removed.
Be aware of security on your site. Have WordFence installed as a minimum, go through its setup, and read the email notifications you get.
But I would still advise looking for a new theme: no one knows if pipdig will survive this. If they don’t, there will be no more updates to their themes, which means that in the future they may become incompatible with WordPress and other plugins.