pipdig; dodgy WordPress developer caught out

If you develop themes, plugins, websites for paying customers there is obviously a strong notion that you don’t have malicious intent, that your code does what it’s described as doing and only that.

However pipdig sees it another way from packaging code to: change passwords on their clients websites, performing a DDoS attacks on a competitor, delete your database and changing words/links to benefit their SEO and sales. source 1, source 2

It’s a sin and a bad one.

Essentially pipdig used the trust of their customers to build in back doors and do things they shouldnt nor be known doing. You can’t defend that and any excuse will be seen through.

Pipdig were quick to release a “patch” when notified of the nasty code which obviously removed all the nasty bits of code.


The tweet that perfectly sums up the aftermath is this from @heyitsmikeyv

pipdig really took advantage of their customers, the evidence in the malicious code is there for all to see. Some can understand it others just see it as code. Packaged code does not lie.

Poor damage control

The pipdig response post glosses over the fact they were caught out, they try to spin it for something that the non technical, dev people who are their clients would believe. Despite the hard evidence in the code being very prevalent.

There genuinely seems to be a lot of delusion and mistrust for pipdig

pipdig bad code

Thats why the tweet above hits the spot. People who know PHP say its bad…..its bad. Dont trust the people who put a backdoor into the code you buy.

Sometimes when there is hard facts, evidence and those in the know stating your actions were dodgy and malicious you best not to further spin out of it with misinformation.