Gather ’round ladies – it’s storytime! I wanted to share a little blogger tea that is currently happening in my industry with a web design company, Pipdig. I talked about this briefly on Instagram and got quite a few requests for a blog post. The Pipdig theme scandal first got my attention because my blog design theme is by Pipdig. For my fellow bloggers who also have Pipdig, keep reading so you can figure out what is going on and the next best steps for your blog. I also have a great list of additional design resources.
WHAT IS PIPDIG??
Pipdig is a UK web design company that creates different theme designs for WordPress websites and blogs. My design template for Whit Wanders is by Pipdig. This company’s designs are very popular with bloggers and content creators.
WHAT IS THE SCANDAL??
The blogger community was up in arms on Twitter after Wordfence published a security investigation into the Pipdig plugin for WordPress. UPDATE: The Pipdig plugin issue was originally found by Jem: blog post here. Pipdig was accused of adding code to the plugin that could change the password of any site user, act as a remote kill function to delete the full contents of the website, and disable Bluehost caching, along with some code that appeared to attack a competitor of Pipdig.
A plugin is a piece of software containing a group of functions that can be added to a WordPress website. They can extend functionality or add new features to your WordPress websites. WordPress plugins are written in the PHP programming language and integrate seamlessly with WordPress.
Wordfence published a blog post about their investigation of the malicious code and even showed evidence of Pipdig trying to cover its tracks by deleting portions of their GitHub. Here is their full post: here.
Managed to demonstrate Pipdig’s “kill switch” on a test install of WordPress with pipdig Power Pack (p3) v4.7.2. It worked, which confirms they have the power to remotely delete your entire blog & every post you’ve ever written simply by typing your blog URL into a text file.
— Michael Waterfall (@mwaterfall) March 31, 2019
In this post, we additionally reveal new evidence that @pipdig used their Blogger themes, not just WordPress, to issue suspected DDoS requests. These scripts were found on Pipdig’s own servers, and were actively issuing malicious requests until yesterday. pic.twitter.com/GxWA35HYuc
— Mikey Veenstra (@heyitsmikeyv) April 2, 2019
GitHub is a cloud-based publishing tool and hosting platform. It also has a desktop application for locally storing projects. GitHub is used by programmers, developers, and designers to store projects and keep track of changes to their files.
Sorry we’ve been a bit absent on Twitter. Our post at https://t.co/HFQyFvEmdB has been updated. This is our final word on all of this. Thank you for all the positive responses we have received from people! It is hugely appreciated ❤️
— pipdig (@pipdig) March 31, 2019
UPDATE – BLACKLISTING
- Due to all of the malicious code and allegations, several hosting platforms are now blacklisting the Pipdig plugin. They are currently on the GoDaddy blacklist.
WHAT TO DO IF YOU ARE A BLOGGER WHO:
A.) USES A PIPDIG DESIGN THEME
B.) PIPDIG IS YOUR HOST COMPANY
I am in group A – I currently use a Pipdig design theme. I am personally removing Pipdig from my website. I am not comfortable supporting a company that is not taking accountability for the flaws found in their code and intentionally trying to harm competitor sites.
- Ask for a Refund – If you purchased your Pipdig template in the last 180 days – you should be able to get a refund
- Back Up Your Site – Find a backup plugin that is compatible with your WordPress site and back up a copy of your site before making any changes
- Remove – Remove Pipdig from your website – themes and plugins.
- Hosting – Change Hosting Companies if Pipdig is your host
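To make sure the "Remove" step does not miss anything, here is an added example (not code from this post, Jem, Wordfence, or Pipdig) that lists every plugin and theme folder whose WordPress header names the vendor. The folder names and file contents in it are constructed for the demonstration, and it assumes the vendor name appears in the header fields.

```bash
#!/usr/bin/env bash
# Added example: list plugins/themes whose WordPress header names a vendor.
# Assumption: the vendor string appears in the header; a renamed copy is missed.

# Print "plugin<TAB>dir" or "theme<TAB>dir" for each component under WP_CONTENT
# whose header fields mention VENDOR (case-insensitive).
find_vendor_components() {
    local wp_content=$1 vendor=$2 dir file
    local fields='^[[:space:]*#/]*(Plugin Name|Theme Name|Author|Author URI|Plugin URI|Theme URI):'
    for dir in "$wp_content"/plugins/*/; do
        [ -d "$dir" ] || continue
        for file in "$dir"*.php; do
            [ -f "$file" ] || continue
            # WordPress only reads header fields from the first 8 KB of a file.
            if head -c 8192 "$file" | grep -Ei "$fields" | grep -qiF -- "$vendor"; then
                printf 'plugin\t%s\n' "$(basename "$dir")"
                break
            fi
        done
    done
    for dir in "$wp_content"/themes/*/; do
        [ -f "${dir}style.css" ] || continue
        if head -c 8192 "${dir}style.css" | grep -Ei "$fields" | grep -qiF -- "$vendor"; then
            printf 'theme\t%s\n' "$(basename "$dir")"
        fi
    done
}

# Constructed fixture (not real Pipdig files) so the scan runs offline.
make_fixture() {
    local root
    root=$(mktemp -d)
    mkdir -p "$root/plugins/sample-vendor-plugin" "$root/plugins/other-plugin" \
             "$root/themes/sample-theme" "$root/themes/other-theme"
    printf '<?php\n/*\n * Plugin Name: pipdig Power Pack (p3)\n * Author: pipdig\n */\n' \
        > "$root/plugins/sample-vendor-plugin/main.php"
    # A passing mention outside the header fields must not count as a match.
    printf '<?php\n/*\n * Plugin Name: Other Plugin\n * Author: Someone Else\n */\n// works with pipdig themes\n' \
        > "$root/plugins/other-plugin/other.php"
    printf '/*\nTheme Name: Sample Theme\nAuthor: Pipdig\n*/\n' > "$root/themes/sample-theme/style.css"
    printf '/*\nTheme Name: Other Theme\nAuthor: Someone Else\n*/\n' > "$root/themes/other-theme/style.css"
    printf '%s\n' "$root"
}

fixture=$(make_fixture)
find_vendor_components "$fixture" pipdig
rm -rf "$fixture"
```

Point `find_vendor_components` at your real `wp-content` folder after the backup is done, then delete the listed items from the WordPress dashboard.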
Recommended Host – I previously used Bluehost but had a lot of issues with my site being down. I switched to SiteGround and have really enjoyed my hosting experience with them. Here are some hosting company recommendations:
WHERE CAN I FIND A NEW THEME??
If you are looking for a new template I found quite a few female-owned web design companies that offer blogger friendly themes. Check them out below:
New Theme Recommendations:
TIP: Make sure to remove all Pipdig plugins from your site before adding a new theme. There have been reports of WordPress sites running into issues with the design changes.
WHAT IF I WANT TO KEEP MY PIPDIG TEMPLATE
It’s 100% your decision if you want to remain with Pipdig. But it may negatively impact your site in the long run. The Pipdig plugin is being blacklisted by quite a few hosting platforms which may impact how quickly your blog and design elements load.
NEW DESIGN – WHIT WANDERS
Changing my design is quite time-consuming, as quite a few of my elements were custom – but it’s a huge priority for me. I still haven’t found a design I like but I am on the hunt. My goal is to update it this weekend. Bear with me as I address all these changes and update my design. My site may be a bit glitchy as I switch over the theme, but I appreciate your patience as I work through this latest issue.
Thanks for making it through this very long post! Happy Friday babes!
If you are a blogger and have questions around Pipdig – please email me!
Oh my gosh! That is really quite scary! And what makes it worse is the company’s rather suspect evasions. When are people going to learn that candor and transparency are the best policies? I look forward to seeing your new look in the near future!
Thank you for your sweet comment! I will be working on the new design all weekend! Fingers crossed it goes well.
Slight correction: the blogger community weren’t up in arms when Wordfence published their post, they (well, a very vocal minority) were up in arms when I published mine, accusing me of doing it for ‘drama’/a vendetta. It was only after people saw Wordfence post on it did they actually start to calm down and apply rational thought.
pipdig’s post didn’t address Wordfence’s points because they specifically addressed it to me (albeit edited it later on to remove some references to my name); I suspect they thought it’d be easier to tackle accusations from a comparatively small blogger compared to one of the biggest WordPress 3rd party security companies. I guess pipdig weren’t counting on me having plenty of security contacts of my own to back-up and increase the reach of my findings, though.
Thanks, Jem for additional context. I did not see your original post. Appreciate your hard work in identifying the issues in the plugin. I have updated my post to call out your original post. Regardless of who they address the plugin issues with originally – they should have had more accountability to their customers.
Hi Jem & Whit,
I tried to get my money back on the theme (bought less than 90 days ago) and Paypal refused the claim. In addition, I had transferred to pipdig hosting and also paid them to transfer 9 domains. When Kualo transferred me over, they informed me that pipdig never transferred 3 of the domains, so I had to pay AGAIN for the transfer. Fortunately they have influence with pipdig and did get them to refund the money. I would urge everyone caught in this mess post reviews so that those who don’t look at the tech websites or read some of the blogs know what they are in for. I’m guessing pipdig is trusting that unknowing bloggers won’t be aware of the scandal (especially here in the states), and will blindly purchase their themes.
Jem, I noticed you tried to post a review on Trust Pilot and pipdig shut you down. I posted my review since I can prove 100% I was a customer, both host, domain, theme, and shopr plug-in, so here’s hoping pipdig won’t try to get it taken off. Please encourage everyone to post reviews where possible. I’m so beyond unhappy for all the time. The real kicker is Paypal is denying the claims even though I presented Jem’s blog and the Wordfence article.
Hey girl, I am so sorry you are dealing with all of those issues. Yes, I am still getting a lot of emails and questions from bloggers and SMB owners over the Pipdig plugin issues. Have you contacted Pipdig directly to request a refund? That is frustrating that Paypal is refusing the claim. Thank you for sharing your experience. Email me further with any questions.
Pipdig is refusing all refunds. Paypal refuses it because Pipdig is disputing all requests. Haven’t heard anyone getting back their money on themes.
OMG thank you so much for saving my money. GOD knows how many times I thought of buying it. Somewhere it was my gut feeling that stopped me. Thank you 🙏🙏