The Unprofessional Web

You may have heard some news over the last few days about obfuscated and malicious code allegedly being found within a WordPress plugin published by a theme shop called pipdig. Jem Turner covered it here and Wordfence Security covered it here, although the latter chose to only use the word “peculiar” as I suspect they’ve drawn the same conclusion that I have.

As the company is not claiming that their plugin was compromised — therefore ruling out third-party interference — there are two possible reasons that they would publish a plugin containing code that’s capable of performing DDoS attacks, nuking customers’ websites, rewriting links, and resetting administrator passwords:

  1. Malicious intent.
  2. Incompetence and hopeless naïvety.

Let’s rule out malicious intent for now. My gut feeling says that this small theme shop is above board and would gain little from trying to take down competitors. I’m happy to be proven wrong, and time may tell, but let’s park that option.

So that leaves us with a business that defends its inability to react professionally to the situation it’s found itself in by describing itself thusly:

We’re just 4 people that really love cat memes

https://www.pipdig.co/blog/sad-times/

I love cats and I love cat memes, but I’m also able to recognise that if I wish to operate a business that employs staff and provides products and services to other businesses that in many cases are foundational to their business, then I need to have a good understanding of what my business is providing to its customers.

Huge swathes of web-based businesses operate in an unprofessional manner: either by being incompetent at the technical aspect of what they’re providing, or being naïve of their responsibilities to their customers and their staff, or both. By shipping code that can perform destructive actions and either being too incompetent to realise it or too naïve to consider your responsibilities regardless of your intent, you open up yourself and your staff to legal and financial problems.

The web industry is a festering pile of unprofessionalism, and we’ll carry on seeing more of this sort of news for years to come unless web-based businesses recognise the fact that transitioning a hobby into a business requires you to also transition your business and your technical competence from that of a hobbyist to that of a professional, and that general ignorance of quality control, information management, and business responsibilities isn’t good enough.

And don’t get me started on open-source projects 😬.

3 thoughts on “The Unprofessional Web”

  1. They deliberately hid the problem code in amongst legitimate code, used comments to pretend it did something else, launched multiple attacks at their competitor over a period of 6 months or more and partially obfuscated both function names and competitors so it wasn’t immediately obvious what they did. How is that anything but malicious?

  2. “And don’t get me started on open-source projects 😬.”

    Open source projects need critique, to evolve and get better; especially those open source projects that are created so the developer can learn and exercise his new knowledge. Even this pipdig case provides us something to learn, at least what kind of techniques new developers should avoid.

    Your blog and open source projects are an inspiration for me, and I always recommend new developers to follow you and learn from you.

    Please don’t hold back from saying what you think (or when you see something wrong), just to protect (or babysit) someone or some big player.

    Cheers!
