You may have heard some news over the last few days about obfuscated and malicious code allegedly being found within a WordPress plugin published by a theme shop called pipdig. Jem Turner covered it here and Wordfence Security covered it here, although the latter chose to only use the word “peculiar” as I suspect they’ve drawn the same conclusion that I have.
As the company is not claiming that their plugin was compromised — therefore ruling out third party interference — there are two possible reasons that they would publish a plugin containing code that’s capable of performing DDoS attacks, nuking customers’ websites, rewriting links, and resetting administrator passwords:
- Malicious intent.
- Incompetence and hopeless naïvety.
Let’s rule out malicious intent for now. My gut feeling says that this small theme shop is above board and would gain little from trying to take down competitors. I’m happy to be proven wrong, and time may tell, but let’s park that option.
So that leaves us with a business that defends its inability to react professionally to the situation it’s found itself in by describing itself thusly:
“We’re just 4 people that really love cat memes” (https://www.pipdig.co/blog/sad-times/)
I love cats and I love cat memes, but I’m also able to recognise that if I wish to operate a business that employs staff and provides products and services to other businesses that in many cases are foundational to their business, then I need to have a good understanding of what my business is providing to its customers.
Huge swathes of web-based businesses operate in an unprofessional manner: either by being incompetent at the technical aspect of what they’re providing, or being naïve of their responsibilities to their customers and their staff, or both. By shipping code that can perform destructive actions and either being too incompetent to realise it or too naïve to consider your responsibilities regardless of your intent, you open up yourself and your staff to legal and financial problems.
The web industry is a festering pile of unprofessionalism, and we’ll carry on seeing more of this sort of news for years to come unless web-based businesses recognise the fact that transitioning a hobby into a business requires you to also transition your business and your technical competence from that of a hobbyist to that of a professional, and that general ignorance of quality control, information management, and business responsibilities isn’t good enough.
And don’t get me started on open-source projects.