A public response to some serious accusations (updated)

Post updated: 31st March 2019

As many people will have most likely seen, there have been various accusations and rumours spreading about pipdig as a company and our products and services.

Initially, I started writing this post to rebuke any comments which have been made against us, for the second time. However, after spending about 4 hours breaking down each point, I’ve decided against it (though I do answer some questions later on in this post). Anything we do/say seems to be fanning the flames to a core group of very angry people. Things have changed over the past 12 hours, taking a turn I never expected from people in our community.

I’m going to try and keep this post as concise as possible. The purpose of this is not to try to purely lay down facts and figures, instead, this is a personal response from me, Phil, as a human being.

The past few days have been some of the worst I have ever encountered. I’ve been awake for pretty much the full 48 hours. Initially, we were able to respond to any comments made on Friday evening, trying to put our side of the story out there. Since then, we took the decision to stay off social media since the attacks on us were becoming more personal and aggressive. Last night, I started to receive death threats from fake accounts on my personal Twitter and Facebook accounts. A small group of people have also started going out of their way to harass our clients, in a hunt to try and hurt us in any way possible, even directly recommending that they open a PayPal claim for work we have done for them.

pipdig is not a massive, faceless corporation which can deal with this. I’m not ashamed to admit that we simply don’t know how to respond to this situation. In the words of my girlfriend “We’re just 4 people that really love cat memes”. This was probably the only time I had smiled since this whole thing started.

One of the most concerning/upsetting things is the amount of harassment our supporters are receiving. Anyone who has said things along the lines of “I trust pipdig” or “Let’s at least wait for the facts” has been gunned down with insults and personal attacks on their intelligence. To the people trolling like this, all I can say is please stop and think about what you are doing. To anyone receiving this harassment, please know that we are here for you if you need us. You can email support@pipdig.zendesk.com and we’ll do anything we can to help.

pipdig is a small team of 4 people which has been built from nothing over the past few years. If you have any hatred you feel you need to push onto a particular person, please focus on me, Phil. I will not tolerate abusive/threatening comments to any other member of my team. Such comments will be dealt with via the appropriate law enforcement agencies as cyber threats/bullying.

The information about us was published on a Friday night, which is a classic journalistic technique since it is assumed a company can’t defend itself until Monday. The information was initially published in closed Facebook groups, where we have no ability to defend ourselves or supporters. It was also published on Twitter, without tagging us or even contacting us for clarification. Any information which has been published from us has been cut/mashed up to fit with a narrow agenda.

Every single part of this appears to have been tactically planned by a small group of people who have worked together for maximum impact.

We simply don’t want to be part of this any more.

Instead of fuelling the flames any further, we’re not going to respond to any click-bait or self-promoting articles. This is the last post we’re going to publish publicly on the matter. As such, I’m going to answer some of the questions we’re receiving from customers, in the hope that it helps clear everything up:

I’m using a pipdig WordPress theme, what should I do?

You don’t need to take any action, however we do recommend updating all your plugins to make sure they are the latest version. This is generally a good idea anyway, to make sure you have the latest features available.

If you have any concerns at all, please don’t hesitate to open a support request. We’ll be happy to answer any questions you may have.

Do you DDOS competitors?

No.

Do you “kill” sites?

No!

Do you have the ability to kill sites via the pipdig Power Pack?

No.

Then how come people are saying that you do?

There was a function in an older version of the plugin which could be used to reset a site back to the default settings. This function had no risk of malicious or unintentional use. I can say categorically that there was no risk to your site if you were using a pipdig theme. This feature has been dug up and labelled a “Kill Switch” for maximum negative impact on us.

Why did this function exist?

The function was available in the pipdig Power Pack in July last year, when a serious incident occurred:

A 3rd party was able to download all of our themes illegitimately and post them on a clone of our own site. This included previews of our themes and the ability to purchase them. We were first alerted to this by people who had purchased a pipdig theme from there, but were finding that certain features did not work correctly. After investigation, we found that the victim had purchased the theme from the 3rd party, thinking it was us. The 3rd party not only gained the financial benefit of the theme payment, but also used it as a way to inject malware and ads into the victim’s site. The reset function was put in place in order to remove the 3rd party’s ability to host preview sites with our themes. It worked, and they have since disappeared. The function was then removed in a later version of the plugin.

It is worth noting that we have also provided a free legitimate license key to any victim of this issue, at a loss to ourselves.

Do you intentionally slow down sites with pipdig themes?

No, this would be self-defeating since we advertise our themes as being fast.

Do you remove features from the WordPress dashboard?

Yes, we remove features which our research shows that people do not use. This helps to keep your site running more smoothly. We’re constantly evaluating how to make working on your site a more efficient/enjoyable experience based on feedback/issues which arise in our support system. Some examples of this are listed at the very bottom of this page, in our original response.

Do you add any features to the WordPress dashboard?

Yes, we add various dashboard widgets such as a social stats counter and a button to view pipdig themes.

Do you disable plugins when a pipdig theme is activated?

Yes, during the initial activation the following plugins are deactivated. After the installation is complete, you can re-activate the plugins at any time, should you wish to use them.

This includes plugins such as “Instagram Feed” and “WD Instagram Feed”. You’re free to re-enable them afterwards at any time. We disable them initially to make theme installation an easier process. For example, our themes include Instagram features built-in, so Instagram plugins typically are not required. The fewer plugins you have, the faster/safer your site becomes, generally speaking.

Are there any plugins which can’t be re-activated?

Yes, we disable a small number of plugins which are not compatible with our themes. We’ve included a full list below. We even provide an explanation of this within the code for any developer to see. Each plugin is:

  • WP Support – This plugin injects malware into the WordPress dashboard. It is disabled to try and help protect people. We’ve had to clean 3 sites that were impacted by this within the past few weeks.
  • Query Strings Remover – This plugin removes “query args” from static files on your site, which breaks several features after plugins are updated.
  • Remove Query Strings from Static Resources – Same as the plugin above
  • Scripts to Footer – This plugin breaks the Current Location widget, as well as some instances of the Instagram feed.
  • Fast Velocity Minify – This plugin breaks the Instagram feed, as well as some post layout options
  • Contact Widgets – This plugin breaks the social icons throughout the theme.
  • Theme Check – This plugin is intended for checking if a theme is compatible with the WordPress.org theme repository. It checks for things like GPL licenses and tags being listed in a theme’s readme.txt file. Since our themes don’t include things like that (as we don’t offer free themes on the WordPress.org repository), we thought it would be best to disable this plugin. It was leading to support requests from people that thought our themes had errors, which isn’t the case in this context.

If you would like to use any of the plugins listed above, please contact us and we can remove this feature or suggest alternatives which work better.

Do you send personal data without consent, breaching GDPR?

No, we don’t send any personally identifiable information. The only data we receive from your site is to activate the license key. This is then used to keep the theme active and provide your site with automated updates.

Is there any other data you gather?

Yes, each time your site connects to our update server it will also report where in the world your site is hosted. For example, we can see how many themes are installed in the US or in Europe. This helps us to better serve people globally and plan our hours of support. No personal information can be used to identify the site owner and where they live or are located.

Do you have the ability to log in to any site using a pipdig theme without permission?

No. If we need to log in to provide assistance with an issue, we will ask for it in the support request. This is stored securely whilst the ticket is open and not shared with any 3rd parties.

I’m using a pipdig theme and I have some concerns, what should I do?

Please don’t hesitate to contact us via support@pipdig.zendesk.com. You are also welcome to tweet us, however please note that we may not be able to reply due to the amount of threats/comments we are receiving on that platform. As mentioned earlier in this post, we are not currently accessing Twitter so there will be a delay in how quickly we can reply. There is also a small group of people actively harassing anyone that mentions us, so it is best to contact us via email if possible.

We always recommend keeping your plugins and theme up to date. This helps to keep your site running smoothly and also means you can get access to the latest features as they are released (we frequently add new widgets and social icons, for example). If there are any updates shown in your dashboard, you may wish to complete them.

What will happen to pipdig?

Essentially, nothing is going to change. We’re still going to keep doing what we do, and we hope you will continue to be part of it. The only thing that might change in the short term is our presence on social media, due to the issues mentioned above. We will also be less trusting of journalists and information available in the press/online, not just in this topic but as a whole. We’ve really had our eyes opened.

To end on a positive note, we would like to thank anyone who has sent us comforting messages of support both publicly and privately (even people without pipdig themes!). We have tried to respond to each one personally, however we may have missed some on Twitter/Facebook. If you are one of those people, thank you so much for being a rational, caring person. On a personal level, your comments have been the only thing keeping me going. It has really meant the world to everyone here.

Phil

— Original post below from Friday 29th March 2019 —

Today we were alerted to this post [no longer listed] which has some extremely serious accusations. Some true, some false, and some which are grossly misinformed. The purpose of this post is to respond to those accusations.

The post claims that our pipdig Power Pack plugin performs the following actions:

  • is using other blogger’s servers to perform a DDoS on a competitor
  • is manipulating blogger’s content to change links to competitor WordPress migration services to point to the pipdig site
  • is harvesting data from blogger’s sites without permission, directly contravening various parts of the GDPR
  • is using the harvested data to, amongst other things, gain access to blogger’s sites by changing admin passwords
  • contains a ‘kill switch’ which drops all database tables
  • deliberately disables other plugins that pipdig has decided are unnecessary, without asking permission
  • hides admin notices and meta boxes from WordPress core and other plugins from the dashboard, which could contain vital information

We’ll go through each point below:

“is using other blogger’s servers to perform a DDoS on a competitor”

This function is used to pass the theme’s license key to an external server, which then passes that data to our main site at pipdig.co. We use the Cloudflare CDN to make sure the data is sent securely and as quickly as possible regardless of where your site is hosted globally. This data includes what domain the theme is installed on, as well as a link to the “Author URL” from the theme’s readme.txt file. This is used to activate a theme’s license key.

“The code comment tells us this is “checking the CDN (content delivery network) cache”. It’s not. This is performing a GET request on a file (id39dqm3c0_license_h.txt) sat on pipdigz.co.uk, which yesterday morning returned ‘http://kotrynabassdesign.com/wp-admin/admin-ajax.php’ in the response body.”

We’re now looking into why this function is returning this URL. However it seems to suggest that some of the “Author URLs” have been set to ‘kotrynabassdesign.com’. We don’t currently know why this is the case, or whether the site owner has intentionally changed this. The response should hit our site’s wp-admin/admin-ajax.php file under normal circumstances. On the surface it could mean that some pipdig themes have been renamed to other authors. We will be looking further into this issue and provide more information as it comes up. We can confirm that it won’t cause any issues for sites using pipdig themes, even if the author name/URL has been changed.

“is manipulating blogger’s content to change links to competitor WordPress migration services to point to the pipdig site”

This is true, though the basis is not as it may seem. Last year we experienced a series of cases where themes were not purchased legitimately. After being contacted by many people, it became clear that the two mentioned companies had been distributing our themes and editing the pipdig Power Pack so that the license key was rejected. This meant that when the theme was updated, it no longer worked on the site, and that the site owner had to purchase their own license key to activate it. Not only was the site owner mis-sold a service and provided with a dodgy copy of our themes, but we also lost several months’ revenue after providing discount codes to people impacted.

To try and avoid anyone else from being a victim of this, we remove any links which point to such sites (for example if a link is added to the footer). We don’t edit any other content, it just removes the link or resets the footer credit back to pipdig.

“is harvesting data from blogger’s sites without permission, directly contravening various parts of the GDPR”

This is not true. The only data returned is:

  • Site URL
  • License Key
  • WordPress version
  • Plugin/theme version

This data is then used to activate the license and provide updates. It is no different to the data which is sent/received on a daily basis to the main wordpress.org servers to provide core WordPress updates. The only addition is the license key, which is required for activation purposes.

“is using the harvested data to, amongst other things, gain access to blogger’s sites by changing admin passwords”

This is simply not true. Anyone who has ever contacted us via our support system knows that we ask for the login details. Sometimes we wish we could log in automatically since it would save us having to ask. It is something we’re considering for the future, but it will be “opt-in” and temporary much like this plugin.

“contains a ‘kill switch’ which drops all database tables”

This is the most serious accusation of all, and not one which we take lightly. The portrayal of this feature is not based on reality. There is a function in the plugin which can be used to clear database tables, much like a backup or standard reset plugin. To confirm, we do not have the ability to “kill” a site, nor would we ever, ever want to do that! The function is in place to reset a site back to defaults, however it is only activated after being in touch with the site owner.

“deliberately disables other plugins that pipdig has decided are unnecessary, without asking permission”

Yes, this is completely true. We even provide an explanation of this within the code. Each plugin is:

  • WP Support – This plugin injects malware into the WordPress dashboard. It is disabled to try and help protect people. We’ve had to clean 3 sites that were impacted by this within the past few weeks.
  • Query Strings Remover – This plugin removes “query args” from static files on your site, which breaks several features after plugins are updated.
  • Remove Query Strings from Static Resources – Same as the plugin above
  • Scripts to Footer – This plugin breaks the Current Location widget, as well as some instances of the Instagram feed.
  • Fast Velocity Minify – This plugin breaks the Instagram feed, as well as some post layout options
  • Contact Widgets – This plugin breaks the social icons throughout the theme.
  • Theme Check – This plugin is intended for checking if a theme is compatible with the WordPress.org theme repository. It checks for things like GPL licenses and tags being listed in a theme’s readme.txt file. Since our themes don’t include things like that (as we don’t offer free themes on the WordPress.org repository), we thought it would be best to disable this plugin. It was leading to support requests from people that thought our themes had errors.

If you would prefer to allow these plugins on your site and you are using a pipdig theme, please contact us via our support site and we can remove this feature for you.

The other list of plugins such as “Instagram Feed” and “WD Instagram Feed” are disabled only when the pipdig Power Pack is first installed. You’re free to re-enable them afterwards at any time. We disable them initially to make theme installation an easier process. For example, our themes include Instagram features built-in, so Instagram plugins typically are not required. The fewer plugins you have, the faster/safer your site becomes, generally speaking.

The post suggests that it is “straight up rude” to disable the plugins. We don’t believe that to be the case, however we would be interested to hear people’s feedback on this. If you feel we have overstepped the mark, please contact us to let us know.

“hides admin notices and meta boxes from WordPress core and other plugins from the dashboard, which could contain vital information”

This is also true, however the use of the term “vital information” here is misguided. We change/hide some sections of the WordPress dashboard in order to streamline things. Generally we receive very positive feedback for this, as it helps people to concentrate on writing their content rather than dealing with other distractions.

Some examples of things we remove are listed below. Generally we remove features to speed up your dashboard/site, without removing any functionality that is useful.

  • The Quickdraft dashboard widget
  • The WordPress Events dashboard widget (this loads content from a remote RSS feed which adds a few seconds to your main dashboard page)
  • The “Meta Widget” – this adds a link to your site’s login page on the front end of your site, which is best avoided

There are other features too, which we will describe in a later post. Currently we’re writing this quite quickly to try and respond and get our side of the story to people.

Conclusion

We find it very convenient that a competitor is heavily mentioned throughout the article, and even includes a backlink to their website.

We have also never been in touch with Jem, so can only assume she does not use our themes. We feel this whole issue could have been avoided if she had taken the time to talk with us and understand what we’re all about.

We will be seeking legal advice for the untrue statements and misinformation which have no doubt damaged our good name. Anyone who has worked with us knows how much we care about this community and every single blogger we work with. We’re hugely upset, but we can hopefully re-earn any trust that has been lost due to this.

Team pipdig