A widely used add-on plugin for a popular WordPress site builder installed an anti-piracy script that essentially unpublishes all posts. WordPress developers are livid, with some calling the script malware, a backdoor, and a violation of laws. The publisher of the site builder add-on purposely added the backdoor in order to disrupt the websites of those who use pirated versions of their plugin.
Updated: Plugin Developer Apologizes
The plugin developer who was accused of purposely creating a backdoor in his plugin wrote a public apology.
He wrote:
“My intention in implementing controversial code within the plugin was solely to combat the issue of piracy I have been facing. However, I now realize that this was not the right approach. My attempt to safeguard my work has unfortunately backfired, causing harm and frustration to legitimate users of the plugin.”
Updated: New Information About Plugin Backdoor
A post in the Dynamic WordPress Facebook group (and a corresponding YouTube video) by Emil Trägårdh shares results of a review he did of different versions of the plugin that were submitted to him.
Emil wrote the following about his findings (spelling corrected):
“Some people sent me the code. I got 4 different versions.
1.5.18 (contains malware)
1.5.19 (edit: also contains malware, but its moved location)
1.5.20 (edit: also contains malware, but moved again)
I found a persistent backdoor that calls home every third hour and executes any command that it receives straight to WP database.”
I communicated by email with Emil Trägårdh who offered more details of his findings.
He wrote of his discovery:
“It is designed to run any SQL command, but it can be used to target wp_posts. The command is set by remote source. So the command can be changed at any time.
In the video I show DROP TABLE wp_users; But it can also be used to insert a new admin account and execute PHP.”
Emil also emphasized the caveat that the code he examined was provided by others for him to review, and that he did not download the code himself.
He wrote:
“I got the source code that I examined from third parties who said they downloaded the plugin from official developer sources.”
BricksUltimate Add-On For Bricks Builder
Bricks site builder is a site building platform for WordPress that is wildly popular with web developers, who cite the intuitive user interface, the class-based CSS and the clean, high-performance HTML code it generates as features that elevate it over many other site builders. What sets this site builder apart is that it’s created for developers who have advanced skills, which enables them to create virtually anything they want without having to fight against built-in code that’s created by typical drag and drop site builders that are meant for non-developers.
A benefit of the Bricks site builder is that there’s a community of third-party plugin developers that extends the power of Bricks to make it faster to add more website features.
BricksUltimate Addon for Bricks Builder is a third-party plugin that makes it easy to add features like breadcrumbs, animated menus, accordion menus, star ratings and other interactive on-page elements.
It is this plugin that has stirred up controversy in the WordPress developer community by adding anti-piracy elements that many in the WordPress community feel are a “very bad practice”, with others referring to them as “malware”.
BricksUltimate Anti-Piracy Measures
What is causing the controversy appears to be a script that checks for a valid license. It is unclear exactly what is installed, but according to a developer who examined the plugin code there appears to be a script installed that is designed to hide all posts across the entire website if it detects a pirated copy of the plugin (more about this below).
The developer of the plugin, Chinmoy Kumar Paul, downplayed the controversy, writing that people are “overreacting”.
An ongoing discussion in the Dynamic WordPress Facebook group about the BricksUltimate anti-piracy measure has over 60 posts, with the overwhelming majority of posts objecting to the anti-piracy script.
Typical reactions in that discussion:
“…hiding a backdoor that reads the client database, is itself a breach of trust and shows malicious intent on the developer’s part.”
“I simply refuse to support or recommend any developer who thinks they have the right to secretly add a malicious payload to a piece of software. And then, once confronted defends it and sees no wrong. Absolutely not acceptable and I’m glad the community has clubbed together stating that such an approach should not be tolerated…”
“…the fact the code is there is terrible. I would not let any plugin with that sort of back door on any site, let alone anyone doing it for a client site. That spoils the plugin for me fully!”
“This dude here and his company could be easily reported and exposed to the General Data Protection Regulation Authority (GDPR) in any EU country for injecting an undeclared “monitor” code that has a non authorized access to DB’s and actually behaves like malware!!!!!! is just unbelievable!”
One of the developers in the Dynamic WordPress Facebook community reported their findings of what the anti-piracy script does.
They explained their findings:
“Me and my colleague have investigated this. Granted, we are not backend experts. Our findings are that the plugin has an encoded code that is not human-readable without decoding.
That code is an additional remote license check. If it fails, it seems to replace values in the wp->posts database, essentially making all posts from all post types unreadable to WordPress.
It doesn’t seem to delete them outright as first suspected, but it does appear as deleted on the frontend for any non-expert user.
This seems to be implemented in 1.5.3+ BU versions and as there aren’t any posts here about it from legit users, I tend to trust Chinmoy that it’s very unlikely to affect legit users.
Now, my colleague indeed had a pirated version of the plugin, but sadly, she wasn’t aware of it because it was purchased as a legitimate version from a third-party seller.”
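The two reviews quoted above describe behaviour a site owner can look for before installing a plugin update: encoded code that is decoded and executed, and a scheduled call home whose response reaches the database. The following is an added example, not code from the plugin or from either reviewer; the indicator names and PHP fragments are constructed for illustration, and the checks are heuristics that point a human at lines to read rather than proof of a backdoor.

```python
import re

# Heuristic indicators, one per behaviour reported in the quotes above.
INDICATORS = {
    "long_blob": re.compile(r"""['"][A-Za-z0-9+/=]{200,}['"]"""),
    "decode_call": re.compile(r"\b(?:base64_decode|gzinflate|str_rot13)\s*\(", re.I),
    "dynamic_exec": re.compile(r"\b(?:eval|create_function)\s*\(", re.I),
    "remote_fetch": re.compile(r"\b(?:wp_remote_(?:get|post|request)|curl_exec)\s*\(", re.I),
    "scheduled_task": re.compile(r"\bwp_schedule_event\s*\(", re.I),
    # A variable handed straight to $wpdb->query(); prepared statements are skipped.
    "raw_sql": re.compile(r"\$wpdb\s*->\s*query\s*\(\s*\$(?!wpdb\s*->\s*prepare)", re.I),
}

def scan_source(php):
    """Return {indicator: [line numbers]} for the text of one PHP file."""
    hits = {}
    for lineno, line in enumerate(php.splitlines(), 1):
        for name, rx in INDICATORS.items():
            if rx.search(line):
                hits.setdefault(name, []).append(lineno)
    return hits

def verdict(hits):
    """'high' for hidden code that is executed, or remote input next to raw SQL."""
    found = set(hits)
    if {"decode_call", "dynamic_exec"} <= found:
        return "high"
    if {"remote_fetch", "raw_sql"} <= found:
        return "high"
    return "review" if found else "clean"

# Constructed samples (not taken from any real plugin).
SAMPLE_ENCODED = "<?php\n$b = '" + "QUJD" * 60 + "';\neval( base64_decode( $b ) );\n"
SAMPLE_PLAIN = (
    "<?php\n"
    "wp_schedule_event( time(), 'three_hourly', 'lic_check' );\n"
    "$res = wp_remote_get( $endpoint );\n"
    "$wpdb->query( $cmd );\n"
)
SAMPLE_BENIGN = (
    "<?php\n"
    "$wpdb->query( $wpdb->prepare( 'DELETE FROM wp_postmeta WHERE post_id = %d', $id ) );\n"
)

if __name__ == "__main__":
    for name, src in [("encoded", SAMPLE_ENCODED), ("plain", SAMPLE_PLAIN), ("benign", SAMPLE_BENIGN)]:
        print(name, verdict(scan_source(src)), scan_source(src))
```

Run it over every `.php` file in a plugin archive before activation; a "high" result on an add-on that has no reason to decode and execute strings or run remote-supplied SQL is grounds to hold the update and read the flagged lines.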
Response From the BricksUltimate Developer:
The developer of the plugin, Chinmoy Kumar Paul, posted a response in the BricksUltimate Facebook group.
They wrote:
“Re: Some coders are bypassing the license API with some custom code. That time plugin is activating and it is smoothly working. My script is just tracking those sites and checking the license key. If not match, is deleted the data. But it is not the best solution. I was just testing.
Next time I shall improve it with other logic and tests.
People are just overreacting.
I am still searching for the best solution and updating the codes as per my report.
…A lot of unwanted users are submitting the issue via email and I am losing my time for them. So I am just trying to find the best option to avoid this kind of thing.”
Several BricksUltimate users defended the plugin developer’s attempt to fight back against users with pirated copies of the plugin. But for every post defending the developer there were others that expressed strong disapproval.
Developer Backtracks On Anti-Piracy Measure
The developer may have read the room and seen that the move was highly unpopular. They said they had reversed course on taking action.
They insisted:
“…I stated that I shall change the current approach with a better option. People do not understand the concept and spread the rumors here and there.”
Backdoors Can Lead To Fines And Prison
Wordfence recently published an article about backdoors that developers leave in their code so they can intentionally interfere with or damage the websites of publishers who owe them money.
In a post titled “PSA: Intentionally Leaving Backdoors in Your Code Can Lead to Fines and Jail Time”, they wrote:
“One of the biggest reasons a web developer may be tempted to include a hardcoded backdoor is to ensure their work is not used without payment.
…What should be obvious is that intentionally damaging a website is a violation of laws in many countries, and could lead to fines or even jail time. In the United States, the Computer Fraud and Abuse Act of 1986 (CFAA) clearly defines illegal use of computer systems. According to 18 U.S.C. § 1030 (e)(8), simply accessing computer systems in a way that uses higher privileges or access levels than permitted is a violation of the law. Further, intentionally damaging the system or data is also a crime. The penalty for violating the CFAA can include sentences 10 years or more in prison, in addition to large financial penalties.”
Fighting piracy is a legitimate issue. But it’s a little more difficult in the WordPress community because WordPress licensing specifies that everything created with WordPress must be released with an open source license.
Read the plugin developer’s apology:
An Open Apology and Immediate Rectification