I have started this post again and again for a couple of hours and have not found a nice way to put it, so this is the last attempt and it will be published as it comes out.
So, first I need to explain a little what is happening, for those of you who are not in the loop on this kind of news.
Last Friday two different posts were published almost at the same time, explaining some weird code that had been found in a plugin called P3 from a company called pipdig. One post was from Wordfence, one of the most important security companies in the WordPress world, so something to take seriously. The other was from a less-known developer called Jem, but the post was equally good and very similar to the Wordfence one.
Popular WordPress theme provider pipdig is using customer sites to DDoS competitors & harvesting user data (amongst other things): https://t.co/MjfH7izT9x
— Jem (@jemjabella) March 29, 2019
It looks like this UK company has been doing a lot of illegal things, abusing the trust their clients had put in them. The list is too long, so I won't even list it here.
If you want the details, to check the code, or to see the full timeline of what has happened since Friday, the latest post from Wordfence, written today, is what you need to read.
If you want to be a little more informed, you can also read the post published by The Register.
But the whole idea is this: the company is not trustworthy; they have done "bad things" (really, I do not want to use other words; well, I want to, but I should not) with their code, they are still doing it, and we can be sure they will keep doing it in the future.
Also, the company could be in serious trouble really soon, not only because everybody in the WordPress world is recommending not to use them anymore and to remove their products, but also because they could face legal problems really soon.
So there are now four issues here:
– GPL (software licensing)
– Non registration with @ICOnews
– Failure to report the alleged data breach to the ICO within the required time (civil issue)
– possible infringement of the Computer Misuse Act 1990 (criminal offense)
— Heather Burns (@WebDevLaw) March 31, 2019
So even if you are not sure what to think (which would be a surprise right now), moving away from them is the best decision you can make, in the short and the long term. I personally am writing down the full names of both directors of the company (easy to find, as it is a registered UK company) to make sure I do not run into them again, and I will ban any theme or plugin from their current and future companies on my own WordPress hosting.
So, what do you do if you have something from pipdig?
You need to remove everything of theirs from your website: plugins (this is their list of free plugins) and themes, and of course move away from their hosting as soon as possible.
If you bought it less than 180 days ago, you can get a refund. Follow this Twitter thread.
And this is the main reason for writing this post. I understand that a lot of people do not know what to do or how to fix it, so consider this a "quick guide to moving away from pipdig".
There are several groups of people here, so I have written two different guides:
- Those who have WordPress themes and plugins from pipdig. Most people will be in this group. If you have only plugins or only themes, it is the same guide.
- Those who have the full package: theme, plugins and hosting. This is the most complicated case, but I want to help them too.
For all groups: first, a backup.
The first thing you need to do is a full backup of your site, downloaded to your computer. There are many ways to do this:
- Contact your hosting provider for this.
- Use a plugin. I like UpdraftPlus, and the free version is enough for what you need now.
- Do a manual backup. If you know how to do that, you probably do not need this guide, so I won't go into it here.
Now let's go with the first group.
I just have a pipdig theme or plugin
I am trying to make this as easy as I can without going into technical details. Following these steps is not that "easy", but it is not that difficult either. I have marked some steps with an *. Those are optional and things will still work without them, but your site will be down or look broken during the whole process if you skip them.
If you think you cannot do this yourself, check the bottom of this post for alternatives.
If you just have a WordPress theme or plugin from pipdig but you are happy with your hosting, this is what you need to do:
1. Make sure you have done the backup. This is the most important part.
2. Find a new theme you want to use. This is the hardest part, as you had already chosen that one, maybe not that long ago. I can recommend moving to any theme that uses the Genesis Framework; you won't go wrong with that. The official ones are here: https://my.studiopress.com/themes/ Some links from Twitter.
3. * If your site has a lot of traffic, a shop or something similar, take that into account for the whole process. I recommend getting professional help in this case if you are not comfortable with all this.
4. * Create a copy of your site. Your hosting provider should be able to help you with this; on most hosts it is called a staging copy. If your host does not provide one, contact support and explain the issue; they may make an exception to help you. You can create the copy on another host, but normally that only makes sense if you are thinking of moving away from your current hosting. As a third, much more technical option, you could create a local copy of WordPress, but again, this is not an easy thing to learn in one day.
5. Now upload the new theme. Do not activate it yet! Make sure you follow the developer's instructions. If you did not create a staging copy (step 4), you will do this on your live site; if you did, you will do it on the copy.
6. Before you activate the new theme you need to remove the pipdig plugins and themes.
7. Go into the admin area and into the Plugins section.
8. Deactivate all plugins related to pipdig.
9. Now delete all plugins related to pipdig. Your site could stop working as expected at this point. This is OK.
10. Now go to Appearance > Themes and activate another theme (it does not matter which one at this point). I recommend Twenty Eleven or any of the other default Twenty-something themes.
11. Delete the pipdig themes from the install. The delete button for themes is a little hidden: click on the theme's details and then click Delete there (bottom right corner).
12. * Now you should check the database and remove any traces of pipdig (options, transients and scheduled cron events the plugins left behind), but at this point it is not clear that there is a backdoor there.
13. Go into your wp-config.php file and replace your salt keys (the eight defines from AUTH_KEY to NONCE_SALT; fresh values can be generated at https://api.wordpress.org/secret-key/1.1/salt/). If you do not know what I am talking about here, ask your hosting provider; they will do this for you. Changing the salts invalidates every existing login cookie, so you will be logged out of your website, and so will anyone else who had a session.
14. Before you log in again, use the "Lost your password?" link on the login page to set a new password for your admin user. Do the same for any other administrator accounts, and check the Users list for any account you do not recognise.
15. Once you have your new admin password, log in to the admin area again.
16. Go back to Appearance > Themes and activate your new theme. Follow the developer's instructions to set it up properly. You will need to:
   - Review the widgets.
   - Review the location of the menus.
   - Regenerate the thumbnails, using this plugin or asking your hosting if they provide this kind of support (we do).
   - Fix the front page and any other pages that may be broken.
   - Check the footer, which is normally also affected.
17. Review the whole site to find issues and fix them.
18. Do another backup, of both the staging copy (if you are using one) and the live site.
19. * If you have done all this on your copy, you are now ready to swap the old site for the new one. Again, ask your hosting to help you with this. There are so many ways to do it that I cannot cover them all here.
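What the plugin, theme and salt steps above amount to at the file level, as an added example that is not code from this post, from pipdig or from Wordfence: a small POSIX shell helper that lists and deletes plugin and theme directories that look like pipdig code, rotates the eight salt constants in wp-config.php, and verifies the result. It assumes a standard WordPress layout (wp-config.php in the site root, plugins and themes under wp-content/), that pipdig's directories are named with "pipdig" or "p3" (my assumption; look at wp-content/plugins and wp-content/themes on your own site first, the real names may differ), and that the salts are written in the stock single-quoted define( 'AUTH_KEY', '...' ); form. The demo site it builds is a constructed fixture, not a real install. Run it against your backup or staging copy before touching the live site.

```shell
#!/bin/sh
# Added example for this guide; not code from the post's author, pipdig or
# Wordfence. Assumptions (mine, not the post's): standard WordPress layout,
# pipdig code in directories named *pipdig* or p3*, salts in the stock
# single-quoted define( 'KEY', '...' ); form. Try it on a copy first.

WP_SALT_KEYS="AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT"

# Print every plugin/theme directory whose name contains "pipdig" or starts
# with "p3". Lists only; nothing is deleted here.
find_pipdig_dirs() {
    site=$1
    for base in "$site/wp-content/plugins" "$site/wp-content/themes"; do
        [ -d "$base" ] || continue
        for d in "$base"/*/; do
            [ -d "$d" ] || continue
            name=$(basename "$d" | tr '[:upper:]' '[:lower:]')
            case "$name" in
                *pipdig*|p3|p3-*|p3_*) printf '%s\n' "${d%/}" ;;
            esac
        done
    done
}

# Delete what find_pipdig_dirs lists. Bypasses the plugins' own uninstall
# hooks on purpose: none of their code gets to run again.
remove_pipdig_dirs() {
    find_pipdig_dirs "$1" | while IFS= read -r d; do
        rm -rf -- "$d"
        printf 'removed %s\n' "$d"
    done
}

# One 64-character random salt from /dev/urandom. The alphabet excludes
# ' (PHP string delimiter), & and | (special to the sed below) and \.
new_salt() {
    LC_ALL=C tr -dc 'A-Za-z0-9!@#%^*()_+=' < /dev/urandom | head -c 64
}

# Rewrite the eight define( 'KEY', '...' ); lines with fresh salts. Every
# existing login cookie becomes invalid, which is the point after removing
# a plugin that ran with admin privileges.
rotate_salts() {
    config=$1
    tmp="$config.tmp.$$"
    cp -- "$config" "$tmp"
    for key in $WP_SALT_KEYS; do
        salt=$(new_salt)
        sed "s|^\(define( *'$key', *'\)[^']*\(' *);\)|\1$salt\2|" "$tmp" > "$tmp.new" \
            && mv -- "$tmp.new" "$tmp"
    done
    mv -- "$tmp" "$config"
}

# Return 0 only if all eight keys are present with a value of at least 32
# characters that is not WordPress's stock placeholder.
salts_look_rotated() {
    config=$1
    for key in $WP_SALT_KEYS; do
        value=$(sed -n "s|^define( *'$key', *'\([^']*\)' *);.*|\1|p" "$config")
        [ "${#value}" -ge 32 ] || return 1
        [ "$value" != "put your unique phrase here" ] || return 1
    done
    return 0
}

# Constructed throwaway fixture (not a real install) to try the helpers safely.
make_demo_site() {
    site=$1
    mkdir -p "$site/wp-content/plugins/p3" "$site/wp-content/plugins/akismet" \
             "$site/wp-content/themes/pipdig-demo-theme" "$site/wp-content/themes/twentyeleven"
    {
        printf '<?php\n'
        for key in $WP_SALT_KEYS; do
            printf "define( '%s', 'put your unique phrase here' );\n" "$key"
        done
        printf '%s\n' "\$table_prefix = 'wp_';"
    } > "$site/wp-config.php"
}

# `sh cleanup.sh --demo` runs the whole sequence on a temporary fake site.
if [ "${1:-}" = "--demo" ]; then
    site=$(mktemp -d)
    make_demo_site "$site"
    echo "pipdig-looking directories:"; find_pipdig_dirs "$site"
    remove_pipdig_dirs "$site"
    rotate_salts "$site/wp-config.php"
    salts_look_rotated "$site/wp-config.php" && echo "salts rotated"
    rm -rf -- "$site"
fi
```

Run `sh cleanup.sh --demo` to watch it work on a throwaway fake site, or source it (`. ./cleanup.sh`) and call `find_pipdig_dirs /path/to/site` to see the list before you delete anything. It does not touch the database: for the database check above use your host's database tool or WP-CLI, for example `wp option list --search='*pipdig*'` and `wp cron event list` to spot options and scheduled events the plugins left behind; `wp config shuffle-salts` does the same salt rotation as rotate_salts. Deleting the directories directly, rather than through the Plugins screen, skips the plugins' uninstall hooks, which is why the database check matters even more in that case.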
I have the hosting package
OK, you also need to move the hosting. The guide is similar to the previous one, but you have some extra things to do:
- Remember to do the backup. That is for everyone.
- Find a new host that suits you. Most hosts provide free migrations, so find one that will do this for you. I offer my own hosting services at the end of the post, but this guide is for everyone, whichever host you choose. I cannot give you a list here: it would be a conflict of interest and it is a complicated matter, as there are so many hosts, good and bad.
- If you are using the email service of their hosting, this could be a problem. Specialist hosting providers do not offer email with their hosting, for reasons like what is happening now and others that I won't go into here. I would use this opportunity to move your email to a dedicated email provider: G Suite, Office 365 and Zoho Mail are my recommendations. If you are not ready for that, look for a host that provides email and will migrate your email too.
- Once you have selected your hosting, make sure again that they understand the problem and that they provide free migrations (email included if you need it). Explain the pipdig issue to them. And this is the key:
- You want to migrate the site but not change the DNS yet (if you do not understand this, the hosting people will; if they don't, pick another host ;)). The copy on the new hosting is your staging copy (step 4 of the guide above); follow the rest of that guide on it. Before you switch, check the copy directly on the new server, for example by pointing your own machine at the new server's IP address with your hosts file or with curl --resolve, so that what you are reviewing is the cleaned site and not the old one still served from pipdig's hosting.
- When everything is ready on the new hosting, change the domain's DNS to point at it, and you will have migrated your site and cleaned pipdig out of it at the same time.
By this point you should have your site migrated and cleaned of all this mess.
Not that easy, I know
OK, this was not that easy at all. The moment I was writing the staging copy step I realised this was going to be much more complicated than it seems. So I have decided to do something more, with the small capacity I have.
I am the owner of a tiny company called WPHercules. I provide security, maintenance, performance and hosting services for WordPress websites. So for the second group (or anyone who is interested) I think I can do something more, but I am not sure what yet. One thing is for sure: I offer free migrations on all my plans, and I will help you clean the pipdig plugins and themes during the migration. I am still trying to find a solution for the theme replacement, as that cannot be part of the free migration.
Edit: OK, this is what I can do. It won't be a solution for everyone, but it could be for some.
All the details are at this link: https://wpherc.com/free-premium-theme-migration/
If you are interested, write to me through the contact form here or ping me on Twitter, and I am sure we can find a solution that works for both of us.
Edit
Just before I was going to hit publish I saw this tweet from Jem suggesting a small piece of code to block some of the cron issues. Keep in mind that this is only a stopgap while the plugin is still installed; removing the plugin, as described above, is the real fix:
Alternatively dropping this into the theme functions.php should bypass the cron anyway:

```php
// Add to the active theme's functions.php. Declares an empty
// pipdighost_admin_footer(), guarded so it is only defined if that
// function does not already exist.
if ( ! function_exists( 'pipdighost_admin_footer' ) ) {
	function pipdighost_admin_footer() {
		return;
	}
}
```
— Jem (@jemjabella) March 29, 2019
I will keep updating the post with any alternatives or other things you can do to fix this.
Photo by Bernard Hermant