WordPress Site Builder Addon Allegedly Integrates “Backdoor” To Disable Websites

A commonly used add-on plugin for a popular WordPress site builder included an anti-piracy script that effectively unpublishes all posts. WordPress developers are outraged, with some labeling the script as malware, a backdoor, and a legal violation. The publisher of the site builder add-on intentionally added the backdoor to disrupt websites using pirated versions of their plugin.

Updated: Plugin Developer Apologizes

The plugin developer accused of purposely creating a backdoor in his plugin issued a public apology.

He wrote:

“My intention in implementing controversial code within the plugin was solely to combat the issue of piracy I have been facing. However, I now realize that this was not the right approach. My attempt to safeguard my work has unfortunately backfired, causing harm and frustration to legitimate users of the plugin.”

Updated: New Information About Plugin Backdoor

A post in the Dynamic WordPress Facebook group (along with a corresponding video) by Emil Trägårdh reveals the results of his review of different versions of the plugin submitted to him.

Emil wrote the following about his findings (spelling corrected):

“Some people sent me the code. I got 4 different versions.
1.5.18 (contains malware)
1.5.19 (edit: also contains malware, but it's moved location)
1.5.20 (edit: also contains malware, but moved again)

I found a persistent backdoor that calls home every third hour and executes any command that it receives straight to WP database.”

I communicated by email with Emil Trägårdh, who provided more details of his findings.

He wrote of his discovery:

“It is designed to run any SQL command, but it can be used to target wp_posts. The command is set by a remote source. So the command can be changed at any time.

In the video, I show DROP TABLE wp_users; But it can also be used to insert a new admin account and execute PHP.”

Emil also emphasized that the code he examined was provided by others for him to review, and that he did not download the code himself.

He wrote:

“I got the source code that I examined from third parties who said they downloaded the plugin from official developer sources.”
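A defender who wants to triage a plugin for the behaviours reported above (encoded code, a scheduled call-home, remotely supplied SQL) can start with a static scan like the following. This is an added example, not code from the plugin or from anyone quoted here; the token patterns, rule names and sample fragments are assumptions constructed for illustration.

```python
import re
from pathlib import Path

# Heuristic token patterns chosen for this example (assumptions, not taken from the plugin's code).
INDICATORS = {
    "scheduled": re.compile(r"\b(wp_schedule_event|cron_schedules)\b"),
    "remote_fetch": re.compile(r"\b(wp_remote_(get|post|request)|curl_exec)\s*\("),
    # $wpdb->query() fed a variable directly rather than a literal or $wpdb->prepare()
    "raw_sql": re.compile(r"\$wpdb\s*->\s*query\s*\(\s*\$(?!wpdb\s*->\s*prepare)"),
    "decode": re.compile(r"\b(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\("),
    "long_blob": re.compile(r"['\"][A-Za-z0-9+/=]{200,}['\"]"),
}

# A finding fires only when every indicator in its set is present in the same file.
RULES = [
    ("remote-controlled SQL", {"remote_fetch", "raw_sql"}),
    ("scheduled call-home", {"scheduled", "remote_fetch"}),
    ("encoded payload", {"decode", "long_blob"}),
]

def scan_source(php_text):
    """Return the names of the findings triggered by one PHP source string."""
    hits = {name for name, rx in INDICATORS.items() if rx.search(php_text)}
    return [label for label, needed in RULES if needed <= hits]

def scan_tree(plugin_dir):
    """Map each flagged .php file under plugin_dir to its findings."""
    report = {}
    for path in sorted(Path(plugin_dir).rglob("*.php")):
        findings = scan_source(path.read_text(encoding="utf-8", errors="replace"))
        if findings:
            report[str(path)] = findings
    return report

# Constructed fragments for the demo; none of this is code from a real plugin.
SUSPECT = "\n".join([
    "<?php",
    "wp_schedule_event( time(), 'three_hourly', 'lic_check' );",
    "$res = wp_remote_get( $endpoint );",
    "$wpdb->query( $cmd );",
])
ENCODED = "<?php $c = base64_decode('" + "QUJD" * 60 + "');"
BENIGN = "\n".join([
    "<?php",
    "$res = wp_remote_get( $endpoint );",
    "$wpdb->query( $wpdb->prepare( 'DELETE FROM t WHERE id = %d', $id ) );",
])

if __name__ == "__main__":
    for name, src in [("suspect", SUSPECT), ("encoded", ENCODED), ("benign", BENIGN)]:
        print(name, scan_source(src))
```

Hits are leads for manual review rather than verdicts: legitimate plugins also schedule tasks and call licence servers, so the combination of indicators in one file is what deserves a closer look.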

BricksUltimate Add-On For Bricks Builder

Bricks site builder is a site-building platform for WordPress that is highly popular among web developers, praised for its intuitive user interface, class-based CSS, and clean, high-performance HTML code. What sets this site builder apart is that it’s designed for developers with advanced skills, allowing them to create virtually anything they want without struggling against built-in code typical of drag-and-drop site builders aimed at non-developers.

A benefit of the Bricks site builder is the community of third-party plugin developers that extends Bricks’ functionality, making it easier to add more website features.

BricksUltimate Addon for Bricks Builder is a third-party plugin that simplifies adding features like breadcrumbs, animated menus, accordion menus, star ratings, and other interactive on-page elements.

It is this plugin that has stirred controversy in the WordPress developer community by adding anti-piracy elements that many feel constitute “bad practice,” with some referring to it as “malware.”

BricksUltimate Anti-Piracy Measures

The controversy centers around a script that checks for a valid license. According to a developer who examined the plugin code, there appears to be a script designed to hide all posts across the entire website if it detects a pirated copy of the plugin.

The developer of the plugin, Chinmoy Kumar Paul, downplayed the controversy, claiming that people were “overreacting.”

An ongoing discussion in the Dynamic WordPress Facebook group about the BricksUltimate anti-piracy measure has over 60 posts, with the majority objecting to the anti-piracy script.

Typical reactions in that discussion:

“…hiding a backdoor that reads the client database, is itself a breach of trust and shows malicious intent on the developer’s part.”

“I refuse to support or recommend any developer who thinks they have the right to secretly add a malicious payload to a piece of software. And then, once confronted, defends it and sees no wrong. Absolutely not acceptable, and I’m glad the community has clubbed together stating that such an approach should not be tolerated.”

“…the fact the code is there is terrible. I would not let any plugin with that sort of back door on any site, let alone anyone doing it for a client site. That spoils the plugin for me fully!”

“This dude here and his company could be easily reported and exposed to the General Data Protection Regulation Authority (GDPR) in any EU country for injecting an undeclared “monitor” code that has unauthorized access to DB’s and actually behaves like malware!!!!!! It is just unbelievable!”

One of the developers in the Dynamic WordPress Facebook community reported their findings on what the anti-piracy script does.

They explained their findings:

“Me and my colleague have investigated this. Granted, we are not backend experts. Our findings are that the plugin has encoded code that is not human-readable without decoding.

That code is an additional remote license check. If it fails, it seems to replace values in the wp->posts database, essentially making all posts from all post types unreadable to WordPress.

It doesn’t seem to delete them outright as first suspected, but it does appear as deleted on the frontend for any non-expert user.

This seems to be implemented in 1.5.3+ BU versions and as there aren’t any posts here about it from legit users, I tend to trust Chinmoy that it’s very unlikely to affect legit users.

Now, my colleague indeed had a pirated version of the plugin, but sadly, she wasn’t aware of it because it was purchased as a legitimate version from a third-party seller.”

Response From the BricksUltimate Developer:

The developer of the plugin, Chinmoy Kumar Paul, posted a response in the BricksUltimate Facebook group.

They wrote:

“Re: Some coders are bypassing the license API with some custom code. That time plugin is activating and it is smoothly working. My script is just tracking those sites and checking the license key. If not match, it is deleted the data. But it is not the best solution. I was just testing.

Next time I shall improve it with other logic and tests.

People are just overreacting.

I am still searching for the best solution and updating the codes as per my report.

…A lot of unwanted users are submitting the issue via email, and I am losing my time for them. So I am just trying to find the best option to avoid this kind of thing.”

Several BricksUltimate users defended the plugin developer’s attempt to fight back against users with pirated copies of the plugin. But for every post defending the developer, there were others expressing strong disapproval.

Developer Backtracks On Anti-Piracy Measure

The developer may have read the room and seen that the move was highly unpopular. They said they had reversed course on taking action.

They insisted:

“…I stated that I shall change the current approach with a better option. People do not understand the concept and spread the rumors here and there.”

Backdoors Can Lead To Fines And Prison

Wordfence recently published an article about backdoors that developers leave in place in order to intentionally interfere with or damage the websites of publishers who owe them money.

They wrote:

“One of the biggest reasons a web developer may be tempted to include a hardcoded backdoor is to ensure their work is not used without payment.

…What should be obvious is that intentionally damaging a website is a violation of laws in many countries, and could lead to fines or even jail time. In the United States, the Computer Fraud and Abuse Act of 1986 (CFAA) clearly defines illegal use of computer systems. According to 18 U.S.C. § 1030 (e)(8), simply accessing computer systems in a way that uses higher privileges or access levels than permitted is a violation of the law. Further, intentionally damaging the system or data is also a crime. The penalty for violating the CFAA can include sentences of 10 years or more in prison, in addition to large financial penalties.”

Fighting piracy is a legitimate issue. But it’s more complicated in the WordPress community because WordPress licensing specifies that everything created with WordPress must be released with an open-source license.

Read the plugin developer’s apology:
An Open Apology and Immediate Rectification

Featured Image by Shutterstock/malidinc
