It's certainly been a whirlwind of news this week involving Pipdig, a UK-based theme and plugin shop, and one of their plugins: Pipdig Power Pack, also known as P3. A lot of the controversy can be traced back to this blog post from Wordfence describing code that would give the developer “administrative access to sites using the plugin, or even delete affected sites’ database content remotely.” (Among other disturbing things.) 😶
Jem Turner independently discovered what P3 was doing when a client complained that her website “was behaving oddly.”
Pipdig wrote a response on their official blog, noting they will be “seeking legal advice for the untrue statements and misinformation” which they claim have “damaged [their] good name.”
Wordfence published a follow-up post after Pipdig's response and dug into the issue more deeply in a podcast. The discussion continues on Twitter, including some indications that Pipdig is still shipping the problematic code.
Rarst has also put together a Twitter Moment with various bits of coverage and relevant events.
One lesson to be drawn from the flurry of hot and confused reactions of developers and Pipdig customers is that many WordPress users don't know (and probably don't care) what their theme or plugin is doing under the hood. Developers should treat these users with respect and not expect them to understand technical matters quickly on their own.
Mark Jaquith has created a “P3 Neutraliser” plugin that “will prevent the P3 plugin from updating or phoning home.” 🔌