WordPress Site Builder Plugin Accused of Backdoor Access

The developer of an add-on plugin for a WordPress site builder is accused of including a hidden backdoor that hides site content when it detects a pirated copy of the plugin.

BricksUltimate Add-On For Bricks Builder

A popular add-on plugin for the well-known WordPress site builder recently implemented an anti-piracy script. This script has caused a major uproar among WordPress developers, who are outraged by its effects. Many have gone as far as to label the script as malware, a backdoor, and a breach of legal regulations.

Bricks site builder is a popular platform for building websites on WordPress. Many web developers love it because of its easy-to-use interface, advanced CSS capabilities, and clean HTML code. Unlike other site builders, Bricks is designed for developers with advanced skills who want more control over their website design without being limited by pre-set templates.

One great advantage of Bricks is the community of third-party plugin developers who enhance its capabilities and make it easy to add new features to your website.

BricksUltimate Addon for Bricks Builder is a helpful third-party plugin that allows users to easily incorporate interactive elements such as breadcrumbs, animated menus, accordion menus, star ratings, and more on their website.

This plugin has sparked debate within the WordPress developer community due to the inclusion of anti-piracy features. Some members of the WordPress community view these features as unethical, while others have gone as far as labeling it as "malware".

BricksUltimate Anti-Piracy Measures

There seems to be some controversy surrounding a script that checks for a valid license. Even though the exact details are unclear, a developer who reviewed the plugin code found a script that hides all posts on the website if it detects a pirated copy of the plugin.

Chinmoy Kumar Paul, the plugin developer, mentioned that he believes people are "overreacting" regarding the controversy surrounding the plugin.

The Dynamic WordPress Facebook group has been actively discussing the BricksUltimate anti-piracy measure, with over 60 posts so far. The majority of the posts express objections to the anti-piracy script.

Typical reactions in that discussion:

“…hiding a backdoor that reads the client database, is itself a breach of trust and shows malicious intent on the developer’s part.”

“I cannot support or endorse any developer who believes it's okay to sneakily insert harmful code into software. It's even worse when they try to justify their actions and show no remorse. This behavior is completely unacceptable, and I'm relieved that the community has come together to voice their disapproval of such tactics.”

“The presence of this malicious code is disturbing. I wouldn't trust any plugin that has a hidden back door on any website, let alone using it for a client's site. This completely ruins the entire plugin for me.”

“It's shocking to see this person and his company potentially violating the General Data Protection Regulation (GDPR) by injecting an undisclosed "monitor" code with unauthorized access to databases, acting like malware.”

A developer from the Dynamic WordPress Facebook community shared their discovery of the actions of the anti-piracy script.

We investigated this issue, although we are not backend experts. Our findings show that the plugin contains encoded code that cannot be read without decoding.

The code is designed to perform an extra remote license check. If this check fails, it will proceed to alter the values in the wp->posts database. This action essentially renders all posts from all post types unreadable to WordPress.

Contrary to initial suspicions of deletion, the code does not actually delete the posts. However, on the frontend, it does appear as if the posts have been deleted for any user who is not an expert in this field.

It appears that this feature is available in versions 1.5.3 and above of the software. Since there are no reports from genuine users indicating any issues, I am inclined to believe Chinmoy's assurance that it is unlikely to impact legitimate users.

On a related note, my colleague unknowingly had a pirated copy of the plugin. Unfortunately, she was unaware of its illegitimate status as it was bought from a third-party seller who claimed it was genuine.
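
A site owner can detect the effect described above, posts that still exist in the database but no longer appear in WordPress, by comparing the posts table against a recorded baseline. The sketch below is an added example, not code from the article or from the plugin. It assumes the altered values are `post_type` or `post_status` (the article does not say which columns were changed), uses an in-memory SQLite table as a stand-in for the site's MySQL `wp_posts` table, and `x_unregistered` is a made-up value.

```python
import sqlite3

# WordPress core defaults; add the custom post types the site registers.
KNOWN_TYPES = {"post", "page", "attachment", "revision", "nav_menu_item", "wp_block"}
KNOWN_STATUSES = {"publish", "future", "draft", "pending", "private",
                  "trash", "auto-draft", "inherit"}

def snapshot(conn):
    """Return {(post_type, post_status): row_count} for the wp_posts table."""
    rows = conn.execute(
        "SELECT post_type, post_status, COUNT(*) FROM wp_posts "
        "GROUP BY post_type, post_status")
    return {(ptype, status): n for ptype, status, n in rows}

def audit(baseline, current, drop_ratio=0.5):
    """Compare two snapshots and list changes that would hide posts."""
    findings = []
    # Rows whose type or status WordPress does not recognise are never queried.
    for (ptype, status), n in sorted(current.items()):
        if ptype not in KNOWN_TYPES:
            findings.append(("unknown_post_type", ptype, n))
        if status not in KNOWN_STATUSES:
            findings.append(("unknown_post_status", status, n))
    # A group that lost more than half its rows since the baseline is suspicious.
    for key, before in sorted(baseline.items()):
        after = current.get(key, 0)
        if after < before * drop_ratio:
            findings.append(("mass_drop", key, before - after))
    return findings

def make_db(rows):
    """Constructed in-memory stand-in for a site's MySQL wp_posts table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE wp_posts (ID INTEGER PRIMARY KEY, "
                 "post_type TEXT, post_status TEXT)")
    conn.executemany(
        "INSERT INTO wp_posts (post_type, post_status) VALUES (?, ?)", rows)
    return conn

# Constructed sample data: the state recorded before a plugin update ...
BEFORE = [("post", "publish")] * 3 + [("page", "publish")] * 2 + [("attachment", "inherit")]
# ... and a later state in which every post and page carries an unregistered type.
AFTER = [("x_unregistered", "publish")] * 5 + [("attachment", "inherit")]

if __name__ == "__main__":
    baseline = snapshot(make_db(BEFORE))
    for finding in audit(baseline, snapshot(make_db(AFTER))):
        print(finding)
```

Because the rows are altered rather than deleted, the total row count stays the same; only the per-group comparison shows the change.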

Response From the BricksUltimate Developer:

The developer of the plugin, Chinmoy Kumar Paul, posted a response in the BricksUltimate Facebook group.

Some developers are finding ways to bypass the license API using custom code. When the plugin is activated, it works smoothly. My script monitors these sites and verifies the license key. If there is no match, the data is deleted. However, this is not the ideal solution. I was simply testing it out.

Next time I shall improve it with other logic and tests.

People are just overreacting.

I am currently working on finding the best solution and making updates to the codes based on my report.

A large number of unauthorized users are sending their issues through email, which is causing me to waste time. Therefore, I am exploring different options to prevent this from happening.

Developer Backtracks On Anti-Piracy Measure

Several BricksUltimate users supported the developer's efforts to combat piracy, while others strongly criticized the move.

The developer may have read the room and seen that the move was highly unpopular. They said they had reversed course on the measure.

They insisted:

“…I stated that I shall change the current approach with a better option. People do not understand the concept and spread the rumors here and there.”

Backdoors Can Lead To Fines And Prison

Wordfence shared a recent article discussing how some developers are intentionally leaving backdoors in website code to sabotage or harm websites if they are not paid by the website owners.

In their post titled "PSA: Intentionally Leaving Backdoors in Your Code Can Lead to Fines and Jail Time," Wordfence emphasized the serious consequences that developers may face for this unethical practice.

Including a hardcoded backdoor in web development may seem like a way to protect against unpaid use, but it's important to consider the legal ramifications. Intentionally causing harm to a website is illegal in many countries and can result in fines or even imprisonment. In the United States, the Computer Fraud and Abuse Act of 1986 (CFAA) specifically addresses unauthorized access to computer systems. Violating this law by accessing systems with higher privileges than allowed or causing damage to the system or data can lead to severe penalties. Offenders may face sentences of 10 years or more in prison, along with substantial fines.

Fighting piracy is a valid concern, especially within the WordPress community. This task becomes slightly more challenging due to the licensing regulations of WordPress, which require all creations to be shared with an open source license.


Editor's P/S:

The BricksUltimate anti-piracy measure has sparked significant controversy within the WordPress developer community. While the developer's intent to combat piracy is understandable, the inclusion of a script that hides website posts if a pirated copy is detected has raised concerns about ethics and legality. The discovery of a backdoor in the plugin code has further fueled these concerns, leading to accusations of malware and breaches of trust.

The WordPress community has expressed strong disapproval of the anti-piracy measures, with many labeling them as unacceptable and unethical. The developer's initial response, dismissing the concerns as "overreacting," has further alienated the community. The subsequent backtracking on the anti-piracy measure and the promise of a better solution suggest that the developer may have realized the extent of the backlash and is attempting to mitigate the damage. However, the controversy highlights the importance of ethical practices and transparency in plugin development, especially when it comes to sensitive issues such as anti-piracy measures.