Top WordPress plugin accused of adding backdoor that could unpublish all your posts

In an attempt to protect its intellectual property from piracy, a WordPress plugin developer implemented a rather controversial solution in one of its products.

As a result, the community is up in arms, some people are calling the solution malware, and others are warning of potential legal fines, or even jail time, for the developer.

The plugin in question is called BricksUltimate Addon, and it’s developed for Bricks Builder, a widely popular site building platform, designed first and foremost for advanced WordPress users. BricksUltimate is a third-party plugin that allows those users to implement additional features and interactive elements, such as animated menus and star ratings. 

Invasion of privacy

However, Search Engine Journal has now reported how the developer of BricksUltimate, Chinmoy Kumar Paul, wrote a piece of code that secretly checked if the plugin’s license was valid. If it was, nothing would happen. If it wasn’t, though, it would unpublish all of the posts on the website. 

This pushed the community into a frenzy. Some people described the code as malware and a backdoor, others as an invasion of privacy. 

“Some coders are bypassing the license API with some custom code. That time plugin is activating and it is smoothly working. My script is just tracking those sites and checking the license key. If not match, is deleted the data. But it is not the best solution. I was just testing,” the developer said in response to the community outcry. 

“Next time I shall improve it with other logic and tests. People are just overreacting. I am still searching for the best solution and updating the codes as per my report. A lot of unwanted users are submitting the issue via email and I am losing my time for them. So I am just trying to find the best option to avoid this kind of thing.”

Finally, Search Engine Journal reminded its readers of a report by Wordfence (a WordPress security project), which argued that intentionally leaving backdoors in the code can lead to fines and even jail time.

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.