iThemes Patches Vulnerability in BackupBuddy, Wordfence Tracks 5 Million Exploit Attempts

BackupBuddy, a commercial plugin from iThemes that performs scheduled backups with remote storage options, has patched a vulnerability that allowed for arbitrary file download by unauthenticated users. iThemes published an advisory for its users, indicating that the vulnerability affects versions 8.5.8.0 through 8.7.4.1 and is being actively exploited.

Wordfence reviewed its data and found that attackers began targeting this vulnerability on August 26, 2022. The company has blocked nearly 5 million attacks targeting the vulnerability since that time.

Wordfence found that the method BackupBuddy used to download locally stored files was insecurely implemented, making it possible for unauthenticated users to download any file stored on the server.

“Due to this vulnerability being actively exploited, and its ease of exploitation, we are sharing minimal details about this vulnerability,” Wordfence threat analyst Chloe Chamberland said.

Wordfence found the majority of the attacks are attempting to read sensitive files, including the following:

  • /etc/passwd
  • /wp-config.php
  • .my.cnf
  • .accesshash

iThemes published specific indicators of compromise and detailed steps to detect if a site was attacked. The company outlined additional steps for sites that have been compromised.
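A defender can make a first pass over web server access logs for requests that reference the files listed above. The following is an added example, not iThemes' published indicators or Wordfence's detection logic; the log lines are constructed, and the `/example.php` path and `f` parameter are hypothetical placeholders because the article does not disclose the vulnerable request.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, unquote

# File names the article lists as the most common targets.
SENSITIVE = ("/etc/passwd", "wp-config.php", ".my.cnf", ".accesshash")

# Minimal matcher for combined log format: client IP, method, target, status.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

# Constructed sample lines (hypothetical endpoint and parameter name).
SAMPLE_LOG = [
    '203.0.113.7 - - [27/Aug/2022:10:01:02 +0000] '
    '"GET /example.php?f=%2Fetc%2Fpasswd HTTP/1.1" 200 1832',
    '203.0.113.7 - - [27/Aug/2022:10:01:05 +0000] '
    '"GET /example.php?f=..%252F..%252Fwp-config.php HTTP/1.1" 200 3120',
    '198.51.100.4 - - [27/Aug/2022:10:02:00 +0000] '
    '"GET /example.php?f=/home/u/.my.cnf HTTP/1.1" 403 199',
    '192.0.2.10 - - [27/Aug/2022:10:03:00 +0000] '
    '"GET /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 200 5210',
]


def fully_decode(value, max_rounds=3):
    """Undo nested percent-encoding (e.g. %252F -> %2F -> /)."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_requests(lines):
    """Map client IP -> [(matched file name, HTTP status)] for flagged requests."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not an access-log line in the expected format
        ip, _method, target, status = m.groups()
        # Only the query string is inspected, so ordinary page loads are ignored.
        query = fully_decode(urlsplit(target).query).lower().replace("\\", "/")
        for name in SENSITIVE:
            if name in query:
                hits[ip].append((name, int(status)))
                break
    return dict(hits)


if __name__ == "__main__":
    for ip, found in suspicious_requests(SAMPLE_LOG).items():
        print(ip, found)
```

A 200 status on a flagged line means the server answered the request rather than rejecting it, so those entries deserve the closest review.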

All BackupBuddy users are advised to update to the patched version 8.7.5. iThemes made it available to all users, regardless of their current BackupBuddy licensing status, due to the severity of the vulnerability.

iThemes Acquires Kadence WP, Plans to Sunset Legacy Themes in 2022

iThemes has acquired Kadence WP, the Missoula-based makers of the Kadence Blocks plugin and its accompanying Kadence theme. Originally founded in 2008 as a themes company, iThemes became more of a plugin-oriented business over the years before it was acquired by Liquid Web in 2018. The company is returning to its roots with this acquisition and plans to make Kadence WP the official theme platform of choice for iThemes.

“It’s no secret that the ‘themes’ part of iThemes has been lacking for many years now,” iThemes general manager Matt Danner said. “While we got our start in WordPress themes in 2008, over the past 10 years, we pivoted to the more obvious needs of our customers (mainly WordPress security, backups, memberships and maintenance) as the theme marketplace got more competitive. Joining forces with Kadence WP means that iThemes can once again have an innovative and modern WordPress theme platform.”

iThemes announced it will be sunsetting its iThemes Builder theme framework and all of its legacy themes in 2022, in favor of supporting the Kadence theme which already has more than 50,000 active installations. Danner said the older themes “are no longer truly compatible with the future direction of WordPress.”

Kadence Blocks are even more popular than the accompanying theme, since they can be used in combination with any WordPress theme. The plugin has gained more than 100,000 users after its initial launch in August 2018. Kadence Blocks pioneered some of the first full-featured layout blocks in the early days of Gutenberg prior to its inclusion in core.

“This last year has marked some ridiculous growth for Kadence WP,” co-founder Ben Ritner said. “Only one year ago my sister Hannah (many users will know Hannah from our support channels) and I were the entirety of the Kadence WP team. It is hard to gauge user numbers with accuracy because of how many free products we have, but the amount of people using Kadence WP products has roughly quadrupled in the last 10 months! Our new Kadence Theme, which landed on the repo in November (only 160 days ago), now has more than 50,000 active users.”

Kadence WP will continue running under its same branding and as a separate company under the iThemes brand. Pricing will remain the same for existing Kadence WP customers. iThemes plans to raise its prices for its Agency Bundle on May 1, 2021, but renewal pricing will remain the same as long as the customers’ subscriptions auto-renew.

Kadence Blocks is adding dynamic content for its pro version in the next month. The team is also launching a new plugin called Kadence Cloud, which will allow users to create a pre-built cloud of content that they can pull down into any website. Both Kadence Blocks and the theme will also be rolling in many of the top-voted feature requests from its community. A major new product release is planned for Q4 2021.

iThemes will be hosting a townhall meeting Friday, April 9 at 11:00 am CST to address any questions or concerns that users and customers may have. They are also running an online training workshop titled “Learn How to Use Kadence WP” on May 5, 2021, at 1:00 p.m. CST.

Liquid Web Acquires The Events Calendar WordPress Plugin From Modern Tribe

Liquid Web announced today via the iThemes blog that it acquired The Events Calendar from Modern Tribe. The acquisition gives them ownership of the plugin, its suite of event-related plugins, and the team behind it all.

“We’ve acquired all the associated plugins, including Event Tickets, etc.,” said Matt Danner, the COO at iThemes. “They identify under the single umbrella of The Events Calendar as a team, so we’ve continued to position the team that way.”

As part of the acquisition, the 50+ employees from The Events Calendar plugin team are now a part of the Liquid Web family. They will continue working on the plugin and its related products. Zach Tirrell announced on The Events Calendar blog that he would remain at the helm and that the team structure was not changing.

The remaining 74 employees of Modern Tribe will continue working on the agency’s other projects, including clients like Microsoft and Harvard University. Reid Peifer, the Creative Director at Modern Tribe, teased potential future projects in his announcement post. “We can’t help but make things, so you may see a few surprises from us in the coming months as well.”

The Events Calendar plugin on WordPress.org currently has over 800,000 active installs with an average rating of 4.4 out of 5 stars. Modern Tribe launched the plugin in 2011 and has continued to build a larger product line and customer base around it over the last decade.

For existing customers, it should be business as usual. Nothing has changed about who is currently developing The Events Calendar. The website is still a separate entity, and billing will remain the same.

The acquisition is mere months after iThemes, owned by Liquid Web, purchased Restrict Content Pro (RCP), a membership plugin. While RCP continues to have an independent site, users can snag it with one of the plugin bundles directly from the iThemes website.

However, The Events Calendar will be wholly independent of iThemes. Customers hoping to see a similar bundle with The Events Calendar will be out of luck.

“The RCP acquisition was done under the iThemes brand,” said Danner. “We brought that team into our team, and the membership product is a key part of how we’re positioning iThemes. The Event Calendar’s acquisition was done under the larger Liquid Web brand. Their team is coming into Liquid Web alongside iThemes as part of the bigger software division. While we definitely think there are future opportunities to collaborate between our teams (which could include bundles of products from both teams), their products are not going to become part of the iThemes product line.”

One of the biggest remaining questions is whether the separate teams will eventually create integrations between The Events Calendar and RCP. There are multiple reasons event organizers might want to restrict content based on memberships, especially when it comes to virtual events. Danner did not give up any specific plans in his response.

“We’re very excited to explore all the opportunities to integrate our products,” he said. “I think there are some great opportunities for RCP and TEC to work more closely together, and both customer bases have requested deeper integration between the two. This acquisition was a perfect fit from so many angles. The people, the values of the team, and the products all align with what we’re building at Liquid Web.”

iThemes Buys WPComplete, Complementing Its Recent Restrict Content Pro Acquisition

Just one month after publicly announcing its acquisition of Restrict Content Pro (RCP), iThemes purchased WPComplete for an undisclosed amount. The acquisition is for the product, website, and customers only.

Paul Jarvis and Zack Gilbert created the WPComplete plugin in 2016. However, it has outgrown what the duo could maintain and support alone. After the transition period in which the new owners take over, the two will step away from the project.

In essence, WPComplete is a “course completion” plugin. Site owners can create online courses while allowing students/users to mark their work as completed. It also gives students a way to track their progress through courses, which can often boost the potential for them to finish.

“Paul and Jack believe a key to their success has been their ability to keep their team small and manageable,” wrote Matt Danner, the COO at iThemes, in the announcement. “The growth of WPComplete has presented a number of challenges for a team of two people, so the decision was made to start looking towards alternative ownership solutions that could continue to grow WPComplete and provide it with a stable team. iThemes is a perfect fit.”

iThemes customers who have a Plugin Suite or Toolkit membership will get automatic access to the pro version of the WPComplete plugin. For current WPComplete users, Danner said everything should be “business as usual.” However, iThemes has assigned a few of its team members to work on the product and site, so customers should see some new faces.

RCP and WPComplete are obviously complementary products. RCP is a membership plugin that allows site owners to restrict content based on that membership. WPComplete allows site members to mark lessons or coursework as completed. “We’ll be rolling out a new bundle later this month that combines both RCP and WPComplete for course and membership creators to take advantage of these two plugins,” said AJ Morris, the Product Innovation and Marketing Manager at iThemes.

WPComplete is still a young product. The free version of the plugin currently has 2,000+ active installs and a solid 4.7 rating on WordPress.org. If marketed as an extension of the RCP plugin, it is automatically put in front of thousands more potential customers. It should be much easier to grow the plugin as part of a membership bundle.

iThemes is making some bold moves in the membership space. It will be interesting to see if the company makes any other acquisitions that could strengthen its product line and help it become more dominant. There is still a ton of room for growth in the membership segment of the market. There is also the potential for integrations with other major plugins.

“Adding WPComplete to the iThemes product lineup also allows us to move more quickly on some plans we have for Restrict Content Pro,” said Danner in the initial announcement. He also vaguely mentioned a couple of ideas the team had in the works but did not go into detail.

With a little prodding, Morris provided some insight into what they are planning for the immediate future. The biggest first step is tackling integration with the block editor. Currently, WPComplete uses shortcodes. The team’s next step is likely to begin with creating block equivalents for those shortcodes.

“After that, we’ve touched on a few deeper integrations with Restrict Content Pro, like the possibility to restrict courses to memberships,” said Morris.

The iThemes team does not plan to stop with WPComplete as part of its product lineup. One of the goals is to use the plugin for the iThemes website itself.

“We always try to eat our own dogfood when we can,” said Morris. “You’ll see that with RCP and WPComplete early next year as we look to integrate them into our iThemes Training membership.”

iThemes Enters the WordPress Membership Plugin Market, Acquires Restrict Content Pro

Last Tuesday, iThemes announced it had acquired the Restrict Content Pro plugin from Sandhills Development. iThemes is part of the Liquid Web family of brands. Pippin Williamson, Managing Director at Sandhills, said the company had no intention of selling the plugin last October when talks of the acquisition began. However, moving forward has created some opportunities for his company and narrowed its focus to its existing products.

Restrict Content Pro will remain an independent product with its own website. However, iThemes will include it as part of its Plugin Suite and Toolkit product bundles from the iThemes website. The Plugin Suite bundle runs at $249 per year, which is the same as the regular Restrict Content Pro price. However, the bundle includes other products such as the company’s popular BackupBuddy plugin. The Toolkit bundle runs between $700 and $997 per year. It includes the Plugin Suite, a themes package, training, and more.

This structuring of product sites falls directly within the company’s long-term plans. “Earlier this year we actually started down a number of avenues experimenting with moving some of our products off ithemes.com and over to their own sites,” said AJ Morris, the Product Innovation and Marketing Manager at iThemes. “When COVID became a pandemic, we paused a lot of those projects to provide relief and help to the WordPress community. Now that things have calmed down for us a bit, we’re going to continue on that path.”

Outside of the change of ownership, end-users should not see much change with the plugin or the site. Users should expect some admin-side changes in the future as the new development team refreshes the plugin.

The Membership Plugin Space

Membership plugins represent a slice of the overall WordPress market that still has no true dominant player. There are several solutions out there, but it is still an emerging area that any company can dive into and see returns on with a solid product. It is a niche that will undoubtedly continue growing along with WordPress and has plenty of untrodden ground just waiting for the right people to take their first steps across. There will always be a need for more fine-tuned control over users and permissions than what WordPress offers out of the box.

“We are always in the market looking at other plugins that make sense for our business,” said Morris of why they made the acquisition. “Our audience is primarily freelance developers that are building a wide range of sites for clients. Over the years, we’ve focused on a number of non-utility products (like iThemes Exchange) and we learned a lot during that time. We’ve also learned a lot over the years of running our own membership site. For us looking at a membership plugin played with into the iThemes strategy and really the Liquid Web strategy as a whole.”

I spent nine years developing and maintaining a membership-related plugin but sold it in 2019. If there is one lesson I learned during that time, it’s that no two sites have the exact same membership needs. There is always room for individual companies to build a product that meets specific user needs in the membership space.

“What I feel like is everyone is currently trying to create the best Swiss Army knife,” said Morris. “I don’t think that anyone sets out saying I want to be good at all things, but when you’re developing a plugin that has so much possibilities for the market it serves, you have to feel out where you want to play and claim stake to that area. You become the best you can in that area and work at making sure you succeed there. Then you can start to properly branch out to other segments of the space that are within close proximity to where your core is.”

iThemes is stepping into the game at an ideal time. Restrict Content Pro is currently a $500,000+ per year product, according to Williamson. In the right hands and with continued growth, it could become the go-to solution for memberships in the WordPress ecosystem. iThemes has a solid history in the plugin space. This is a good opportunity to see where they take the project.

The Future of Restrict Content Pro

Morris said that Sandhills Dev already had a solid short to mid-term plan for the plugin. These plans are providing iThemes with a head-start on features and ideas, some of which are already in progress. The team’s plan is to continue down this path, which matches some of the areas the company wanted to address.

“After that, we’ve got some ideas, but we also want to get to know the community around Restrict Content Pro,” said Morris. “[Matt Danner] has mentioned in several places that the RCP community is more developer-centric while the iThemes community is historically not. Right now we’re in listening mode. We’re starting conversations all over the web with RCP customers to get a sense of what they are looking at and apply those learnings with where we want to take RCP in the membership space. Right now, I think it’s a bit premature to talk about specific features we’re including or what direction we’re fully going.”

The one area that is currently lacking is the free Restrict Content plugin. Its user base is still relatively small (10,000 active installs). Its average 3.7 star-rating from end-users does not spell confidence, but it could be brought up with some active work.

Restrict Content Pro has long had the benefit of being associated with Williamson and Sandhills Development’s other products like Easy Digital Downloads and AffiliateWP. All of these projects fit well together — often a user of one plugin needs at least one of the others. The pro plugin has likely not relied on the traffic from WordPress.org for success. However, it would not hurt to bring those numbers up. While the install count from the free version does not always directly correlate to success with commercial versions, it is usually a good indicator. Putting some resources behind beefing up the free plugin could translate to better returns in the long term.

Morris said that iThemes will be sharing news about the free Restrict Content plugin soon. However, he is remaining tight-lipped about what those plans are for now.