Popular WordPress Plugins Compromised

If you use popular WordPress plugins such as AddThis, WPtouch or W3 Total Cache and upgraded it in the last 1 or 2 days, read this.

Matt Mullenwag of Automattic has published a blog post saying that they noticed suspicious commits to the WordPress plugin repository for several popular plugins. In fact, their suspicions were confirmed when they found cleverly disguised backdoors in those plugins.

When the compromised plugins are installed by unsuspecting bloggers, they leave their site open to hackers through that backdoor. This is seriously bad!

Here’s what the blog post says

Earlier today the WordPress team noticed suspicious commits to several popular plugins (AddThis, WPtouch, and W3 Total Cache) containing cleverly disguised backdoors. We determined the commits were not from the authors, rolled them back, pushed updates to the plugins, and shut down access to the plugin repository while we looked for anything else unsavory.

We’re still investigating what happened, but as a prophylactic measure we’ve decided to force-reset all passwords on WordPress.org. To use the forums, trac, or commit to a plugin or theme, you’ll need to reset your password to a new one. (Same for bbPress.org and BuddyPress.org.)

As a user, make sure to never use the same password for two different services, and we encourage you not to reset your password to be the same as your old one.

Second, if you use AddThis, WPtouch, or W3 Total Cache and there’s a possibility you could have updated in the past day, make sure to visit your updates page and upgrade each to the latest version.

So, make sure you upgrade to the latest version of these plugins to clear out any malicious code you installed in the past few days. Also, make sure you reset your WordPress.org password.

There doesn’t seem to be a day going by without someone or some major site getting hacked. With WordPress 3.2 coming out very soon, this is bad press for WordPress team.

{ via WordPress }