Many sites across the blogosphere are reporting a fake website that is distributing a backdoored version of WordPress. Though such cases are few and far between, it behooves all users to be careful when downloading any kind of code to run on their blog. The Register report contains an update from Peter Westwood (a WordPress lead developer) about the code being distributed and his suggestions on how to avoid being duped. The fake site is down now, but if you believe that you might have been a victim of it, download a fresh copy of WordPress from WordPress.org and upgrade your blog to be safe. Because a backdoored install runs with full access to your database and configuration, it is also prudent to change your WordPress and database passwords after replacing the code.
I personally follow a few simple rules to make sure that I never fall for a social engineering or covert code trap on my blogs.
- Always download core WordPress code from http://WordPress.org. Type the address into your browser rather than following a link from another blog or site; this includes updates and security fixes. If your web host offers one-click installs or upgrades through its control panel, they are probably safe, provided they install a current version. I still suggest either installing a fresh copy from WordPress.org or using WordPress.com, but I understand that one-click installs are convenient.
- Try to download plugins and themes only from the official WordPress Extend. There are far too many themes (and, to a lesser extent, plugins) that contain covert code, and new WordPress theme download sites seem to pop up every day. We have covered shady themes many times on this blog.
- Never download “hacks” or “patches” to WordPress from anywhere else. If you are unfamiliar with PHP, ask for help in the WordPress forums or contact us through the form on this blog. Always download official patches, updates and installs from the WordPress.org site.
- If you find a cool new trick, theme, plugin or hack for WordPress via a Google search, be careful. It is a cliché, but if it looks too good to be true, it probably is.
Do you have any suggestions for our other readers? Have you found strange code on your blog or theme?
I agree with everything EXCEPT the call to download themes from WordPress.org/extend/themes … not only is the selection limited, but some of the best themes are available elsewhere because of the fact that the WP.org demo site is only suitable for standard blog themes.
If you are looking for a theme, it would be to your benefit to research the author before downloading, never download themes from sites that don’t actually make the themes themselves (except WP.org), and only download themes from people you trust.
If anyone has questions about a particular theme author, please feel free to contact me at http://www.nathanrice.net/ and I can tell you whether or not that theme author or website is trustworthy.
Nathan
Ouch. This is why it is imperative that people upgrade ASAP when a security fix is released.
Regarding the bad plugins and themes, WordPress should have a system to compare certified plugins’ and themes’ hashes (SHA-1 checksums). That would prevent any files from being tampered with by a third party. Just my 2¢
Generating and comparing checksums is trivial, but the certification process is not. How do you suppose the WordPress guys can certify all the code that is there in WordPress Extend? I remember that recently one of the AdSense plugins in Extend was found by a few users to be running the plugin author’s own ads without disclosing this to anyone. And I don’t think anything was done about it.
If you guys take a listen to Episode 46 of the WordPress podcast, http://tinyurl.com/6fpopm, you’ll hear Charles ask Matt that very question regarding the plugin repository and the possibility of needing a validation team in the future. Long story short, they have an automated system in place which takes care of most of the code checking.
Thanks for the link, Jeff. I’ll go through it. But I think that static/automatic analysis can find some “vulnerabilities”, while it might be difficult to find situations like the one I described in my comment. I guess a hybrid of the two approaches (with the bulk of manual checking coming from the community) could solve this issue.
Yeah, Matt was thinking of creating a mailing list specifically for this purpose. But in that interview, he said the plugin repository gets thousands of commits. Do we have enough people to validate those?
I’d think of 2 things in this regard:
1. Some checking is always better than no checking.
2. We don’t need to check everything. As a plugin gets more popular, it will go through more eyeballs and damage limitation will happen automatically because bugs/security issues will be found. Lesser-used plugins will cause less damage anyway (and at least people will have a place to list whatever security hole they find; otherwise, in the support forum such requests get lost).
Interesting discussion,
I like these points: “Some security checking is better than none” and the more popular the plugin/theme is, the more chances it will be reviewed.
To my mind, the security system for third-party add-ons should be multilevel.
1. WordPress code should minimize possible damages that malicious/buggy add-ons can incur (sandbox as much as possible)
2. There should be a system of trusted add-ons: i.e. WordPress.org/extend, community reviews etc., maybe some signatures and checksums.
3. There should be an out-of-the-site online service[s] that could check live wordpress blogs for unwanted inclusions or misbehavior.
Because of the open source nature of WordPress, hackers can easily modify/eliminate/work around any built-in security system (think checksums, sandbox) once they have access to the system (compromised password, etc.). So anything installed on the server (plugins/scanners) can’t be 100% trusted.
On the other hand, there must be an easy way for non-tech people to check new themes and plugins not included in official repositories and not yet reviewed by the community.
In this case, some out-of-the-site service[s] could be used to check whether the site is free from hidden illicit content.
Just as many WordPress themes have links to XHTML and CSS validators, there could be a link to some trusted “Security Validators”.
As an example, I have an online service, Unmask Parasites, that reveals hidden links and iframes, malicious scripts and redirects.
(I created it to check my own WP blog when there was a hidden spam links epidemic)
4. Common sense. Webmasters should keep their sites secure. Strong passwords, regular upgrades, restrictive, minimal permissions, etc.
I think, only the combination of the above will work.
Well, if it’s not trivial, it would be useless. Hashing could be done in Subversion or via the submission process (no need to hash all the files, just the archive); then it’s a matter of where to store these hashes and how to retrieve them at some point. Plugin/theme activation would require a checksum comparison (verifying file integrity in the process). Also, there should be an option for installing non-signed plugins and themes. Phase two would depend on how WP defines the plugin and theme standard (if there is any). It would be for naught if WP-extend and WP-theme are just a pool of derivative works that only do minor tweaks and break apart at every milestone reached.
I have to second Nathan’s comments about theme downloads. There are some amazing theme designers out there, offering themes through their own sites that cannot be adequately displayed through the WP Extend. Justin Tadlock comes to mind immediately—I believe his very popular Options and Structure themes are not available through WP Extend.
The bottom line is, downloading themes from the WordPress theme repository is an end users safest bet. Downloading them from anywhere else is downloading themes at their own risk. Plain and simple.
WordPress Extend would be enough for wp users needs.
It’s a shame that someone did something like this, and it is fair to warn people to be very careful what they download and where it comes from; however, there are a lot of fabulous tutorials/themes/plugins out by reputable WordPress users that might be overlooked since they aren’t hosted on wordpress.org if these rules are followed “to the letter”.
I just published a tutorial a couple of days ago on allowing/limiting client access in WordPress, and I included code examples and the completed code available for download for anyone interested in implementing it. Nothing malicious – just one happy WordPress user wanting to help out anyone else who’s looking for a similar solution. I’ve learned so much from other WordPress users, both at wordpress.org and at the authors’ websites, and wanted to give something back to the community.
Here’s a suggestion; maybe it already exists, and if not I’d be willing to take on scripting it. WordPress itself already notifies site owners that there is a new version released. What if updating were as simple as “click here to update your site”: fetch the newest version, unzip it to the proper destination, then open the upgrade script in the browser window. Sounds simple enough to me. Maybe add in a few extra bells and whistles like an option to back up all existing files and grab an export of the database, just in case….
Already exists or is it a dumb idea?
See comment #22 – the plugin (WPAU) exists already. I use it on around 20 sites, and no problems yet. I’m sure everyone appreciates your kind offer though 🙂
That’s likely a good thing; it helps keep the net a more aesthetically pleasing place by not having to see my ugly code 🙂 I can get PHP to do just about anything, but have no idea how to make it a plugin.
I’ll have to look for the WPAU script, must have missed it along the way.
Assuming this comment doesn’t get spammed, then you can grab the plugin here.
Actually, scrap that, click my name (in THIS comment) for the plugin.
I think people using a fake WordPress are those who are new to blogging and never search for new information about WordPress, and this post lets the world know: don’t use fake WordPress, because it’s very dangerous 😀
I guess success = brings the evil of society.
I am picky on the themes I use on my sites (All of them are wordpress based). I find a perfect one and I see the footer with some strange code that says “it is illegal to reverse engineer”….A real coder (plugins/themes) will not force people to keep the links.
I hate any themes/plugins that FORCE you to add a link to the author’s website…hey guess what? a true fan will give you a link…I do not like to put links on footers…I have a credits page for a reason. Also your site may show advertising that is not appropriate for MY site to be linked into. I always give credit where credit is due.
Things like this will always happen. I saw WordPress (some older versions) on some nulled scripts websites, calling it WordPress nulled. How could you null an open-source software?
There’s definitely a scam around.
WordPress 2.7 will have automatic site upgrade 🙂 However, a backdoored version will be able to make sure it stays backdoored.
Might I add a suggestion: get your WordPress direct from the Repository if you have svn/shell access.
Well good, save the world from reading my UGLY code!
It might destroy one of your illusions, but plugins from WP Extend do not have to pass ANY quality control or safety checks AT ALL.
It is NOT SAFE to assume that plugins from WP Extend are any better than those downloaded from anywhere else.
Robert, except on WP Extend people will notice that and warn/report much faster than on other sites.
Robert, have you found any offending plugins on WordPress Extend? Have you had any bad experiences with plugins you downloaded from there?
Well, somebody has already mentioned the Adsense plugin that ran the _author’s_ ads. Sounds kind of “offending” to me….
I’m considering writing a bit about this, as I have had my themes modified to make them appear as ad-filled sponsored themes by someone who was completely unknown to me. Normally, I would not care too much about that, since it is impossible for theme designers (and for plugin makers) to stop other people from abusing the code if they really want to. But in my situation, it was not a person who wanted to turn themes into hacking tools. It was a person who wanted to damage my reputation and make me look like a disrespectful and greedy scammer.
I got my themes modified, re-distributed and promoted, and sites that loaded the themes got strange errors and massive amounts of affiliate links included at various places in the design. Apparently, to have the ads removed the user would have to pay for a “premium upgrade”, which would basically be the same theme but without the ads. The same theme of mine that users can download from WordPress.org for free. But at a high price…
Users who complained about the ads got an e-mail from “Andreas Viklund” who went very rude on them because they did not appreciate the free work. Users were also encouraged to get themes from some other designer if they did not like “the Andreas Viklund model”. Two recommendations for such designers were given – both were affiliate links.
Luckily, I found out about this very early, and I followed the development in silence for a few days to learn more about it and also to exchange a few e-mails with the scammer under another name than my own. Once I revealed who I was, it all ended in a good and friendly way – and I am confident that it will not happen again. But I still want to warn others, both theme designers and plugin coders and ask if someone has experienced anything like this.
I realized that it doesn’t matter if you look for trusted names. It is important to download from a trusted location as well, and there are never any guarantees. Most important of all would be: think twice before using any kind of auto-update/upgrade feature. And also, although it can be embarrassing to admit that you want to do this, don’t be afraid to Google your own name to see if someone is abusing it. It can save you from a lot of worries.
Sorry for the long comment, I’ve had this on my mind for quite some time without writing any of it down…
I use the WPAU plugin to upgrade; I guess it is safer too, right?
Yes, you should be careful even with your operating system, but that is beside the point. I saw this yesterday and posted it as “Fake WordPress update 2.6.4 steals data!”; it seemed to me that people weren’t watching where they went.
This is so annoying, how people love to mess up a good thing. But here is my thing: why have a fake WordPress site? What can they get out of it, except for trying to hack people’s affiliate accounts or Google AdSense codes?
Well… I think it’s going a bit far saying not to download themes elsewhere. There are so many additional and often better themes available outside of WordPress Extend. People need to make sure they reach the correct website for upgrading! Or use Fantastico!
Never trust third parties for downloading WP; as simple as that. Moreover, searching over the internet reveals some posts on how to “hack” the core files in order to deactivate some features. It’s important not to manipulate the code unless it’s something mentioned in the “Codex” documentation. Other than this, simply don’t!
Fantastico all the way; never take risks.
This is a scary thought. The scammers are always trying new angles.