The WordPress team noticed some suspicious changes made to the AddThis, WPtouch, and W3 Total Cache plugins in the official plugin directory. The three plugins have been updated to remove the suspicious code, and all account passwords on WordPress.org have been reset as a precautionary measure. If you have an account on WordPress.org, you’ll need to reset your password.
To avoid future problems, or at the very least notice such activity sooner, the WordPress team has enabled notification emails for all plugin developers for whenever their plugin files are changed.
If you have a WordPress.com account or a self-hosted WordPress blog, this reset did not affect your own user account, but you should probably immediately upgrade your copies of AddThis, WPtouch, and W3 Total Cache, if you’re using them of course.
I’ve been a bit disappointed at the lack of communication about what happened. While I appreciate the (seemingly) very quick response of the WordPress team, I did install a hacked version of a plugin and there has been no communication as to what the code was and whether or not I could still have a security hole open. The communication has simply been, “Update to the newest version of the plugin and you’ll be fine”. I would like to know more.
In this I agree, there has been little or no further information forthcoming, and it gives the sense that they just don’t know.
Whilst I applaud WordPress’s quick response, the follow-up has definitely been lacking, same with the developers. In situations like this you need the information as soon as possible to mitigate the risks; Microsoft learned this the hard way.
The exploits added to the plugins were described as a “backdoor,” which means that it would have allowed the individual who knew of the backdoor to gain access to the blog, usually the Dashboard.
Fortunately, plugins are quite self-contained. Updating a plugin replaces the entire file, so the files containing the backdoor are gone once you update.
Since the backdoor wasn’t “live” too long before updates were rolled out, and access is limited only to the person who knows how to use it, I don’t think you have anything to worry about as long as you’ve updated the plugins.
How about showing the code that was added? Or how the intruders got permissions to change plugin code? That’s the kind of information I want (and your response is almost along the same lines as those I was complaining about).
I’m still concerned that other backdoors might have been created. I’ve been hit before, and I’ve seen code left anywhere and everywhere across my WP install.
I’m not part of the WordPress.org team, so I don’t have any specifics.
What I do understand is that the break-in itself was pretty trivial. More like someone’s password was guessed or discovered, hence the precautionary site-wide password reset, but that’s just hearsay.
I don’t recommend exposing the backdoor, as the method of the backdoor will probably be addressed in a future security update, and exposing it now would just jeopardize everyone else.
If you’re concerned at all, install and run the Exploit Scanner plugin.
I did some digging the day they did the password reset; the three plugins had code placed in them that would allow remote code execution. Not so much a backdoor, but you could do whatever you wanted through the remote code execution. See http://mtekk.us/archives/enemy.....evil-code/ for more details, and the actual snippets of code.
I run a fair number of plugins, and I admit it’s been about a week since I logged into the dashboard, but I have 12 plugins showing an update. That’s an unusually high number in my experience.
Do they believe they have caught all of the exploited plugins?
As far as we know, it’s just those three.
Well this couldn’t have come at a better time for me. I was about to go change my WP.org password anyway (it wasn’t very secure before).
Concerning that they wanted to push out a site-wide password reset. That makes it seem they believe it could be a low-level security breach rather than just those plugin developers’ passwords.
Really curious about the suspicious code… if the code was not added by the original development team, who did it?
Perhaps someone can tell us how to tell the difference between the hacked plugins and their cleansed replacements. For instance, the latest version of AddThis in the WP.org repo is dated 6/20, the day before Matt’s post announcing the hack (6/21).
They’ve prolly rolled them back to an earlier version.