Just in case you missed it, because I did, WordPress.org had a security breach this week. Several plugins were updated by a hacker (or hackers) who inserted backdoors into AddThis, WPtouch and W3 Total Cache, which may have compromised self-hosted WordPress websites that installed those releases.
The official statement, posted by Matt Mullenweg (founding developer of WordPress) at wordpress.org on the 21st July, explains:
“Earlier today the WordPress team noticed suspicious commits to several popular plugins (AddThis, WPtouch, and W3 Total Cache) containing cleverly disguised backdoors. We determined the commits were not from the authors, rolled them back, pushed updates to the plugins, and shut down access to the plugin repository while we looked for anything else unsavory…”
The announcement was also accessible from the dashboards of millions of WordPress websites under the very inspiring-to-click title of “Passwords Reset”. Unbelievable way to alert WordPress users to the attack, I know, but here’s your screenshot of proof:
Current advice is for anyone who updated any of the compromised plugins in the few days prior to the 21st of July to immediately update them again to the rolled-back versions. As a precautionary measure, all user passwords should be changed (try this plugin) along with the cookie salts in wp-config.php (get new ones here).
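The salt rotation step above is worth automating, because a backdoored plugin that ran with full WordPress privileges could have read wp-config.php, and the eight AUTH/SECURE_AUTH/LOGGED_IN/NONCE keys and salts are what make login cookies and nonces valid. Replacing them invalidates every existing session, whoever holds it. The script below is an added example, not code from the original post or from WordPress: it audits the salt defines in a wp-config.php (missing, still the sample placeholder, or short) and rewrites all eight with fresh values. It generates the salts locally with Python's `secrets` module instead of fetching them from the wordpress.org generator the post links to; the sample config is constructed for the demonstration, and the salt alphabet is an assumption that simply avoids the two characters (`'` and `\`) that would break a single-quoted PHP string.

```python
import re
import secrets
import string

# The eight constants WordPress reads to sign cookies and nonces.
SALT_KEYS = (
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
)

# Value shipped in wp-config-sample.php; a site still using it has never set salts.
PLACEHOLDER = "put your unique phrase here"

# Assumed alphabet: letters, digits and punctuation, minus ' and \ so the value
# can sit inside a single-quoted PHP string without escaping.
SALT_ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_ []{}<>~+=,.;:/?|"


def _define_re(key):
    """Regex for  define( 'KEY', 'value' );  with the value as group 2."""
    return re.compile(
        r"(define\(\s*['\"]" + key + r"['\"]\s*,\s*')([^']*)('\s*\)\s*;)"
    )


def salt_values(config_text):
    """Return {KEY: value} for every salt define present in the config text."""
    found = {}
    for key in SALT_KEYS:
        match = _define_re(key).search(config_text)
        if match:
            found[key] = match.group(2)
    return found


def find_weak_salts(config_text):
    """Keys that are missing, still the placeholder, or shorter than 32 characters."""
    values = salt_values(config_text)
    weak = []
    for key in SALT_KEYS:
        value = values.get(key)
        if value is None or value == PLACEHOLDER or len(value) < 32:
            weak.append(key)
    return weak


def new_salt(length=64):
    """Generate one salt from the CSPRNG; 64 chars matches the wordpress.org generator."""
    return "".join(secrets.choice(SALT_ALPHABET) for _ in range(length))


def rotate_salts(config_text):
    """Replace the value of all eight salt defines in place.

    Keys that are absent are appended as new defines so WordPress does not fall
    back to its built-in defaults. Returns (new_text, list_of_rotated_keys).
    """
    rotated = []
    for key in SALT_KEYS:
        pattern = _define_re(key)
        fresh = new_salt()
        if pattern.search(config_text):
            # Function replacement avoids backslash/group interpretation in the value.
            config_text = pattern.sub(
                lambda m, f=fresh: m.group(1) + f + m.group(3), config_text, count=1
            )
        else:
            config_text += f"\ndefine( '{key}', '{fresh}' );"
        rotated.append(key)
    return config_text, rotated


# Constructed sample wp-config.php: two placeholders, one short key, one sound key,
# and the four *_SALT constants missing entirely.
SAMPLE_WP_CONFIG = """<?php
define('DB_NAME', 'wordpress');
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'short');
define('NONCE_KEY',        'Kf)8;q$Z[x+/2n@Vb-_c7%P^e{L}d!M*u&H<W>z?|Q=R,.t:E~4sY9jG1A0oBiN6');
"""

if __name__ == "__main__":
    print("weak or missing before rotation:", find_weak_salts(SAMPLE_WP_CONFIG))
    rewritten, keys = rotate_salts(SAMPLE_WP_CONFIG)
    print("rotated:", keys)
    print("weak or missing after rotation:", find_weak_salts(rewritten))
```

Run it against a copy of the real wp-config.php (read the file, call `rotate_salts`, write the result back) after the compromised plugins have been replaced, not before, since anything still running backdoored code could simply read the new values. Expect every logged-in user, including you, to be signed out once the file is saved.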
To increase the security of WordPress plugin development, WordPress has implemented an email notification system that will advise plugin developers when commits are made to their plugins.
Let’s hope WordPress develops a better early warning system for users of the platform too.
Update
Detailed information about the backdoors has been published by independent WordPress developer Adam Harley, here.