Shhhh!!!! WordPress, Don’t Shout About your Break-in Then

Just in case you missed it, because I did, had a security breech this week. Several plugins were updated by a hacker (or hackers) who installed backdoor exploits into AddThis, WPTouch and W3 Total Cache that may have compromised self-hosted WordPress websites.

The official statement posted by Matt Mullenweg (founding developer of WordPress) at on the 21st July, explains:

“Earlier today the WordPress team noticed suspicious commits to several popular plugins (AddThis, WPtouch, and W3 Total Cache) containing cleverly disguised backdoors. We determined the commits were not from the authors, rolled them back, pushed updates to the plugins, and shut down access to the plugin repository while we looked for anything else unsavory…”

The announcement was also accessible from the dashboards of millions of WordPress websites under the very inspiring-to-click title of “Passwords Reset”. Unbelievable way to alert WordPress users to the attack, I know, but here’s your screenshot of proof:

WordPress Security Breech
Powerfully Inspiring People to Click..... Not!

Current advice is for anyone who updated any of the compromised plugins up to a few days prior to the 21st of July to immediately update them to their rolled back versions. As a precautionary measure, all user passwords should be changed (try this plugin) along with the cookie salts in wp-config.php (get new ones here).

To increase the security of WordPress plugin development, WordPress has implemented an email notification system that will advise plugin developers when commits are made to their plugins.

Let’s hope WordPress develops a better early warning system for users of the platform too.


Detailed information about the exploits have been published by independent WordPress developer, Adam Harley, here.

Sharing is caring!

Notify of

This site uses Akismet to reduce spam. Learn how your comment data is processed.

1 Comment
Newest Most Voted
Inline Feedbacks
View all comments
Would love your thoughts, please comment.x