On June 21, 2011, Matt Mullenweg reported on WordPress.org that the popular WordPress plugins, AddThis, WPtouch and W3 Total Cache were found with cleverly disguised backdoors.
These security vulnerabilities were discovered inside the WordPress.org repository itself, and the plugin developers (authors) were not at fault.
However, it is still unclear how the attackers gained access to manipulate the plugin code inside the repository.
You're probably saying to yourself, “OMG! Now WordPress.org got hacked.” It seems that everything on the Internet gets attacked these days. Don't panic! One of the things I love about WordPress is that their developers take immediate action and close vulnerabilities when they find them.
As a precaution, the WordPress Team took the following security measures:
- Shut down access to the plugin repository for your safety, while they checked for anything suspicious.
- Rolled back to previous versions of AddThis, WPtouch and W3 Total Cache plug-ins.
- Pushed safe updates to these affected plug-ins.
- Forced password resets for all accounts at WordPress.org.
- The WordPress developers are continuing their investigation and monitoring this situation.
If you hold a WordPress.org account (for the forums, Trac, or as the author of a plugin or theme included in the repository), you are now required to reset your password. (This also includes accounts for bbPress.org and BuddyPress.org.)
Note: Be sure that you use very strong passwords! Use a minimum of 15 characters, combining upper- and lower-case letters, numbers and symbols. Do not use dictionary words or your name. And NEVER reuse a password: every site you log into online should have its own unique password.
If you use AddThis, WPtouch or W3 Total Cache plugins, what should you do now?
Have you installed or upgraded any of these plugins in the last couple of days? If so, you should visit your updates page inside your wp-admin Dashboard and upgrade them to the latest versions immediately.
Stable plugin versions as of June 22, 2011 at 8am CST:
- AddThis version 2.2.0 (last updated 6-20-2011)
- WPtouch version 1.9.29 (last updated 6-21-2011)
- W3 Total Cache version 0.9.2.3 (last updated 6-21-2011)
The backdoors (security vulnerabilities) have been removed in the versions listed above.
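One way to check a self-hosted site against the stable versions listed above is to read the `Version:` line from each plugin's header block and compare it with the known-good version. The script below is an added example, not code from the post or from WordPress.org. It assumes the plugin directory names `addthis`, `wptouch` and `w3-total-cache` (an assumption), and the sample plugin headers at the bottom are constructed for the demonstration.

```python
import re
from pathlib import Path

# Stable versions named in the post (as of June 22, 2011).
# The directory slugs are an assumption, not taken from the post.
STABLE_VERSIONS = {
    "addthis": "2.2.0",
    "wptouch": "1.9.29",
    "w3-total-cache": "0.9.2.3",
}

# Matches the "Version: x.y.z" line of a WordPress plugin header comment.
HEADER_RE = re.compile(r"^\s*\*?\s*Version:\s*(\S+)", re.MULTILINE | re.IGNORECASE)


def parse_plugin_version(header_text):
    """Return the Version: value from a plugin header block, or None if absent."""
    m = HEADER_RE.search(header_text)
    return m.group(1) if m else None


def version_tuple(v):
    """'0.9.2.3' -> (0, 9, 2, 3); a non-numeric component counts as 0."""
    parts = []
    for p in v.split("."):
        num = re.match(r"\d+", p)
        parts.append(int(num.group()) if num else 0)
    return tuple(parts)


def compare_versions(a, b):
    """Return -1, 0 or 1 as a is older than, equal to, or newer than b."""
    ta, tb = version_tuple(a), version_tuple(b)
    n = max(len(ta), len(tb))
    ta += (0,) * (n - len(ta))   # pad so 2.2 == 2.2.0
    tb += (0,) * (n - len(tb))
    return (ta > tb) - (ta < tb)


def check_plugins(installed):
    """installed: dict of slug -> header text. Returns dict of slug -> status."""
    report = {}
    for slug, header in installed.items():
        stable = STABLE_VERSIONS.get(slug)
        if stable is None:
            report[slug] = "not-on-list"
            continue
        ver = parse_plugin_version(header)
        if ver is None:
            report[slug] = "no-version-header"
        elif compare_versions(ver, stable) < 0:
            report[slug] = f"outdated ({ver} < {stable}): update"
        else:
            report[slug] = f"ok ({ver})"
    return report


def load_plugin_headers(plugins_dir):
    """Read the header of every plugin under wp-content/plugins.

    WordPress itself reads only the first 8 KB of the main file for header data,
    so the same limit is used here.
    """
    headers = {}
    for sub in sorted(Path(plugins_dir).iterdir()):
        if not sub.is_dir():
            continue
        for php in sorted(sub.glob("*.php")):
            text = php.read_bytes()[:8192].decode("utf-8", errors="replace")
            if "Plugin Name:" in text:
                headers[sub.name] = text
                break
    return headers


# Constructed sample headers (not real plugin files); wptouch is one patch behind.
SAMPLE_HEADERS = {
    "addthis": "<?php\n/*\nPlugin Name: AddThis\nVersion: 2.2.0\n*/\n",
    "wptouch": "<?php\n/*\nPlugin Name: WPtouch\nVersion: 1.9.28\n*/\n",
    "w3-total-cache": "<?php\n/*\nPlugin Name: W3 Total Cache\nVersion: 0.9.2.3\n*/\n",
    "some-other-plugin": "<?php\n/*\nPlugin Name: Other\nVersion: 1.0\n*/\n",
}

if __name__ == "__main__":
    # On a real site: check_plugins(load_plugin_headers("/path/to/wp-content/plugins"))
    for slug, status in check_plugins(SAMPLE_HEADERS).items():
        print(f"{slug}: {status}")
```

Run it against the real `wp-content/plugins` directory by swapping `SAMPLE_HEADERS` for `load_plugin_headers(...)`; any plugin reported as `outdated` should be updated from the Dashboard before anything else. Note that a matching version number shows the header is current, not that the files are untouched, so it complements rather than replaces a file-integrity check.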
Again, I really want to stress for you not to panic. Just yesterday, I installed W3 Total Cache before this issue was announced. I just updated the plugin and feel confident it's a clean version.
To check that your site is malware free, be sure to get your site monitored at Sucuri. They automatically run malware scans and check for unauthorized file changes on all our websites. Sign up with our discounted affiliate link. And be sure that you're doing frequent backups of your server files and your database(s).
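The "check for unauthorized changes" part of that advice can also be done locally with a hash baseline: record a SHA-256 for every file under the plugins directory right after a clean update, and diff against it later to see which files were added, removed or modified. The script below is an added example, not Sucuri's scanner or code from the post; the `demo()` function builds a constructed throwaway directory so it runs offline.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path):
    """Hash one file in 64 KB chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root):
    """Return {relative_posix_path: sha256} for every regular file under root."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def save_baseline(baseline, path):
    Path(path).write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(path):
    return json.loads(Path(path).read_text())


def diff_baseline(old, new):
    """Compare two hash maps and report what changed since the baseline was taken."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    modified = sorted(k for k in set(old) & set(new) if old[k] != new[k])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed scenario: take a baseline, then simulate an unauthorized change."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "wptouch").mkdir()
        (root / "wptouch" / "wptouch.php").write_text("<?php // Plugin Name: WPtouch\n")
        (root / "w3-total-cache").mkdir()
        (root / "w3-total-cache" / "w3-total-cache.php").write_text(
            "<?php // Plugin Name: W3 Total Cache\n")

        baseline = hash_tree(root)          # taken right after a clean update

        # Later: one file is altered and an unexpected file appears.
        (root / "wptouch" / "wptouch.php").write_text(
            "<?php // Plugin Name: WPtouch\n// altered line\n")
        (root / "w3-total-cache" / "extra.php").write_text("<?php\n")

        return diff_baseline(baseline, hash_tree(root))


if __name__ == "__main__":
    # On a real site: save_baseline(hash_tree("wp-content/plugins"), "plugins-baseline.json")
    # and later diff_baseline(load_baseline("plugins-baseline.json"), hash_tree("wp-content/plugins")).
    print(json.dumps(demo(), indent=2))
```

Keep the baseline file outside the web root (and ideally off the server, with your backups), since an attacker who can write to the plugins directory can just as easily rewrite a baseline stored next to it. Any `added` or `modified` entry that does not line up with an update you performed deserves a look.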
Leave Your Feedback
Did you install or upgrade the AddThis, WPtouch or W3 Total Cache plugin in the last couple of days? How safe do you feel running a self-hosted WordPress blog? I'd love to hear from you, leave your comments below.
Securely yours,
Regina Smola
WordPress Security Expert
Shirley says
Hmmmm maybe I’m missing something…When I go to the login page for WordPress.org to try and change my password…there is no option to do that.
It just says they’ve reset all passwords and that you must change your password. But I can’t access my account to make the change. If I click register…it just redirects back to the same page to telling me to change my password.
I tried clicking “recover” password to see if that would work…but I did not get an email.
Any thoughts? Or am I missing something here?
As always thanks for your help
Regina Smola says
Hi Shirley,
Thanks for your question. Looks like they made it a bit confusing over at wordpress.org.
Try going to http://wordpress.org/support/bb-login.php and see if that helps.
If you find an easier way or any steps to help guide users, please let us know.
Thanks,
Regina
Shirley says
Hi Regina,
Thanks for the quick reply… unfortunately that link you supplied is the same link I tried using before. Oh well… I guess they will figure it out eventually. In the meantime I’ve made the decision to remove WPtouch as I wasn’t able to update it. I wanted to do so manually but I cannot access the plugins since they have the plugins directory on lockdown.
C’est la vie!
Regina Smola says
Hey Shirley,
Oh, interesting. The plugin is on lockdown now? According to Matt’s post they have been restored. Maybe they’re still working on them.
Did you try to do a “Password Recovery?”
Regina Smola says
Wait. I just upgraded my WPtouch and it worked. Can you try again.
shirley.hayes says
Hi Regina,
I can now access the plugin directory…but the password thingy is still not working..and yes I tried using the “password recovery” but nothing. I will have to contact them directly I guess
Regina Smola says
Oh the joys of technology.
Sorry to hear you haven’t got your password reset yet. I got mine reset. Here’s what I did:
1. Opened http://wordpress.org/support/bb-login.php.
2. Under Password Recovery I entered in my “Username” in the form.
3. I clicked the “Recover Password” button.
4. Was forwarded to a web page that read: “An email has been sent to the address we have on file for you. If you don’t get anything within a few minutes, or your email has changed, you may want to get in touch with us – pw-reset-2011 (at) this domain.”
5. Checked my email and within a few minutes I received an email from WordPress.org, subject: WordPress.org Forums: Password Reset.
6. I clicked the link inside the email to reset my password.
The web page opened with the following message: “Your password has been reset and a new one has been mailed to you.”
Received another email from WordPress.org with subject: WordPress.org Forums: Password. This email contained my new password.
The password reset process did work. I was able to log-in to wordpress.org! Woohoo 🙂
Markus Manzke says
Is it possible to get more information / some code to identify that backdoor code, e.g. some lines to grep for or strings to find in the DB?
Can you provide a diff of that backdoored code?
That would help us to identify possibly infected installations, rather than “just update or revert”.
Regards,
Markus
Regina Smola says
Hi Markus,
Thanks for your comment and question. The WP Team removed the compromised code and I did not see it. But.. I’ll see if I can find out for you.
By the way, I am writing a blog post and it will be up shortly about another plugin that has a vulnerability, WP-phpmyadmin. I’ll include the code in that one for you shortly.
Markus Manzke says
Hi Regina,
thanx in advance.
markus
Allen says
Thanks for the “heads up” Regina! Updates completed! You are doing a great job keeping us posted on the vulnerabilities.
Regina Smola says
Thank you Allen. I appreciate it.
Chris Cobb says
Hey Regina,
Thanks for keeping us straight. I haven’t heard from anyone else what action to take much less that there was even a problem! I’ve got WPTouch on a few sites. Off to update them now.
Kimberly Yow says
Hi Regina – Just wanted to say thank you for once again keeping WP users like myself informed of security issues. I like that you included what the WordPress Team did when they discovered the problem as well as steps that affected users should take. Your posts are always very helpful and informative! – Thanks again! Kimberly
icute says
Just heard about this. Just want to clarify: if I’m using the W3 Total Cache plugin on a self-hosted website, will it be affected too? Or do I need to worry about the vulnerability of choosing the right plugins for my site?
Regina Smola says
Hi icute,
Thanks for your question. If you’re using the W3 Total Cache plugin and you upgraded it recently, you should update it again just to be safe. WordPress.org has fixed it inside the repository.
Regarding plugins and vulnerabilities, it’s always good to review your plugins regularly to see if they are active on the WordPress.org repository, have been updated recently, are compatible with your current WP version, and to check reviews.
icute says
Thanks for your reply, Regina. Actually I did update the plugin (without knowing about the hack issue), but I noticed my website running too slow after the upgrade, so I started doubting that something was happening. That’s when I found your site and the notice you posted here. To resolve my problem I completely deleted the plugin.
Note: I had contacted my hosting provider first to check whether their hosting had problems, but the answer was positive (their server is OK). The site was still running slower than before, so the decision to delete and stop using the plugin would be my best bet.
Lilia Lee says
Thanks for the heads-up. I don’t use these plugins, thank goodness.
Christian says
Wondering if using addthis.com embed code NOT the plugin, but just the js code you can grab from the site could cause vulnerabilities as well on a website using wordpress as a cms. Please let me know 🙂
Regina Smola says
Hi Christian,
Thanks for your comment and question. I always like to use an embed code whenever possible to reduce the risk with yet one more plugin (and extra files). But there is always a risk when calling code from a third-party site. You have to ask yourself, is this company/developer concerned about security and do I trust that they have written safe (sanitized) code?