On June 21, 2011, Matt Mullenweg reported on WordPress.org that three popular WordPress plugins, AddThis, WPtouch and W3 Total Cache, were found to contain cleverly disguised backdoors.
The malicious code was discovered inside the WordPress.org plugin repository itself, through no fault of the plugin developers (authors).
However, it is still unclear how the attackers gained the access needed to manipulate the code in the plugin repository.
You're probably saying to yourself, “OMG! Now WordPress.org got hacked.” It seems that everything on the Internet gets attacked these days. Don't panic! One of the things I love about WordPress is that their developers take immediate action and close vulnerabilities when they find them.
As a precaution, the WordPress Team took the following security measures:
- Shut down access to the plugin repository for your safety, while they checked for anything suspicious.
- Rolled back to previous versions of AddThis, WPtouch and W3 Total Cache plug-ins.
- Pushed safe updates to these affected plug-ins.
- Forced password resets for all accounts at WordPress.org.
- The WordPress developers are continuing their investigation and monitoring this situation.
If you hold an account at WordPress.org (for the forums, Trac, or as the author of a plugin or theme in the repository), you are now required to reset your password. Use the password-reset link on WordPress.org to do so. (This also includes accounts on bbPress.org and BuddyPress.org.)
Note: Be sure that you use very strong passwords! Use a minimum of 15 characters, with a combination of upper- and lower-case letters, numbers and symbols. Do not use dictionary words or your name. And NEVER reuse a password. Every site you log into online should have its own unique password.
If you use AddThis, WPtouch or W3 Total Cache plugins, what should you do now?
Have you installed or upgraded any of these plugins in the last couple of days? If so, you should visit your updates page inside your wp-admin Dashboard and upgrade them to the latest versions immediately.
Stable plugin versions as of June 22, 2011 at 8am CST:
- AddThis version 2.2.0 (last updated 6-20-2011)
- WPtouch version 1.9.29 (last updated 6-21-2011)
- W3 Total Cache version 0.9.2.3 (last updated 6-21-2011)
The backdoors (security vulnerabilities) have been removed in the versions listed above.
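If you manage several sites, checking each plugin's version by hand in wp-admin gets tedious. The script below is an added example, not code from WordPress.org or from the plugin authors: it reads the `Version:` line from each plugin's header block under `wp-content/plugins` and flags any of the three plugins that sit below the stable versions listed above. The plugin directory names (`addthis`, `wptouch`, `w3-total-cache`) are assumed to match the repository slugs.

```python
import re
from pathlib import Path

# Minimum clean versions as listed in this post (stable as of June 22, 2011).
SAFE_VERSIONS = {
    "addthis": "2.2.0",
    "wptouch": "1.9.29",
    "w3-total-cache": "0.9.2.3",
}

# WordPress plugin headers live in a comment block at the top of the main PHP file,
# e.g. "Plugin Name: W3 Total Cache" followed by "Version: 0.9.2.3".
NAME_RE = re.compile(r"^\s*\*?\s*Plugin Name:", re.MULTILINE)
VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*([0-9][0-9A-Za-z.\-]*)", re.MULTILINE)


def version_tuple(v):
    """'0.9.2.3' -> (0, 9, 2, 3); non-numeric parts are dropped so comparison stays sane."""
    return tuple(int(p) for p in re.split(r"[.\-]", v) if p.isdigit())


def plugin_version_from_header(text):
    """Return the Version: value from a plugin header block, or None if no header is present."""
    head = text[:8192]  # the header is always near the top of the file
    if not NAME_RE.search(head):
        return None
    m = VERSION_RE.search(head)
    return m.group(1) if m else None


def installed_version(plugin_dir):
    """Locate the PHP file carrying the plugin header and read its version."""
    for php in sorted(Path(plugin_dir).glob("*.php")):
        v = plugin_version_from_header(php.read_text(errors="ignore"))
        if v:
            return v
    return None


def assess(slug, version):
    """Classify an installed version against the safe-version list: ok / UPDATE / unknown."""
    if slug not in SAFE_VERSIONS:
        return "not-on-list"
    if version is None:
        return "unknown"
    return "ok" if version_tuple(version) >= version_tuple(SAFE_VERSIONS[slug]) else "UPDATE"


def audit(plugins_root):
    """Report the status of each listed plugin found under wp-content/plugins."""
    report = {}
    for slug in SAFE_VERSIONS:
        d = Path(plugins_root) / slug
        if d.is_dir():
            report[slug] = assess(slug, installed_version(d))
    return report
```

A version string alone does not prove the files are clean (a tampered copy can carry any version), so treat an `UPDATE` result as a prompt to reinstall from WordPress.org, and pair it with the file-change monitoring mentioned below.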
Again, I really want to stress for you not to panic. Just yesterday, I installed W3 Total Cache before this issue was announced. I just updated the plugin and feel confident it's a clean version.
To check that your site is malware free, be sure to get your site monitored at Sucuri. They automatically run malware scans and check for unauthorized changes on all our websites. Sign up with our discounted affiliate link here. And be sure that you're doing frequent backups of your server files and your database(s).
Leave Your Feedback
Did you install or upgrade the AddThis, WPtouch or W3 Total Cache plugin in the last couple of days? How safe do you feel running a self-hosted WordPress blog? I'd love to hear from you, leave your comments below.