Back doors were also discovered in 3 popular WordPress plugins. We wanted to get the word out to our clients, and all the WordPress users out there as quickly as possible, so you can protect your sites from any possible issues. We highly recommend you take a moment to read through this post, and keep your eyes on our Twitter stream as well to stay updated. At this point, the situation is unsettled, and information is still coming in, so there may be frequent updates throughout the day.
Currently, there are two areas of concern for WordPress users. First, because the plugin repository on the WordPress.org site was compromised, the admins are instituting a forced password reset. If you use any of the services associated with WordPress.org, we recommend logging in to change your password immediately. This includes users of the WordPress forums, uploading any plugins or themes, or obtaining an API key. The extent of the data breach hasn’t been fully disclosed to the public yet, but its better to be safe than sorry here.
The second, and potentially more serious data breach involves back door code being found in several popular WordPress blog plugins. If you use AddThis, WPtouch, or W3 Total Cache, and have recently updated the plugin, there is a chance you may have also installed the back door along with the plugin. If you are a user of any of these plugins, immediately visit the corresponding plugin page, then download and install the newest version of the software. These updated versions will set things straight by removing the corrupt version of the plugin, and replace it with a safe version.
This is where things currently stand, so if you are a WordPress user, please make implementing these changes your priority. This current attack constitutes a serious security threat, so the sooner you secure your site, the better off you’ll be. We expect that there will be further updates throughout the day as more information becomes available, so stay tuned here and on our Twitter feed. We’d also like to thank the WordPress team and community for doing a truly excellent job of discovering these devious security breaches, coming up with fixes at warp speed, and being completely transparent with the user community while sharing the relevant information. That isn’t an easy thing to pull off, but team WP is doing it well.
If you need assistance securing your site, or have any questions about how this security breach might effect your WordPress installation, please don’t hesitate to get in touch with us at The Blog Studio. Stay safe and secure out there people!