WordPress Hit With Backdoor Attack, Force Resetting User Passwords
By Keith Dsouza on June 21st, 2011

It looks like no one is safe on the internet today, with numerous services being hit by attacks and password thefts. Today, WordPress was also hit with a backdoor attack in which unauthorized users were able to gain access and update some plugins in the repository.

The attackers apparently added backdoor code to the plugins and committed it to the repository. This affected some popular plugins such as AddThis, WPtouch and W3 Total Cache. WordPress has managed to roll back those updates, but has also reset passwords for all WordPress.org users. If you use any WordPress-related service, you will have to reset your password.

Earlier today the WordPress team noticed suspicious commits to several popular plugins (AddThis, WPtouch, and W3 Total Cache) containing cleverly disguised backdoors. We determined the commits were not from the authors, rolled them back, pushed updates to the plugins, and shut down access to the plugin repository while we looked for anything else unsavory.

We’re still investigating what happened, but as a prophylactic measure we’ve decided to force-reset all passwords on WordPress.org. To use the forums, trac, or commit to a plugin or theme, you’ll need to reset your password to a new one. (Same for bbPress.org and BuddyPress.org.)

This is not the first time WordPress has been attacked. Earlier this year, WordPress.com was hacked and code was compromised. Sony has also been hit with several attacks recently in which users' passwords were leaked on the internet. If you have a WordPress.org account, make sure to update your password. Also read our earlier article on why it is the right time to update all your passwords.

Also, if you have recently updated any of these plugins, go and re-update them immediately.

More updates to come…

Author: Keith Dsouza
I am the editor-in-chief and owner of Techie Buzz. I love coding and have contributed to several open source projects in the past. You can know more about me and my projects by visiting my Personal Website. I am also a social networking enthusiast and can be found active on twitter, you can follow Keith on twitter @keithdsouza. You can click on my name to visit my Google+ profile.
