Looks like no one is safe on the internet today, with numerous services being hit with hack attacks and password thefts. Today, it looks like WordPress was also hit with a backdoor attack in which unauthorized users were able to gain access and update some plugins in the repository.
The hackers apparently added backdoor code to some plugins and committed it to the repository, which affected popular plugins like AddThis, WPtouch and W3 Total Cache. WordPress has managed to roll back those updates, but has also reset passwords for all WordPress.org users. If you use any WordPress-related service, you will have to reset your password.
Earlier today the WordPress team noticed suspicious commits to several popular plugins (AddThis, WPtouch, and W3 Total Cache) containing cleverly disguised backdoors. We determined the commits were not from the authors, rolled them back, pushed updates to the plugins, and shut down access to the plugin repository while we looked for anything else unsavory.
We’re still investigating what happened, but as a prophylactic measure we’ve decided to force-reset all passwords on WordPress.org. To use the forums, trac, or commit to a plugin or theme, you’ll need to reset your password to a new one. (Same for bbPress.org and BuddyPress.org.)
This is not the first time WordPress has been attacked. Earlier this year, WordPress.com was hacked and code was compromised. Sony has also been hit with several attacks recently in which users’ passwords were leaked on the internet. If you have a WordPress.org account, make sure to update your password. Also read our earlier article on why it is the right time to update all your passwords.
Also, if you have recently updated any of these plugins, go and re-update them immediately.
More updates to come…