WordPress plugins Trojanised, spotted, fixed

Filed Under: Data loss, Featured, Malware, Privacy, Social networks, Vulnerability

WordPress just announced that the source code of three plugins for its popular blog-hosting software was maliciously modified.

Plugins consist of add-in modules which you install on your WordPress server in order to implement additional functionality, instead of writing all the needed code yourself.

Where you might use a DLL with a Windows program - for example, to add a feature such as SSL support or an edit control into an existing application - you'd use a plugin with WordPress.

DLLs are usually written in a language such as C or C++ and compiled into native machine code; WordPress plugins are generally written in a mixture of JavaScript, PHP, HTML and CSS.

According to WordPress, the modified plugins were Trojanised to include backdoors.

Web-based backdoors can be extremely dangerous. If you're a WordPress user, you'll know that the WordPress platform includes a complete and powerful administration interface, password-protected, via a URL such as "site.example/wp-admin". A WordPress backdoor might offer something with similar functionality, but using a different, unexpected, URL, and using a password known to the hacker, instead of to you.

As far as I can see, this attack doesn't affect you or your users unless:

* You run your own installation of the WordPress platform.

* You use one of these plugins: AddThis, WPtouch, or W3 Total Cache.

* You updated your installed copy of one of those plugins in the past 48 hours from wordpress.org.

(WordPress says "in the past day", but its post is dated simply 21 June 2011. So I've boosted that "day" to 48 hours to cover all reasonable interpretations of the WordPress statement. If you changed one of the abovementioned plugins inside a 48-hour window, why not check with WordPress exactly when the danger period was?)
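The three conditions above, together with the earlier description of a backdoor as unexpected code living alongside a plugin, translate into a simple check a self-hosted WordPress administrator can run. The script below is an added example written for this post; it is not WordPress code and not part of the original article. It assumes the three plugins live under wp-content/plugins in directories named addthis, wptouch and w3-total-cache (the conventional wordpress.org slugs, an assumption on my part) and reports any of their files changed within the last 48 hours. It also records a SHA-256 manifest of the whole plugins directory so that a later run can show which files appeared, vanished or changed since the baseline.

```python
"""Audit a self-hosted WordPress plugins directory for recent or unexpected changes."""
import hashlib
import time
from pathlib import Path

# Directory slugs for the three plugins named in the post. These are the
# conventional wordpress.org slugs, but treat them as an assumption and adjust
# to whatever directory names are actually present on your server.
AFFECTED_SLUGS = ("addthis", "wptouch", "w3-total-cache")


def sha256_file(path: Path) -> str:
    """Hash one file in chunks so large bundled assets don't need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(plugins_dir) -> dict:
    """Map every file under plugins_dir (POSIX-style relative path) to its SHA-256."""
    root = Path(plugins_dir)
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = sha256_file(p)
    return manifest


def diff_manifest(baseline: dict, current: dict) -> dict:
    """Report files that appeared, vanished or changed since the baseline manifest."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(
            k for k in baseline.keys() & current.keys() if baseline[k] != current[k]
        ),
    }


def recently_modified(plugins_dir, slugs=AFFECTED_SLUGS, window_hours=48, now=None) -> dict:
    """For each installed plugin in `slugs`, list files whose mtime falls inside the window.

    Only plugins that are actually installed appear in the result, so an empty
    dict means none of the named plugins is present or none was touched recently.
    """
    now = time.time() if now is None else now
    cutoff = now - window_hours * 3600
    root = Path(plugins_dir)
    report = {}
    for slug in slugs:
        plugin_dir = root / slug
        if not plugin_dir.is_dir():
            continue
        recent = sorted(
            p.relative_to(plugin_dir).as_posix()
            for p in plugin_dir.rglob("*")
            if p.is_file() and p.stat().st_mtime >= cutoff
        )
        if recent:
            report[slug] = recent
    return report


if __name__ == "__main__":
    import json
    import sys

    # Usage: python audit_plugins.py /path/to/wp-content/plugins
    plugins = sys.argv[1] if len(sys.argv) > 1 else "wp-content/plugins"
    print(json.dumps(recently_modified(plugins), indent=2))
```

Two caveats apply. File timestamps are only a hint, since whoever plants a backdoor can set them to anything, so the mtime report tells you where to look, not whether you are clean. And a hash baseline is only as trustworthy as the moment it was taken: in this incident the tampered code came from the repository itself, so a manifest recorded just after a bad update would already contain the backdoor. That is why the post's advice stands: update to the fixed release first, then record the baseline from the known-good files.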

The unwanted source changes have been reversed out, so the very latest versions of the affected plugins are now safe. If you installed a defective one, update it right away and you'll be safe again.

All wordpress.org passwords for the Support forums, WordPress Trac, and the repository have been force-reset. (This means you have to reset your password, just as you would if you forgot it.)

WordPress also temporarily blocked all access to the plugin repository and verified that no other plugins had been Trojanised.

A good response following criminal behaviour.

So, if you're a WordPress user, don't freak out when you're asked to reset your password on your next login. And please take WordPress's advice:

As a user, make sure to never use the same password for two different services, and we encourage you not to reset your password to be the same as your old one.

(Note. Naked Security runs on the WordPress platform, but we don't use wordpress.org. We're hosted by WordPress.com VIP on wordpress.com. We checked with Automattic, the people behind WordPress.com, and they've confirmed that no plugins in the WordPress.com VIP infrastructure were affected. No danger, Will Robinson.)

7 Responses to WordPress plugins Trojanised, spotted, fixed

  1. Thanks for the heads up guys. I was wondering why the wordpress forum had a force reset. The article doesn't mention the source of the security breach or how many passwords/accounts were compromised, I guess the nature of the issue made that number impossible to find.

  2. Boop · 1221 days ago

    Why is an Australian plug featured?

    • The author of the article does live in Sydney, Australia. That could be it.

    • Paul Ducklin · 1220 days ago

      The article's about plugins. You plug plugs in. So I used a picture of a plug.

      (What makes you think it's an Aussie plug? It could be from China, could it not?)

  3. rodonic · 1220 days ago

    I'm really glad the team involved in WordPress.org got on top of this as quickly as they did, thanks guys!

  4. Timber · 1162 days ago

    So, if I understand correctly:
    1. I should trust the mail I just got from wordpress telling me to reset my password? To be safe though, I should go to wordpress, rather than trust the links in the email, right?
    2. And yes, I do have one of those plug-ins mentioned.

  5. paul · 1038 days ago

    wordpress blog is coming up with IFrame AS Trojan, connection terminated, quarantined.
    It will not let me login to change password.
    Any ideas please

About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog