Last Tuesday, the WordPress team discovered some suspicious activity involving several popular WordPress plugins – AddThis, WPtouch and W3 Total Cache. Backdoors or malicious code had been added to the plugins, and the changes were made not by the authors but by someone who had gained access to the plugin authors’ WordPress.org accounts.
As soon as these suspicious changes were discovered and confirmed not to have been made by the authors, the WordPress team immediately rolled back the plugins, issued updates and shut down the plugin repository. As a further countermeasure, they also force-reset all WordPress.org passwords (the same goes for bbPress.org and BuddyPress.org). So if you have a WordPress.org account and want to access the forums, Trac or the plugin repository, or commit to a plugin or theme, you’ll have to reset your password and get a new one.
A lot of websites and services are getting hacked these days, so to play it safe, make sure you never use the same password for two different websites or online services. Also, when you reset your WordPress.org password, choose a new one rather than reusing the old one.
For those who don’t know what “backdoors” are: they are malicious lines of code added or inserted into plugins (or any other piece of software) that give unauthorized users, such as hackers, access to the blog or website. So if you’re using any of these plugins – AddThis, WPtouch or W3 Total Cache – make sure that you immediately update to the latest versions. Updating these plugins removes the backdoors because the affected files, and the lines of code in them, are replaced in full.
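Because the tampering here was extra or altered lines inside otherwise legitimate plugin files, one defensive check a site owner can run is a file-hash manifest of each plugin directory, taken from a known-good copy and compared against the installed files to flag anything added, removed or modified. The script below is an added example, not code from the original post or from WordPress.org; the plugin tree, file names and the tampering it detects are all constructed inline.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_tree(root):
    """Return {relative_path: sha256_hex} for every file under root."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def diff_manifests(baseline, current):
    """Classify files as added, removed or modified relative to the baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys()
                      if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed scenario: a tiny plugin tree ('example-plugin' is a
    hypothetical slug), a known-good baseline, then an unauthorized edit
    to one file and one unexpected new file."""
    with tempfile.TemporaryDirectory() as tmp:
        plugin = Path(tmp) / "example-plugin"
        (plugin / "inc").mkdir(parents=True)
        (plugin / "example-plugin.php").write_text("<?php\n// plugin bootstrap\n")
        (plugin / "inc" / "helper.php").write_text("<?php\nfunction helper() {}\n")
        baseline = hash_tree(plugin)  # taken from the known-good release

        # Constructed tampering: an appended line and a dropped-in extra file.
        (plugin / "inc" / "helper.php").write_text(
            "<?php\nfunction helper() {}\n// line not in the release\n")
        (plugin / "inc" / "extra.php").write_text("<?php\n// file not in the release\n")
        return diff_manifests(baseline, hash_tree(plugin))


if __name__ == "__main__":
    print(demo())  # -> {'added': ['inc/extra.php'], 'removed': [], 'modified': ['inc/helper.php']}
```

In practice the baseline manifest is taken from a freshly downloaded copy of the plugin release, and any file reported as added or modified is inspected before the plugin is trusted.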
I’d like to share something with regards to this incident. A few days before this announcement was made, I noticed that there were a few available plugin updates. When I checked, WPtouch and W3 Total Cache were some of the plugins that had an update. Personally, I make it a habit to keep WordPress and all plugins up-to-date. In the past I would’ve immediately downloaded and installed the updates, but this time I didn’t. I don’t know what it was, but something inside of me kept me from updating the plugins. When I read about the incident, I was glad I listened to my gut feeling. In this case, it was good that I didn’t immediately update my WordPress plugins.
Just to make it clear, the password reset doesn’t affect WordPress.com accounts or accounts on self-hosted WordPress sites. The only password you need to reset is the one for your WordPress.org account, which is used on the WordPress.org forums, plugin repository and Trac.