Last Tuesday, the WordPress team discovered suspicious activity involving three popular WordPress plugins: AddThis, WPtouch and W3 Total Cache. Backdoors (malicious code) had been added to the plugins, and the changes were committed not by the plugin authors but by someone who had gained access to the authors' WordPress.org accounts.

As soon as the suspicious changes were discovered and it was confirmed that the authors had not made them, the WordPress team rolled the plugins back, pushed out clean updates and shut the plugin repository down. As a further countermeasure, they force-reset every WordPress.org password (the same was done for bbPress.org and BuddyPress.org). So if you have a WordPress.org account and want to use the forums, Trac or the plugin repository, or commit to a plugin or theme, you will have to reset your password and choose a new one.

A lot of websites and services are getting hacked these days, so to be safe, never reuse the same password on two different websites or online services. And when you reset your WordPress.org password, pick a genuinely new one rather than re-entering the old one; if that old password was shared with any other site, change it there as well.

For those who don’t know what a “backdoor” is: it is code added to a plugin (or any other piece of software) that gives unauthorized users, such as the attacker who planted it, a way into the blog or website without going through the normal login. So if you use any of these plugins (AddThis, WPtouch or W3 Total Cache), update to the latest version immediately. Updating replaces the plugin’s files, which removes the backdoor code itself. Keep in mind, though, that the update cannot undo anything an attacker may already have done through the backdoor while it was installed, so if your site ran an affected version, also look for signs that it was used, such as unexpected files, admin users or content.
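To confirm that an update really did put clean files in place, compare the installed plugin directory with a known-clean copy of the same release (for instance the zip freshly downloaded from the WordPress.org plugin directory and unpacked outside the web root). The script below is an added example and is not part of the original post or of any of the plugins it names; it assumes a POSIX shell with `find`, `sort`, `awk`, `mktemp` and `sha256sum` (or `shasum`) available, and the plugin name and file contents in its demo are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the original post or from any of the plugins
# named in it. Compares an installed plugin directory with a known-clean copy
# of the same release and lists every file that was added, modified or removed.
# Assumes a POSIX shell with find, sort, awk, mktemp and sha256sum (or shasum);
# the plugin name and file contents in the demo are constructed.

# Print "hash  ./relative/path" for one file, using whichever tool exists.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1"
    else
        shasum -a 256 "$1"
    fi
}

# Print a manifest (hash and path) of every regular file under $1.
tree_manifest() {
    (cd "$1" && find . -type f -print | sort | while IFS= read -r f; do
        hash_file "$f"
    done)
}

# compare_trees CLEAN INSTALLED
# Prints one sorted line per difference:
#   ADDED    path   only in the installed copy (where a dropped backdoor shows up)
#   MODIFIED path   present in both, but the contents differ
#   MISSING  path   only in the clean copy
# Returns 0 when the two trees are identical, 1 otherwise.
compare_trees() {
    tmp=$(mktemp -d) || return 2
    tree_manifest "$1" > "$tmp/clean"
    tree_manifest "$2" > "$tmp/installed"
    diffs=$(awk '
        FILENAME == ARGV[1] { clean[$2] = $1; next }
        {
            seen[$2] = 1
            if (!($2 in clean))       print "ADDED    " $2
            else if (clean[$2] != $1) print "MODIFIED " $2
        }
        END { for (p in clean) if (!(p in seen)) print "MISSING  " p }
    ' "$tmp/clean" "$tmp/installed" | sort)
    rm -rf "$tmp"
    if [ -n "$diffs" ]; then
        printf '%s\n' "$diffs"
        return 1
    fi
    return 0
}

# Build two constructed sample trees: a "clean" release and an "installed"
# copy in which one file was tampered with and one extra file was dropped in.
build_demo_trees() {
    base=$(mktemp -d) || return 2
    mkdir -p "$base/clean/w3-total-cache/inc" "$base/installed/w3-total-cache/inc"
    printf '<?php\n// constructed: main plugin file\n' > "$base/clean/w3-total-cache/w3-total-cache.php"
    printf '<?php\n// constructed: helper\n' > "$base/clean/w3-total-cache/inc/helper.php"
    cp "$base/clean/w3-total-cache/inc/helper.php" "$base/installed/w3-total-cache/inc/helper.php"
    printf '<?php\n// constructed: main plugin file\n// constructed: code appended by an attacker\n' \
        > "$base/installed/w3-total-cache/w3-total-cache.php"
    printf '<?php\n// constructed: file that is not part of the release\n' \
        > "$base/installed/w3-total-cache/inc/extra.php"
    printf '%s\n' "$base"
}

demo_dir=$(build_demo_trees)
echo "Differences between the clean release and the installed copy:"
compare_trees "$demo_dir/clean/w3-total-cache" "$demo_dir/installed/w3-total-cache" \
    || echo "-> the install does not match the release; treat the site as possibly compromised"
```

On a real site you would run `compare_trees /path/to/unpacked/w3-total-cache /path/to/wp-content/plugins/w3-total-cache`. The check covers only the plugin tree itself; anything an attacker did elsewhere through the backdoor still has to be looked for separately.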

I’d like to share something with regard to this incident. A few days before this announcement was made, I noticed that there were a few available plugin updates. When I checked, WPtouch and W3 Total Cache were some of the plugins that had an update. Personally, I make it a habit to keep WordPress and all plugins up-to-date. In the past, I would’ve immediately downloaded and installed the updates but this time, I didn’t. I don’t know what it was but something inside of me kept me from updating the plugins. When I read about the incident, I was glad I listened to my gut feeling. In this case, it was good that I didn’t immediately update my WordPress plugins.

Just to make it clear, the password reset doesn’t affect WordPress.com accounts or the admin accounts of your own self-hosted WordPress site. The only password you need to reset is the one for your WordPress.org account, which is used on the forums, the plugin repository and Trac.

Owner and editor of JaypeeOnline. Self-proclaimed geek. New media writer and consultant. WordPress advocate. Loves blogging, gadgets, video games and sports. You can follow him on Facebook or Twitter.

1 Comment

  • Sourish @ Iphone 4 jailbreak, July 1, 2011 @ 1:54 PM

    There was no official announcement on this. I came to know about it from another blog, and then had to re-install a fresh copy of W3 Total Cache, which I use on all my blogs.
