WordPresz.org Fake WordPress Site

Just found out from Weblog Tools Collection about a certain website with the name WordPresz.org that pretended to be WordPress.org and tried to release a backdoored (trojanised) version of WordPress to unsuspecting users who are still using older versions of the popular blogging platform. Blogger Craig Murphy was the first to report about this issue and below is a summary of his report taken from Sophos.com.

“Craig talks about how when he logged in to his admin account in WordPress he received a “High Risk Vulnerability Warning” from a spoofed WordPress domain. (The last ’s’ in WordPress.org has been replaced by a ‘z’.) The Warning suggests upgrading to the ‘new’ version 2.6.4 of WordPress. Downloading this ‘new’ version of WordPress I found that of the 638 files in version 2.6.4, 637 were identical to the same files in the official 2.6.3. The only difference was in the file pluggable.php. The hacked version of the file pluggable appears to be stealing the content of cookies on larger installations of WordPress. Sophos are now detecting this file as Troj/WPHack-A.”

WordPresz.org, setup by malicious persons was designed to steal valuable information stored in cookies from users who install the compromised version of WordPress and could also potentially be used to hijack these WordPress installations for malicious purposes. WordPresz.org is no longer online but the site looks exactly the same as the real thing. Below is a screenshot of the fake site.

WordPresz.org Fake WordPress Site

If you can’t see the difference, below is a screenshot made by Craig pointing out the differences between the real and the fake WordPress site.

WordPresz.org Fake WordPress Site

1 – the download size is too round and is incorrect, it should be about 1.4mb in this case.

2 – these are randomised over at WordPress.org, but are static at WordPresz.org.

3 – The real WordPress.org has a “Showcase” link included.

It’s really hard to know the difference between the two sites and any WordPress user could be lead to believe that they’re visiting the real one.

Here’s Peter Westwood’s (one of WordPress’s lead developers) response to this incident:

It looks like sites which have not upgraded to 2.6.3 are being exploited in an interesting way whereby a hacker, probably using an automated script, is hacking into sites with the vulnerability and changing the settings of one of the dashboard modules to point to a different feed thereby encouraging people to go to a different site which is offering a dodgy upgrade.

“We recommend that people upgrade as soon as possible when we release a security release so as to ensure they are not vulnerable to issues which will likely have exploits in the wild.

Also in the upcoming 2.7 release of WordPress we are including a built-in upgrade mechanism within WordPress which will allow people to upgrade automatically with ease. I would however stress the need with any piece of software to check that an upgrade is real by visiting the website of the software provider manually rather than relying on a link that you have been provided. Otherwise, as with bank phishing scams there is the potential for someone to trick you into doing something you didn’t want to do.

This is not the first time hackers and fraudsters tried to released compromised version of WordPress. Early last year, I published WordPress 2.1.1 – Dangerous Download, which is about how crackers were able to upload a backdoored version of WordPress 2.1.1 into one of the servers powering WordPress.org. Other instances include websites trying to distribute WordPress themes containing malicious codes.

These is another good reminder for all of us WordPress users to practice safe computing. For those of you who are still using an old version of WordPress, please take the time to upgrade to the newest version. Make sure you update your WordPress installation to the most recent version especially if the newer version contains a security fix. Also, make sure that you download your next WordPress install ONLY from WordPress.org and not from any other site. Users should also be careful what themes and plugins you download/install and where you get it from. As much as possible download only from WordPress Extend or from reputable plugin and theme authors.

To those of you who think that you’ve been victimized by WordPresz.org and believe that your WordPress installation has been compromised, download the newest version or WordPress from WordPress.org and do a reinstall/upgrade.

To know more about the details of this story you can visit the following links:

Any of you guys were able to visit the actual fake WordPress site? Anyone had the same experience as Craig Murphy? What other security and safety measures can you suggest for other WordPress users to make sure they keep their blogs clean and safe? Please share your thoughts. Thanks for your time!

*images taken from The Social Programmer and ZDNet Blogs.

JaypeeOnline is supported by its audience. When you click on the advertisements or purchase through links on our site, we may earn an affiliate commission. Learn more

Share:

administrator

Owner and editor of JaypeeOnline. Self-proclaimed geek. New media writer and consultant. WordPress advocate. Loves blogging, gadgets, video games and sports. You can follow him on Facebook or Twitter.

18 Comments

  • JP Habaradas, November 16, 2008 @ 4:05 AM Reply

    @Tom – Very sneaky indeed! :D

  • Tom - EconomicCrisisBlog.com, November 16, 2008 @ 4:01 AM Reply

    That is so sneaky!

  • JP Habaradas, November 15, 2008 @ 10:10 PM Reply

    @Gachinpo – I’m not sure if anyone knows the identity of the persons behind this fake website. But whoever they were, they planned to use the site to install the backdoored version of WordPress to gather information from compromised blogs and maybe hijack it too. It could also be used to do other malicious activities without the blog owner knowing it.

    You’re welcome! Although this fake website is now offline, I posted about this so more WordPress users would be aware of these type of things and be more careful next time.

    Thanks for dropping by!

  • Gachinpo Feed, November 15, 2008 @ 10:05 PM Reply

    Who made this fake WordPress.org site?! What’s on his mind about doing this..
    Thanks for posting this one, many might have been fooled with this fake site.

  • JP Habaradas, November 14, 2008 @ 7:50 AM Reply

    @Jamie – You’re most welcome! The reason why I publish these posts is to help spread the word and make other WP users aware of these kind of things. It really helps to be cautious and playing it safe. :)

  • Jamie, November 14, 2008 @ 7:46 AM Reply

    Thank you for the heads up JayPee. I would have never thought about double checking a site where I thought it would be safe. Since you pointed out the “title” segment, I am a little bit more cautious with all the sites I upgrade.

  • JP Habaradas, November 13, 2008 @ 1:50 PM Reply

    @Ant – For me, it’s surprising but not shocking. This has to be expected as WordPress has become more and more popular and having millions of users. WordPress users have to be very careful and vigilant against these types of things.

    Yeah, it’s good that this was uncovered soon and the site was brought down quickly after that.

  • Ant Onaf, November 13, 2008 @ 1:49 PM Reply

    That’s shocking! I’ve never seen WordPress mimics being used in a phishing scheme such as how PayPal mimics are used. Glad the site is currently in a down state.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.