Account holders on WordPress.org have had their passwords reset after the discovery of contaminated code in a trio of plug-ins. “Cleverly disguised backdoors” were found in several popular plugins after suspicious commits were made to them. WordPress.org is the code repository for the popular open source WordPress blogging engine that literally powers millions of websites on the Internet, including my personal blog. WordPress plugins are used to extend the functionality of a WordPress blog, and are a major reason for the popularity of WordPress as a self-hosted blog tool. As reported by The Register, WordPress.com is unaffected.
Matt Mullenweg, founding developer of WordPress, blogged about the matter on Tuesday, noting that: “We determined the commits were not from the authors, rolled them back, pushed updates to the plugins, and shut down access to the plugin repository while we looked for anything else unsavory.” Mullenweg went on to encourage users not to use the same passwords for different web services. He said investigations are still underway to determine what exactly happened.
For now, users who installed or updated the AddThis, WPtouch and W3 Total Cache plugins early this week, and hence could have received the infected plugins, are asked to visit the update page in their WordPress blog and upgrade them to the latest, “clean” version.