This article was published on June 22, 2011

WordPress.org forces password reset after suspicious plugin activity


Following suspicious commits to popular WordPress plugins noticed today in the main WordPress.org repository, passwords are being reset for all users of WordPress.org, bbPress.org and BuddyPress.org, Matt Mullenweg said on the WordPress blog.

The reset comes after suspicious commits containing backdoors were spotted in AddThis, wpTouch and W3 Total Cache. The WordPress team promptly rolled back the changes, pushed updates to users who might have installed the plugins with the trojans, and shut down access to the repository.

The nature of the problem indicates that this was a small-scale attack on specific plugin authors’ WordPress.org accounts, but it could have become a large-scale problem that gave hackers access to millions of WordPress blogs, had the WordPress team not responded as quickly as they did.

The WordPress team is still looking into the situation to find out what happened, but to use the forums or Trac, or to commit plugins and themes, you’ll need to reset your password before logging in.

A fantastic job by the WordPress team in dealing with a security breach before it became a serious problem. Sony could learn a thing!
