WordPress, the popular blogging platform, is requiring users to change their account passwords after members of the company’s security team discovered cleverly disguised backdoors in some of the platforms most popular plug-ins.
AddThis, WPtouch, and W3 Total Cache caught the eye of team members following a series of suspicious commits that were found to contain backdoors. WordPress founder, Matt Mullenweg, claimed in a WordPress News post that his team determined that the commits were not user generated, and so they rolled them back, pushed updates to the affected plug-ins, and shut down access to the plug-in repository while they searched the network for anything “unsavory.”
As a precautionary measure, the blogging service has force reset all passwords on the platform, and users will need to reset their password before accessing forums, trac, committing to plug-ins or themes. Users of bbPress.org and BuddyPress.org are similarly affected. Authors making use of the mentioned plug-ins should visit their updates page and upgrade each of the plug-ins to its latest version.
Mullenweg advises users to never use the same password across multiple services, but more specifically, he directs user to make sure they don’t reinstate their old WordPress passwords when they reset.
This incident is the first real security issues since April, when Mullenweg said in a blog post that the company had a “low-level (root) break-in to several of our servers,” where “potentially anything on those servers could have been revealed.”