A Problem with the WP Plugin Directory
by c.bavota | Posted in Articles | 17 comments
Some of you may not be aware of this, but there was a small security breach in the WordPress.org plugin directory this week. Someone managed to commit malicious changes to some popular plugins by hacking into the SVN repository. The WP crew discovered the changes and managed to revert the affected plugins back to the last legitimate release. They have also shut down access to the repo to make sure no other plugins were affected.
You can read more about it on the WP blog: http://wordpress.org/news/2011/06/passwords-reset/
Strangely enough, the plugin we were going to review this week, BackWPup, has been removed completely from the repo. After doing a bit of research, it seems there was an issue with the plugin causing excessively long processes while backing up WP; the author is aware of it and is working on a fix.
You can read more about that in the support forum: http://wordpress.org/support/topic/plugin-backwpup-run-away-backup-process
If the plugin is updated and works well enough, we will do another review and post about it, but for now this week's plugin review will be replaced with this article about the few plugins that were affected by the repo hack.
So if you are using WP Touch, W3 Total Cache or Add This, make sure to update again to the most recent release, which is the clean one. Also, if you are a member of WP.org, you will have to reset your password as a “prophylactic measure” to help heighten security.

Hello c.bavota,
Thanks for the heads up I’d not heard about this! I’ve got WPTouch installed, do you know if there is any way to know whether the version I’ve got has been affected (I’ve now disabled it to hopefully prevent any issues)?
Cheers,
Ian
If you update to the most current version you should be safe.
“If you update to the most current version you should be safe.”
Thanks – update done!
Hello,
Seems like there is a constant supply of bugs and security problems with WordPress.
Yes, it is an easy to use CMS, but difficult to lock down with all the themes, plugins, and components created by third party vendors.
Maybe it's time to blow the dust off Dreamweaver again.
Thanks for the warning
Robert
Thanks c.bavota
Robert you may be interested in the feature in the new DW CS5 which offers a pretty decent link in now with the WP php sql database. I think it’s come a long way however I prefer to “manually” wallow in code it seems. Thanks for all your work Bavota. Keep it up!
I know I’m a GEEK now as I spent the majority of my day romancing HTML ;P Page is up & it validates … imagine that. http://www.ineffableweb.com/HTML_5/home/index.html
Having read this post I might have become a bit too worried (because I use WPtouch). Therefore I updated and installed WP-Plugin Antivirus from Sergej Müller. After the plugin checked my themes (among which is MAGAZINE BASIC), it thought that the following code in MAGAZINE BASIC might be malicious:
/themes/magazine-basic/functions.php
Line 18: require_once( $locale_file );
Line 876: include(TEMPLATEPATH.'/widgets/widget_login.php');
Line 877: include(TEMPLATEPATH.'/widgets/widget_feature.php');
Could you possibly confirm, that the plugin is kinda overreacting?
That plugin is just listing every instance where a file is being included. The first instance is the language file and the other two are the included widgets. No worries there.
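To show what the reply above means in practice, here is a small added example (not code from the post, from the Magazine Basic theme, or from the AntiVirus plugin) that lists every include/require statement in a PHP file the same way such a scanner does, but also classifies each one: a quoted literal path, a path built only from constants such as TEMPLATEPATH, or a dynamic argument (a variable or function call). For a dynamic argument it walks back to the most recent assignment of that variable so a reviewer can see where the path comes from. The sample functions.php excerpt is constructed for the example and modelled on the three lines quoted in the comment; the `$locale_file` assignment is an assumption, added so the dynamic include has something to resolve to.

```python
import re

# Constructed sample, modelled on the three quoted lines; the $locale_file
# assignment is assumed, not taken from the real theme.
SAMPLE_FUNCTIONS_PHP = """<?php
// constructed sample, not the real Magazine Basic theme
$locale = get_locale();
$locale_file = TEMPLATEPATH . "/languages/$locale.php";
if ( is_readable( $locale_file ) ) {
    require_once( $locale_file );
}
require_once 'inc/helpers.php';
// ... hundreds of lines of theme code ...
include(TEMPLATEPATH.'/widgets/widget_login.php');
include(TEMPLATEPATH.'/widgets/widget_feature.php');
"""

# One include/require statement: keyword, then everything up to the ';'
INCLUDE_RE = re.compile(r'\b(include_once|require_once|include|require)\b\s*([^;]*);')
STRING_RE = re.compile(r"'[^']*'|\"[^\"]*\"")      # single- or double-quoted literal
CONST_RE = re.compile(r'^[A-Z_][A-Z0-9_]*$')       # PHP constant such as TEMPLATEPATH


def strip_outer_parens(arg):
    """Remove parentheses only when the first '(' really wraps the whole argument."""
    if not (arg.startswith('(') and arg.endswith(')')):
        return arg
    depth = 0
    for i, ch in enumerate(arg):
        depth += (ch == '(') - (ch == ')')
        if depth == 0 and i < len(arg) - 1:
            return arg            # the opening paren closed early: '(a) . (b)'
    return arg[1:-1].strip()


def classify_argument(arg):
    """'literal', 'constant_path' (constants and literals joined by '.'), or 'dynamic'."""
    if '$' in arg or '(' in arg:
        return 'dynamic'          # variable, interpolation or call: needs a human look
    reduced = STRING_RE.sub('STR', arg)
    parts = [p.strip() for p in reduced.split('.')]
    if all(p == 'STR' for p in parts):
        return 'literal'
    if all(p == 'STR' or CONST_RE.match(p) for p in parts):
        return 'constant_path'
    return 'dynamic'


def find_assignment(lines, var, before_line):
    """Most recent '$var = ...;' above before_line (1-based): (lineno, expr) or None."""
    pat = re.compile(re.escape(var) + r'\s*=(?!=)\s*([^;]*);')
    for lineno in range(before_line - 1, 0, -1):
        m = pat.search(lines[lineno - 1])
        if m:
            return lineno, m.group(1).strip()
    return None


def scan_includes(source):
    """Return one finding dict per include/require statement in the PHP source."""
    lines = source.splitlines()
    findings = []
    for lineno, line in enumerate(lines, 1):
        if line.lstrip().startswith(('//', '#', '*')):   # skip comment lines
            continue
        for m in INCLUDE_RE.finditer(line):
            arg = strip_outer_parens(m.group(2).strip())
            finding = {'line': lineno, 'keyword': m.group(1),
                       'argument': arg, 'kind': classify_argument(arg)}
            if re.fullmatch(r'\$\w+', arg):               # plain variable: resolve it
                finding['assigned'] = find_assignment(lines, arg, lineno)
            findings.append(finding)
    return findings


def report(source):
    """Human-readable lines, one per finding, for a reviewer to skim."""
    out = []
    for f in scan_includes(source):
        text = f"Line {f['line']}: {f['keyword']}({f['argument']})  [{f['kind']}]"
        if f.get('assigned'):
            text += f"  <- set on line {f['assigned'][0]}: {f['assigned'][1]}"
        out.append(text)
    return out


if __name__ == '__main__':
    print('\n'.join(report(SAMPLE_FUNCTIONS_PHP)))
```

Run against the constructed excerpt, the two widget includes come out as constant paths under the theme directory and the `$locale_file` require is flagged as dynamic but resolved to `TEMPLATEPATH . "/languages/$locale.php"`, which is the language-file include the reply describes. The classification is deliberately conservative: anything with a variable or a function call lands in `dynamic` so that a person looks at it, which is also why a scanner that stops at "lists every include" produces the noise seen in the comment above.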
Thanks a lot for your answer!
I just started with WP and I'm happy to see this article and also happy to see people are talking about it!
lots of thanks!
I would have expected them to have made a bit more effort in letting people know about it, it's quite a serious issue after all! I have always wondered about the integrity of the plugins which make it onto the list, are they checked when a new updated version is released for example? There must be loads of them to go through after a major WordPress update.
Hi,
Thanks for the vital info. I think I am still bugged: if I install any plugin, my Add New page doesn't work, and after some time the site goes unresponsive.
If you have any solution for this then please let me know.
Thanks
It seems every few months there is a security breach with WordPress. Thanks for the heads up. That is why I always back up my sites with WP Twin, the easiest and fastest way to back up sites with very little technical know-how.
It's hard to maintain a website, especially if you are not that much acquainted with computers and software. It's great to find a site like this where I can turn to for some information. WordPress is always suffering from breaches and glitches, but the good thing is that the support is quick to update and fix the problems. Thanks for this post, very helpful for internet marketers like me.
The post from WP wasn't very informative and hasn't been updated to say what happened after they investigated. Does anyone know what the actual issues caused by the rogue plugins were? We haven't had issues from our webhost but did notice page speed times worsen.
A lot of people try to smuggle hacks and malicious code into their WP plugins. Get your plugins ONLY from WordPress, if that even matters. If you are experiencing slow loading times, it might be time for you to assess whether you have a malicious plugin installed.
Thanks for the heads-up!