On Tuesday 21st June, WordPress.org found that several popular WordPress plugins in its plugin repository had been hacked.
Almost every WordPress website uses plugins from this repository, so this attack could expose tens of thousands of websites, and all their visitors, to an enormous security risk.
Hackers had modified several popular plugins to give themselves full access to any website using the modified versions, and have presumably also gained access to the passwords of some, or possibly all, WordPress.org users.
If you have a WordPress website, please read this post for advice on how to keep it secure, as well as referring to WordPress.org.
What To Do If You Installed or Updated a WordPress Plugin Recently
If you installed or upgraded a WordPress plugin recently, and certainly if you did so on or since Tuesday 21st June, it may contain a ‘backdoor’ giving hackers full access to your WordPress website.
In this case, you must:
- Immediately disable the plugin (or downgrade to an earlier version) and then change all your admin-level passwords. WordPress.org say that only three plugins are affected and that you can simply update them to restore the safe versions (see “Latest Information” below for a link).
What Every WordPress Website Owner Must Do
If you have a WordPress website you probably have an account on WordPress.org, and if so, your WordPress.org password may now be known to hackers.
- If you use the same password anywhere else, you must change it on those services or systems, or they may be accessible to hackers.
Re-using passwords is a bad idea and unnecessary. For an easy way to have a different, easily remembered password for every website you use, see my advice on password security.
Note that WordPress.org have forced a reset of all their users’ passwords, so you will have to change yours on WordPress.org in any case.
Here’s the announcement from WordPress.org: