WordPress.org user password reset required after suspicious plugin commit activity


Suspicious commits to popular plugins on the WordPress.org plugin directory led the WordPress.org team to shut down access to the plugin repository for a short time today, and to require users to reset their passwords.

Matt Mullenweg explained the nature of the problem on the WordPress news blog earlier this evening:

Earlier today the WordPress team noticed suspicious commits to several popular plugins (AddThis, WPtouch, and W3 Total Cache) containing cleverly disguised backdoors. We determined the commits were not from the authors, rolled them back, pushed updates to the plugins, and shut down access to the plugin repository while we looked for anything else unsavory.

The teams behind AddThis and WPtouch have each responded by alerting their users to the insecurity as well.

The full nature of the issue has not been made clear just yet, though Mullenweg did emphasize on TechCrunch that the problem was not a WordPress.org security flaw but compromised plugin author accounts themselves. He said “There are 15k plugins so happens sometimes. We haven’t pissed off LulzSec yet. :)”

Have you reset your password on WordPress.org yet? Be sure your plugins are up to date as well.

5 thoughts on “WordPress.org user password reset required after suspicious plugin commit activity”

    • There doesn’t seem to be any evidence of anything like that. Based on the reports from the .org team it sounds like just a few user accounts were jeopardized, allowing for some rogue plugin commits.

      And of course we’ll follow up as we learn more :).

  1. Can anyone tell me if the June 21 release of W3 is the “safe” update in the WP plugin repository? I’ve read in a few places not to download any version issued on the 21st or 22nd, yet can’t believe WP or the plugin author would leave the “bad” version up. Thanks!
