Suspicious commits to popular plugins on the WordPress.org plugin directory led the WordPress.org team to shut down access to the plugin repository for a short time today, as well as to require users to reset their passwords.
Matt Mullenweg explained the nature of the problem on the WordPress news blog earlier this evening:
“Earlier today the WordPress team noticed suspicious commits to several popular plugins (AddThis, WPtouch, and W3 Total Cache) containing cleverly disguised backdoors. We determined the commits were not from the authors, rolled them back, pushed updates to the plugins, and shut down access to the plugin repository while we looked for anything else unsavory.”
The full nature of the issue has not been made clear just yet, though Mullenweg did emphasize on TechCrunch that the problem was not an insecurity in WordPress.org itself but lay with the plugin author accounts themselves. He said, “There are 15k plugins so happens sometimes. We haven’t pissed off LulzSec yet.”
Have you reset your password on WordPress.org yet? Make sure your plugins are up to date as well.