Jun 22, 2011 08:34 GMT  ·  By

The WordPress team has decided to reset everyone's password on the WordPress.org, BuddyPress.org, and bbPress.org websites, after discovering that several plugins were rigged with backdoors.

"Earlier today the WordPress team noticed suspicious commits to several popular plugins (AddThis, WPtouch, and W3 Total Cache) containing cleverly disguised backdoors.

"We determined the commits were not from the authors, rolled them back, pushed updates to the plugins, and shut down access to the plugin repository while we looked for anything else unsavory," WordPress founder and lead developer Matt Mullenweg announced.

While the intrusion was detected quickly, it's not clear how many websites updated to the backdoored versions. The compromise might be serious, considering that all of the affected plugins are very popular.

AddThis has almost 450,000 downloads to date, W3 Total Cache has over 500,000, while WPtouch, a theme for iPhones, has been downloaded over 2 million times.

The WordPress team recommends that everyone who uses these plugins and updated them in the past day upgrade to the latest version immediately. They should probably also check their installations for integrity and review access logs.

Developers and users alike will have to change their passwords before using the forums or bug tracker, or making commits to projects. "As a user, make sure to never use the same password for two different services, and we encourage you not to reset your password to be the same as your old one," Mullenweg writes.

It's not yet clear how attackers obtained the credentials used to trojanize the plugins, but people should probably take the precaution of changing their passwords on other websites as well, if they used the same one.

This is the second security breach involving WordPress in recent months. Back in April, WordPress.com owner Automattic advised blog owners to change their passwords after hackers broke into some of its servers.