Slashdot Mirror


WordPress Plugin Comes With a Backdoor, Steals Admin Credentials In Cleartext

An anonymous reader writes that a WordPress plugin for managing custom post types has apparently been forcibly taken over by an Indian developer who has added a backdoor to the code which lets him install files on infected sites. "This backdoor also allows him to download files which add his own admin account to the site, and even alter core WordPress files so every time a user logs in, edits his profile, or a new user account is created, the user's password is collected (in cleartext) and sent to his server." WordPress hasn't moved in to ban the plugin just yet, despite user complaints.

12 of 76 comments

  1. plugin has been suppressed from the wordpress site by Herve5 · Score: 4, Informative

    I find the info quite aggressive against WP, the plugin indeed has been banned, and before this second post...

    --
    Herve S.
  2. This took longer to happen than I thought by dbIII · Score: 2, Informative

    Seriously guys, I know it's the quick and lazy way to put together a website, but it's obvious that this sort of thing is going to happen in that creaking pile of php, intentional or otherwise.

    1. Re:This took longer to happen than I thought by phantomfive · Score: 2

      Indeed, it might be said that wordpress itself is malware.

      --
      "First they came for the slanderers and i said nothing."
  3. Re:plugin has been suppressed from the wordpress s by Hognoxious · Score: 3, Funny

    So somebody did the needful?

    --
    Confucius say, "Find worm in apple - bad. Find half a worm - worse."
  4. Re:Chill. It's just a buggy update feature. by Anonymous Coward · Score: 2, Informative

    Jesus man, RTFA once in a while. It's completely, 100%, malicious intent. It adds an admin user to the site with the dev's name/group name, and in case he couldn't log in he used the backdoor to upload a custom php script onto the installation to modify the wp-options file.

    When is the last time you've "accidentally" introduced a bug that sends all user logins to a server in India in cleartext by mistake? Does the fact that this plugin was dead for a year and suddenly has this new superpower not worry you?

  5. Re:Chill. It's just a buggy update feature. by Anonymous Coward · Score: 3, Funny

    First rule of Wordpress: never use any plugins or themes
    Second rule of Wordpress: never use stock wordpress without additional plugins to fix security

    Make sure to follow both rules at all times or don't use Wordpress at all.

  6. Re:plugin has been suppressed from the wordpress s by Sadsfae · Score: 2

    I find the info quite aggressive against WP, the plugin indeed has been banned, and before this second post...

    So, wordpress reacts to bad publicity, not to threats to their users. That's actually worse than if they did nothing, because if they did nothing we'd hear about it all the time, whereas now the questions are, "What else did Wordpress manage to close down just before it got written about on Slashdot? What else is Wordpress hiding?"

    Somewhere there are wordpress users who have installed this and either have not yet had their credentials stolen or have not yet had them used against them. Notifying their users should be the top priority. This should be front page on their site. This should be the top news on their blog. There is nothing there. Wordpress is still hiding things and letting down their users. This posting is not nearly aggressive enough.

    Wordpress.com is very different than the community wordpress.org, one is a commercial entity that offers free and paid hosted wordpress services and the latter is the upstream/open source wordpress community that offers wordpress for self-hosting.

    Neither of these entities are responsible for or have any control over 3rd party plugins like the one mentioned in the article. This would be like blaming Microsoft for someone releasing Win32 shareware that hijacked credentials.

    --
    Have a squat over at the hobo house.
  7. Re:Chill. It's just a buggy update feature. by drinkypoo · Score: 2, Funny

    First rule of Wordpress: never use

    Here, FTFY: Your comment could have just stopped here. You could also omit the first three words without compromising it in any relevant way.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  8. Re:Truly irresponsible by Dunbal · Score: 3, Funny

    The developer should be extradited

    Why? He didn't hack a movie studio or a music studio, nor did he hack the government. Extradited, hahahahahahahahaha oh wait you were serious...

    --
    Seven puppies were harmed during the making of this post.
  9. Re:plugin has been suppressed from the wordpress s by __aaclcg7560 · Score: 2

    What we need is more rigour on posting updates to stories where the facts change while the story is still fresh.

    Like how The New York Times kept changing the content of an exclusive story on its website?

    http://www.poynter.org/2015/new-york-times-changes-its-hillary-clinton-story-again/360545/

  10. Re:Chill. It's just a buggy update feature. by JustAnotherOldGuy · Score: 2

    Wordpress can be made pretty safe, but the default install is subject to all sorts of mischief and malicious twiddling. And the plugins are the Achilles' heel of Wordpress, no doubt about it.

    There are, however, several good plugins that can be used to harden Wordpress, most notably one called 'Wordfence'. I don't do many WP installs, but for me it's an absolute must-have plugin; it has loads of options to harden the system.

    Outside of that, do all the usual stuff: move the config file, make it read-only, don't use gobs of sketchy plugins, and exercise some restraint with what you do install. The fewer the plugins, the better. Use long, ugly passwords, no 'admin' user, etc etc etc.

    There are actually quite a few things that can be done to secure Wordpress, although I'd be the first person to say that the end user shouldn't have to do those things; they should be baked in as defaults.

    --
    Just cruising through this digital world at 33 1/3 rpm...
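Two of the points above can be checked mechanically: the story's backdoor persisted by altering core WordPress files, and the comment recommends a read-only config. The following audit script is an added example, not code from WordPress, the plugin, or any commenter; it assumes you keep a SHA-256 manifest of a clean copy of your WordPress version, and it builds a constructed toy install to run against.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def modified_core_files(root, manifest):
    """Relative paths that are missing or whose SHA-256 differs from the manifest
    ({relative_path: hex digest}, assumed built from a clean copy of the same version)."""
    root = Path(root)
    return sorted(rel for rel, expected in manifest.items()
                  if not (root / rel).is_file() or sha256_file(root / rel) != expected)

def config_permission_issues(root):
    """wp-config.php holds DB credentials and salts. Flag anything looser than
    owner-read-only (0400), the 'read-only' target from the comment above."""
    mode = stat.S_IMODE(os.stat(Path(root) / "wp-config.php").st_mode)
    issues = []
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        issues.append("wp-config.php accessible by group/others (mode %o)" % mode)
    if mode & stat.S_IWUSR:
        issues.append("wp-config.php writable by owner (mode %o)" % mode)
    return issues

def lock_down_config(root):
    """Remediation: make wp-config.php owner-read-only and re-check."""
    os.chmod(Path(root) / "wp-config.php", 0o400)
    return config_permission_issues(root)

def build_demo_install():
    """Constructed toy install: two 'core' files hashed into a manifest, one altered afterwards, config at 0644."""
    root = Path(tempfile.mkdtemp())
    clean = {"wp-login.php": b"<?php // clean\n", "wp-includes/user.php": b"<?php // clean\n"}
    manifest = {}
    for rel, content in clean.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(content)
        manifest[rel] = hashlib.sha256(content).hexdigest()
    (root / "wp-login.php").write_bytes(clean["wp-login.php"] + b"// constructed change\n")
    (root / "wp-config.php").write_bytes(b"<?php define('DB_PASSWORD', 'placeholder');\n")
    os.chmod(root / "wp-config.php", 0o644)
    return root, manifest
```

On a real install, replace `build_demo_install()` with your site root and a manifest generated from a pristine download of the same version; any path reported by `modified_core_files` deserves a diff against that pristine copy.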
  11. Re: plugin has been suppressed from the wordpress by Otto · Score: 2

    Actually, as soon as we were notified of the issue, the plugin was closed and hidden on a temporary basis until we had time to evaluate the problem. Once we had done so, I personally created a new version of the plugin, without the malicious code, and pushed it to the repository in order to get the update out to the affected users. The existing committers were all removed, leaving the plugin entirely in the hands of the plugin team. The latest version is now safe and will not be otherwise until we determine the full details of what happened here.

    Full disclosure is great, but some advance notice longer than a day or so helps a lot. We will always protect our users to the best of our ability, but sometimes, we get blindsided. It happens. Nobody posts about the dozens of other times we fix things before they get exploited. Not judging, just saying.

    --
    - Give a man a fire and he's warm for a day, but set him on fire and he's warm for the rest of his life.