
WordPress fends off plugin attacks

WordPress announced over the weekend that it is pausing plugin updates and initiating a forced reset of plugin authors’ passwords to prevent further website compromises due to the ongoing supply chain attack on WordPress plugins.

Attack on the supply chain

Attackers have been going after plugins at the source: instead of exploiting a bug in WordPress itself, they are using credentials exposed in earlier, unrelated data breaches and trying them against WordPress.org plugin author accounts. The attack only works against authors who reuse the same password across multiple websites, which is what makes a leaked password from another site a valid commit credential here.

WordPress takes measures to block attacks

Some plugins have been compromised, but the WordPress community has come together to prevent further plugin compromises by implementing forced password resets and encouraging plugin authors to use two-factor authentication.

WordPress also temporarily blocked all new plugin releases at the source: no update could ship unless the plugins team approved it, so that a compromised author account could not push a release carrying a malicious backdoor. On Monday, WordPress updated its post to confirm that plugin releases are no longer paused.

The WordPress forced password reset announcement:

“We have begun forcing password resets for all plugin authors, as well as other users whose information was found by security researchers in data leaks. This will impact some users’ ability to interact with WordPress.org or make commits until their password is reset.

You will receive an email from the Plugin Directory when it is time to reset your password. You do not need to do anything before you are notified.”

From a discussion in the comments section between a WordPress community member and the author of the announcement, it emerged that WordPress did not directly contact every plugin author who appeared in the data leak list with a “recycled” password. The reason was that the list was unreliable in both directions: some users found in it had credentials that were actually safe (false positives), while some accounts thought to be safe turned out to be compromised (false negatives). Rather than notify on the basis of an inaccurate list, WordPress opted for a blanket password reset.
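The false-positive/false-negative problem above is what any site operator hits when handed a breach list by a researcher. An email address appearing in a leak proves nothing on its own; the only way to confirm reuse is to verify each leaked password against the site's own salted hash, and even then a clean result is not proof of safety, because the account may reuse a password the list does not contain. The following is an added example written for this article, not WordPress.org code or a description of its internal process; the user table, the leak list, the addresses and the PBKDF2 parameters are all constructed for illustration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Added example, not WordPress.org code: triage a site's own accounts against a
# third-party breach list of (email, password) pairs, proving reuse only where a
# leaked password actually verifies against the stored hash.

PBKDF2_ITERATIONS = 100_000  # illustrative value; tune for the deployment


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256, the kind of hash a site stores instead of the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def verify_password(candidate: str, salt: bytes, stored_hash: bytes) -> bool:
    """Constant-time comparison so the triage loop itself does not leak timing information."""
    return hmac.compare_digest(hash_password(candidate, salt), stored_hash)


@dataclass(frozen=True)
class User:
    email: str
    salt: bytes
    pw_hash: bytes


def make_user(email: str, password: str) -> User:
    salt = os.urandom(16)
    return User(email, salt, hash_password(password, salt))


# Constructed sample user table (hypothetical accounts, not real data).
USERS = [
    make_user("alice@example.invalid", "correct horse battery staple"),
    make_user("bob@example.invalid", "hunter2"),
    make_user("carol@example.invalid", "Winter2023!"),
]

# Constructed sample leak list, as a researcher might supply it:
# (email, password) pairs from an unrelated breach.
LEAK_LIST = [
    ("alice@example.invalid", "alice-old-forum-pw"),  # email present, password differs
    ("bob@example.invalid", "hunter2"),               # email present, password reused
    ("dave@example.invalid", "letmein"),              # not an account on this site
]


def triage(users: list[User], leak: list[tuple[str, str]]) -> dict[str, str]:
    """Return {email: status} for every account on the site.

    confirmed  - a leaked password verifies against the stored hash (reuse proven)
    email_only - the email is in the leak but no leaked password verifies;
                 treating this account as compromised would be a false positive
    no_match   - not in the leak at all; the account may still reuse a password
                 the list does not contain, so this is NOT proof of safety
    """
    leaked_by_email: dict[str, list[str]] = {}
    for email, pw in leak:
        leaked_by_email.setdefault(email.lower(), []).append(pw)

    result: dict[str, str] = {}
    for u in users:
        candidates = leaked_by_email.get(u.email.lower(), [])
        if not candidates:
            result[u.email] = "no_match"
        elif any(verify_password(pw, u.salt, u.pw_hash) for pw in candidates):
            result[u.email] = "confirmed"
        else:
            result[u.email] = "email_only"
    return result


if __name__ == "__main__":
    for email, status in triage(USERS, LEAK_LIST).items():
        print(f"{email:28s} {status}")
```

Only "confirmed" accounts justify an individual "your credentials were found in a breach" notice; "email_only" accounts are exactly the false positives the announcement describes, and "no_match" says nothing about accounts whose reused password simply is not in this particular list. That residual uncertainty is why a forced reset of every author account, rather than targeted notices, is the only action that closes the gap.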

Francisco Torres from WordPress replied:

“You’re right, if we specifically contact these people and tell them that their data was found in data breaches, we will make them even more sensitive, but unfortunately, as I mentioned, that may be inaccurate for some users and others will be missing. What we have done since the beginning of this issue is to individually notify those users who we are sure have been compromised.”

Read the official WordPress announcement:

Password reset required for plugin authors
