It was announced earlier today that BuddyPress 1.5.5 is now available for download. This is a maintenance release which addresses 14 issues, some of them security related. Congrats to the team, and I hope you had a blast at WordCamp Netherlands, Paul Gibbs.
WP Plugin Authors The Target Of A Phishing Scam
Plugin authors need to take serious notice of a recent phishing attack aimed specifically at them. Ipstenu, one of the volunteer WordPress.org support forum moderators, has published a forum thread warning others that responding to the email wouldn't be a good idea. The way this phishing attack works is simple. After clicking the link in the email to check on your plugin's status, you are taken to a site that looks very similar to WordPress.org, where you're asked to provide your password. Any password entered there can then be used to gain unauthorized access to the account and to the plugins attached to it, and an attacker who can commit to a plugin can ship a malicious update to every site running it.
Plugin authors are encouraged not to reply to the email and not to enter their password on the fake WordPress.org website. It's important to note that no plugins have been removed from the repository, and if they had been, the email would have come from a wordpress.org address. Even so, a From: address is easy to forge, so the safe habit is to type wordpress.org into your browser yourself rather than follow a link in an email about your account.
You might have to jog my memory but this is the first time that I can remember where WordPress.org plugin authors were the target of a phishing scam.
WordPress Not The Direct Cause Of Mass Site Attacks
Sucuri has published more information regarding the compromise of at least 30,000 domains. Based on their research, they rule out the possibility that the attacks are taking advantage of a new vulnerability in WordPress core.
The first question is how are these sites getting hacked? On all the cases we analyzed, they either had outdated versions of WordPress, or of a plugin. We can safely rule out any new vulnerability on WordPress itself.
To stay on top of the latest malware threats on the web, subscribe to their RSS feed. Perhaps the more people who realize this stuff is happening daily, the more it will persuade them to keep WordPress, plugins, and themes updated.
Sucuri Answers Your Malware Questions
In what I think is a great service to anyone who operates a website, the security service Sucuri has started to publish articles containing answers to user submitted questions. In their latest installment, they answer some general questions such as why anyone would want to hack your site, what they gain by attacking a website, and how to check if your site is infected, which is of course an advertisement for their free site scanner.
Speaking of their scanner, I checked WPTavern the other day and was relieved to see that the site came up clean. I’ve read too many horror stories from people who have had to try and save compromised websites to know that it’s nothing short of a giant pain in the rear to make sure everything is clean.
Absolute Privacy Plugin Back In The Repository
A few days ago, Sucuri reported that the Absolute Privacy plugin for WordPress contained a security vulnerability that allowed the plugin's authentication check to be bypassed, giving an attacker admin access to the WordPress site. The plugin was subsequently pulled from the repository, as it had not received an update to fix the issue in well over a year. Today, however, the plugin is back in the repository, as the security issue has now been fixed.
DreamHost Resets All FTP/Shell/VPS Account Passwords
Knowing that a lot of people use DreamHost for their WordPress powered websites, it's a bit unsettling to see that suspicious activity was detected in one of their databases and that, as a result, passwords have been reset across FTP, shell and VPS customer accounts. If you use DreamHost and have not been able to log in recently, this may explain why.
WordPress 3.3.1 Fixes Security Exploit
WordPress 3.3.1 was released last night, and it addresses an important security issue discovered in WordPress 3.3. Along with the security fix, the release also fixes 15 issues that are outlined here. After I upgraded the Tavern website, I was a bit confused to see a number of things listed under the What's New section. Most of the features outlined were introduced in WordPress 3.3, not 3.3.1.
When questioning this move on Twitter, Evansolomon responded with the following:
evansolomon @wptavern Full feature list is more useful for anyone using < 3.3. As 3.3 is still very new, good case that less accurate = more useful here
I guess that makes sense but it still throws me for a loop a little bit because it looks like those features were added with 3.3.1, not with 3.3. So the question I have for you is, do you think the What’s New section should be strict in only listing what’s new with that specific version or should other features from previous versions be shown as well?
Is Your WordPress Install Selling Handbags?
If you administer a WordPress powered website, you might want to check the directory structure, especially wp-content/upgrade and wp-content/uploads, to see if you notice a folder called Tall. According to the folks at WPMU.org, one of their co-workers' websites fell victim to an attack in which an entirely new WordPress installation was dropped into the site along with an e-commerce system. While Google is reporting a ton of results, most of them appear to be sub-pages within the hacked domains and not individual sites. I've checked my own installs and everything seems to be fine. It needs to be stated that this is not known to be an exploit of a vulnerability in the WordPress software itself, although the project team is aware of the findings by WPMU.
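Checking for the "Tall" folder by hand works for one site, but the real tell is a second WordPress install living under wp-content at all. The script below is an added example written for this post, not code from WPMU.org or from the WordPress project. It looks for the directory name reported above (case-insensitively), for WordPress core files that never belong below wp-content, and for PHP files in uploads/, which should hold media only. The last two checks generalize beyond the specific "Tall" name, and the third can flag legitimate plugin data on some sites, so treat hits as leads to inspect rather than proof of compromise.

```shell
#!/bin/sh
# Added example: audit a WordPress wp-content directory for signs of a rogue
# nested WordPress install. Not part of the original article or of WordPress.
# Usage: sh audit_wp_content.sh /var/www/example/wp-content

# scan_wp_content DIR
#   Print every suspicious path below DIR, one per line, prefixed "SUSPICIOUS: ".
#   Returns 0 when nothing is found, 1 when something is, 2 on a bad argument.
scan_wp_content() {
    dir="${1%/}"
    if [ ! -d "$dir" ]; then
        echo "not a directory: $dir" >&2
        return 2
    fi

    found=$(
        # (a) The directory name WPMU.org reported, under uploads/ or upgrade/.
        #     -iname because the post spells it "Tall".
        for sub in uploads upgrade; do
            [ -d "$dir/$sub" ] && find "$dir/$sub" -type d -iname tall
        done

        # (b) Core files of a WordPress install. None of these belong anywhere
        #     below wp-content, whatever the directory is called.
        find "$dir" -type f \( -name wp-config.php -o -name wp-login.php \
                               -o -name wp-settings.php \)

        # (c) PHP in uploads/. Media uploads should never be executable code.
        #     Heuristic: a few plugins do write PHP here, so inspect before acting.
        [ -d "$dir/uploads" ] && find "$dir/uploads" -type f -iname '*.php'
    )

    if [ -n "$found" ]; then
        printf '%s\n' "$found" | sort -u | sed 's/^/SUSPICIOUS: /'
        return 1
    fi
    echo "clean: $dir"
    return 0
}

# Run the scan when a path is given on the command line.
if [ $# -gt 0 ]; then
    scan_wp_content "$1"
fi
```

The exit status makes it usable from cron: a non-zero return means something turned up, so a one-line `scan_wp_content /path/wp-content || mail -s "wp-content audit" you@example.com` gets you a notice without reading logs every day.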
Dre Armeda On WordPress End-User Security
From WordCamp Chicago 2011, a presentation by Dre Armeda, one of the people behind the security service and site Sucuri. His talk contains a ton of information that all end users should take note of.
Naughty Plugins Caught And Removed From Repository
Siobhan McKeown has published a disturbing yet not out of the ordinary article explaining how a couple of plugins recently added to the plugin repository loaded a copy of jQuery from J-Query.org, which on investigation proved to be a fake website. The purported jQuery file was actually injecting CPA Infinity affiliate links into the sites that ran it. After the article was published, Otto responded in the comments to note that the plugins were removed and the user who uploaded them has been banned. This is yet another reminder that the WordPress plugin repository is a powerful place to do naughty business for those who can get past a couple of pairs of eyes without being noticed right away.
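The lookalike domain is the whole trick: nobody reads "j-query.org" twice in a `<script src=...>` line. A mechanical check does. The script below is an added example for this post, not code from the article, from Otto or from WordPress.org. It pulls every external `.js` URL out of a plugin's PHP, HTML and JS files and flags any host that is not on an allowlist. The default allowlist (wordpress.org, code.jquery.com, ajax.googleapis.com) is an assumption for the example; extend it for the hosts your own plugins legitimately use.

```shell
#!/bin/sh
# Added example: list the external JavaScript a plugin loads and flag hosts
# not on an allowlist. Not part of the original article or of WordPress.
# Usage: sh audit_script_sources.sh wp-content/plugins/some-plugin

# Hosts a plugin may load scripts from. Assumed defaults for this example;
# override with ALLOWED_HOSTS="..." in the environment.
ALLOWED_HOSTS="${ALLOWED_HOSTS:-wordpress.org code.jquery.com ajax.googleapis.com}"

# is_allowed HOST: true when HOST equals, or is a subdomain of, an allowed host.
# "evil-wordpress.org" does not match "wordpress.org"; the dot is required.
is_allowed() {
    h=$1
    for a in $ALLOWED_HOSTS; do
        [ "$h" = "$a" ] && return 0
        case "$h" in *."$a") return 0 ;; esac
    done
    return 1
}

# host_of URL: lower-cased host of an http://, https:// or protocol-relative // URL
host_of() {
    printf '%s\n' "$1" | sed -E 's#^(https?:)?//([^/:]+).*#\2#' | tr 'A-Z' 'a-z'
}

# audit_script_sources DIR
#   Print one line per script URL found under DIR: "ok" or "EXTERNAL", host, URL.
#   Returns 0 when every host is allowed, 1 when at least one is not.
audit_script_sources() {
    dir=$1
    # An absolute or protocol-relative URL ending in .js, optionally with a
    # query string; quotes, whitespace and angle brackets terminate it.
    pat="(https?:)?//[A-Za-z0-9._-]+(:[0-9]+)?/[^\"'[:space:]<>)]*\\.js(\\?[^\"'[:space:]<>)]*)?"
    urls=$(find "$dir" -type f \( -name '*.php' -o -name '*.html' -o -name '*.js' \) \
               -exec grep -hoE "$pat" {} + 2>/dev/null | sort -u)

    bad=0
    set -f   # URLs may contain ? and *; do not let the shell glob-expand them
    for u in $urls; do
        h=$(host_of "$u")
        if is_allowed "$h"; then
            echo "ok       $h  $u"
        else
            echo "EXTERNAL $h  $u"
            bad=$((bad + 1))
        fi
    done
    set +f
    [ "$bad" -eq 0 ]
}

# Run the audit when a plugin directory is given on the command line.
if [ $# -gt 0 ]; then
    audit_script_sources "$1"
fi
```

Scripts enqueued from a relative path via `plugins_url()` produce no absolute URL and so are not listed; that is intended, since the concern here is code pulled from somebody else's server. A `for` over every directory in wp-content/plugins turns this into a whole-site sweep.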
For the future, Otto recommends doing the following if you spot something malicious within a plugin on the repository:
Obviously malicious code doesn’t last long before somebody spots it (this one only lasted a week before somebody noticed, and it would have been removed that same day if anybody had reported it to us at plugins@wordpress.org), but unintended security holes can become widely propagated for a longer period of time, leading to issues when hackers find and exploit them. So they are of a somewhat higher priority to find.
Apparently, reporting offending plugins to that email address gets swifter action than anything else. Although not related specifically to this story, I think it's good to be reminded of June 21, 2011, when a number of suspicious commits were made to popular plugins after attackers gained access to the plugin repository. Thankfully, those commits were caught quickly, but there is no guarantee they would be caught in time again.