Plugin authors need to take serious notice of a recent phishing attack that is aimed specifically at plugin authors. Ipstenu, one of the volunteer WordPress.org support forum moderators has published a forum thread warning others that responding to the email wouldn’t be a good idea. The way in which this phishing attack works is pretty interesting. After clicking on the link within the email to check on your plugins status, you are then taken to a site that looks very similar to WordPress.org where you’re asked to provide your password. Passwords that are given can then be used to gain unauthorized access to the account and associated plugins attached to it.
Plugin authors are encouraged not to reply to the email as well as not entering your password on the fake WordPress.org website. It’s important to note that plugins have not been removed from the repo, and if they had, the email would have come from a wordpress.org account.
You might have to jog my memory but this is the first time that I can remember where WordPress.org plugin authors were the target of a phishing scam.
I never received an email along those lines. I am shocked, though, that plugin developers wouldn’t notice a funky URL…
Unfortunately I did. And bone head that I am, I hurriedly logged in to see why my plugin violated the terms of service. (In my defense, I did it from my iPhone, where email headers aren’t obvious).
The very next morning my plugin had an update that crashed a user’s site.
And I’m shocked at myself too.