Despite increased security in versions 3.1.4 and 3.2, there are still risks in running WordPress – as there are in running any CMS, particularly an open-source one. WordPress recently warned users to watch out for three malicious plug-ins that were available from the WordPress site for more than 24 hours.
WordPress users often depend on plug-ins to extend the functionality of the platform, and, in fact, there are scores of great choices that allow you to do everything from optimize for mobile to analyze search behaviors. It is impossible to harness the potential of WordPress without trying plug-ins, but caution is essential. WordPress recently required all of its users to change their passwords after three popular plug-ins, AddThis, WPtouch, and W3 Total Cache, were discovered to contain “cleverly disguised backdoors.” Hackers could then access accounts, according to WordPress developer Matt Mullenweg.
“We determined the [suspicious] commits were not from the authors, rolled them back, pushed updates to the plug-ins, and shut down access to the plug-in repository while we looked for anything else unsavory,” Mullenweg told users in a blog post. Each of the three affected plug-ins was very popular: AddThis and W3 Total Cache were downloaded about 500,000 times each, and WPtouch, which was free, was downloaded more than 2 million times.
There is no evidence that hackers were able to compromise the WordPress site, but Mullenweg and staff were taking all possible precautions. According to HP DVLabs, 80 percent of all WordPress-related vulnerabilities are due to plug-ins. One of the culprits is weak or reused passwords. Mullenweg says, “Make sure to never use the same password for two different services.”
Paul Ducklin, head of technology for Sophos Asia Pacific, says, “If you're a WordPress user, you'll know that the WordPress platform includes a complete and powerful administration interface, password-protected, via a URL such as ‘site.example/wp-admin’. A WordPress backdoor might offer something with similar functionality, but using a different, unexpected URL, and using a password known to the hacker instead of to you.” Use caution and always scrutinize plug-ins for suspicious behavior.
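The incident above was caught by noticing commits that did not come from the plug-in authors. A site owner can apply the same idea locally: keep a hash manifest of a plug-in as downloaded from a trusted source, then periodically compare the installed copy against it, so that an altered file or an unexpected extra PHP entry point (the kind of "different, unexpected URL" Ducklin describes) shows up as a diff. The script below is an added example, not WordPress code or code from any of the plug-ins named; the manifest format, the plug-in name `example-plugin` and the file layout are assumptions, and the tampered install is constructed in a temporary directory so the script runs offline.

```python
"""Plug-in integrity check: compare an installed WordPress plug-in directory
against a baseline manifest of SHA-256 digests taken from a known-good copy.
Added example, not WordPress's own code; the manifest format is an assumption."""
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large assets do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path relative to root (POSIX form) to its SHA-256 digest."""
    manifest = {}
    for entry in sorted(root.rglob("*")):
        if entry.is_file():
            manifest[entry.relative_to(root).as_posix()] = hash_file(entry)
    return manifest


def compare_to_baseline(installed: Path, baseline: dict) -> dict:
    """Report files that changed, files that appeared, and files that vanished
    relative to the known-good manifest. Any non-empty list merits a look."""
    current = build_manifest(installed)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "missing": sorted(p for p in baseline if p not in current),
    }


def demo() -> dict:
    """Constructed scenario (hypothetical plug-in name and files): a pristine
    copy and an installed copy that start identical; the installed copy then
    gets one altered helper, one extra standalone PHP file, and a deleted readme."""
    with tempfile.TemporaryDirectory() as tmp:
        pristine = Path(tmp, "pristine", "example-plugin")
        installed = Path(tmp, "installed", "example-plugin")
        for root in (pristine, installed):
            (root / "inc").mkdir(parents=True)
            (root / "example-plugin.php").write_text("<?php\n// Plugin Name: Example\n")
            (root / "inc" / "helpers.php").write_text("<?php\nfunction ep_helper() {}\n")
            (root / "readme.txt").write_text("Example plugin\n")
        baseline = build_manifest(pristine)  # taken from the trusted download

        # Simulated tampering of the installed copy (constructed, not real malware).
        (installed / "inc" / "helpers.php").write_text("<?php\nfunction ep_helper() {}\n// altered\n")
        (installed / "inc" / "login.php").write_text("<?php\n// unexpected extra entry point\n")
        (installed / "readme.txt").unlink()
        return compare_to_baseline(installed, baseline)


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

In practice the baseline manifest would be generated once from the plug-in archive fetched from the official repository and stored outside the web root, and the comparison run from cron; an `added` PHP file under a plug-in that the upstream release does not ship is exactly the unexpected entry point a backdoor would need.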