WordPress Takes Bite Out Of Plugin Attacks via @sejournal, @martinibuster


WordPress took important steps to combat supply chain attacks by pausing plugin updates and resetting passwords

WordPress Ends Plugin Supply Chain Attacks

WordPress announced over the weekend that it was pausing plugin updates and initiating a forced reset of plugin author passwords in order to prevent further website compromises due to the ongoing supply chain attack on WordPress plugins.

Supply Chain Attack

Hackers have been attacking plugins directly at the source using password credentials exposed in previous data breaches (unrelated to WordPress itself). The hackers are looking for compromised credentials used by plugin authors who reuse the same passwords across multiple websites (including passwords exposed in a previous data breach); a valid WordPress.org login lets them push a malicious release under the author's name.
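The defensive counterpart to this attack is to refuse any password that already appears in a breach corpus, which is what a password-reuse check does. The script below is an added example for this article, not code from WordPress.org or from the article's author. It implements the k-anonymity range query used by the public Pwned Passwords API (only the first five hex characters of the password's SHA-1 leave the machine; the response lists 35-character suffixes with breach counts and matching happens locally). The offline lookup, the breach counts and the other suffixes in the sample bucket are constructed for this example so the script runs without network access; the `hibp_lookup` function is the live equivalent and is not exercised here.

```python
"""Screen a candidate password against a breach corpus with a k-anonymity
range query, so the password (and its full hash) never leaves the process.

Added example for this article; not WordPress.org code. The wire format
mirrors the public Pwned Passwords API (GET /range/<5-hex-prefix>, response
lines "<35-hex-suffix>:<count>"). The offline lookup below uses a constructed
bucket so the script runs without network access.
"""

import hashlib
import urllib.request
from typing import Callable, Dict, Tuple


def split_sha1(password: str) -> Tuple[str, str]:
    """Return (first 5 hex chars, remaining 35) of the uppercase SHA-1 digest."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(text: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict; tolerates blank lines and CRLF."""
    counts: Dict[str, int] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, lookup: Callable[[str], str]) -> int:
    """How many times this password appears in the corpus (0 = not found).

    Only the 5-character prefix is sent to the lookup; the suffix comparison
    is done locally, so the lookup service learns nothing about the password.
    """
    prefix, suffix = split_sha1(password)
    return parse_range_response(lookup(prefix)).get(suffix, 0)


# --- constructed offline corpus (not real breach data) ----------------------
# SHA-1("password") = 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8, so its range
# bucket is "5BAA6". The counts and the neighbouring suffixes are made up for
# this example; a real bucket holds several hundred suffixes.
_PREFIX, _SUFFIX = split_sha1("password")
CONSTRUCTED_RANGES: Dict[str, str] = {
    _PREFIX: "\r\n".join([
        "003D68EB55068C33ACE09247EE4C639306B:3",
        f"{_SUFFIX}:9545824",
        "1E2AAA439C4A5A9A9A6A1C0EA3FD8D3C6A7:1",
    ]),
}


def offline_lookup(prefix: str) -> str:
    """Stand-in for the HTTP range endpoint; unknown prefixes yield no matches."""
    return CONSTRUCTED_RANGES.get(prefix.upper(), "")


def hibp_lookup(prefix: str) -> str:
    """Live range query over the network; same interface as offline_lookup."""
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    req = urllib.request.Request(url, headers={"User-Agent": "pw-reuse-check"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def should_reject(password: str, lookup: Callable[[str], str] = offline_lookup,
                  threshold: int = 1) -> bool:
    """Policy hook: reject any password seen at least `threshold` times in breaches."""
    return breach_count(password, lookup) >= threshold


if __name__ == "__main__":
    for pw in ("password", "a-long-unique-passphrase-for-wp-org-only"):
        n = breach_count(pw, offline_lookup)
        print(f"{pw!r}: seen {n} time(s); reject={should_reject(pw)}")
```

Swap `offline_lookup` for `hibp_lookup` to run the check against the live corpus. The design choice worth noting is that the prefix query is the only thing a compromised or logging lookup service ever sees, so this check can be wired into a password-change form without creating a new place for credentials to leak.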

WordPress Takes Action To Block Attacks

Some plugins have been compromised, but the WordPress community has rallied to clamp down on further plugin compromises by instituting a forced password reset and encouraging plugin authors to use two-factor authentication.

WordPress also temporarily blocked all new plugin updates at the source unless they received team approval, in order to make sure that a plugin is not being updated with malicious backdoors. By Monday WordPress had updated its post to confirm that plugin releases are no longer paused.

The WordPress announcement on the forced password reset:

“We have begun to force reset passwords for all plugin authors, as well as other users whose information was found by security researchers in data breaches. This will affect some users’ ability to interact with WordPress.org or perform commits until their password is reset.

You will receive an email from the Plugin Directory when it is time for you to reset your password. There is no need to take action before you’re notified.”

A discussion in the comments section between a WordPress community member and the author of the announcement revealed that WordPress did not directly contact plugin authors who were identified as using “recycled” passwords, because there was evidence that some of the users found in the data breach list had credentials that were in fact safe (false positives). WordPress also discovered that some accounts that were assumed to be safe were in fact compromised (false negatives). That is what led to the current action of forcing password resets.

Francisco Torres of WordPress answered:

“You’re right that specifically reaching out to those individuals mentioning that their data has been found in data breaches will make them even more sensitive, but unfortunately as I’ve already mentioned that might be inaccurate for some users and there will be others that are missing. What we’ve done since the beginning of this issue is to individually notify those users that we’re certain have been compromised.”

Read the official WordPress announcement:

Password Reset Required for Plugin Authors

Roger Montti, SEJ Staff, Owner at Martinibuster.com
