Free WordPress Security Mini Course

Comments   |   WordPress Security

AddThis, WPtouch, and W3 Total Cache Plugins Hacked

There’s never a lack of news on the Internet regarding hacks and WordPress. You’d think that it would be wise to stay away from WordPress with all the bad news, but I believe the truth is actually quite opposite. Here’s why…

  • WordPress is one of the most popular CMS in the world, so they are undoubtedly going to have a large target on their systems
  • WordPress has teams of professionals that monitor their systems for security breaches
  • They also have highly talented individuals that update their systems on a regular basis to keep everything secure
  • Do you stop using Microsoft Windows just because it gets hacked? (Some people might say Yes, that’s why they have gone to Mac, but I have been hacked on a Mac before too… so no system is 100% safe)

It’s the unfortunate truth that hackers continuously probe and hack anything related to WordPress because they know there are millions of websites using WordPress. Most of these hacks are actually quite harmless as far as securing your customers’ information, because most hacks are simple black hat SEO link insertions trying to increase their sites’ search engine rankings. But spam is still spam nonetheless, and you should do everything you can to stay updated and secure from these nasty hackers.

3 WordPress Plugins were hacked this week

According to an official WordPress news release, the 3 plugins AddThis, WPtouch, and W3 Total Cache, were hacked. Here’s the official statement:

The WordPress team noticed suspicious commits to several popular plugins containing cleverly disguised backdoors. We determined the commits were not from the authors, rolled them back, pushed updates to the plugins, and shut down access to the plugin repository while we looked for anything else unsavory.

If you use these plugins, please read this information!

If you use AddThis, WPtouch, or W3 Total Cache and there’s a possibility you could have updated in the past day, make sure to visit your updates page and upgrade each to the latest version. WordPress has rolled back the plugins to a version prior to the hacked update, so you should immediately update those plugins.

Go reset your passwords

As a common security measure against these sorts of hacks, WordPress has now forced all users to reset their passwords. These password resets do NOT affect your self-hosted website; they only affect your WordPress.org accounts. So if you have a profile on WordPress.org, you use the forums, or you have a website hosted at WordPress.org (instead of on your own server), you will be asked to reset your password. You can reset your password here.

Leave a Reply