A security breach at WordPress.org, the open-source home of the WordPress blogging platform (its commercial counterpart is Matt Mullenweg's Automattic), has led to a forced password reset after backdoors were found in several popular plug-ins.
While the precise method of intrusion is not yet known, malicious changes to the code of the AddThis, WPtouch, and W3 Total Cache plug-ins in the WordPress.org plug-in repository were spotted and rolled back. The commits, which were not made by the plug-ins' authors, added backdoor code that would give an attacker unauthorised access to any blog running the tampered versions.
"We’re still investigating what happened," admitted Automattic's Matt Mullenweg in a statement, "but as a prophylactic measure we’ve decided to force-reset all passwords on WordPress.org. To use the forums, trac, or commit to a plugin or theme, you’ll need to reset your password to a new one."
The change also comes with a warning to ensure that the password used on WordPress.org is unique to that service, and a plea not to simply set the new password to the value used before the intrusion.
The availability of powerful plug-ins that extend the platform's functionality is one of WordPress's biggest strengths, but, as this case shows, the channel through which they are distributed can also be a weakness: a tampered plug-in in the central repository reaches every site that installs or updates it. With WordPress powering more sites than any other content management system, the project's servers are a tempting target for attackers who want the biggest possible impact.
Users with WordPress.org accounts are advised to make use of the password reset function, and site owners should upgrade AddThis, WPtouch, and W3 Total Cache to the latest versions through their dashboards so that the backdoored code is replaced with the clean release.
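Upgrading replaces the plug-in files with the current release, but it does not by itself tell a site owner whether the copy that had been running was altered. As an added example, not code from the article or from WordPress.org, the script below builds a SHA-256 manifest of a plug-in directory and compares it with a manifest of a known-clean copy, reporting files that were added, removed or modified. The plug-in name, file contents and the "tampered" change are constructed for the demonstration and do not reproduce the actual backdoors.

```python
"""Integrity check of an installed WordPress plug-in against a known-clean copy.

Added example: builds per-file SHA-256 manifests and diffs them. The plug-in
and its files below are constructed for demonstration only.
"""
import hashlib
import tempfile
from pathlib import Path


def build_manifest(plugin_dir):
    """Return {relative_posix_path: sha256_hex} for every regular file under plugin_dir."""
    root = Path(plugin_dir)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def compare_manifests(reference, installed):
    """Classify differences between a clean reference manifest and the installed tree.

    'added' files are the classic sign of a dropped backdoor; 'modified' files
    catch code appended to or rewritten inside legitimate plug-in files.
    """
    ref_keys, inst_keys = set(reference), set(installed)
    return {
        "added": sorted(inst_keys - ref_keys),
        "removed": sorted(ref_keys - inst_keys),
        "modified": sorted(k for k in ref_keys & inst_keys if reference[k] != installed[k]),
    }


def write_tree(base, files):
    """Materialise a {relative_path: content} mapping under base (helper for the demo)."""
    for rel, content in files.items():
        target = Path(base) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content)


def demo():
    """Constructed scenario: a clean release and an installed copy with two changes."""
    clean = {  # hypothetical plug-in, not a real WordPress.org package
        "example-plugin.php": "<?php\n// Plugin Name: Example Plugin (hypothetical)\nfunction example_init() {}\n",
        "includes/helpers.php": "<?php\nfunction example_helper() { return 1; }\n",
    }
    tampered = dict(clean)
    # One legitimate file gets extra code appended; one unexpected file appears.
    tampered["includes/helpers.php"] = clean["includes/helpers.php"] + "// unexpected trailing change\n"
    tampered["includes/extra.php"] = "<?php\n// file not present in the reference release\n"
    with tempfile.TemporaryDirectory() as ref_dir, tempfile.TemporaryDirectory() as inst_dir:
        write_tree(ref_dir, clean)
        write_tree(inst_dir, tampered)
        return compare_manifests(build_manifest(ref_dir), build_manifest(inst_dir))


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

In practice the reference manifest is built from a fresh download of the release the site is supposed to be running (for example the zip from WordPress.org, unpacked elsewhere), and the installed manifest from `wp-content/plugins/<slug>`; any entry under `added` or `modified` deserves a manual look before the site is declared clean.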