Wednesday, 22 June 2011

WordPress Passwords Reset


Earlier today the WordPress team noticed suspicious commits to several popular plugins (AddThis, WP-Touch, and W3 Total Cache) containing cleverly disguised backdoors. We determined the commits were not from the authors, rolled them back, pushed updates to the plugins, and shut down access to the plugin repository while we looked for anything else unsavory. We're still investigating what happened, but as a prophylactic measure we've decided to force-reset all passwords on WordPress.org. To use the forums, trac, or commit to a plugin or theme, you'll need to reset your password to a new one. (Same for bbPress.org and BuddyPress.org.) As a user, make sure to never use the same password for two different services, and we encourage you not to reset your password to be the same as your old one. Second, if you use AddThis, WP-Touch, or W3 Total Cache and there's a possibility you could have updated in the past day, make sure to visit your updates page and upgrade [...]
7 hours ago via WordPress.org
  • 202 people like this.
    • David Markey Nasty..
      7 hours ago · 1 person
    • Rob Friedman ouch
      7 hours ago
    • Maura Knowles thanks for sharing!
      7 hours ago · 1 person
    • Brett Lewis Not good. At least you are on top of it.
      7 hours ago
    • Sopyan Nc Ok mr wordpress
      7 hours ago
    • David Riley is this also for self hosted wordpress sites?
      7 hours ago
    • WordPress The password reset only applies to the WordPress.org site itself. Individual WordPress installations are NOT affected. If you have one of the three affected plugins, please update it as detailed in the post.
      7 hours ago · 8 people
    • Didot Adot :)
      7 hours ago · 1 person
    • Jane Anderson Thanks for being proactive and for communicating!
      7 hours ago · 4 people
    • Arief Bayu Purwanto On self hosted, you just have to make sure to update plugins mentioned in article, to the latest version.
      7 hours ago · 1 person
    • Dan Davies Dear Sony, take notes.
      7 hours ago · 10 people
    • Joe Hana @Arief "Individual WordPress installations are NOT affected."
      7 hours ago
    • Andrew Mytyś I can't wait to use that "prophylactic measure" phrase in the next security message I author. :)
      7 hours ago · 4 people
    • Capunk Kecil hahaha.. I thought must take password reset immediately for my WP :)
      7 hours ago
    • Claudia James Thanks for sharing!!!!!
      7 hours ago
    • Doolz Mcdoolz Oh wow, I'm impressed! Nice work ladies and gentlemen.
      Jeez, I hope I don't have an infected WP-Touch...
      7 hours ago · 1 person
    • Ilsa Bartlett ouch!
      7 hours ago
    • David Poindexter Bloody hell! There goes my argument for "Wordpress security has come a long way" to the higher ups in enterprise.
      7 hours ago
    • Kim Parsell David, it is for your wordpress.org account (forums, Codex, etc.), not your individual WordPress install on your server.
      7 hours ago
    • Luy T The reset is for wordpress.org but the affected plugins affect all wordpress installs. If you self host and installed an update to those plugins in the last day or so then you need to update again (and you should change your passwords JIC)
      6 hours ago
    • Tim Browne Bastards
      6 hours ago
    • Jeremy Thomas I was recently hacked by Abdosa replacing my nice site with scary black screen with big red Turkish flag. Luckily rescued by nerdy mates but it's a lesson to keep backed up...
      6 hours ago
    • Seth Albaum That explains what my users were complaining about, but those weren't the widgets we found the offending files in..so maybe it was a different 'backdoor' exploit on my self hosted site..very scary experience with very bad timing
      6 hours ago
    • Scott M Collingwood Yes of course Wordpress would stave off any lizards, I had no doubts in you chaps whatsoever.
      6 hours ago
    • Scott M Collingwood After all, when people do something because they love it, you can trust them. Conversely.....
      6 hours ago
    • Jason Schwarzenberger fffuu just reset my password a few days ago coz of mtgox account had the same pass... not that i did anything with mtgox, just signed up to see what the behind-the-login was like :P
      6 hours ago
    • Owen Jj Oh no!! Thanks
      6 hours ago
    • Rodney Parsons I've had this issue last 4 weeks still can't get it to work
      5 hours ago
    • Rodney Parsons Is this the same WordPress password reset that's on my blog, 'cause it sure don't work at all
      5 hours ago
    • Ruth E. Thaler-Carter What are commits?
      4 hours ago
    • Kang Syimen WTF
      I have those plugins installed almost in all of my sites, including my clients!!!!!!!!!
      4 hours ago
    • Nathaniel Stott Security is always a key area to watch for Online! From server settings to the source of files, themes and plugins used. WordPress is obviously on top of this too—thanks for the tip!
      2 hours ago
    • Melodie Licht Good question Ruth. I can't find a definition online - nor any information on how these commits affect your site. Clarification would be helpful toward understanding the implications -
      2 hours ago
    • Nina Khoury Commit is a term used by developers even uploading or updating files in a repository. Like when we release a new version of one of our plugins, it's kinda the final step to make it available to the users.
      2 hours ago
    • Nina Khoury I meant when uploading, not even..
      2 hours ago
    • Stephen Atty This is of course also an argument for NOT blindly using the update plugins option
      27 minutes ago · 1 person
