Someone planted backdoors in dozens of WordPress plug-ins used in thousands of websites

Dozens of plug-ins for WordPress, the popular open source blogging software, are now offline after a backdoor was discovered in them that allowed malicious code to be pushed to websites relying on the plug-ins. The backdoor was added to the source code of plug-in maker Essential Plugin last year, after a new corporate owner took over. According to Essential Plugin's website, the affected plug-ins had over 400,000 installs and more than 15,000 customers.

The backdoor went dormant until earlier this month when it activated and began distributing malicious code to any website with the plug-ins installed. WordPress' plug-in install page shows that the affected plug-ins are in over 20,000 active WordPress installations. Security researchers have long warned of the risks of malicious actors buying software and changing its code to compromise a large number of computers.

Anchor Hosting founder Austin Ginder sounded the alarm about the security threat after discovering the backdoor in Essential Plugin's source code. He warned that WordPress users are not notified of any plug-ins' change in ownership, exposing them to potential takeover attacks by their new owners. This is the second hijack of a WordPress plug-in discovered in as many weeks.

Ginder has listed the affected plug-ins on his blog and advised WordPress owners to check if they still have one of the malicious plug-ins installed and remove it. Essential Plugin representatives did not respond to requests for comment.
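One way for a site operator to carry out that check, as an added example that is not from the article or from Ginder's post: the script below parses the JSON that WP-CLI prints for `wp plugin list --format=json`, flags any installed plug-in whose slug appears on a list of affected slugs, and builds the deactivate/delete commands for each one. The sample WP-CLI output is constructed for the example, and the slugs in `AFFECTED_SLUGS` are placeholders that must be replaced with the real list published on Ginder's blog.

```python
import json

# Constructed sample of `wp plugin list --format=json` output (WP-CLI).
# Slugs and versions here are made up for this example.
SAMPLE_WP_CLI_JSON = json.dumps([
    {"name": "akismet", "status": "active", "update": "none", "version": "5.3"},
    {"name": "example-affected-slug", "status": "active", "update": "none", "version": "2.4.1"},
    {"name": "another-affected-slug", "status": "inactive", "update": "available", "version": "1.0.9"},
    {"name": "hello", "status": "inactive", "update": "none", "version": "1.7.2"},
])

# PLACEHOLDER: replace with the slugs from the published list of affected
# plug-ins. These two names are not real plug-ins.
AFFECTED_SLUGS = {"example-affected-slug", "another-affected-slug"}


def parse_plugin_list(wp_cli_json):
    """Parse the JSON array WP-CLI emits for `wp plugin list --format=json`."""
    plugins = json.loads(wp_cli_json)
    if not isinstance(plugins, list):
        raise ValueError("expected a JSON array of plug-in records")
    return plugins


def find_affected(plugins, affected_slugs):
    """Return (slug, status, version) for installed plug-ins on the affected list.

    Inactive plug-ins are reported too: their files still sit in
    wp-content/plugins and can be reactivated, so they should be removed.
    """
    return sorted(
        (p["name"], p["status"], p.get("version", ""))
        for p in plugins
        if p["name"] in affected_slugs
    )


def removal_commands(matches):
    """Build the WP-CLI commands that remove each flagged plug-in."""
    cmds = []
    for slug, status, _version in matches:
        if status == "active":
            cmds.append(f"wp plugin deactivate {slug}")
        cmds.append(f"wp plugin delete {slug}")
    return cmds


def audit(wp_cli_json=SAMPLE_WP_CLI_JSON, affected_slugs=AFFECTED_SLUGS):
    """Run the check and return (matches, removal commands)."""
    matches = find_affected(parse_plugin_list(wp_cli_json), affected_slugs)
    return matches, removal_commands(matches)


if __name__ == "__main__":
    # In production, feed the real output: wp plugin list --format=json
    matches, cmds = audit()
    if not matches:
        print("No listed plug-ins installed.")
    for slug, status, version in matches:
        print(f"FLAGGED: {slug} ({status}, v{version})")
    for cmd in cmds:
        print("   ", cmd)
```

The script only reports and prints commands; it does not execute them, so the operator can review what would be removed before running anything against a live site.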