Update your WordPress plugins

The latest security breach at WordPress.org where someone (most likely) have guessed or used brute force to find out the passwords for some of the plugin authors and insert malicious code into their plugins, shows that using the same password for multiple services could be really dangerous for both you and your customers/partners.

What happened at WordPress.org (due to the lack of information here, I’m just guessing) is that someone updated three really popular plugins with malicious code containing a backdoor, making it possible for the hacker to access your WordPress blogs (if you used any of the affected plugins). The plugins that where target for this attack where AddThis, WPTouch and W3 Total Cache. If you have updated any of these plugins in the last few days you should update again to get a clean version without the malicious code.

As a precaution WordPress.org changed all passwords on WordPress.org, Buddypress.org and bbpress.org, so if you have an account with any of these sites you need to update your password before you can access the accounts again. WordPress is also recommending everyone, not to change the passwords back to the old password but instead choose a new password (since if the hackers used bruteforce to guess the passwords, and you change it back to the old passwords they would still have access to your account).

As mentioned in the beginning of this post it’s dangerous to use the same password for all sites where you have an account. And the Sony hack is also a good (or bad, depending on how you look on it 😉 ) example of how bad it can be if you use the same password on multiple sites. In the Sony example the hackers published a list of emails and passwords and also encouraged people to test the email/passwords on sites like Facebook.

So, the conclusion here is to always use an updated version of your software, never use the same password on two sites, and use a hard to guess password.