Comments on: Malicious WordPress plugin steals your admin password, and you didn't even know?
http://www.dailyseoblog.com/2009/07/malicious-wordpress-plugin-steals-your-admin-password-and-you-didnt-even-know/
Search Engine Optimization, Online Marketing and Social Media Marketing Tips
Last updated: Mon, 13 Jul 2009 03:54:59 -0500

By: teratips (Sun, 12 Jul 2009 18:20:49 +0000)
http://www.dailyseoblog.com/2009/07/malicious-wordpress-plugin-steals-your-admin-password-and-you-didnt-even-know/#comment-14814

It's best, but also it's a naughty tool.
By: Tech @ InkAPoint (Fri, 10 Jul 2009 20:23:35 +0000)
http://www.dailyseoblog.com/2009/07/malicious-wordpress-plugin-steals-your-admin-password-and-you-didnt-even-know/#comment-14786

You are right, Mani. Sometimes plugins will work like upward-compatible versions. But the problem is that not all plugins are 100% compatible with newer versions of WP.

We can't say that plugins will not work if they were developed for earlier versions of WP.
By: Tech @ InkAPoint (Fri, 10 Jul 2009 20:20:34 +0000)
http://www.dailyseoblog.com/2009/07/malicious-wordpress-plugin-steals-your-admin-password-and-you-didnt-even-know/#comment-14785

Yes, you can. Just open the plugin's zip file and see the PHP files.
By: marcelomuraro (marcelo muraro) (Thu, 09 Jul 2009 22:48:26 +0000)
http://www.dailyseoblog.com/2009/07/malicious-wordpress-plugin-steals-your-admin-password-and-you-didnt-even-know/#comment-14735

Malicious WordPress plugin steals your admin password, and you didn't even know? http://tinyurl.com/machfl
By: Sarah Lewis (Thu, 09 Jul 2009 18:04:38 +0000)
http://www.dailyseoblog.com/2009/07/malicious-wordpress-plugin-steals-your-admin-password-and-you-didnt-even-know/#comment-14718

@Nihar: until Sven's post, that particular plugin <em>was</em> in the WordPress directory.

However, I think the title of this post is (unintentionally) misleading. If you read Sven's post again, you'll see that the plugin did <em>not</em> do anything with the WordPress admin password, only some basic SMS request data (that included the username and password for the SMS service, but nothing as sensitive as the WordPress admin password).

Don't get me wrong; it's still a security issue. After all, the plugin was doing something without the user's permission.

But I'm pretty sure that your admin password is actually very safe, even from malicious plugin authors, because it is not stored in clear text (even in the database). There's no way that I know of for a plugin to ever access the unencrypted version of the password.

All that said, it is definitely best to be cautious with any plugins. I think your tips are good ones. Perhaps some enterprising security pro will start a plugin-review blog and do us all a favor. :)
By: Nihar (Thu, 09 Jul 2009 16:59:12 +0000)
http://www.dailyseoblog.com/2009/07/malicious-wordpress-plugin-steals-your-admin-password-and-you-didnt-even-know/#comment-14705

I think one should always use a plugin which is there in the WordPress directory.

Don't use plugins from the author's site.

What do you think?
By: Anish K.S (Thu, 09 Jul 2009 01:51:17 +0000)
http://www.dailyseoblog.com/2009/07/malicious-wordpress-plugin-steals-your-admin-password-and-you-didnt-even-know/#comment-14647

Thanks, Mani, for the advice.
By: Kurtis Taylor (Wed, 08 Jul 2009 19:23:50 +0000)
http://www.dailyseoblog.com/2009/07/malicious-wordpress-plugin-steals-your-admin-password-and-you-didnt-even-know/#comment-14640

I would have thought that WordPress's approval process would be a little more careful about the kind of code placed in these plugins, but I guess not.
By: Mani Karthik (Wed, 08 Jul 2009 16:45:19 +0000)
http://www.dailyseoblog.com/2009/07/malicious-wordpress-plugin-steals-your-admin-password-and-you-didnt-even-know/#comment-14621

I completely agree, Yael. In fact, I hadn't taken it seriously up to this time. If the plugin works fine even after an upgrade, then I'd keep it. But I think this is a mistake I've been making, and I am seriously considering pulling them off with minimum user exp problems.
By: Yael K. Miller (Wed, 08 Jul 2009 16:37:45 +0000)
http://www.dailyseoblog.com/2009/07/malicious-wordpress-plugin-steals-your-admin-password-and-you-didnt-even-know/#comment-14619

I have to disagree with #4 completely.

I've installed WordPress 2.8 (not on my main site, I admit) and since a lot of plugin creators seem to have ignored the release of 2.8, I've had to test myself whether the plugins will work.

DailySEOBlog seems to have ignored #4 itself.

I can't say positively, but I'm pretty sure that the "Notify me of follow-up comments via e-mail" is the Subscribe to Comments plugin. If you look at the Subscribe to Comments page (wordpress.org/extend/plugins/subscribe-to-comments) you will notice that it is listed as officially only "Compatible up to: 2.3.1". That hasn't stopped the thousands of people who download it weekly.