[wp-hackers] Malware plugin

Otto otto at ottodestruct.com
Fri Sep 9 16:03:40 UTC 2011


On Fri, Sep 9, 2011 at 10:26 AM, John Blackbourn
<johnbillion+wp at gmail.com> wrote:
> Is there a procedure in place to proactively remove malicious or
> unwanted code like that found in this plugin? I know this was done
> back in June to W3 Total Cache and the other couple of plugins that
> were compromised. I ask because even though this plugin is no longer
> shown in the directory, any installations with the plugin installed
> will still contain the code.

If it's an obviously popular plugin, then sometimes we'll go in and
patch the code and force an upgrade. This doesn't actually need to
happen all that often.

Most of the time, the plugin is either a) new and intentionally
malicious or b) just buggy. For the malicious intent case, we just
kill the sucker outright and ban the author. For the buggy case, we
email the plugin author, sometimes suggesting a patch, and close the
plugin to prevent further installs. Usually the author patches it,
emails us back, and we reopen the plugin, allowing the upgrade to go
through.

99% of the time, the number of installs of a problem plugin is fairly
small and insignificant. That other 1%, the author is actively
responsive and patches their plugin quickly. It's really just a truism
that popular plugins tend to be well-maintained and have active
authors behind them.

Note that the download counter isn't a real good indicator of the
number of sites actually running the plugin.

-Otto


More information about the wp-hackers mailing list