WordPress Security Exploit Found: Upgrade WPTouch, AddThis and W3 Total Cache

Notice that you can’t get access to the forums or trac? Can’t commit a plugin or theme? Yesterday Matt announced that WordPress had force reset all WordPress passwords due to a security breach. Three popular plugins – WPTouch, AddThis and W3 Total Cache - were found to contain backdoor trojans. These were not added by the plugin developers themselves whose own WordPress accounts were compromised and new versions of the plugins were uploaded.

Let’s Look at The Scale of the Problem

A quick look at the stats in the WordPress repository gives an indication of quite how big the potential problem is:

Aaron at AddThis has said on his blog that the offending plugin is 2.1.3 if it was downloaded on 20th or 21st June. It was downloaded 3,583 times yesterday. Here’s how many people are currently using 2.1.3:

AddThis 2.1.3 with 14.3% share of active plugins

The affected versions of WPTouch are 1.9.27 and 1.9.28 – again only if you updated in the past few days. It was downloaded 14,670 times yesterday. Here’s how many people are using those versions:

WPTouch 1.9.27 used by 15.3% active users

I can’t find which version of W3 Total Cache is affected but from the uploads on it’s trac page it looks like (please correct me if that’s wrong!). Again check your dates. It was downloaded 3,442 times yesterday.

W3Total Cache stats showing 28.6% os users using

Again, I really want to stress that the real issue is with plugins updated or downloaded on 20th or 21st June. Personally I struggle to remember what I’ve done over the past few days so to be safe I would update these plugins – it’s always good to be up-to-date anyway.

What Should I Do?

  • Don’t panic or fire off angry emails
  • Upgrade these plugins immediately- they all have new versions which will fix the exploit
  • Change all of your passwords

To keep up to date you can watch out on the WordPress News blog which tends to have all of the latest, most important, WordPress happenings.