Let me start by saying that I hope that the attack that is discussed in this article we’re linking from is resolved, and the company has figured out what caused the supply chain attack.
The article I've been contemplating writing about, and which has been pushed to this coming week's show, is "Supply chain attack used legitimate WordPress add-ons to backdoor sites."
Dan Goodin talks about the challenge, the fact that the company didn’t comment, and what the researchers at Jetpack found.
Dozens of legitimate WordPress add-ons downloaded from their original sources have been found backdoored through a supply chain attack, researchers said. The backdoor has been found on “quite a few” sites running the open source content management system.
The backdoor was discovered by security researchers from Jetpack, the maker of security software owned by Automattic, provider of the WordPress.com hosting service and a major contributor to the development of WordPress. In all, Jetpack found that 40 AccessPress themes and 53 plugins were affected.
Let me say that the plugins we have installed on the blog are installed through the WordPress interface itself. You can also get a zip file, unpack it, and put it in the plugins directory, and that will get a plugin installed. It is usually safe to do this, but it seems like there was a coordinated attack that was launched at the same time updates were pushed out. The article says WordPress.org's own repository was never compromised. That doesn't mean it couldn't have been, and millions of sites were affected.
The article describes a script called initial.php that was used to drop further files onto the site.
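A defender's check that follows from this, as an added example that is not from the article or from Jetpack: compare an installed plugin tree against a checksum manifest so that an injected file like initial.php, or a plugin file whose contents changed, shows up. The manifest layout below ({"files": {path: {"sha256": ...}}}) is an assumption modelled on the per-plugin checksum files WordPress.org publishes for plugins it hosts (WP-CLI's `wp plugin verify-checksums` does this comparison for those); the plugin files and hashes here are constructed.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed sample plugin; the "official" manifest is built from these contents.
SAMPLE_FILES = {
    "example-plugin.php": "<?php\n/* Plugin Name: Example */\n",
    "inc/helpers.php": "<?php\nfunction ex_helper() { return 1; }\n",
}

def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_manifest(files):
    # Assumed manifest shape: {"files": {"relative/path": {"sha256": "..."}}}
    return {"files": {p: {"sha256": sha256_of(c.encode())} for p, c in files.items()}}

def verify_plugin(plugin_dir, manifest):
    """Walk an installed plugin directory and report files whose hash differs
    from the manifest, files the manifest lists but are absent, and files
    present on disk that the manifest never mentioned (an injected dropper)."""
    root = Path(plugin_dir)
    expected = manifest["files"]
    found = {}
    for path in root.rglob("*"):
        if path.is_file():
            found[path.relative_to(root).as_posix()] = sha256_of(path.read_bytes())
    return {
        "modified": sorted(p for p in expected if p in found and found[p] != expected[p]["sha256"]),
        "missing": sorted(p for p in expected if p not in found),
        "unexpected": sorted(p for p in found if p not in expected),
    }

def demo():
    """Write the sample plugin to a temp dir, tamper with it the way the
    article describes (an extra file plus an edited plugin file), and verify."""
    manifest = build_manifest(SAMPLE_FILES)
    with tempfile.TemporaryDirectory() as tmp:
        for rel, content in SAMPLE_FILES.items():
            target = Path(tmp, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(content)
        # Constructed tampering: a file not in the manifest, and a changed file.
        Path(tmp, "initial.php").write_text("<?php // constructed stand-in, not the real dropper\n")
        Path(tmp, "inc/helpers.php").write_text("<?php\nfunction ex_helper() { return 2; }\n")
        return verify_plugin(tmp, manifest)

if __name__ == "__main__":
    print(demo())
```

Anything in "unexpected" or "modified" deserves a look before the plugin is trusted; an empty report only says the tree matches the manifest you fed it, so the manifest itself has to come from a source you trust.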
I highlight this in the discussion points for the podcast, and of course the company didn’t comment. I hope they’ve gotten this fixed.
I know we use official sources, and this is definitely something that happened. It isn't common for this to happen, but peruse the article so you know what's going on. Stay safe!
Which is why I only use WordPress plugins via WordPress itself.
I did, I think, in the past use an XML plugin to generate an XML file once, but that's a bit ago.
WordPress is not immune, so people just have to watch out, but yeah, when a dev gets hacked, well.
At the same time you don't want to keep everything on one source.
Often I use official and nonofficial sites for things.
It doesn't mean it's all bad, especially if you are testing betas etc.; that's one time when it's probably OK, but yeah, one hopes this stuff doesn't happen often.