WordPress.org

Welcome to the official blog for the PluginPlugin A plugin is a piece of software containing a group of functions that can be added to a WordPress website. They can extend functionality or add new features to your WordPress websites. WordPress plugins are written in the PHP programming language and integrate seamlessly with WordPress. These can be free in the WordPress.org Plugin Directory https://wordpress.org/plugins/ or can be cost-based plugin from a third-party Review Team.

The review team acts as gate-keepers and fresh eyes on newly submitted plugins, as well as reviewing any reported security or guideline violations.

Quick Links

As a follow-up on the Andrew Wilder (NerdPress) and Chloe Chamberland (WordFence) reports that uncovered a limited number of compromised plugins, the PluginPlugin A plugin is a piece of software containing a group of functions that can be added to a WordPress website. They can extend functionality or add new features to your WordPress websites. WordPress plugins are written in the PHP programming language and integrate seamlessly with WordPress. These can be free in the WordPress.org Plugin Directory https://wordpress.org/plugins/ or can be cost-based plugin from a third-party Review team would like to provide more details about the case.

We identified that some plugin authors were reusing passwords exposed in data breaches elsewhere. The compromised accounts were not the result of an exploit on WordPress.orgWordPress.org The community site where WordPress code is created and shared by the users. This is where you can download the source code for WordPress core, plugins and themes as well as the central location for community conversations and organization. https://wordpress.org/. Instead, the attackers used recycled passwords to add malicious code to a few plugins on the WordPress.org Plugin Directory.

First, out of an abundance of caution, additional plugin releases have been paused, and all new plugin commits temporarily need approval by the team. This way, we have the opportunity to confirm that the attackers cannot add malicious code to more plugins.

Update: Plugin releases are no longer paused. The SVNSVN Short for "SubVersioN", it's the code management system used to maintain the plugins hosted on WordPress.org. It's similar to git. repository works as usual.

We have begun to force reset passwords for all plugin authors, as well as other users whose information was found by security researchers in data breaches. This will affect some users’ ability to interact with WordPress.org or perform commits until their password is reset.

Information about password deactivations

You will receive an email from the Plugin Directory when it is time for you to reset your password. There is no need to take action before you’re notified.

Your password was deactivated if you are a plugin author or committer. If you have an existing open session on WordPress.org, you will be logged out and need to reset your password.

To reset your password and regain access to your account, follow these steps:

Go to login.wordpress.org
Click on the link “Lost password?”
Enter your WordPress.org username
Click the “Get new password” button
Open your email and click the link to set a new password

Once you have reset your password, we encourage you to enable 2FA for your accounts and follow the recently outlined best practices. If you encounter any issues, please contact forum-password-resets@wordpress.org. We will never ask you for your password via email.

Rene Hermenau 7:38 am on June 29, 2024

Howdy Francisco,
Some other users whose information was found by security researchers in data breaches.

Will you inform the “other” users if their passwords were actually found in a data breach? Hopefully, this will make them more sensitive to this issue. I am sure that I did not use a recycled password, but of course, I had to reset my account as well.

By the way, after my first login, I got the message that an email was sent to our WordPress account to reset the password, but it never arrived. I explicitly had to click on the password reset link below the login form and it immediately arrived. So looks like a bug.

Cheers
- Francisco Torres 1:37 pm on June 29, 2024
  
  Hi Rene thanks for your questions.
  
  Among that list of users found in data breaches there are false positives (users that are in the reports but whose credentials are safe) and false negatives (users whose credentials were taken but are not in those reports), that’s why we extended the reset of passwords to all pluginPlugin A plugin is a piece of software containing a group of functions that can be added to a WordPress website. They can extend functionality or add new features to your WordPress websites. WordPress plugins are written in the PHP programming language and integrate seamlessly with WordPress. These can be free in the WordPress.org Plugin Directory https://wordpress.org/plugins/ or can be cost-based plugin from a third-party authors and we are extending the same recommendations to all users. We would like to make everyone sensitive about this issue.
  
  You’re right that specifically reaching out to those individuals mentioning that their data has been found in data breaches will make them even more sensitive, but unfortunately as I’ve already mentioned that might be inaccurate for some users and there will be others that are missing. What we’ve done since the beginning of this issue is to individually notify those users that we’re certain have been compromised.
  
  About your second question, I’m aware that a colleague from the MetaMeta Meta is a term that refers to the inside workings of a group. For us, this is the team that works on internal WordPress sites like WordCamp Central and Make WordPress. team is looking at it right now, thanks for notifying.
NerdPress 3:26 pm on June 29, 2024
Thank you, Francisco! I’m sure that deciding to reset everyone’s passwords was not an easy call to make, but I think it was definitely the right move.

Deeply appreciate your and the entire Plugins team’s work on this (and everything else you do)! 😊🙏
- Andrew
- Francisco Torres 7:01 pm on June 30, 2024
  
  Thanks to you, and to the other members of the community who also spotted this issue and communicated with the PluginPlugin A plugin is a piece of software containing a group of functions that can be added to a WordPress website. They can extend functionality or add new features to your WordPress websites. WordPress plugins are written in the PHP programming language and integrate seamlessly with WordPress. These can be free in the WordPress.org Plugin Directory https://wordpress.org/plugins/ or can be cost-based plugin from a third-party Review Team. You were essential in helping the team reactReact React is a JavaScript library that makes it easy to reason about, construct, and maintain stateless and stateful user interfaces. https://reactjs.org/. to the incident as quickly as possible. So thank you!
Pascal Casier 11:26 am on June 30, 2024

@frantorres I’m using 2FA with my wordpress.orgWordPress.org The community site where WordPress code is created and shared by the users. This is where you can download the source code for WordPress core, plugins and themes as well as the central location for community conversations and organization. https://wordpress.org/ account since last year. I did not follow if it was in betaBeta A pre-release of software that is given out to a large group of users to trial under real conditions. Beta versions have gone through alpha testing in-house and are generally fairly close in look, feel and function to the final product; however, design changes often occur as part of the process. or fully deployedDeploy Launching code from a local development environment to the production web server, so that it's available to visitors., but for sure it’s doing its job. https://make.wordpress.org/meta/2023/09/26/set-up-two-factor-authentication-wordpress-org/
- Jeroen Rotty 4:12 pm on June 30, 2024
  
  Yeah same, was betaBeta A pre-release of software that is given out to a large group of users to trial under real conditions. Beta versions have gone through alpha testing in-house and are generally fairly close in look, feel and function to the final product; however, design changes often occur as part of the process. when I opted in, but this should be a must for all those users …
- Francisco Torres 6:46 pm on June 30, 2024
  
  I’m also using it since last year, no issues so far 😀
FARAZFRANK 8:15 am on July 1, 2024

All set. Thanks
leadsflow180 12:53 pm on July 9, 2024

For pluginPlugin A plugin is a piece of software containing a group of functions that can be added to a WordPress website. They can extend functionality or add new features to your WordPress websites. WordPress plugins are written in the PHP programming language and integrate seamlessly with WordPress. These can be free in the WordPress.org Plugin Directory https://wordpress.org/plugins/ or can be cost-based plugin from a third-party authors, remember to reset your passwords if you receive an email from WordPress.orgWordPress.org The community site where WordPress code is created and shared by the users. This is where you can download the source code for WordPress core, plugins and themes as well as the central location for community conversations and organization. https://wordpress.org/. Follow the steps provided to regain access and consider enabling two-factor authentication for added security!

Hope So Issue Will Resolve!

Communication

Password Reset Required for Plugin Authors

Information about password deactivations

Communication

Information about password deactivations

Share this: