Malicious Developer Actions at WordPress

As reported by Wordfence, a backdoor has been added to the Custom Content Type Manager plugin.

The backdoor was added by a malicious coder who gained access to the plugin code in the official WordPress plugin repository.

It’s unclear whether the plugin author’s credentials were stolen or whether the malicious actor was granted access. The WordPress security team removed the malicious user account that added the backdoor to the plugin. They have also removed all malicious code that was added to the plugin and updated the version number so that users running this plugin will be prompted to upgrade.

If you are using Custom Content Type Manager, you will need to take the following steps to remove any infection and install the updated non-backdoored version of the plugin.

  1. Update to version 0.9.8.9 of Custom Content Type Manager
  2. The malicious code in this plugin installed a backdoor in WordPress core files, so run a Wordfence scan on your site to check the integrity of your core files. The free version of Wordfence will do this. Make sure the option to compare your core files against the official WordPress versions is enabled. In the scan results, make sure that the following three files are not modified:
    • wp-login.php
    • wp-admin/user-edit.php
    • wp-admin/user-new.php
  3. If any of the above files are modified, you can use Wordfence to repair them.
  4. Change the passwords of all your users.
  5. Delete any user accounts you don’t recognize. Check admin accounts in particular.
  6. If a file called wp-options.php exists in your home directory, remove it.
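
A manual cross-check for steps 2 and 6, as an added example that is not part of the original post and not Wordfence's code: it compares the three core files against a pristine copy of the same WordPress release and looks for wp-options.php. It assumes the clean copy has been unpacked to a directory passed as `clean_root` and that "home directory" means the WordPress root; `check_site` and both path arguments are hypothetical names.

```python
import hashlib
import sys
from pathlib import Path

# The three core files the post says to verify (step 2).
CORE_FILES = ("wp-login.php", "wp-admin/user-edit.php", "wp-admin/user-new.php")
# The file the post says to remove if it exists (step 6).
DROPPED_FILE = "wp-options.php"


def sha256_of(path):
    """Hash a file in chunks so large files are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_site(site_root, clean_root):
    """Return (relative_path, status) findings; an empty list means nothing flagged.

    Assumption: clean_root holds an unmodified copy of the exact WordPress
    version the site runs, so any difference in these files is unexpected.
    """
    site, clean = Path(site_root), Path(clean_root)
    findings = []
    for rel in CORE_FILES:
        live, ref = site / rel, clean / rel
        if not ref.is_file():
            findings.append((rel, "no-reference"))  # cannot judge without a baseline
        elif not live.is_file():
            findings.append((rel, "missing"))
        elif sha256_of(live) != sha256_of(ref):
            findings.append((rel, "modified"))
    if (site / DROPPED_FILE).exists():
        findings.append((DROPPED_FILE, "present"))
    return findings


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: check_site.py <site_root> <clean_wordpress_root>")
    results = check_site(sys.argv[1], sys.argv[2])
    for rel, status in results:
        print(f"{status:>12}  {rel}")
    sys.exit(1 if results else 0)
```

A non-zero exit status means at least one file needs attention; a clean result here does not replace the password and user-account steps above.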