WordPress.org is forcing users to reset their passwords after several popular plugins were compromised by hackers.
“Earlier today the WordPress team noticed suspicious commits to several popular plugins containing cleverly disguised backdoors,” Automattic founder Matt Mullenweg said in a blog post. “We determined the commits were not from the authors, rolled them back, pushed updates to the plugins, and shut down access to the plugin repository while we looked for anything else unsavory.”
Mullenweg says that AddThis, WPtouch and W3 Total Cache were the plugins that were compromised in the attacks.
As a precautionary measure, WordPress.org is force-resetting all passwords on WordPress.org. This doesn’t affect WordPress-powered blogs, but does affect WordPress.org forums, trac and code commits to plugins or themes.