back to article WordPress captcha plugin on 300,000 sites had a sneaky backdoor

WordFence is warning that the WordPress Captcha plugin, popular enough to get around 300,000 installations, should be replaced with the latest official WordPress version (4.4.5). To help admins, WordFence worked with the WordPress plugin team to patch pre-4.4.5 versions of the software; the code's developer has been blocked …

COMMENTS

This topic is closed for new posts.
  1. This post has been deleted by a moderator

    1. This post has been deleted by a moderator

  2. Ken Moorhouse Silver badge

    The plugin's authors are rebranding...

    ...the new name will be Captcha Gotcha.

    1. Anonymous Coward
      Anonymous Coward

      Re: The plugin's authors are rebranding...

      More like Rectachya!

  3. This post has been deleted by a moderator

  4. g00se
    WTF?

    Checking

    Genuine question: who is responsible for checking that WP plugins contain no malware?

    1. Destroy All Monsters Silver badge
      Paris Hilton

      Re: Checking

      Turing?

  5. This post has been deleted by a moderator

  6. Anonymous Coward
    Anonymous Coward

    So, the "rebranding" excuse was BS...

    The Wordfence plugin notified me that "Captcha" had been withdrawn from the Wordpress repository a week or so back, which got my attention. However, the plugin page claimed that this was because the name they'd been using- "SimplyWordpress"- was against WP's rules (i.e. suggesting some nonexistent affiliation with Wordpress itself) and it would be back shortly, after they'd rebranded.

    As excuses go, this was rather too plausible, and not- it now appears- the real reason.

    1. This post has been deleted by a moderator

    2. PluginVulnerabilities

      Re: So, the "rebranding" excuse was BS...

      We had put out a post warning about the plugin due to the change of ownership and other security issues in the plugin on the day it was removed from the Plugin Directory, https://www.pluginvulnerabilities.com/2017/12/08/it-would-probably-be-a-good-idea-to-be-moving-off-of-the-captcha-wordpress-plugin/, which we had noticed before the plugin was removed. So it would be a good idea to look around if a plugin is removed or use a service that warns you if you are using plugins with known vulnerabilities.

      1. This post has been deleted by a moderator

    3. Alan Brown Silver badge

      Re: So, the "rebranding" excuse was BS...

      "As excuses go, this was rather too plausible, and not- it now appears- the real reason."

      And unlike you, most people who use the plugin don't read The Register.

  7. This post has been deleted by its author

  8. Anonymous Coward
    Anonymous Coward

    Just move on

    WordPress itself looks like a fairly well-written app. But behind the scenes contains a lot of spaghetti php code. But it's php, right? The plugin market is full of awful, horrible, broken code though. There are plugins whose enabling will bring a moderately busy site to its knees, or so bollox up the MySQL db that a nuke and pave is the only solution. Conflicts between plugins, or between plugins and even the stock official themes, are so common that its clear very few authors do very much testing. Automattic (WP's publisher) is up front about the fact that they don't vet plugins published by 3rd parties over on wordpress.org.

    The best advice to those on WP is to just move on. There are alternatives, although none singing the "so easy to install, easy to use, even techologically clueless man-children of all ages can do it" siren's song.

  9. jonfr

    Installed confirmed on my webstie, but disabled

    I had this plug-in installed on my websites (I guess most of them). I had some time ago disabled it due to how problematic it was. This was before it was compromised. I'll just go now and delete it.

  10. This post has been deleted by a moderator

  11. FlamingDeath Bronze badge

    httpd logs

    A quick glance at the logs should be a glaring indication that you should not be using a content management system that is so heavily targeted. I'm sure Wordpress take security very seriously and lots of the bad press they get is due to 3rd party plugins, but it still doesn't stop you, the user from having a massive target on your forehead.

    It is the simple reason why javascript gets blocked by default on a domain level granularity at the browser

  12. This post has been deleted by a moderator

    1. This post has been deleted by a moderator

  13. Anonymous Coward
    Anonymous Coward

    very interesting read! sounds as if they are making tons of dollar$$$

    Problem is in the UK they are far behind the rest of the world in understanding this type of crime. Something should really be done as if no example is set, more people will carry out this sort of stuff due to there being no repercussions. If they get away with it why shouldn't anyone else try it?

    An example should set, where does it stop if not?

This topic is closed for new posts.

Biting the hand that feeds IT © 1998–2019