This is a concerning development, as a malicious user somehow gained access to the plugin’s source code on the WordPress plugin repository and added the malware. They then bumped the plugin’s version number and anyone who installed the update was unwittingly infected by the backdoor exploit. Ouch.
Impressively, once WordPress were notified they swiftly removed the malware code, bumped the version number and pushed out the update to all users.
The lesson here is to choose your WordPress plugins carefully — try and use plugins with large numbers of existing users and regular updates. Prior to this malware being added, the Custom Content Type Manager plugin hadn’t been updated for almost a year. Whilst this doesn’t guarantee you safety, it something you should always factor in to your decisions when choosing plugins for your WordPress site.
WP NET Has Your Back
We have scanned all our servers and discovered only one user who uses this plugin.
Using the details provided by Sucuri we carefully scanned all our servers (just to be sure) for any of the known malicious files — none were found. We then checked the WP Admin Users on the one site that uses the plugin, but there had been no new users added. As an additional precaution we reset the WP Admin passwords for all users on that site. We also contacted the site owner directly.
We take security very seriously at WP NET and this is another example of the work we do to help protect our customers from these kinds of risks.
Out of interest, we conducted a search of .nz domains to find any reference to this issue — wondering if any other hosts might have published anything about it, or whether any sites in NZ might be discussing it — we found none.
In fact, what we did find was a number of sites that use the Custom Content Type Manager plugin whose wp-content directories were directly accessible in the browser, some even had AWStats data files accessible — both of which are serious security risks.
In this day and age, you cannot afford be complacent when it comes to web security — ensuring that your web developer and hosting company know what they’re doing and take all necessary security precautions is absolutely vital.