Be careful installing WordPress plugins
Today we detected that one of our customers had installed a WordPress plugin on his blog that did something malicious: when the plugin was activated, it sent a stranger an e-mail message allowing full administrator access to the blog.
How did this happen? Well, our customer simply searched the WordPress plugin directory for “Contact Form”, saw the popular “Contact Form 7” plugin listed, then clicked “Install Now”. That all sounds reasonable.
Unfortunately, what he installed wasn’t the real Contact Form 7 plugin. Instead, it was a malicious copy of that plugin that contains extra files designed to give attackers full access to a blog. The malicious copy ranks higher than the real copy in the search results. (Hopefully the link to the malicious copy will stop working soon; we’ve notified the WordPress folks about this.)
The lesson here is “be careful what you install”. The WordPress Plugin Directory is not guaranteed to be safe, and WordPress plugins are no different from any other scripts you put on your site. While we can’t suggest a way to guarantee that a plugin is safe, be wary of plugins that have been recently updated, or that don’t have large numbers of downloads. If you’re not confident about it, do a separate Internet search for the name of the plugin. You’ll find the real home page for it, and that page will have a link to the real plugin page you should use.
The WordPress Plugin Directory site could be improved to offer some protection against this problem, too. A few “off the top of our head” suggestions:
- The site should flag newly created plugins. Something on the page should indicate that the malicious “contact-form-73” plugin is only a few days old.
- The site should allow authors to prove they own a plugin. In this case, the malicious plugin says “Author: takayukister”, but that’s the author of the real plugin, who almost certainly didn’t upload this one. WordPress has that author’s e-mail address on file and should send a message to verify that he really uploaded it. Plugins from newly created authors should also be flagged.
- Two plugins with the same human-readable name should not be allowed in the directory.
- Newly created plugins with a small number of downloads should not appear in the results before long-established plugins with millions of downloads, because people choose the first thing they see with a reasonable name.
- The plugin directory needs a way for people to flag malicious plugins. I posted on the WordPress support forums and sent a message to the recommended firstname.lastname@example.org address more than three hours ago, but it’s still there, and dozens of people have downloaded it since then.
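As an added illustration (not code from the original post or from WordPress), here is a small triage script that applies the signals discussed above, plugin age, download count, duplicate display names and look-alike slugs, to a constructed set of search results. The record fields are assumed to mirror the WordPress.org plugin information API; the slugs and author name come from this post, while the dates and download counts are made up.

```python
from datetime import date

# Constructed sample records shaped like the fields the WordPress.org plugin
# information API returns (slug, name, author, added, downloaded). The slugs and
# author come from the post above; the dates and download counts are made up.
CANDIDATES = [
    {"slug": "contact-form-7", "name": "Contact Form 7", "author": "takayukister",
     "added": "2007-08-02", "downloaded": 50_000_000},
    {"slug": "contact-form-73", "name": "Contact Form 7", "author": "takayukister",
     "added": "2011-06-10", "downloaded": 120},
]

# Constructed reference date for the sample; a real run would use date.today().
TODAY = date(2011, 6, 14)


def risk_signals(plugin, candidates, today=TODAY, min_age_days=90, min_downloads=10_000):
    """Return the warnings that apply to one search result, judged against the others."""
    signals = []
    age_days = (today - date.fromisoformat(plugin["added"])).days
    if age_days < min_age_days:
        signals.append(f"new: added {age_days} days ago")
    if plugin["downloaded"] < min_downloads:
        signals.append(f"few downloads: {plugin['downloaded']}")
    for other in candidates:
        if other["slug"] == plugin["slug"] or other["downloaded"] <= plugin["downloaded"]:
            continue  # only compare against better-established entries
        if other["name"] == plugin["name"]:
            signals.append(f"same display name as established slug {other['slug']}")
        if plugin["slug"].startswith(other["slug"]):
            signals.append(f"slug looks derived from {other['slug']}")
    return signals


def rank_candidates(candidates, today=TODAY):
    """Order results so warning-free, widely used plugins come first; each entry carries its warnings."""
    scored = [(plugin, risk_signals(plugin, candidates, today)) for plugin in candidates]
    return sorted(scored, key=lambda entry: (len(entry[1]), -entry[0]["downloaded"]))


if __name__ == "__main__":
    for plugin, warnings in rank_candidates(CANDIDATES):
        status = "; ".join(warnings) or "no warnings"
        print(f"{plugin['slug']:<20} {plugin['downloaded']:>12,}  {status}")
```

With the sample data the look-alike entry collects four warnings and sorts last, while the established plugin comes first with none.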
Ultimately, though, it’s up to you to be careful about what you install. Be skeptical. Some people on the Internet really are out to get you.