This article brings a recent security alert, issued by Matt Mullenweg on June 21, 2011, to the attention of WordPress users who may be unaware of it. The alert involves the recommendation of a compulsory password reset for all users, particularly those who use the same password for two or more services. It follows the WordPress team's observation of suspicious commits, containing cleverly disguised backdoors, affecting some popular WordPress plugins.
The affected WordPress plugins that raised the security alert include AddThis, WPtouch and W3 Total Cache. Because the commits were suspected not to have come from the affected plugins’ authors, they were rolled back and updates were pushed, while access to their repository was shut down to allow a proper investigation. As a result of the ensuing investigation, the WordPress team decided to force-reset all passwords on WordPress.org. Users who intend to use the forums or trac, or to commit to a plugin or theme, will therefore have to reset their passwords to new ones.
In addition to the password reset, users of the AddThis, WPtouch and/or W3 Total Cache plugins should check the updates page to confirm that they have upgraded to the latest versions. The general advice is to reset your password occasionally and not to ignore updates whenever they are available.