While I was catching some much needed rest after WordCamp MSP, Joost de Valk did something cleaver. He setup a BlogPress SEO plugin on WordPress.org. The initial release consists of just a readme.txt and a php file with only the plugin comment header, no actual code. Since he set this release as 2.0, all users of the malicious 1.1 and 1.2 versions will receive “Plugin update is available” notices.
Note, while cleaver, this is not a permanent fix. There are some inherent problems we face when confronting those with malicious intentions. And then, there are other aspects to ponder.
The badguys (folks that wrote the original BlogPress SEO plugin), could start peddling a 2.1, 3.0, or even a 9999 version. While some users may have been saved, users who download the 2.1/3.0/9999 version of the plugin will not. This version progression will force Joost to release a new version on WordPress.org to keep ahead of the bad guys. This is what we call a version escalation war.
Truth be told, version escalation probably will not happen. The original plugin did not have its own update mechanism, which makes it difficult for there to be to much of a fight in this arena. Plus, with the limited userbase, and the fact that we can now track that userbase and it’s versions (thanks to the autoupdate mechanism in WordPress, more on that later).
Depending on how dedicated the BlogPress SEO folks are, they may give up in a version escalation war and rename the plugin. While they may abandon their initial user base, they don not really care about that. The point of malware is to infect computers/sites, not necessarily brand recognition. After looking at the code, the intents of the BlogPress SEO folks are obvious. And, their actions speak louder than their code, especially when looking at the big picture.
It is quite appalling that the BlogPress SEO people would email someone such as Joost requesting a review of software that would allow them to hijack his website. Sure sending it to someone such as myself is stupid, as I always look into the code before activating. But, attempting to hijack the website of a well known, and well respected person in the field of SEO is insane.
A SEO plugin may have been just a ploy to get people to install a backdoor. This may pop up again as some other plugin trying to get into a different, but equally popular field. So name changing does not just cover changing from BlogPress SEO to PlogBress SEO but also to PlogBress Social. As they jump from name to name and field to field, if the solution is to do what Joost did in every occasion, we will have hundreds of faux plugins in the repository to combat the bad apples out there.
Disable Update Checks
Yes, plugin authors can disable update checks in their code. Mark Jaquith covered this a while back, and a plugin exists to do this. Had the folks at BlogPress SEO used these methods, Joost’s efforts would not have worked. We can not assume other malicious individuals will forget this. Truth be told, this was not as ugly of a plugin as it could have been. What is does show is the author of it did not know WordPress very well, which is not much of a surprise.
Cleaning Up the Mess
Until a script is built to remove the options BlogPress SEO created in the wp_options table of affected users, there are three steps to perform to clean this mess up:
- Deactivate and delete the BlogPress SEO plugin
- Change the blog admin email address set in Settings > General (not necessary but you may want to do this)
- Manually delete anything BlogPress SEO installed in your wp_options table
As a final note, do not assume that every plugin in the WordPress.org repository is not malicious. While installing plugins that are not in the repository does come with increased risk, not every plugin out there is necessarily bad. However, regardless of a plugin’s source, do some research on a plugin before installing it. It will save everyone time and headaches.
Update: Looks like the BlogPress SEO folks are at it again, read the third post in this series.
[end of transmission, stay tuned]