WordPress is a hugely popular website platform. One of the things that makes it popular is the number of free plugins that can easily add advanced features and functionality to sites. One of those plugins was designed to act as a backdoor to the estimated 200,000 websites using it.
The plugin in question is called Display Widgets. Between June and September 2017, it was removed from the WordPress.org plugin repository and re-released several times. Here’s a timeline.
- Display Widgets was a legitimate, popular plugin and was sold to a new developer on June 21.
- The new owner released version 2.6.0 right away. It was reported within days that the plugin had started adding extra code and downloading a large file from an external server onto users’ sites.
- WordPress removed the plugin from its repository on June 23.
- Version 2.6.1 was released a week later and included a new file called geolocation.php. The plugin could again post content to the sites running it, but now it also hid that new spam content from logged-in users, making it harder to discover or remove.
- WordPress removed it from the repository again on July 1.
- Five days later, version 2.6.2 was released. This version included a switch to turn the behaviour off and stayed in the WordPress plugin repository for most of the month, until July 24, when it was reported to be spamming websites again.
- Version 2.6.3 was released over a month later, on September 2. This version still had the bad code in it and even fixed some bugs in geolocation.php, which led the Powers That Be at WordPress to determine that the developer was purposely publishing a malicious plugin.
- It was removed again on September 8.
- Version 2.7 was released on September 12, by WordPress’s plugin team, although it’s not available in the repository. An announcement states that version 2.7 is the same as version 2.0.5 and that it’s clean. It goes on to say “This plugin is done. It’s not supported, it’s not worked on, nothing. So if you have it, upgrade. Otherwise, find something else to use.”
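If you run WordPress sites, the practical question is whether any of them still carry one of the 2.6.x builds or the geolocation.php file the timeline describes. The script below is an added example written for this post; it is not code from the plugin or from WordPress. It assumes the standard layout of a WordPress.org plugin (a `display-widgets` directory under `wp-content/plugins` whose main file `display-widgets.php` carries the `Version:` header that WordPress itself reads), and the sample install it builds for the demonstration is a constructed fixture, not real plugin code.

```shell
#!/bin/sh
# Audit a wp-content/plugins directory for the malicious Display Widgets builds.
# Added example, not the plugin's own code. Assumes the standard WordPress.org
# slug/main-file layout: plugins/display-widgets/display-widgets.php.
#
# Usage: check_display_widgets /var/www/site/wp-content/plugins
# Prints one line: "<version> clean", "<version> malicious-version [geolocation.php-present]",
# or "not-installed".
check_display_widgets() {
    plugins_dir="$1"
    dir="$plugins_dir/display-widgets"
    main="$dir/display-widgets.php"
    if [ ! -f "$main" ]; then
        echo "not-installed"
        return 0
    fi
    # WordPress takes the plugin version from the "Version:" line of the header
    # comment; the line may be written as "Version: x" or " * Version: x".
    version=$(awk '/^[[:space:]*]*Version:/ {
                       sub(/^[[:space:]*]*Version:[[:space:]]*/, "")
                       sub(/[[:space:]]+$/, "")
                       print; exit }' "$main")
    if [ -z "$version" ]; then
        version="unknown"
    fi
    status="clean"
    case "$version" in
        # 2.6.0 through 2.6.3 are the builds published by the new owner;
        # 2.7 is the cleaned release from the WordPress plugin team.
        2.6|2.6.*) status="malicious-version" ;;
    esac
    # geolocation.php first appeared in 2.6.1 and carried the backdoor logic.
    # Check for it separately: a version bump does not prove the file is gone.
    if [ -f "$dir/geolocation.php" ]; then
        status="$status geolocation.php-present"
    fi
    echo "$version $status"
}

# Constructed sample install used only for demonstration (not real plugin code).
make_sample_install() {
    plugins_dir="$1"; version="$2"; with_geo="$3"
    mkdir -p "$plugins_dir/display-widgets"
    printf '<?php\n/*\nPlugin Name: Display Widgets\nVersion: %s\n*/\n' "$version" \
        > "$plugins_dir/display-widgets/display-widgets.php"
    if [ "$with_geo" = "yes" ]; then
        printf '<?php\n// placeholder standing in for the backdoor file\n' \
            > "$plugins_dir/display-widgets/geolocation.php"
    fi
}

# Demonstration on two constructed installs.
tmp=$(mktemp -d)
make_sample_install "$tmp/a" 2.6.1 yes
check_display_widgets "$tmp/a"   # prints: 2.6.1 malicious-version geolocation.php-present
make_sample_install "$tmp/b" 2.7 no
check_display_widgets "$tmp/b"   # prints: 2.7 clean
rm -rf "$tmp"
```

On a real host, point `check_display_widgets` at each site's `wp-content/plugins` directory (for example in a loop over `/var/www/*/wp-content/plugins`). Anything reported as a malicious version, or with geolocation.php present, should be updated to 2.7 or removed, and the site's posts reviewed for the hidden spam content since the plugin deliberately kept it out of sight of logged-in users.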