
Angry ex-employee blamed for hack of WordPress plugin developer, and email to customers warning of security hole

This weekend, users of the popular WordPress translation plugin WPML (also known as WordPress MultiLingual) received an email from a hacker claiming to expose serious security vulnerabilities in the software that allegedly put the customers’ own websites at risk.

In the mass email, sent from WPML’s own servers, the hacker claimed that two of his own websites had been breached due to “a bunch of ridiculous security holes” in WPML’s code. He went on to warn recipients that their own websites could be at risk.

I’m able to write this here because of the very same WPML flaws as this plugin is used on too.

Please take this with the warm recommendation of triple-enforcing your security on websites where you use WPML if you must use it. Make frequent backups and monitor your websites closely. Do not leave sensible information lying around in the database or on the server. Use only WPML components and features that you really need. Or ask for your money back.

In a statement on its website, WPML acknowledged that it had been hacked and that it believed the perpetrator to be a former employee.

However, the company disputed the hacker’s claim that there were security holes in the WPML WordPress plugin, and instead claimed that the attacker had accessed its infrastructure by using an old SSH password and backdoor that he had left for himself whilst he worked for the firm.

Even if that’s true, there’s still cause for some concern. After all, if a hacker was able to mass-mail up to 600,000 customers from WPML’s own systems, it’s easy to imagine how a more maliciously-minded attacker might use the same capabilities to send out a phishing campaign or malicious links designed to infect users’ computers.

Another nightmare scenario would be if the widely-used plugin’s code was tampered with by an attacker, potentially putting thousands of other websites at risk of exploitation. WPML says that it has verified its plugin’s code has not been compromised.

However, WPML does admit that the alleged ex-employee did manage to steal the names and email addresses of customers, send an unauthorised email on WPML’s behalf, deface WPML’s online store, and publish a bogus blog post containing the same content as the email.

The company says that in response to the attack it has rebuilt its website and ensured that access to administrator accounts is now controlled by two-factor authentication (2FA). Furthermore, WPML says that it has “minimized the access that the web server has to the file system.”
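The attack vector WPML describes (an old SSH password and a backdoor left behind by a former employee) and the remediation it lists are the kind of thing an offboarding audit should catch. The following is an added example, not code from WPML or from this article: it compares the keys found in authorized_keys files against an inventory of keys issued to current staff, and flags sshd_config directives that keep password or root logins open. All file contents, key strings and names below are constructed sample data.

```python
"""Offboarding audit for SSH access (hypothetical example, constructed data)."""
import re

# Constructed sample: authorized_keys contents per account, as a collector would gather them.
AUTHORIZED_KEYS = {
    "deploy": [
        "ssh-ed25519 AAAAC3NzEXAMPLEKEY1 alice@example.com",
        "ssh-rsa AAAAB3NzEXAMPLEKEY2 bob@example.com",
    ],
    # A service account should normally have no interactive SSH keys at all.
    "www-data": ["ssh-ed25519 AAAAC3NzEXAMPLEKEY3 ops@example.com"],
}
# Inventory of keys issued to people still employed (type + blob; the comment field
# is attacker-controlled, so it is never used for the decision).
ISSUED_KEYS = {"ssh-ed25519 AAAAC3NzEXAMPLEKEY1"}
SERVICE_ACCOUNTS = {"www-data"}

SSHD_CONFIG = """
Port 22
PasswordAuthentication yes   # should be 'no' once keys are the only credential
PermitRootLogin yes
PubkeyAuthentication yes
"""

def orphaned_keys(keys_by_user, issued_keys, service_accounts):
    """Return (account, key) for every key not in the inventory, plus any key on a service account."""
    findings = []
    for user, lines in keys_by_user.items():
        for line in lines:
            parts = line.split()
            if len(parts) < 2:            # malformed entry; nothing to match on
                continue
            key = f"{parts[0]} {parts[1]}"
            if key not in issued_keys or user in service_accounts:
                findings.append((user, key))
    return findings

def weak_sshd_settings(config_text):
    """Return directive names whose value leaves password or root login enabled."""
    wanted = {"passwordauthentication": "no", "permitrootlogin": "no",
              "challengeresponseauthentication": "no"}
    weak = []
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # strip trailing comments
        m = re.match(r"(\S+)\s+(\S+)", line)
        if m and m.group(1).lower() in wanted and m.group(2).lower() != wanted[m.group(1).lower()]:
            weak.append(m.group(1))
    return weak
```

In a real audit the collector side would read every user's authorized_keys (and any AuthorizedKeysFile paths) from each host; the inventory is the list of keys your access-management process actually issued.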

WPML further underlined in its advisory that no payment information had been compromised, and that the popular WordPress plugin does not contain a vulnerability. Customers have been advised to reset their passwords.

From the sound of things, WPML may have a pretty strong idea of the identity of its hacker. One would anticipate, therefore, that it will share that information with law enforcement so a proper investigation into the data breach can take place.

About the author


Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats.

Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.

1 Comment

I like the way that everything is hunky dory and then all of a sudden something bad happens, so within a very short time "The company says that in response to the attack it has rebuilt its website and ensured that access to administrator accounts is now controlled by two-factor authentication (2FA)" – why don't companies do threat and risk analysis and just do this anyway? A lesson for us all. Standing still never gets you anywhere!