The plugin's authors are rebranding...
...the new name will be Captcha Gotcha.
WordPress captcha plugin on 300,000 sites had a sneaky backdoor
WordFence is warning that the WordPress Captcha plugin, popular enough to get around 300,000 installations, should be replaced with the latest official WordPress version (4.4.5). To help admins, WordFence worked with the WordPress plugin team to patch pre-4.4.5 versions of the software; the code's developer has been blocked …
-
-
Wednesday 20th December 2017 11:37 GMT Anonymous Coward
So, the "rebranding" excuse was BS...
The Wordfence plugin notified me that "Captcha" had been withdrawn from the Wordpress repository a week or so back, which got my attention. However, the plugin page claimed that this was because the name they'd been using- "SimplyWordpress"- was against WP's rules (i.e. suggesting some nonexistent affiliation with Wordpress itself) and it would be back shortly, after they'd rebranded.
As excuses go, this was rather too plausible, and not- it now appears- the real reason.
-
Wednesday 20th December 2017 20:19 GMT PluginVulnerabilities
Re: So, the "rebranding" excuse was BS...
We had put out a post warning about the plugin due to the change of ownership and other security issues in the plugin on the day it was removed from the Plugin Directory, https://www.pluginvulnerabilities.com/2017/12/08/it-would-probably-be-a-good-idea-to-be-moving-off-of-the-captcha-wordpress-plugin/, which we had noticed before the plugin was removed. So it would be a good idea to look around if a plugin is removed or use a service that warns you if you are using plugins with known vulnerabilities.
-
-
This post has been deleted by its author
-
Wednesday 20th December 2017 14:02 GMT Anonymous Coward
Just move on
WordPress itself looks like a fairly well-written app. But behind the scenes contains a lot of spaghetti php code. But it's php, right? The plugin market is full of awful, horrible, broken code though. There are plugins whose enabling will bring a moderately busy site to its knees, or so bollox up the MySQL db that a nuke and pave is the only solution. Conflicts between plugins, or between plugins and even the stock official themes, are so common that its clear very few authors do very much testing. Automattic (WP's publisher) is up front about the fact that they don't vet plugins published by 3rd parties over on wordpress.org.
The best advice to those on WP is to just move on. There are alternatives, although none singing the "so easy to install, easy to use, even techologically clueless man-children of all ages can do it" siren's song.
-
Saturday 30th December 2017 12:21 GMT FlamingDeath
httpd logs
A quick glance at the logs should be a glaring indication that you should not be using a content management system that is so heavily targeted. I'm sure Wordpress take security very seriously and lots of the bad press they get is due to 3rd party plugins, but it still doesn't stop you, the user from having a massive target on your forehead.
It is the simple reason why javascript gets blocked by default on a domain level granularity at the browser
-
Thursday 22nd February 2018 00:59 GMT Anonymous Coward
very interesting read! sounds as if they are making tons of dollar$$$
Problem is in the UK they are far behind the rest of the world in understanding this type of crime. Something should really be done as if no example is set, more people will carry out this sort of stuff due to there being no repercussions. If they get away with it why shouldn't anyone else try it?
An example should set, where does it stop if not?
This topic is closed for new posts.
Biting the hand that feeds IT
