Only a couple of months after a server-level security breach at WordPress.com, WordPress.org has taken preventive measures to contain malicious activity on its own servers.
Whether this was truly a hack no one seems to know for sure yet, and forensic investigation takes time to sort out. WordPress nonetheless moved quickly to protect users as soon as the concern was raised.
From the official WordPress.org site: http://wordpress.org/news/2011/06/passwords-reset/
“The WordPress team noticed suspicious commits to several popular plugins (AddThis, WPtouch, and W3 Total Cache) containing cleverly disguised backdoors. We determined the commits were not from the authors, rolled them back, pushed updates to the plugins, and shut down access to the plugin repository while we looked for anything else unsavory.
We’re still investigating what happened, but as a prophylactic measure we’ve decided to force-reset all passwords on WordPress.org. To use the forums, trac, or commit to a plugin or theme, you’ll need to reset your password to a new one. (Same for bbPress.org and BuddyPress.org.)”
Assuming you have been using good password management and not reusing passwords, I feel there is little long-term danger from this, but it serves as a strong reminder of how proactive we must be online.
This incident does NOT affect your self-hosted blog installations UNLESS they share a password with your wp.org login OR you picked up a backdoored copy of one of the affected plugins.
If, in the last week, you have installed updates for WPtouch, AddThis or W3 Total Cache, check for a compromised copy and plan to replace it with a fresh copy direct from the repository (or via the plugin search in your dashboard) ASAP. Reinstalling removes the backdoored files but not anything the backdoor may already have done while it was active, so also review your site's administrator accounts and change the site's passwords.
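The practical way to tell whether the copy you are running is the one the repository now ships is to compare it file by file against a freshly downloaded copy of the same version. The script below is an added example written for this post, not code from the original article or from WordPress.org. It assumes you have already unpacked the clean zip for the same version string into a reference directory; the plugin name, file names and directory paths it builds in a temporary directory are constructed stand-ins, not a real plugin's files.

```python
"""Compare an installed WordPress plugin directory against a clean reference
copy of the same version and report edited, planted and missing files.

Added example for this post; not code from the original article or WordPress.org.
Assumes the reference copy was fetched from the official repository and
unpacked locally. All sample files below are constructed for the demo.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large assets are not loaded at once."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def file_hashes(root: Path) -> dict:
    """Map every regular file under root (path relative to root, POSIX form) to its hash."""
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare_plugin_trees(installed: Path, reference: Path) -> dict:
    """Report how the installed plugin differs from the clean reference copy.

    modified: same path in both, different contents (shipped code was edited)
    planted:  present only in the install (a file the release never shipped)
    missing:  present only in the reference (a shipped file was removed)
    """
    inst, ref = file_hashes(installed), file_hashes(reference)
    common = inst.keys() & ref.keys()
    return {
        "modified": sorted(f for f in common if inst[f] != ref[f]),
        "planted": sorted(inst.keys() - ref.keys()),
        "missing": sorted(ref.keys() - inst.keys()),
    }


def is_clean(report: dict) -> bool:
    """True when the install matches the reference byte for byte."""
    return not any(report.values())


def _write(root: Path, rel: str, text: str) -> None:
    target = root / rel
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_text(text)


def _sample_tree(root: Path) -> None:
    """Constructed stand-in for a tiny plugin (hypothetical names, not a real plugin)."""
    _write(root, "example-plugin.php", "<?php\n/* Plugin Name: Example */\n")
    _write(root, "includes/helper.php", "<?php\nfunction example_helper() { return 1; }\n")
    _write(root, "readme.txt", "=== Example ===\nStable tag: 1.0\n")


def demo(tampered: bool = True) -> dict:
    """Build a reference copy and an installed copy in a temp dir and compare them.

    With tampered=True the installed copy carries one edited file and one extra
    file, the two shapes a backdoored copy typically takes.
    """
    with tempfile.TemporaryDirectory() as tmp:
        ref = Path(tmp, "reference", "example-plugin")
        inst = Path(tmp, "installed", "example-plugin")
        _sample_tree(ref)
        _sample_tree(inst)
        if tampered:
            _write(inst, "includes/helper.php",
                   "<?php\nfunction example_helper() { return 1; }\n// appended code\n")
            _write(inst, "includes/cache-helper.php", "<?php\n// not shipped in the release\n")
        return compare_plugin_trees(inst, ref)


if __name__ == "__main__":
    for kind, files in demo().items():
        print(kind, files)
```

To use it for real, unpack the zip of the exact version you have installed into a reference directory and call compare_plugin_trees on wp-content/plugins/<slug> and that directory. A "modified" hit on a file can also come from a host or editor normalising line endings, so diff any flagged file before concluding it was tampered with; a "planted" PHP file that the release never shipped is the stronger signal. A clean report only tells you the files match today, not what a backdoored copy did while it was active.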
I think a question for many users is why we are seeing this spike in attempts to compromise the servers, and honestly that comes down to a numbers game. Leaders in the industry, which WordPress without a doubt is, will always come under fire because they make a high-profile target. The same goes for Windows and now Mac, which has been hit by quite a few infections of late.
There are risks associated with doing business, and many of them you can mitigate through good password management, seeking assistance with site security, choosing a good web host, installing a security plugin or two, keeping your site up to date, making frequent off-site backups, etc. All businesses face risks from catastrophes, some of which can be mitigated and some of which can't.
All you need to do in this particular case is follow the link above and change your password. While you're on the site, head over to http://wordpress.org/extend/plugins, search for your current plugins, check that they all support the current version of WordPress (or that you know they are stable regardless), and mark them as "working" with your current version. This little two-click process can save a lot of people a lot of pain from conflicting plugins.
Your Partner In Online Success
PS: This comes on the heels of a major security failure at Dropbox.com as well. A bug in an update to their authentication code meant that for several hours any password was accepted, so people could read, upload and tamper with anyone else's files. Dropbox is fantastic for team collaboration, but please understand it has KNOWN weaknesses in its security model and that is unlikely to ever change.