
Posts

Showing posts with the label Plugin Spam

Backdoor Found in WordPress Plugin

For the past two and a half months, a WordPress plugin named Display Widgets has been used to install a backdoor on WordPress sites across the Internet. The backdoor code was found between Display Widgets version 2.6.1 (released June 30) and version 2.6.3 (released September 2). The WordPress.org team has intervened and removed the plugin from the official WordPress Plugins repository. At the time it was removed, the plugin was installed on more than 200,000 sites, although we cannot be sure how many of these were updated to a version that included the malicious behavior. More surprising is that WordPress.org staff members had removed the plugin three times before for similar violations. A history of events is compiled below, put together with data aggregated from three different investigations by David Law, White Fir Design, and Wordfence. Plugin sold to new developer in May The original Display Widgets is a plugin that allowed WordPress site owners to control which...

Widgets Plugin Includes Malicious Code to Publish Spam on WP Sites.

the person behind the Display Widgets plugin spam and spam from other plugins. If you have a plugin called “Display Widgets” on your WordPress website, remove it immediately. The last three releases of the plugin have contained code that allows the author to publish any content on your site. It is a backdoor. The authors of this plugin have been using the backdoor to publish spam content to sites running their plugin. During the past three months the plugin has been removed from and readmitted to the WordPress.org plugin repository a total of four times. The plugin is used by approximately 200,000 WordPress websites, according to the WordPress repository. (See below) Wordfence warns you if you are using a plugin that has been removed from the repository. During the past months you would have been warned several times that this plugin had been removed, with a ‘critical’ level warning that looks like this: It turns out that this plugin did have “unknown secu...