Wordfence Backdoor Warning

Yes, I wish WordPress would make a public statement on it. Nothing but crickets so far…

From Wordfence…

What We’ve Done So Far

As of this writing, we’ve created three firewall rules in total to protect our users’ sites from the backdoor installation. Premium customers received the first two rules on December 8th and the third one on the 14th. These rules also protect against the backdoor itself executing in Captcha as well as in the five other plugins available for download on simplywordpress.net. Free users will receive these rules 30 days from the original publish date via the community version of the Threat Defense Feed.

We have also been working with the WordPress.org plugins team to get out a patched version of Captcha (4.4.5) that is backdoor-free. The plugins team has used the automatic update to upgrade all backdoored versions (4.3.6 – 4.4.4) up to the new 4.4.5 version. Over the course of the weekend over 100,000 sites running versions 4.3.6 – 4.4.4 were upgraded to 4.4.5. They have also blocked the author from publishing updates to the plugin without their review.

Our Recommendations

We recommend that you uninstall the Captcha plugin immediately from your site. Based on the public data we’ve gathered, this developer does not have user safety in mind and is very likely a criminal actor attempting yet another supply chain attack. You should also ensure that you’ve enabled automatic updates within WordPress – that’s still one of the best ways to keep your site secure before disclosures like this take place. We also recommend using the Premium version of Wordfence, to proactively defend your site against threats like this one.

—

The most viable alternative seems: ‘Really Simple CAPTCHA‘ (By Takayuki Miyoshi, creator of ‘Contact Form 7’ and compatible with it)

Greetings!