Three WordPress Plugins Backdoored In Supply Chain Attack

In the last two weeks, the WordPress.org repository has closed three plugins because they contained content-injection backdoors.

“Closing” a plugin means that it is no longer available for download from the repository, and will not show up in WordPress.org search results. Each of them had been purchased in the previous six months as part of the same supply chain attack, with the goal of injecting SEO spam into the sites running the plugins.

Duplicate Page and Post

URL: https://wordpress.org/plugins/duplicate-page-and-post/
Active Installs: 50,000+
Current Owner: pluginsforwp (joined WordPress.org July 10, 2017)
Sold Date: August 2017
Removed from WordPress.org date: December 14, 2017

No Follow All External Links

URL: https://wordpress.org/plugins/nofollow-all-external-links/
Active Installs: 9,000+
Current Owner: gearpressstudio (joined WordPress.org March 17, 2017)
Sold Date: April 2017
Removed from WordPress.org date: December 19, 2017

WP No External Links

URL: https://wordpress.org/plugins/wp-noexternallinks/
Active Installs: 30,000+
Current Owner: steamerdevelopment (joined WordPress.org June 29, 2017)
Sold Date: July 12, 2017
Removed from WordPress.org date: December 22, 2017 (we’re assuming this based on the date of the last update note, from a member of the WordPress.org plugins team)

If you have any of these plugins running on your site, we recommend that you remove them immediately and that you make sure that SEO spam hasn’t been injected into your site.