If you’re contributing to the WordPress community you may have noticed that, even though it’s a great place to share your knowledge and learn from others, it’s also a place where script kiddies and posers try to steal accounts in order to gain access to the plugin repository.
This is a serious issue because it can indirectly affect a lot of users. Imagine for a moment that someone got access to your repository and pushed some changes: every user who has installed your plugin receives an update notification, and after updating they can’t get into their blogs anymore and all their user data has been stolen. Now you get it, right?
So, what can you do to stop these thieves? I’ll give you some hints, but first I’ll show you what a phishing message looks like:
From: WordPress.org <firstname.lastname@example.org>
Subject: [WordPress.org Plugins] Urgent: Your Plugin Has Been Removed
Dear WordPress Plugin Developer,
Unfortunately, a plugin you are hosting has been temporarily removed from the WordPress repository. We are going to manually review your plugin because it has been reported for violating our Terms of Service. If your plugin does not get approved then it will be permanently removed from the WordPress repository.
You can check if your plugin has been approved or rejected at
Notice that the sender address is not an official one: all official WordPress email addresses use the @wordpress.org or @wordpress.com domain. Then they mask the link to the fake website so that the visible text looks like an official WordPress address, but the link actually takes you to http://wordpresss.horizon-host.com/bb-login.php (note the extra “s” in “wordpresss” and the unrelated horizon-host.com domain), which loads a page that looks like the real one:
You just need to type in your username and password and you’re done: they’ve got your login information. If you did get caught by this attack, change your password immediately! Use this link (this is the real one) http://wordpress.org/support/ , and to be safe type the address into your browser yourself rather than clicking anything in the email. Once you’re logged in, go to your profile and change your password; if you reuse that password anywhere else, change it there too.
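The two checks described above (is the sender really on @wordpress.org / @wordpress.com, and does each link’s visible text match where its href really goes) can be automated. The script below is an added example for this post, not something the WordPress.org team ships: it parses a raw email, extracts the sender domain and every anchor in the HTML body, and flags anything that is not on an official domain or whose displayed URL disagrees with its target. The sample messages, the sender address wordpress.plugins.team@gmail.com and the recipient are constructed for the example (the real sender was a Gmail address, but the post doesn’t reproduce it); the phishing URL is the one from the post.

```python
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Only these domains (and their subdomains) are treated as official senders/links.
OFFICIAL_DOMAINS = ("wordpress.org", "wordpress.com")

# Constructed sample resembling the phishing message; the Gmail sender is made up,
# the href is the look-alike URL from the post, the link text mimics the real site.
PHISHING_EML = b"""From: WordPress.org <wordpress.plugins.team@gmail.com>
To: dev@example.net
Subject: [WordPress.org Plugins] Urgent: Your Plugin Has Been Removed
Content-Type: text/html; charset=utf-8

<p>You can check if your plugin has been approved or rejected at
<a href="http://wordpresss.horizon-host.com/bb-login.php">http://wordpress.org/support/</a></p>
"""

# Constructed benign sample: official sender, link text and target agree.
LEGIT_EML = b"""From: WordPress.org <plugins@wordpress.org>
To: dev@example.net
Subject: [WordPress.org Plugins] Review completed
Content-Type: text/html; charset=utf-8

<p>Your plugin page: <a href="https://wordpress.org/plugins/">https://wordpress.org/plugins/</a></p>
"""


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased hostname of a URL; bare 'host/path' text is accepted too."""
    url = url.strip()
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def is_official(host):
    # Exact match or subdomain; 'wordpress.org.evil.com' and 'wordpresss.*' fail.
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)


def analyze(raw):
    """Return the sender address plus a list of findings for one raw message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    _, addr = parseaddr(str(msg["From"]))
    sender_domain = addr.rpartition("@")[2].lower()
    findings = []
    if not is_official(sender_domain):
        findings.append(f"sender domain {sender_domain!r} is not an official WordPress domain")

    body = msg.get_body(preferencelist=("html", "plain"))
    collector = LinkCollector()
    collector.feed(body.get_content() if body is not None else "")
    for href, text in collector.links:
        target = host_of(href)
        if not is_official(target):
            findings.append(f"link points at non-official host {target!r}")
        # Only compare hosts when the visible text itself looks like a URL/hostname.
        shown = host_of(text) if ("." in text and " " not in text) else ""
        if shown and shown != target:
            findings.append(f"link text shows {shown!r} but href goes to {target!r}")
    return {"sender": addr, "findings": findings, "suspicious": bool(findings)}


if __name__ == "__main__":
    for name, raw in (("phishing", PHISHING_EML), ("legit", LEGIT_EML)):
        report = analyze(raw)
        print(name, "->", "SUSPICIOUS" if report["suspicious"] else "ok")
        for f in report["findings"]:
            print("  -", f)
```

Run it on a saved .eml file by replacing the constructed bytes with the file’s contents. The host comparison deliberately treats only exact matches and subdomains of the official domains as safe, so both the three-“s” look-alike and a domain such as wordpress.org.evil.com are reported.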
Now, some things you can do:
- Report the email address for the phishing attempt: in this case it’s a Gmail address, so what I did was use Gmail’s “Report Phishing” option; you can also check this page http://support.google.com/mail/bin/request.py?&contact_type=abuse
- Find out who’s behind the attack and report them: I used whois to find out who was behind the main domain; I found out that horizon-host was registered through GoDaddy Inc, then I used their form for reporting abuse, explained why I was reporting the domain and also sent a copy of the phishing message.
- CHANGE YOUR PASSWORD: I know I already said so, but seriously, it’s mandatory.
- Spread the word: read “[WordPress.org Plugins] Urgent: Your Plugin Has Been Removed [PHISHING]” and “[sticky] [closed] WARNING: PHISHING ATTEMPT”