When a WordPress Plugin Goes Bad

Found on Sucuri on Saturday, 05 March 2016

Custom Content Type Manager (CCTM) is a relatively popular plugin with three years of development, 10,000+ active installs, and a satisfaction rating of 4.8. It helps create custom post types: website owners who find the classical “blog format” too restrictive use the plugin to add custom elements to their posts.

All we know is that the plugin had not been updated for ten months before the malicious update. Perhaps its developer lost interest in it and accepted an offer from wooranker. On the other hand, taking into account the malicious plugin update and the fact that fireproofsocks was inactive for nearly a year, we can suspect that wooranker could have hacked into the fireproofsocks account and added themselves as a new owner.

WordPress is used by millions of people who do not really understand how things work, and who tend to install every plugin some random blog post suggests. In the end, dozens of plugins live in the shadows, and in almost every case the webmaster does not bother to keep an eye on them, even though they are third-party code that updates itself in place. This mix makes WordPress one of the worst choices for websites.
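The practical lesson of the CCTM case is that a plugin update can silently replace third-party code on your server, so the files under wp-content/plugins deserve the same integrity monitoring as anything else you deploy. The script below is an added example, not code from the original post or from Sucuri or the CCTM project. It lists the installed plugins by reading the standard WordPress plugin header (`Plugin Name:` / `Version:` in the main PHP file), takes a SHA-256 baseline of every plugin file, and on a later run reports which files were added, removed or changed. The `example-plugin` directory, its file names and contents are constructed for the demo; on a real site you would point `snapshot()` at the actual plugins directory and store the baseline somewhere the web server cannot write.

```python
"""Baseline and re-check the files of WordPress plugins.

Added example, not code from the original post or from the CCTM plugin.
Assumes the standard wp-content/plugins layout: one subdirectory per
plugin, whose main .php file carries a 'Plugin Name:' header comment.
"""
import hashlib
import json
import os
import re
import tempfile

# WordPress plugin headers look like "Plugin Name: Foo" or " * Version: 1.2",
# usually inside a leading /* ... */ comment block of the main plugin file.
HEADER_RE = re.compile(r"^\s*\*?\s*(Plugin Name|Version):\s*(.+?)\s*$", re.M)


def plugin_headers(plugin_dir):
    """Return {slug: {'Plugin Name': ..., 'Version': ...}} for every plugin
    directory whose top-level .php file declares a Plugin Name header."""
    found = {}
    for slug in sorted(os.listdir(plugin_dir)):
        path = os.path.join(plugin_dir, slug)
        if not os.path.isdir(path):
            continue
        for name in sorted(os.listdir(path)):
            if not name.endswith(".php"):
                continue
            with open(os.path.join(path, name), encoding="utf-8", errors="replace") as fh:
                head = fh.read(8192)  # WordPress itself only reads the first 8 KiB
            fields = dict(HEADER_RE.findall(head))
            if "Plugin Name" in fields:
                found[slug] = {"Plugin Name": fields["Plugin Name"],
                               "Version": fields.get("Version", "")}
                break
    return found


def snapshot(plugin_dir):
    """Map every file under plugin_dir (slash-separated relative path) to its SHA-256."""
    digests = {}
    for root, _dirs, files in os.walk(plugin_dir):
        for name in files:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, plugin_dir).replace(os.sep, "/")
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            digests[rel] = h.hexdigest()
    return digests


def diff_snapshots(baseline, current):
    """Return (added, removed, changed) relative paths between two snapshots."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return added, removed, changed


def demo():
    """Constructed scenario: baseline one plugin, then simulate an update that
    alters an existing file and drops in a new one. Returns the report."""
    with tempfile.TemporaryDirectory() as plugins:
        plug = os.path.join(plugins, "example-plugin")  # constructed plugin
        os.makedirs(os.path.join(plug, "includes"))
        with open(os.path.join(plug, "example-plugin.php"), "w", encoding="utf-8") as fh:
            fh.write("<?php\n/*\nPlugin Name: Example Plugin\nVersion: 1.0.0\n*/\n")
        with open(os.path.join(plug, "includes", "helper.php"), "w", encoding="utf-8") as fh:
            fh.write("<?php\nfunction helper() { return 1; }\n")

        installed = plugin_headers(plugins)
        baseline = snapshot(plugins)

        # Simulated update: one existing file modified, one new file appears.
        with open(os.path.join(plug, "includes", "helper.php"), "a", encoding="utf-8") as fh:
            fh.write("// changed by the update\n")
        with open(os.path.join(plug, "new-file.php"), "w", encoding="utf-8") as fh:
            fh.write("<?php\n// file that was not in the baseline\n")

        added, removed, changed = diff_snapshots(baseline, snapshot(plugins))
    return {"plugins": installed, "added": added, "removed": removed, "changed": changed}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run once after installing or updating plugins to record the baseline, and again from cron; any entry in `added` or `changed` that does not correspond to an update you performed yourself is a file to read before the next request hits it. The check does not tell you whether a legitimate update is malicious, which is exactly the CCTM problem, so pair it with a habit of reading the changelog and the diff of every plugin update before it goes live.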