WordPress Plugin CCTM Compromised

A WordPress plugin called Custom Content Type Manager has been revealed to contain a backdoor which its owner was using to access core files and steal user credentials. The plugin has been installed on over 10,000 sites in the three years it has been available, offering services for creating custom post types.

However, in the past month the plugin abruptly changed owner and released a new version, after having had no updates for the previous ten months. This new version was riddled with problematic changes, including an auto-update.php file which could download files from the new owner’s server onto the infiltrated website, and a CCTM_Communicator.php file which alerted the owner’s server whenever a new site became compromised.

The plugin gathered information on the infected site, recorded encrypted usernames and passwords, and sent the data to the core server, giving the owner full access as administrator to any of the infiltrated websites.

Those who have installed this plugin are advised to remove it immediately, restore the WordPress core files to the standard version, and then either do without CCTM or reinstall the last confirmed stable version (0.9.8.6). Even if you installed the plugin some time ago and never updated it yourself, it may have been automatically updated to this malicious version.
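One way for a site owner to check a WordPress install for the signs described above. This is an added example, not code from the article or from the plugin: it assumes the plugin directory slug `custom-content-type-manager` and a standard WordPress `Version:` plugin header, and the version number used in the constructed sample tree is made up, not the real malicious release number.

```python
"""Audit a CCTM plugin directory for the indicators named in the report.

Added example; assumptions: plugin slug, standard WordPress plugin header.
"""
import os
import re
import tempfile

# File names the report attributes to the malicious release
INDICATOR_FILES = ("auto-update.php", "CCTM_Communicator.php")
# Last confirmed stable version per the report
LAST_GOOD_VERSION = "0.9.8.6"
# Matches the "Version: x.y.z" line of a WordPress plugin header
VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*([0-9][0-9.]*)", re.MULTILINE)


def parse_version(text):
    """Turn '0.9.8.6' into a comparable tuple of ints."""
    return tuple(int(p) for p in text.strip(".").split("."))


def find_plugin_version(plugin_dir):
    """Return the Version: header found in any top-level .php file, or None."""
    for name in sorted(os.listdir(plugin_dir)):
        if not name.endswith(".php"):
            continue
        path = os.path.join(plugin_dir, name)
        with open(path, encoding="utf-8", errors="replace") as fh:
            match = VERSION_RE.search(fh.read(4096))  # header sits at the top
        if match:
            return match.group(1)
    return None


def audit_cctm(plugin_dir):
    """Report indicator files and whether the version is past the last good one."""
    found = []
    for root, _dirs, files in os.walk(plugin_dir):
        for fname in files:
            if fname in INDICATOR_FILES:
                found.append(os.path.relpath(os.path.join(root, fname), plugin_dir))
    version = find_plugin_version(plugin_dir)
    newer = version is not None and parse_version(version) > parse_version(LAST_GOOD_VERSION)
    return {
        "indicator_files": sorted(found),
        "version": version,
        "newer_than_last_good": newer,
        "suspicious": bool(found) or newer,
    }


def _write_plugin(base, version, extra_files=()):
    """Helper: build a constructed plugin tree with the given header version."""
    os.makedirs(base)
    with open(os.path.join(base, "index.php"), "w", encoding="utf-8") as fh:
        fh.write("<?php\n/*\nPlugin Name: Custom Content Type Manager\n"
                 "Version: %s\n*/\n" % version)
    for name in extra_files:
        open(os.path.join(base, name), "w").close()


def demo():
    """Audit a constructed bad copy and a constructed clean copy; return both results."""
    with tempfile.TemporaryDirectory() as tmp:
        bad_dir = os.path.join(tmp, "bad", "wp-content", "plugins", "custom-content-type-manager")
        # "0.9.8.7" is a constructed value, chosen only to be above LAST_GOOD_VERSION
        _write_plugin(bad_dir, "0.9.8.7", INDICATOR_FILES)
        good_dir = os.path.join(tmp, "good", "wp-content", "plugins", "custom-content-type-manager")
        _write_plugin(good_dir, LAST_GOOD_VERSION)
        return audit_cctm(bad_dir), audit_cctm(good_dir)


if __name__ == "__main__":
    bad, good = demo()
    print("constructed bad copy :", bad)
    print("constructed good copy:", good)
    # To check a real install: audit_cctm("/var/www/html/wp-content/plugins/custom-content-type-manager")
```

A hit on either indicator file, or a version above 0.9.8.6, is reason to remove the plugin and restore core files as the report advises; a clean result only shows these particular indicators are absent.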

Optimal Password Security

Creating a strong password is essential for basic website security, whether it is for your email, your bank, or your website’s account. This security step is one of the simplest ones to take toward optimal protection against hackers and viruses. Don’t put it off! Use this list of tips for strong passwords to double-check that your password can stand up to a password-cracking program.

  • Your main strategy should be to create a unique combination of words, numbers, symbols, and upper-case and lower-case letters. This may sound unappealing at first because it will be harder for you to remember, but it is worth it for how much harder it makes a cracking program’s job.
  • Stay far away from obvious passwords such as “password,” “admin,” or “user.”
  • Never use your username as part of your password.
  • Adjacent keyboard combinations may seem creative (“qwerty” or “asdf”), but they are used almost as commonly as “password” and are just as simple to crack.
  • Avoid using details that you assume are confidential, like a birth date, phone number, Social Security number, or anniversary.
  • Ideally, stay away from words found in the dictionary. Password-cracking tools usually come with word lists that run through thousands of words and known passwords. If you do use a dictionary word, be sure to add a number, symbol, punctuation, and/or capitalized letters.
  • Try using a string of words, such as part of the refrain from your favorite song, the title of a book, or a phrase/idiom you find amusing. It will be easier to remember as well as harder to guess. The longer the password, the better.
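The tips above translate directly into checks a site can run before accepting a new password. The following is an added example, not code from the article: the common-password list, dictionary words and passphrase word list are small constructed samples standing in for the much larger lists a real cracking tool or deployment would use, and the 12-character minimum is an assumed policy value.

```python
"""Password checks that mirror the tips in the list above (added example)."""
import re
import secrets
import string

# Constructed sample lists; a real deployment would use full breach and dictionary lists
COMMON_PASSWORDS = {"password", "admin", "user", "123456", "letmein"}
DICTIONARY_WORDS = {"dragon", "monkey", "sunshine", "welcome"}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")
MIN_LENGTH = 12  # assumed policy value


def has_keyboard_run(pw, n=4):
    """True if pw contains n adjacent keys from one keyboard row, in either direction."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - n + 1):
            seg = row[i:i + n]
            if seg in low or seg[::-1] in low:
                return True
    return False


def check_password(pw, username=None, personal=()):
    """Return a list of problem codes; an empty list means every tip is satisfied.

    personal: strings such as a birth date or phone number that must not appear.
    """
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("too_short")
    classes = sum(bool(re.search(p, pw)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if classes < 3:
        problems.append("few_character_classes")
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("common_password")
    if username and username.lower() in pw.lower():
        problems.append("contains_username")
    if any(item and item in pw for item in personal):
        problems.append("contains_personal_detail")
    if has_keyboard_run(pw):
        problems.append("keyboard_sequence")
    # A dictionary word decorated only at the ends ("Dragon1!") is still a dictionary word
    core = pw.lower().strip(string.digits + string.punctuation)
    if core in DICTIONARY_WORDS:
        problems.append("dictionary_word")
    return problems


def generate_passphrase(words, count=4, sep="-"):
    """Build a string-of-words passphrase from a word list using a CSPRNG."""
    return sep.join(secrets.choice(words) for _ in range(count))


if __name__ == "__main__":
    for sample in ("password", "qwerty123", "Dragon1!", "Correct-Horse-Battery-Staple-42"):
        print("%-35s %s" % (sample, check_password(sample, username="bob") or "ok"))
    print(generate_passphrase(["copper", "lantern", "orbit", "meadow", "violet", "granite"]))
```

The checks are ordered so that the cheapest (length, character classes) run first; the returned codes can be mapped to user-facing messages by the caller.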

After looking over these tips, understandably your first reaction might be that once you find a strong password, you will immediately forget it, and then what use will it be? Here are a few useful tools that help with just that problem.

KeePass is an open-source, free, lightweight application for storing usernames, passwords, and other information you might need to remember. Everything is kept in an encrypted file, which is protected by a master password or a key file, so you only have to remember one password in order to access all of them. The database is stored on the local file system. The program is primarily designed for Microsoft Windows, but can support other systems through an add-on.

Keychain is a password management system developed by Apple. It is synced via iCloud for iOS and OS X. Also free and open-source, it can store passwords, FTP servers, SSH accounts, network shares, wireless networks, groupware applications, private keys, certificates, and secure notes. Additionally, the service can help you generate unique passwords.

Password Vault Manager offers storage for passwords, credit card information, bank accounts, and other sensitive information. It is a paid product, but offers a free 30-day trial. It uses AES encryption to protect all of your stored information.

LastPass, as well as storing your passwords and sensitive information, offers automatic sign-ins for all of your online accounts from any location or device. You are the only person in possession of the master password, preventing even LastPass from accessing your information. It offers several different levels of security and features so that you can decide if your needs merit a free account, premium, or enterprise level.