Last week WPML, the biggest multilingual plugin provider for WordPress, had their website hacked, resulting in their entire customer base receiving the following potentially malicious email:
It just goes to show that even one of the largest players in the WordPress ecosystem is vulnerable to having their website hacked.
This time it wasn’t caused by outdated plugins, themes or WordPress core, but rather by a lapse in internal security and in the processes for staff leaving the company.
WPML allege that an ex-employee installed a backdoor on the main website and, at some point after leaving the company, used this backdoor to send the misleading email to customer email addresses. The incident is summed up in the following tweet.
We're very sorry to report that our WEBSITE got hacked. Looks like an ex-employee backdoor. There is NO exploit in the WPML plugin, we double-checked. Payment information was NOT compromised as we don't store this information. We strongly advise changing your WPML account password.
— WPML (@wpml) January 20, 2019
Having your website hacked is bad enough, but having it compromised by an ex-employee who managed to get access to customer data is pretty devastating.
Although the company claims that the WPML plugin itself was not tampered with, the hack will surely plant seeds of doubt for existing users, and even more so for those considering which multilingual plugin to install on future WordPress sites.
WPML mention in their tweet that they strongly advise customers to change their WPML account password; however, I think they should have changed them all as a mandatory precaution.
Users can easily obtain a new password through WordPress’ forgotten password link.
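One way to turn that advice into an enforced reset on a WordPress site, as an added example that is not WPML's code and was not part of the original post: a must-use plugin that logs every user out everywhere and refuses password logins until the account has gone through the normal lost-password flow. The plugin name, the `epr_` function prefix, the user-meta key and the incident marker are assumptions made for this example; the hooks and classes used are standard WordPress core APIs.

```php
<?php
/**
 * Plugin Name: Emergency Password Reset (example mu-plugin)
 * Description: Added example, not WPML's code. Logs everyone out and forces each
 * account through the lost-password flow before it can log in again.
 *
 * Drop this file into wp-content/mu-plugins/. To start a new enforcement round
 * after another incident, change EPR_INCIDENT_ID to a fresh value.
 */

defined( 'ABSPATH' ) || exit;

// Hypothetical incident marker (constructed for the example): a user whose
// stored meta value does not match it has not reset since the incident.
define( 'EPR_INCIDENT_ID', '2019-01-20-ex-employee-backdoor' );
// Hypothetical user-meta key recording which incident a user has reset for.
define( 'EPR_META_KEY', 'epr_reset_done_for' );

/**
 * One-off containment step: invalidate every login session for every user,
 * including any session the attacker may still hold. Run once, for example:
 *   wp eval 'epr_destroy_all_sessions();'
 */
function epr_destroy_all_sessions() {
    WP_Session_Tokens::destroy_all_for_all_users();
}

/**
 * Refuse password logins for accounts that have not reset since the incident.
 * The wp_authenticate_user filter runs before the password is checked, so the
 * response is the same whether or not the old password was right, and the only
 * way back in is the lost-password email, which also proves mailbox control.
 * This applies to administrators too; they recover through the same flow.
 */
function epr_require_reset( $user, $password ) {
    if ( is_wp_error( $user ) ) {
        return $user;
    }
    if ( get_user_meta( $user->ID, EPR_META_KEY, true ) === EPR_INCIDENT_ID ) {
        return $user; // already reset since the incident
    }
    return new WP_Error(
        'epr_reset_required',
        sprintf(
            /* translators: %s: lost password URL */
            __( 'For security reasons all passwords have been reset. Please <a href="%s">choose a new password</a>.' ),
            esc_url( wp_lostpassword_url() )
        )
    );
}
add_filter( 'wp_authenticate_user', 'epr_require_reset', 99, 2 );

/**
 * When a user completes the lost-password flow, record it so the account can
 * log in again and clear any session that might still be open for it.
 */
function epr_mark_reset( $user ) {
    update_user_meta( $user->ID, EPR_META_KEY, EPR_INCIDENT_ID );
    WP_Session_Tokens::get_instance( $user->ID )->destroy_all();
}
add_action( 'after_password_reset', 'epr_mark_reset', 10, 1 );
```

Because the check is keyed on the incident marker rather than on a boolean flag, the same plugin can be reused for a later incident by changing the constant; every account is then locked out again until it has been reset a second time.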
Want to make sure your website is up-to-date and secure?
Have a look at our WordPress Site Care packages.