I’ve written a new plugin for WordPress called Paul’s Latest Posts. This sidebar widget pulls your latest posts and displays them with an excerpt. I’ve just gotten confirmation from WordPress Plugins that it’s been approved for hosting on the official WordPress Plugins page. It’s not showing yet, but when it is I’ll provide the link and you can tell me what you think.
Over the last few days I’ve been noticing quite a few hits on my blog for various, non-existant pages. Each of these hits takes the form of:
bkpwp_plugin_path=URL of a text file on an another website
Checking the URL in the page request returns a text file containing PHP code that attempts to launch a remote shell.
The first part of the page request is a reference to a plugin for WordPress called BackUpWordPress This plugin automatically backs up your WordPress database and files. According to Security Focus, the plugin does not properly check user provided input, thereby allowing remote users to possibly access your hosting providers server.
At this point in time there is no update available to resolve this issue. If you’re using this plugin, then until a fix is made available, the safest option is to deactivate and remove the plugin.
Update: Since I wrote this piece, the BackUpWordPress plugin has been updated to fix this issue. Kudos to the developer for releasing a fix so quickly. More details in this comment.