On May 27, Jetpack for WordPress announced that they were…
Less than three days since we reported about Jetpack’s gaping security hole, today we have learned about another WordPress plugin, WP Mobile Detector, that is being actively exploited. And unlike Jetpack, the developer appears to be MIA and the plugin has been removed from the WordPress plugin repository.
According to Sucuri’s Douglas Santos:
The vulnerability is very easy to exploit, all the attacker needs to do is send a request to resize.php or timthumb.php (yes, timthumb, in this case it just includes resize.php), inside the plugin directory with the backdoor URL. This vulnerability was publicly disclosed May 31st, but according to our firewall logs, the attack has been going since May 27th. The good news is that all our customers have been protected via the Sucuri Firewall virtual hardening engine.
Responsive Web Design
One of my first impressions when I read this was a little disbelief that there are so many active WordPress installs that are still using the 5+ year old technology for mobile detection. The absolute best way to handle mobile devices is by using responsive layouts. If you were looking for some motivation to do so, well here it is.
How to Completely Delete WP Mobile Detector
The obvious course of action would be to completely remove this plugin from your website. Here is how you can do that right now:
- In your WordPress Dashboard, go to the Plugins page.
- In your list of active (or inactive) plugins, look for WP Mobile Detector.
- If it is currently active, click Deactivate then go over to the Inactive list, look for the plugin and click Delete. Follow the prompts to completely remove from your website.
- If it is currently inactive, then go over to the Inactive list, look for the plugin and click Delete. Follow the prompts to completely remove from your website.
UPDATE June 3: It appears the plugin has been patched and WordPress has allowed pubic access to it again. If you must use this plugin, you can download it from here or update it from the Plugins page in your WordPress Dashboard.
Feel free to contact us with any questions or you can request a quote to convert your site to responsive layout, which will remove the necessity to use a mobile detection plugin. You can also call us at +63 44 769 4023 or Skype us at dcgws_internet_solutions.