Disgruntled ex-employee defaced WPML website and sent out mass warning email to users

WPML, a popular WordPress language and translation plugin, has rebuilt its web server and improved the security of its site after a disgruntled former employee caused chaos over the weekend.

On Saturday (January 19), users of the plugin received an alarming “warning” email from noreply@wpml.org, an official email account associated with the technology.

The email was purportedly written by an unhappy user, who said they had downloaded the plugin “only to get myself into a whole lot of troubles [sic]”.

The multitude of spelling mistakes and grammatical errors within the email immediately raised suspicions about its authenticity.

For those still paying attention, the message went on to detail various allegations against the security of the WPML plugin.

“WPML came with a bunch of security holes which, despite my efforts to keep everything up to date, allowed the most important two of my websites to be hacked,” the email read.

“WPML exposed sensitive information to someone with very little coding skills, but merely with access to the WPML code and some interest in seeing how easy is [sic] to break it.”

In addition to the warning email, the WPML website was defaced to include the same message, as shown in an archived version of the site from Saturday.

‘Complete fabrication’

Developed by OnTheGoSystems of Hong Kong, WPML is a popular, paid-for plugin that allows web admins to translate their web content into different languages and provide multilingual support. The technology has racked up more than 600,000 installs worldwide.

After being alerted to the email and site defacement, the plugin developers were quick to debunk the messages as “complete fabrication”, attributing them to the work of a disgruntled former worker.

“We’re very sorry to report that our website got hacked,” WPML said yesterday. “Looks like an ex-employee backdoor.

“There is NO exploit in the WPML plugin – we double checked. Payment information was NOT compromised as we don’t store this information. We strongly advise changing your WPML account password.”

According to an additional update from the company this morning, WPML had finished rebuilding its server from scratch, resetting all passwords, and “locking down everything”.

“This email was sent from an intruder who got into our site and used our mailer,” the company said. “Obviously, that message was not sent from us. If you received such an email, please delete it. Following links in hacked emails can cause additional problems.”

“Our data shows that the hacker used inside information (an old SSH password) and a hole that he left for himself while he was our employee.”

WPML said it would be taking legal action against those involved.

The Daily Swig has reached out to the developers for additional comment. We’ll update this story as and when more information comes to hand.
