Since this morning I have been waiting for the moment when I could share with you information about the "interesting" event that happened yesterday, 28 March 2021. Only in the evening did I find a moment to sit down and write, but fortunately the topic is short, so I won't be up all night, and it is worth mentioning, so I won't let it go 🙂 What happened yesterday?

A leading PHP developer has reported two unauthorised changes that were nevertheless approved into the php-src git repository. Both changes are backdoors that enable an effective attack on PHP-based sites, an attack that can even result in a server takeover.

The backdoors planted in the repository allow server-side commands to be executed, so an attacker can create and delete files and steal data stored on the server and its sites. In short, they open up enormous opportunities to wreak havoc on a large scale.

What is PHP

PHP is one of the most popular languages for creating web applications, including the most popular CMS systems such as WordPress. Like WordPress, PHP is an open-source project, which means that the source code is available to everyone, and any interested programmer who is accepted into the group contributing to the language can work on its development.

How it was compromised

Until now, the group of PHP developers had been working on a git server they hosted themselves. Apparently someone hacked into it and was thereby able to let in and approve seemingly minor changes, such as a supposed typo fix that was actually a backdoor.

The hacker described the modifications in such a way that other programmers would think that the accounts of two of PHP's most respected contributors were behind them: Nikita Popov and Rasmus Lerdorf. Both have vehemently denied, as has the entire group, that their accounts were used in the attack. They claim that someone simply hacked into the git infrastructure and did what they did by allowing malicious code into the PHP repository.

A note was found in the comments inside the files, which was also meant to put the spotlight on Zerodium, the company from which the data was allegedly leaked, which ultimately resulted in the hack: "REMOVETHIS: sold to Zerodium, mid 2017". Chaouki Bekrar, CEO of Zerodium, quickly released a statement denying any involvement in the incident.

PHP Group has announced that they will be abandoning their own git and moving to GitHub. They will also require two-factor authentication on all accounts to combat breaches that can lead to unauthorised approvals like yesterday's.

Will this have negative consequences for sites running on WordPress?

What you have read above may scare you, right? Fortunately, the whole action was detected immediately, which means that your PHP websites as well as you and your clients do not have to worry about anything.

Nikita Popov said in a statement that:

The changes related to the development branch of PHP 8.1, which is due to be released at the end of the year.

Simply put, the malicious code has not been uploaded to the production version of PHP, so you can rest assured that it will not reach your server. Besides, in most cases WordPress is running on PHP version 7.4 and older anyway due to the fact that version 8 is not yet supported by some WordPress themes and plugins.


Why have I chosen to mention this event, despite the fact that it did not actually threaten any of your sites? First of all, to make you aware of the variety of threats. It's not just a possible vulnerability in WordPress, a plugin or a theme, it's also server-side tool bugs that you don't really have control over until they are discovered and patched.

In the title I wrote, as Wordfence did, about the compromise of PHP. In a way, that's how it can be described, but let's not exaggerate. Let's not make a big fuss about it, because unfortunately we often tend to heap criticism on someone who makes a mistake, as if we had never made one ourselves. Who among us is free from mistakes? No one is, so let's spare the PHP developers, who are doing a great job for us, any heat.

Fortunately, within hours the malicious code was detected and removed, which speaks well of the people responsible for the development of the language.

Mistakes happen everywhere and can surprise us when we least expect them, so be aware of them and try to protect your property properly. You will not protect it 100%, because no such safeguards exist, but you can do a lot in this area. I invite you to read the text How to secure WordPress, where you will find all the basic things you should and must do.

