I just discovered that the Custom Content Type Manager plugin has an apparent “back door”, meaning it is a gaping security vulnerability. As a result, I have deleted the plugin and all supporting files. I will check to see if the “back door” was utilized (early signs indicate no, but now I’ll have to check the entire server to make sure).

Over the years of running UCalgaryBlogs, I’ve added many plugins in response to requests from people using it to publish websites. That’s great – but this is the risk of adding and using non-core WordPress functionality. Every plugin that’s added exposes the server to a little more risk. One of my summer projects is to go through the server and give it some love. Hopefully, I’ll be able to hire a student to set UCalgaryBlogs up so that it’s safe and reliable for another decade…

Update: It looks like the back door was not used, as the signature files are not anywhere on the UCalgaryBlogs server. That’s not confirmation that the back door wasn’t used and then cleaned up afterward. I’m going to have to treat the entire server as vulnerable until I can prove otherwise.