WordPress Servers Hacked At Root Level
Source code exposed, putting passwords for WordPress.com-hosted blogs at risk of being cracked.
"Automattic had a low-level (root) break-in to several of our servers, and potentially anything on those servers could have been revealed," said Matt Mullenweg, the founding developer of WordPress, on the official WordPress blog.
More Security Insights
- The Untapped Potential of Mobile Apps for Commercial Customers
- Get Actionable Insight with Security Intelligence for Mainframe Environments
- The 451 Group Impact Report: Skybox Enters Vulnerability Management Space
- Securing and Controlling Data in the Cloud
Confidential information relating to the WordPress code base was likely stolen. "We presume our source code was exposed and copied," he said. "While much of our code is open source, there are sensitive bits of our and our partners' code. Beyond that, however, it appears information disclosed was limited."
The breached servers also contain hosted WordPress sites, but these are distinct from the WordPress software itself, which anyone can download and install on their own site. "It's worth pointing out that the security incident only potentially affects blogs posted on WordPress.com, not sites which have decided to self-host their own WordPress blog using the software from WordPress.org," said Graham Cluley, senior technology consultant at Sophos, in a blog post.
Automattic has been working to clean up the breach and block similar attacks in the future. According to Mullenweg, "we have been diligently reviewing logs and records about the break-in to determine the extent of the information exposed, and re-securing avenues used to gain access."
Fortunately, there's no evidence that attackers stole WordPress.com users' passwords. Even if they did, however, Automattic stores all passwords in hashed and salted format, using phpass, which would make them quite difficult to crack.
Cluley lauded WordPress for disclosing the breach in a clear and forthright manner. "To its credit, Automattic ... didn't mince its words or try to apply any spin to the incident," he said.
Nevertheless, he and Mullenweg alike recommend that everyone with a blog on WordPress.com immediately change their password.
"We don't know that the WordPress.com security breach gave the hackers access to bloggers' passwords, but we do know that many Internet users have chosen to use the same password on multiple websites," said Cluley. "If your password was stolen from one website, it could then be used to unlock many other online accounts--and potentially cause a bigger problem for you. So always use unique passwords."
In this Tech Center report, we explain why DB2 users need to focus on security, and how to meet essential vulnerability assessment and remediation, monitoring, and audit requirements using tools in the IBM portfolio. Download it now. (Free registration required.)