WordPress Hack Exposes Proprietary Source Code

Thursday, April 14, 2011



Automattic, the company that maintains WordPress, has revealed that the popular publishing platform was the victim of a successful hacking operation.

Few details are available on the nature and extent of the breach, but officials indicated the attack was conducted at the root level, and there is evidence that proprietary source code was likely stolen.

The company states that it believes no usernames or passwords were compromised in the incident, but it is nonetheless advising WordPress users to change their login credentials.

Automattic issued the following alert Wednesday:

Tough note to communicate today: Automattic had a low-level (root) break-in to several of our servers, and potentially anything on those servers could have been revealed.

We have been diligently reviewing logs and records about the break-in to determine the extent of the information exposed, and re-securing avenues used to gain access. We presume our source code was exposed and copied. While much of our code is Open Source, there are sensitive bits of our and our partners’ code. Beyond that, however, it appears information disclosed was limited.

Based on what we’ve found, we don’t have any specific suggestions for our users beyond reiterating these security fundamentals:

  • Use a strong password, meaning something random with numbers and punctuation.
  • Use different passwords for different sites.
  • If you have used the same password on different sites, switch it to something more secure.

(Tools like 1Password, LastPass, and KeePass make it easy to keep track of different unique logins.)

Our investigation into this matter is ongoing and will take time to complete. As I said above, we’ve taken comprehensive steps to prevent an incident like this from occurring again. If you have any questions or concerns, please leave a comment below or contact our support.

WordPress is one of the most successful online publishing platforms in the marketplace, serving about eighteen million publishers, which account for nearly twelve percent of all websites.

Aside from the possibility that WordPress user account login credentials may have been breached, there are also concerns about Twitter and Facebook passwords and API keys stored on the platform.
