Automattic, the company that maintains WordPress, has revealed that the popular publishing platform was the victim of a successful hacking operation.
Few details are available on the nature and extent of the breach, but officials indicated the attack was conducted at the root level, and there is evidence that proprietary source code was likely stolen.
The company states that it believes that no usernames and passwords were compromised in the incident, but nonetheless is advising WordPress users to change their login credential.
Automattic issued the following alert Wednesday:
Tough note to communicate today: Automattic had a low-level (root) break-in to several of our servers, and potentially anything on those servers could have been revealed.
We have been diligently reviewing logs and records about the break-in to determine the extent of the information exposed, and re-securing avenues used to gain access. We presume our source code was exposed and copied. While much of our code is Open Source, there are sensitive bits of our and our partners’ code. Beyond that, however, it appears information disclosed was limited.
Based on what we’ve found, we don’t have any specific suggestions for our users beyond reiterating these security fundamentals:
- Use a strong password, meaning something random with numbers and punctuation.
- Use different passwords for different sites.
- If you have used the same password on different sites, switch it to something more secure.
Our investigation into this matter is ongoing and will take time to complete. As I said above, we’ve taken comprehensive steps to prevent an incident like this from occurring again. If you have any questions or concerns, please leave a comment below or contact our support.
WordPress is one of the most successful online publishing platforms in the marketplace, serving about eighteen million publishers which account for nearly twelve percent of all websites.
Aside from the possibility that WordPress user account login credentials may have been breached, there are also concerns about Twitter and Facebook passwords and API keys stored on the platform.