On 4/13/11, WordPress announced it suffered a root-level hack of their servers and that “anything on those servers could have been revealed.”
Nothing is said about WHEN the hack occurred. From experience, I can tell you that you generally don’t announce a security incident until you’ve investigated it thoroughly, and that can take at least a day, sometimes more, depending on whether you have experts in-house or can get them in a hurry.
This attack directly affects only blogs or accounts hosted by WordPress (in other words, your blog URL ends with “wordpress.com”. If you host your own WordPress blog, you are indirectly affected. How? Since WordPress source code may have been compromised, attackers may be combing through it to find vulnerabilities that will allow them to attack any blog running WordPress, regardless of where it’s hosted.
If you have a blog or account that is hosted at wordpress.com, at least do the following immediately:
- Change your WordPress password. Include some uppercase letters, numbers, and punctuation. To change your password from your
blog, go your Dashboard, then Users (see icon at right), then Personal Settings. The password settings are at the bottom of the page. - If you link Twitter and Facebook to your blog, change those passwords as well. Use different passwords on each site.
- Backup your blog as described here.
- Keep a close eye your blog, Twitter, and Facebook sites.
Read the official announcement here.
The most interesting tidbits are found in the Comments that follow the announcement, made by Matt (the founding developer of WordPress), which I quote below. My responses follow some of the quotes in italics.
WordPress passwords are hashed and salted using phpass.
We don’t have evidence of passwords being taken, and even if they had they’d be difficult to crack. However it’s never a bad idea to update your password, especially if you used the same password in two places.
Even if the passwords are hashed or salted, you have to assume in a root-level compromise that the attackers got the encryption keys and anything else they might need to break the passwords. Remember, any password can be cracked, given enough time. The attackers have all the time in the world. Consider all passwords compromised.
This potentially affects several of Automattic’s services. Based on the information we have we don’t think user information was accessed, but it’s certainly possible, and so wanted to remind people of security best practices.
And you can bet WordPress has reminded itself of security best practices. Although hacks are usually preventable, not every hack is. But most companies don’t do enough. Most likely, it was a preventable attack, but that’s only my opinion based on my experience with many small and huge companies and all the research out there.
We have no reason to believe any personal info like phone numbers were revealed, and definitely not anything like credit card numbers.
That doesn’t match his earlier statement, “anything on those servers could have been revealed”. WordPress is trying to assure its users with the above statement and covering its butt with the “anything” statement. You can’t have it both ways, but that’s how it’s often spun, and here’s why: during an investigation, you can gain some comfort that certain things weren’t touched, but the lawyers (and good security folks who’ve been around) know better. Legally, you have to hang it all out.
I’m sorry, you should expect better from us and we’re trying our best to live up to those expectations.
Apologies are big with me. I always like to see them. Seldom do companies say it, and while this apology isn’t funny, some can be very effective with humor as noted in System Down + Humor – Calls = :)
Now go change your passwords and do a quick backup.
ITauditSecurity 