Hackers launched a root-level break-in on several WordPress.com servers and gained access to some "sensitive bits" of source code and related information.
An intruder broke into
WordPress.com and gained access to multiple servers and the source code that
powers blogs for its VIP customers, including CNN, CBS, Flickr and TED. This
attack follows a distributed-denial-of-service attack that knocked WP offline
The "low-level" break-in on
several WordPress.com servers gave the attacker the highest level of access to
all of the information stored on the systems, Matt Mullenweg, founder of
Automattic, wrote on the WordPress.com
on April 13. The root-level attack may have the biggest
impact on the VIP customers because the source code for VIP customers was
Most of the code that powers
the WordPress blogging platform is open source. However, there are "sensitive
bits of our and our partners' code," on WordPress.com that may have been
exposed and copied, Mullenweg said.
"Tough note to communicate
today," Mullenweg wrote.
Mullenweg did not say which
of the VIP sites were affected, but said, "The information disclosed was
is a VIP customer and the site reported that VIP customers "are all on -code
red'" as the company investigates the incident. Automattic is currently in the
process of changing all the passwords and API keys that were in the source
It seemed unlikely that
personally identifiable user information was exposed, but Automattic has yet to
complete its investigation. However, TechCrunch noted that as the site source
code includes API keys and passwords for Twitter and Facebook, the attacker can
potentially gain access to sensitive information and shut WordPress.com
customers out of their social-networking sites.
The company is reviewing its
data logs to determine the extent of the breach and what was stolen and
patching security holes to "prevent an incident like this from occurring
"Our investigation into this
matter is ongoing and will take time to complete," Mullenweg wrote.
When remediating these
incidents, it's critical that system administrators perform a full security
audit, Josh Shaul, CTO of Application Security, told eWEEK. If the
administrator is just closing the specific hole that the attackers used, it's
possible the attackers "just got locked inside with you," Shaul said. There is
no way to know whether or not the attacker created other backdoor mechanisms or
discovered other vulnerabilities during the time it was in the network. If the
administrator does not perform a full security audit, even if the actual attack
path had been closed off, the malfeasants have the inside knowledge to get back
in, Shaul said.
Mullenweg suggested that
WordPress customers make sure they are using strong passwords, and that they
aren't reusing them across multiple sites. He also suggested using password
managers like LastPass or KeePass to make it easier to track complicated
Attackers also broke into
WordPress in 2009 by exploiting a security vulnerability to create new "hidden"
administrator accounts. The site was also hit by an "extremely large"
distributed-denial-of-service attack on March 3, making it near impossible to
access blogs hosted on the platform for about two hours.
WordPress users hosting the
software on their own servers are not affected by this breach.