Security Incident

Tough note to communicate today: Automattic had a low-level (root) break-in to several of our servers, and potentially anything on those servers could have been revealed.

We have been diligently reviewing logs and records about the break-in to determine the extent of the information exposed, and re-securing avenues used to gain access. We presume our source code was exposed and copied. While much of our code is Open Source, there are sensitive bits of our and our partners’ code. Beyond that, however, it appears information disclosed was limited.

Based on what we’ve found, we don’t have any specific suggestions for our users beyond reiterating these security fundamentals:

  • Use a strong password, meaning something random with numbers and punctuation.
  • Use different passwords for different sites.
  • If you have used the same password on different sites, switch it to something more secure.

(Tools like 1Password, LastPass, and KeePass make it easy to keep track of different unique logins.)

Our investigation into this matter is ongoing and will take time to complete. As I said above, we’ve taken comprehensive steps to prevent an incident like this from occurring again. If you have any questions or concerns, please leave a comment below or contact our support.


  1. Andrew Rowley

    Thanks for the update team. Crap happens, but you’re always keeping us up to date. Much appreciated. Hopefully no one was exposed too badly.

  2. Sara

    Thank you for being transparent!

  3. aafke

    Thanks for the info. All the best!

  4. Andrew

    Thanks for all your hard work, guys!

  5. Pingback: details a “low-level” security breach - TNW Media

  6. Zen

    Thank you sir. :)

  7. biodork

    Thanks for keeping us in the loop.

  8. anenglishmaninoostende

    Thank you for your prompt and honest post.

  9. mrpatrickblog

    Yikes… Glad you guys are up front about it though. Much appreciated.

  10. P Banks

    Thanks for keeping us informed, much appreciated!! Such a shame that some people feel it necessary to break into a site as great as :-(

  11. Eric

    Thanks for being on this problem as quickly, WP IT team!

  12. twinklestar25

    My advice is to change your password once in a while. In school we do this to prevent security issues.

  13. missionsinmind

    Honesty and transparency are rare. Thank you for being upfront and so quick to let us know!

  14. sweetkari

    Thanks for the info. :)

  15. George

    Honesty is the best policy.

  16. Pranab

    This is what I find so great about It takes a lot of guts to admit a fault which may have otherwise been overlooked by the community. Thanks for the honesty and transparency.

  17. valzone

    Thank you, your advice is heeded.

  18. glebkhol

    My condolences.
    Were you storing passwords in plain-text or hashed?!

  19. Alycia Nichols

    Thank you for letting us know! Sorry it happened. Stupid hackers!

  20. nelson RN

    Thanks for telling us!

  21. juststart

    So should we be concerned about our password being taken? This post alludes to that but doesn’t confirm.

    • Matt

      We don’t have evidence of passwords being taken, and even if they had they’d be difficult to crack. However it’s never a bad idea to update your password, especially if you used the same password in two places.

  22. Stephen

    Thanks. These things happen when you are the coolest kid on the block.

    Will roll out a new password sooner than the normal 30 days to be safe(r).

    Cheers, Stephen

  23. kimkircher

    Hopefully nothing too sensitive was breached. Thanks for keeping us in the loop.

  24. Will Cookson

    It’s great that you have told us as soon as you knew. It makes it far easier to trust you.

  25. shuttlehall

    Security breaches are a fact of life in today’s world. Honesty is the best policy for those that you serve. Eternal vigilance is the price of freedom.
    Those things that don’t kill us make us stronger… I guess that’s enough proverbs for the day. Thanks for informing us.

  26. E.C.

    Thanks for watching out for us. :)

  27. arierahayu

    Thanks for informing us, Matt. :D

  28. Pingback: One More Reason To Love Wordpress | Scepticemia

  29. nonprofitbrandingblog

    I trust you folks and your wonderful product. Knowing that you will stay on task and keep me informed, I find no reason to be seriously concerned.

  30. Nimelloth

    The fact that you informed us really makes you trustworthy, thank you very much.

  31. Michael

    Thanks for your hard work in keeping this site secure! Passwords should be complex, long, and changed every so often!

  32. Dzulqarnain

    Thanks for notifying us.

  33. The Teenage Taste

    Thanks for keeping us informed!

  34. Sharon

    Gyuh. Thanks for the heads up.

  35. genericthrowawayaccount

    So can you elaborate on what services were affected and whether any user data was likely to have been exposed? Are you reiterating those security fundamentals because users have some reason to be concerned, or just because?

    • Matt

      This potentially affects several of Automattic’s services. Based on the information we have we don’t think user information was accessed, but it’s certainly possible, and so wanted to remind people of security best practices.

  36. Pingback: Servers Broken Into

  37. Veronica/Mentale Godtepose

    Another thank you for the info. I haven’t really changed my password for a long while anyway, so I changed today. Can’t hurt. :)

  38. IslandEAT

    I really appreciate your letting us know, Matt and WP.

  39. floridapast

    What a thing for a brand new user (as of last evening) to hear. Not very promising, but at least the whistle blew. Good for you!

  40. West Annex News

    Wow, it’s been nothing but bad news from you guys lately. I’m disappointed that these attacks continually get the better of you.

    I’m not sure what drugs the rest of the commenters are on (or perhaps you just screen comments so only the perkiest, most upbeat get published, in which case, I worry about you guys even more) but I am distressed by the continual service interruptions and security breaches.

    • Matt

      I’m sorry, you should expect better from us and we’re trying our best to live up to those expectations.

  41. Mary

    Thanks for letting us know!

  42. YourNaturalHealthcarePlan

    Thank you for the warning, it’s greatly appreciated!

  43. Pingback: Suffers Security Breach | Arik Hesseldahl | NewEnterprise | AllThingsD

  44. David (1MereMortal)

    I appreciate the heads up.

  45. Pingback: WordPress Servers Hit in Security Breach | NexGen SEM

  46. dogs12

    Thank you for the 411. I know that your organization does everything it can to ensure that this won’t happen again. The world is full of individuals whose skills and knowledge in this area pose a constant challenge for you.

    I feel safe with, and I couldn’t be happier with the service.

  47. Richard Allen

    Eh at this point, I expect all of my data to be all over the internet. Not even government networks are safe anymore. I say if you put your data on any site, expect that it will probably at one time or another get stolen. I don’t blame WordPress at all, mind you. I am sure they did everything they could to avoid such an occurrence, but things happen. At least they let us know about it.

  48. ALIVEalways

    :@ tough break! I guess I’ll have to change my password. 8)

  49. the rufus

    Thanks for informing us. It shows that is very interesting.

  50. Steve Revill

    Thanks for the heads up. Keep the communication open, honest and timely, and you’ll stand head and shoulders above the rest of the recent victims. Good to know that my password is hashed and salted [?!], but this is a useful prompt to change it anyway.

  51. Josthy

    Thank you for the info!!!

  52. Hunter

    Appreciate the timely information, and your transparency.

  53. Sandy Collum Sandmeyer

    I appreciate your honesty in revealing this breach.

  54. metaglossia

    Thanks for letting us know. We trust WordPress.

  55. pltprincess

    The timely and honest update, as well as the security suggestions are much appreciated.

  56. Rob Haster

    Thanks for the information and good luck in your investigation. What a strange world we’re in. Keep up the good work!

  57. squeezedwords

    Glad there is someone willing to do the hard work at WordPress, so I can do easy stuff like blogging.

  58. Silicon Base

    Thanks for being open, I appreciate it. Gives a new meaning to kicking the bucket :)

  59. PiedType

    Thanks for the heads up, Matt. It’s only natural that when you’re Number One, everyone will be gunning for you. Consider it a compliment. :)

  60. Ray Joseph Cormier

    Thanks for the heads-up. Who knows what the hackers were looking for.

  61. dimigrigos1

    Thanks a lot for the Honesty and fast Notification. Just great Behavior!

  62. thefengshuidiva

    Wow! Thanks for letting us all know. Don’t those hackers have better things to do.

  63. carolynquinn

    Thank you for always being on top of everything! For the record, I’ve gotten about six different spam emails in the last half hour. I wonder if it’s related, since usually my email system doesn’t let any spam get past the spam filter.

    • Matt

      It is highly unlikely it’s related, but we will keep an eye out for other users reporting anything similar.

  64. Pingback: » Automattic and Security Incident.

  65. Pingback: Servers Hit in Security Breach

  66. doctorwhofan98

    Thanks for telling us. :-)


    Hey Matt, great job on updating us all. Don’t you dare feel guilty if problems occur. You guys are terrific, as is this site.

  68. greenlif3

    That sucks. Thanks for the advice.

  69. Game designer

    By “potentially anything on those servers could have been revealed” do you mean that our credit card numbers and other non-public info like personal phone and such may be available on the black market?

    • Matt

      We have no reason to believe any personal info like phone numbers were revealed, and definitely not anything like credit card numbers.

  70. bwohack

    Thanx for sharing. My sites seem perfectly fine.

  71. Musicofourheart

    Thank you for being up front with us by communicating and protecting us and WordPress. I hope the forensic study leads you to the party who conducted this action.

  72. Valentine Bonnaire

    <3 you WP team of fabsters!

  73. brutug

    Security is all of our responsibility, thank you for the heads up as well as the untarnished presentation.

  74. VenueView

    All my WordPress installs are on private domains not — is this breach only of concern to users on the servers?

  75. urban molecule

    Thanks for being upfront and sharing the info right away. Your hard work is appreciated!

  76. ronankeatingfans

    Kudos for being so open about the incident. Many other websites would just deny that any data may have been revealed to make it sound like they are 100% secure when they really aren’t.

  77. Aidyl

    Thanks a lot for letting us know about this. It must have been hard to say! My dad was in IT security, and he was on me all the time for passwords, etc, since security is hard to keep these days.

  78. Confounding

    Thanks for the alert. I wonder what the hackers stand to gain from whatever they ‘got’.

    • Matt

      It is too early to say — it appears that the activity was largely exploratory, not targeted at a specific area, but we are still investigating.

  79. Ray Joseph Cormier

    Matt, thanks to you and everyone at WordPress for creating and maintaining such an excellent site that is always getting better.

  80. fosterdentalcare

    Thank you for letting us know! It is appreciated.

  81. heoni

    Thank you so much for being open and honest about the problem at hand. Continue the excellent work!

  82. Jennifer

    Thanks for letting us know, Matt. When we change our passwords, will we then have to reauthorize publicize services like twitter, etc.?

  83. onemom4rugrats

    Good thing I have nothing worth stealing. :) Thanks for saying what you did not have to say!

  84. johnmcgeeblog

    Thanks for the update, the disclosure, and your honesty. I appreciate that!

  85. flynn

    Thanks for the information!

  86. James Pat Guerréro


  87. devinbaker

    Thank you. A lot of companies won’t tell you when they have a problem like this. It’s nice to know you are honest and clear.

  88. sjames318

    Thanks for the information and your dedication to clearing this up.

  89. Charlousie

    Too many security incidents around the web. I am already using different passwords, but there is still a lot of uncertainty. Stupid stuff. :(
    Thanks for the update!

  90. Don in Mass

    Thank you for the update.

  91. screen_scribbla

    Thank you for conveying the tough news.

  92. The Hewitts

    I really appreciate you telling us about this. I actually feel more secure when companies I do business with let me know that there’s a problem and that they’re working to hopefully prevent this in the future as well as protect my information. Why can’t we all admit a mistake or potentially damaging problem or issue?

    What I don’t like is when people sweep things under the rug as if nothing happened… “Let’s not say anything and maybe no one will find out.” It’s very important for a company to tell me when there’s a problem, because now I’m equipped to do what I need to do, on my end!

    Thanks again and Kudos!

  93. Pingback: Nerds In Stereo » Blog Archive » WordPress Servers Hacked, Code “Exposed and Copied” - Ramblings from the Dev and the Admin

  94. edagan

    Thanks for the update, Matt. Tough as it is, you guys always shine in letting everyone know – and transparency means trust – so kudos to you.

    One question though: is VaultPress hosted on the compromised servers, and if so are there any implications for sites using its plugin? My question relates to the access details and APIs used by VaultPress to access the blogs it backs up. If any of these were exposed by the hack, then presumably we’ll need to change them.

  95. wk

    Thanks for your honesty, and for your suggestions.

  96. Obed Betancourt

    Thanks for the announcement. Remember you have to beef up security, seeing as you host some very important VIP blogs and newspapers on your servers. Best of luck.

  97. lachicaorganica

    You guys are awesome!! I really appreciate you spilling the beans so quickly. God bless your efforts and hoping you can find the people who did this.

  98. copperbeechhouse

    Have you been able to consider any motivation, or particulars to any sites, political or otherwise?

  99. Mike

    Appreciate the update!

  100. nouvellecythere

    It’s quite strange to read “Security incident” near your big smile on your gravatar. Thanks for the clear message.
