Security Incident

Tough note to communicate today: Automattic had a low-level (root) break-in to several of our servers, and potentially anything on those servers could have been revealed.

We have been diligently reviewing logs and records about the break-in to determine the extent of the information exposed, and re-securing avenues used to gain access. We presume our source code was exposed and copied. While much of our code is Open Source, there are sensitive bits of our and our partners’ code. Beyond that, however, it appears information disclosed was limited.

Based on what we’ve found, we don’t have any specific suggestions for our users beyond reiterating these security fundamentals:

  • Use a strong password, meaning something random with numbers and punctuation.
  • Use different passwords for different sites.
  • If you have used the same password on different sites, switch it to something more secure.

(Tools like 1Password, LastPass, and KeePass make it easy to keep track of different unique logins.)

Our investigation into this matter is ongoing and will take time to complete. As I said above, we’ve taken comprehensive steps to prevent an incident like this from occurring again. If you have any questions or concerns, please leave a comment below or contact our support.



Matt

396 Comments

Comments are closed.

  1. Angelica Rubio

    Thank you for the heads up!

  2. Soumen

    The transparency and the guts to speak the truth is the strength of WordPress. Kudos to you, you spoke the truth. Thanks for the advice on changing and keeping complex password.

  3. Frenchie

    Thanks… Were personal info, especially email addresses, touched by this?

  4. phynedyning

    Thanks! Your team is much more on the ball than the e-retailer that didn’t bother to tell me their site was compromised until I complained about being spammed by their “secure” site.

  5. Squeeky Fromm - Girl Reporter

    Wow, this is good to know. Thanks!!!

  6. Salvatore Otoro

    Thanks for letting us know and keeping us up to date. :D

  7. appinptm

    Thanks for the suggestions, they’re really helpful!

  8. Martha

    Oh damn, I thought ‘security incident’ was a new theme and it sounded cool :P

    You guys do a great job, thanks for all your hard work.

  9. Rocket Dog (Ergo Proxy)

    dang. that’s rough. we’re glad to know about this incident.

  10. hinduawaken

    thanks for updates

  11. MNN5

    Guys, Thank You so much for the heads up. Even the best fall like the recent Epsilon breach. According to some reports Epsilon knew about a vulnerability on their side but they didn’t warn their users before like you did. I’m sure you will do all in your power to protect our data. I have a question though; I don’t understand when you said “Use different passwords for different sites”.

    • Matt

      That means that for every website you should have a different password, for example don’t use the same password for WordPress.com and Twitter.com.

  12. yakatz

    Do you know whether any code was changed? Could the person/people who broke in have modified the code to send an email back to them any time someone changes their password?

  13. 2embracethelight

    Thank you for informing, advising and helping us understand. This is unfortunate, but it seems like the way of the world.
    Thank you for letting us know.

  14. Treasureyourhealth

    Sadly, some folks haven’t figured out the way karma works, but will. Thanks for the update. I really appreciate your frankness and hope this is all resolved soon. Take good care, all of you!

  15. nzpilotguy

    Not good news, but great that you’re being upfront about it – appreciate the info.

  16. Takeru

    Thanks! I will change my password right away!

  17. antoinettevdberg

    Thank you for the info Matt, much appreciated!

  18. Pingback: Wordpress.com security breached, data potentially on the loose | RCR Unplugged
  19. airmaxfrance

    Thank you for sharing.

  20. waldonia

    Thank you for keeping us informed and for responding to people’s concerns quickly. Yay WordPress!

  21. Pingback: WordPress.com suffers hacker attack | Cyber Crimes Unit
  22. phoxis

    Thanks for sharing such an incident to the users (which most organizations would hide).

  23. veronica

    thank you so much.. all our blogs mean so much more to us and u just made us care for them all the more matt.. will be more cautious now =P

  24. peoplesgeek

    Thanks for the update – You’ve turned a negative into a positive by thinking to share some really good advice about using different passwords and how to manage them effectively. I use KeePass and will have a look at the others you mentioned for other clients. The other one to emphasise is the importance of backup and recovery procedures, that way if you lose everything you can at least get it back (or do a compare to help work out what may have been changed)

  25. Brett Jones

    Fight the good fight! Thanks for keeping us informed.

  26. Jessica

    Thanks for being clear on this.

  27. bookjunkie

    it’s great that WordPress is so personal and always keeps us informed :) thank you!

  28. ahmadblues

    Thanks for letting us know – luckily I was thinking about changing my set of passwords anyway.

  29. Ruth

    I love WP, and try to talk my Blogger friends into making the big switch. Hey, junk happens. Thanks for giving us the heads up on the situation! Appreciate it!

  30. kenryoku

    Your transparency is very much appreciated. Will heed your advice now.

  31. Umoja

    We do appreciate, please update us for any new security incidents.

  32. Perennemente Sloggata

    In my bad English I’d like to say ‘thank you’ for your honesty and transparency, which I didn’t find in any other platform.

  33. NiHAWmA

    Information dissemination is important. Thanks a lot and regards.

  34. Pingback: Break-in at WordPress.com
  35. Pingback: How to Choose a Strong Website Password
  36. Kemi

    Thanks for letting your customers know :). K

  37. Kathi

    Thanks for all you do! I love having this great free service for sharing thoughts and keeping track of friends. Your team does a great job, and I appreciate it!!

  38. Myra's papers

    Thanks for the heads up. “)

  39. Robert M Palmer

    Better we know than we don’t. New passwords are easy, so… done!
    Living on the web is like living in the city… lock the doors, look both ways before crossing and wash your hands!
    Thanks for the update!

  40. Hope4UsNow

    Thanks for the update! Sending hope you repair things soon. :)

  41. Pingback: WordPress.com security violated « Balau
  42. Pingback: Security Incident (via WordPress.com News) « Achugh's Blog
  43. Pingback: WordPress.com has been hacked! « Secure IT Foundation
  44. adnanomatic

    Thanks for letting us to make stronger passwords.

  45. sanhira

    Many thanks, I really appreciate your work and this frank attitude! Good luck, Matt!

  46. Eowyn

    Thank you, WordPress, for your generous hosting of our blogs! And a big “Thank you” to the wizards, WordPress’ Happiness Engineers!

  47. Pingback: WordPress Security Compromised
  48. Veridian Etoile

    Thanks for letting us know. Y’all work so hard on making WP a secure and safe place for all of us to blog and share with the world, all of your work is very appreciated by us members/bloggers. I do hope y’all catch the person/group who did this.

    Maybe it’s best that all of us change our passwords just in case? I know I’m going to be changing mine to be safe!!

  49. angelinlove82501

    Thank you for the update yes it is a tough one to announce however I have more respect for the fact that you were honest and told all of us rather than trying to cover it up like some other sites do and would.

  50. ThePlatoReport

    Very much appreciate the update. Good luck–we’ve got confidence in you.

  51. roberthopesworld

    Insecurity is my normal state :)

  52. Pingback: WordPress.com Hacked (Again) | Bill Mullins' Weblog – Tech Thoughts
  53. mestrebonsai

    Thanks for your honesty, good work.

  54. Pingback: Boot up: WordPress hit by ‘root-level’ attack, and more: Shark Hunting on Wall Street
  55. noir33

    Keep up the good work, guys….

  56. wookieeenroute

    Thank you for the quick and honest info!
    It’s much appreciated.

  57. Sandra Bell Kirchman

    How indicative all these comments are on the kind of service WP gives, i.e., the best. As an appreciative user, I rather resent the implication that I am on some sort of drugs because I applaud WP’s (and Matt’s) honesty and attempts at great service (as one commenter suggested above). “If you live by the sword, you die by the sword.” We users of the internet know that these things happen and that determined hackers are stopped only with intense effort. Now, here’s my contribution:

    I have so many internet accounts to various websites that, if I change my passwords, I am doomed.

    However, I use something that was recommended by my bank. It’s called Trusteer and not only protects my password, but protects any website I ask it to, including, of course, my online banking sites (and, now, WordPress). Once you install it, it is very easy to use. You can set it for weekly reports as well. I was appalled at how many various invasion attempts it is stopping, but very glad it was stopping them.

  58. lovemeraz

    Thank you so much for being so transparent.

  59. Ricardo Alamino

    Appreciate the transparency! We love companies with this kind of behaviour. Nobody is fully protected from incidents like that.

    Thank you WP team.

  60. Jimmy Daniels, Esq.

    Thank you. This motivated me to get LastPass.

  61. gothichydran126

    Creepy… Thanks for the heads up!

  62. Lissa Rabon

    Thank you! Good to know you have our backs!!

  63. Robin

    Keep up the honesty and integrity, that’s what makes you guys #1 Thanks!

  64. Poppy

    What is with these fraudsters?! I found out someone or ‘something’ has been using my bank account as well today!! Ah well, at least we have honest people like you WordPress guys! Good luck in your investigations! Poppy :)

  65. SPREE

    Must say I was somewhat alarmed at seeing this title, but thank goodness your team’s controlling it. This situation is becoming a contagious disease whew!!

  66. Pingback: Wordpress.com Hacked
  67. chazsm

    Thanks for keeping us up-to-date especially with this kind of issue. Highly appreciated!

  68. belle04tmnt

    Thank you so much for the info. I have to admit I’m new here and I know now what to do for my security. again thank you. XD

  69. geofftalbot

    Your honesty and openness are awesome… Hopefully no one has stolen my identity… Geoff

  70. workerbeetv

    Honesty is always the best policy. Thanks!

  71. John Boxall

    Thanks for being honest and keeping us in the loop. :)

  72. dglvran

    Thanks for all your hard work, guys!

  73. dibya

    Thanks for the update. Appreciate it.

  74. arigoldstein

    This kind of policy – to be transparent – is exactly what will grow your success. Thank you so much.

  75. Margaret

    We love you all for all that you do to keep us safe. Have a great day squaring things away.

  76. sanityisknocking

    Appreciate the honest update!

  77. skippyamrhein

    Thanks for that…suppose incidents like that go with the territory, no matter how secure we’re trying to make this. Awesome advice on passwords!

  78. Hans

    Thanks for the update. Good to hear that you are so open on these issues. Indeed, stuff happens. But it is not about the way that you fall, but about the way you get up your feet again. :) And you are doing just fine.

  79. Angela C. Soelzer Ragosa

    Thanks so much! Sincerely appreciate it!

  80. Angela

    Thanks for the notice and for working to figure things out!

  81. writewizard

    Appreciate the heads up guys, thanks! –Meg

  82. Moonmooring

    As usual, WordPress at its best. Thank you for the info.

  83. Rupertson

    Roger, over and out.

  84. CommentatorandPoet

    The WordPress Family: the Best Thing About the Internet.

  85. Jackie Paulson 1966

    Thanks for the update.

  86. Schamael

    See, this is what I respect about WordPress and other people who work similarly. You admit it when things happen, and there’s no covering-up or blaming. Just telling us what’s happened nice and clearly, and giving advice on what to do. Thanks :)

  87. Mia

    Aw sorry to hear and thanks for letting us know, I appreciate your open communication.

    I hope they’re caught! Good luck.

  88. walkaboutdoc

    I read of the security breach
    And the lessons in the life it would teach
    I won’t worry my head
    Or give into the dread,
    I’m going down to the beach.

  89. Paul Bishop

    As others have said, appreciate the honesty. Being upfront about security breaches endears your users more to WordPress and also motivates you guys to excel in keeping security higher so you don’t have to give us bad news.

    God bless and keep up the good work!!!

  90. lily1855

    Thank you for being open, honest, very much appreciated.

  91. SuperSparky

    Your competitors could learn a thing or two about customer service from you. Stuff happens, but be honest about it and consider your customers as assets instead of numbers on a spreadsheet. You guys rock!

  92. Vanessa

    Thanks for the tips!

  93. 4 ♥ 1 ♥ Love

    Thanks for the honesty. Standing behind you and your efforts. Keep the faith.

  94. siko

    Thanks for all your hard work, guys!

  95. jatiluhurdam

    I still use you as my media. Thanks for your honesty.

  96. Patricia

    Thank you for being transparent. Yeah, so crap happens, but at least you notify us and considering how many people use WordPress and how I have no idea how you get all the work done, I seriously don’t care. So what? Then we’re going to change our passwords. :)

    Still in love with WordPress.

  97. millersa

    Everyone’s so nice on WordPress!

  98. Maria

    Kudos for the heads-up.

  99. ariesulaeman

    Thanks, I really appreciate it.

  100. Lauren

    Thanks for the update. I appreciate it.
