Security Incident

Tough note to communicate today: Automattic had a low-level (root) break-in to several of our servers, and potentially anything on those servers could have been revealed.

We have been diligently reviewing logs and records about the break-in to determine the extent of the information exposed, and re-securing avenues used to gain access. We presume our source code was exposed and copied. While much of our code is Open Source, there are sensitive bits of our and our partners’ code. Beyond that, however, it appears information disclosed was limited.

Based on what we’ve found, we don’t have any specific suggestions for our users beyond reiterating these security fundamentals:

  • Use a strong password, meaning something random with numbers and punctuation.
  • Use different passwords for different sites.
  • If you have used the same password on different sites, switch it to something more secure.

(Tools like 1Password, LastPass, and KeePass make it easy to keep track of different unique logins.)

Our investigation into this matter is ongoing and will take time to complete. As I said above, we’ve taken comprehensive steps to prevent an incident like this from occurring again. If you have any questions or concerns, please leave a comment below or contact our support.

Matt

396 Comments

  1. Angelica Rubio

    Thank you for the heads up!

  2. Soumen

    The transparency and the guts to speak the truth is the strength of WordPress. Kudos to you, you spoke the truth. Thanks for the advice on changing and keeping complex passwords.

  3. Frenchie

    Thanks… Were personal info, especially email addresses, touched by this?

  4. phynedyning

    Thanks! Your team is much more on the ball than the e-retailer that didn’t bother to tell me their site was compromised until I complained about being spammed by their “secure” site.

  5. Squeeky Fromm - Girl Reporter

    Wow, this is good to know. Thanks!!!

  6. Salvatore Otoro

    Thanks for letting us know and keeping us up to date. :D

  7. appinptm

    Thanks for the suggestions, they’re really helpful!

  8. Martha

    Oh damn, I thought ‘security incident’ was a new theme and it sounded cool :P

    You guys do a great job, thanks for all your hard work.

  9. Rocket Dog (Ergo Proxy)

    dang. that’s rough. we’re glad to know about this incident.

  10. hinduawaken

    thanks for updates

  11. MNN5

    Guys, thank you so much for the heads up. Even the best fall, like the recent Epsilon breach. According to some reports Epsilon knew about a vulnerability on their side, but they didn’t warn their users beforehand like you did. I’m sure you will do all in your power to protect our data. I have a question though; I don’t understand when you said “Use different passwords for different sites”.

    • Matt

      That means that for every website you should have a different password, for example don’t use the same password for WordPress.com and Twitter.com.

  12. yakatz

    Do you know whether any code was changed? Could the person/people who broke in have modified the code to send an email back to them any time someone changes their password?

  13. 2embracethelight

    Thank you for informing, advising and helping us understand. This is unfortunate, but it seems like the way of the world.
    Thank you for letting us know.

  14. Treasureyourhealth

    Sadly, some folks haven’t figured out the way karma works, but will. Thanks for the update. I really appreciate your frankness and hope this is all resolved soon. Take good care, all of you!

  15. nzpilotguy

    Not good news, but great that you’re being upfront about it – appreciate the info.

  16. Takeru

    Thanks! I will change my password right away!

  17. antoinettevdberg

    Thank you for the info Matt, much appreciated!

  18. Pingback: Wordpress.com security breached, data potentially on the loose | RCR Unplugged
  19. airmaxfrance

    Thank you for sharing.

  20. waldonia

    Thank you for keeping us informed and for responding to people’s concerns quickly. Yay WordPress!

  21. Pingback: WordPress.com suffers hacker attack | Cyber Crimes Unit
  22. phoxis

    Thanks for sharing such an incident with the users (which most organizations would hide).

  23. veronica

    thank you so much.. all our blogs mean so much more to us and you just made us care for them all the more, Matt.. will be more cautious now =P

  24. peoplesgeek

    Thanks for the update – you’ve turned a negative into a positive by thinking to share some really good advice about using different passwords and how to manage them effectively. I use KeePass and will have a look at the others you mentioned for other clients. The other one to emphasise is the importance of backup and recovery procedures; that way, if you lose everything you can at least get it back (or do a compare to help work out what may have been changed).

  25. Brett Jones

    Fight the good fight! Thanks for keeping us informed.

  26. Jessica

    Thanks for being clear on this.

  27. bookjunkie

    it’s great that WordPress is so personal and always keeps us informed :) thank you!

  28. ahmadblues

    Thanks for letting us know – luckily I was thinking about changing my set of passwords anyway.

  29. Ruth

    I love WP, and try to talk my Blogger friends into making the big switch. Hey, junk happens. Thank for giving us the heads up on the situation! Appreciate it!

  30. kenryoku

    Your transparency is very much appreciated. Will heed your advice now.

  31. Umoja

    We do appreciate it; please update us on any new security incidents.

  32. Perennemente Sloggata

    In my bad English I’d like to say ‘thank you’ for your honesty and transparency, which I didn’t find in any other platform.

  33. NiHAWmA

    Information dissemination is important. Thanks a lot and regards.

  34. Pingback: Break-in at WordPress.com
  35. Pingback: How to Choose a Strong Website Password
  36. Kemi

    Thanks for letting your customers know :). K

  37. Kathi

    Thanks for all you do! I love having this great free service for sharing thoughts and keeping track of friends. Your team does a great job, and I appreciate it!!

  38. Myra's papers

    Thanks for the heads up. “)

  39. Robert M Palmer

    Better we know than we don’t. New passwords are easy, so… done!
    Living on the web is like living in the city… lock the doors, look both ways before crossing and wash your hands!
    Thanks for the update!

  40. Hope4UsNow

    Thanks for the update! Sending hope you repair things soon. :)

  41. Pingback: WordPress.com security violated « Balau
  42. Pingback: Security Incident (via WordPress.com News) « Achugh's Blog
  43. Pingback: WordPress.com has been hacked! « Secure IT Foundation
  44. adnanomatic

    Thanks for letting us make stronger passwords.

  45. sanhira

    Many thanks, I really appreciate your work and this frank attitude! Good luck, Matt!

  46. Eowyn

    Thank you, WordPress, for your generous hosting of our blogs! And a big “Thank you” to the wizards, WordPress’ Happiness Engineers!

  47. Pingback: WordPress Security Compromised
  48. Veridian Etoile

    Thanks for letting us know. Y’all work so hard on making WP a secure and safe place for all of us to blog and share with the world; all of your work is very appreciated by us members/bloggers. I do hope y’all catch the person/group who did this.

    Maybe it’s best that all of us change our passwords just in case? I know I’m going to be changing mine to be safe!!

  49. angelinlove82501

    Thank you for the update. Yes, it is a tough one to announce; however, I have more respect for the fact that you were honest and told all of us rather than trying to cover it up like some other sites do and would.

  50. ThePlatoReport

    Very much appreciate the update. Good luck–we’ve got confidence in you.

  51. roberthopesworld

    Insecurity is my normal state :)

  52. Pingback: WordPress.com Hacked (Again) | Bill Mullins' Weblog – Tech Thoughts
  53. mestrebonsai

    Thanks for your honesty, good work.

  54. Pingback: Boot up: WordPress hit by ‘root-level’ attack, and more: Shark Hunting on Wall Street
  55. noir33

    Keep up the good work, guys….

  56. wookieeenroute

    Thank you for the quick and honest info!
    It’s much appreciated.

  57. Sandra Bell Kirchman

    How indicative all these comments are of the kind of service WP gives, i.e., the best. As an appreciative user, I rather resent the implication that I am on some sort of drugs because I applaud WP’s (and Matt’s) honesty and attempts at great service (as one commenter suggested above). “If you live by the sword, you die by the sword.” We users of the internet know that these things happen and that determined hackers are stopped only with intense effort. Now, here’s my contribution:

    I have so many internet accounts to various websites that, if I change my passwords, I am doomed.

    However, I use something that was recommended by my bank. It’s called Trusteer and not only protects my password, but protects any website I ask it to, including, of course, my online banking sites (and, now, WordPress). Once you install it, it is very easy to use. You can set it for weekly reports as well. I was appalled at how many various invasion attempts it is stopping, but very glad it was stopping them.

  58. lovemeraz

    Thank you so much for being so transparent.

  59. Ricardo Alamino

    Appreciate the transparency! We love companies with this kind of behaviour. Nobody is fully protected from incidents like that.

    Thank you WP team.

  60. Jimmy Daniels, Esq.

    Thank you. This motivated me to get LastPass.

  61. gothichydran126

    Creepy…Thanks for the head up!

  62. Lissa Rabon

    Thank you! Good to know you have our backs!!

  63. Robin

    Keep up the honesty and integrity, that’s what makes you guys #1 Thanks!

  64. Poppy

    What is with these fraudsters?! I found out someone or ‘something’ has been using my bank account as well today!! Ah well, at least we have honest people like you WordPress guys! Good luck in your investigations! Poppy :)

  65. SPREE

    Must say I was somewhat alarmed at seeing this title, but thank goodness your team’s controlling it. This situation is becoming a contagious disease, whew!!

  66. Pingback: Wordpress.com Hacked
  67. chazsm

    Thanks for keeping us up-to-date especially with this kind of issue. Highly appreciated!

  68. belle04tmnt

    Thank you so much for the info. I have to admit I’m new here, and I know now what to do for my security. Again, thank you. XD

  69. geofftalbot

    Your honesty and openness are awesome… Hopefully no one has stolen my identity… Geoff

  70. workerbeetv

    Honesty is always the best policy. Thanks!

  71. John Boxall

    Thanks for being honest and keeping us in the loop. :)

  72. dglvran

    Thanks for all your hard work, guys!

  73. dibya

    Thanks for the update. Appreciate it.

  74. arigoldstein

    This kind of policy – to be transparent – is exactly what will grow your success. Thank you so much.

  75. Margaret

    We love you all for all that you do to keep us safe. Have a great day squaring things away.

  76. sanityisknocking

    Appreciate the honest update!

  77. skippyamrhein

    Thanks for that…suppose incidents like that go with the territory, no matter how secure we’re trying to make this. Awesome advice on passwords!

  78. Hans

    Thanks for the update. Good to hear that you are so open on these issues. Indeed, stuff happens. But it is not about the way that you fall, but about the way you get up on your feet again. :) And you are doing just fine.

  79. Angela C. Soelzer Ragosa

    Thanks so much! Sincerely appreciate it!

  80. Angela

    Thanks for the notice and for working to figure things out!

  81. writewizard

    Appreciate the heads up guys, thanks! –Meg

  82. Moonmooring

    As usual, WordPress at its best. Thank you for the info.

  83. Rupertson

    Roger, over and out.

  84. CommentatorandPoet

    The WordPress Family: the Best Thing About the Internet.

  85. Jackie Paulson 1966

    Thanks for the update.

  86. Schamael

    See, this is what I respect about WordPress and other people who work similarly. You admit it when things happen, and there’s no covering-up or blaming. Just telling us what’s happened nice and clearly, and giving advice on what to do. Thanks :)

  87. Mia

    Aw sorry to hear and thanks for letting us know, I appreciate your open communication.

    I hope they’re caught! Good luck.

  88. walkaboutdoc

    I read of the security breach
    And the lessons in the life it would teach
    I won’t worry my head
    Or give into the dread,
    I’m going down to the beach.

  89. Paul Bishop

    As others have said, appreciate the honesty. Being upfront about security breaches endears your users more to WordPress and also motivates you guys to excel in keeping security higher so you don’t have to give us bad news.

    God bless and keep up the good work!!!

  90. lily1855

    Thank you for being open, honest, very much appreciated.

  91. SuperSparky

    Your competitors could learn a thing or two about customer service from you. Stuff happens, but be honest about it and consider your customers as assets instead of numbers on a spreadsheet. You guys rock!

  92. Vanessa

    Thanks for the tips!

  93. 4 ♥ 1 ♥ Love

    Thanks for the honesty. Standing behind you and your efforts. Keep the faith.

  94. siko

    Thanks for all your hard work, guys!

  95. jatiluhurdam

    I still use you as my media. Thanks for your honesty.

  96. Patricia

    Thank you for being transparent. Yeah, so crap happens, but at least you notify us and considering how many people use WordPress and how I have no idea how you get all the work done, I seriously don’t care. So what? Then we’re going to change our passwords. :)

    Still in love with WordPress.

  97. millersa

    Everyone’s so nice on WordPress!

  98. Maria

    Kudos for the heads-up.

  99. ariesulaeman

    Thanks, I really appreciate it.

  100. Lauren

    Thanks for the update. I appreciate it.
