Heartbleed Security Update

WordPress.com has taken steps to deal with the Heartbleed vulnerability. Here’s what you need to know.

Last week, a very serious bug in OpenSSL was disclosed.  OpenSSL, a set of open source tools to handle secure communication, is used by most Internet websites.  This bug, nicknamed Heartbleed, allowed an attacker to read sensitive information from vulnerable servers and possibly steal things like passwords, cookies, and encryption keys.

Was WordPress.com vulnerable to Heartbleed?

Yes. WordPress.com servers were running the latest version of OpenSSL, which was vulnerable. We generally run the latest version of OpenSSL to enable performance enhancements, such as SPDY, for our users. The non-vulnerable versions of OpenSSL were over two years old.

Has WordPress.com fixed the issue?

Yes. We patched all of our servers within a few hours of the public disclosure.

Has WordPress.com replaced all SSL certificates and private keys?

Yes. Out of an abundance of caution, we have replaced all of our SSL certificates, along with regenerating all of the associated private keys. In addition, our servers support forward secrecy so that even if our private keys were compromised, they could not have been used to decrypt old encrypted communication.

Will you be forcing me to reset my WordPress.com password?

At this time, we will not be forcing you to change your password.

Should I change my WordPress.com password?

If you want to, you are welcome to change your password. If you are using the same password other places on the Internet, we urge you to change your password and remind you to use unique passwords wherever possible.


Missing out on the latest WordPress.com developments? Enter your email below to receive future announcements direct to your inbox. An email confirmation will be sent before you will start receiving notifications - please check your spam folder if you don't receive this.

Join 17,889,347 other followers

Barry

38 Comments

Comments are closed.

  1. Rii the Wordsmith

    Will we be okay to keep our password if we enable two-step verification? Even if someone potentially has our password?

    Like

    • Barry

      It’s always a good idea to enable two-step verification :) If you use the same password multiple places on the web, we recommend that you change it. Otherwise, it’s really up to you. Changing your password is pretty easy and if creates peace of mind, then it’s worth it.

      Like

  2. melissaslocum2014

    Thank you for the update! It’s always nice to hear info like this first hand rather than wondering if the lists of compromised companies popping up everywhere are truly accurate. I appreciate it!

    Like

  3. Admin

    Does “within a few hours” mean that if we changed our password the day after heartbleed was publicized last week, our accounts should be secure, or would it be prudent to change our WordPress password again?

    Like

    • Barry

      We don’t think you need to change your password again. But if you are concerned, it’s pretty easy to change, so I would just go for it.

      Like

  4. John Jr

    Thank you for the update Barry, and for letting us know that WordPress takes security seriously and that WordPress has taken steps to protect us from this bug and other threats. :)

    -John Jr

    Like

  5. bakdor

    Thanks to the technical personnel at wordpress.com. Your nimble response to the heartbleed crisis is much appreciated.

    Liked by 1 person

  6. Timothy D. Naegele

    Good article. Thanks so much as always. :-)

    Like

  7. beeseeker

    Thanks for this: very reassuring …
    er, assuming you are who you say you are
    ;-)

    Like

  8. the blogging disciple

    Thanks for the peace of mind! :;)

    Like

  9. pneumaoflife

    Thanks for the quick update and letting us know!

    Like

  10. Widdershins

    Thanks for taking care of us. :D

    Like

  11. rhian @melbs

    Thank you. May be a dumb question but if we did not change our password would we be vulnerable?

    Like

    • Barry

      If you use the same password on multiple sites and one of those sites failed to patch their servers in a timely manner then it’s possible you could be more vulnerable than if you use a unique password for each site. If you are concerned about it I would just go ahead and change your password – it can’t hurt.

      Like

  12. pixelednina

    Thank you for fixing this Issue. Indeed WordPress is awesome. :)

    Like

  13. bitpath

    Can I ask why people call this “untraceable” when there were clearly was to trace the attacks?

    I understand people saying it’s not in the apache logs, and the network logs do not likely go back 2 years, but not logging a particular thing, or having those logs rotate out seems a way different thing than saying a certain action is untraceable.

    EFF clearly posted references to heartbleed activity from IPs 193.104.110.12 and 193.104.110.20, obtained from 5 month old network logs specifically because the encrypted TCP signature was so distinctive and matched the proof of concept.

    https://www.eff.org/deeplinks/2014/04/wild-heart-were-intelligence-agencies-using-heartbleed-november-2013

    I completely understand most don’t keep network logs that long, and some don’t even log network and just rely on apache logs depending on their position in the team, but why use the word untraceable for a very traceable act if you happen to be logging or looking for it, and it has a clear TCP payload signature for the malformed request, even encrypted apparently? Is it to stop people from looking in recent network logs or even looking for such obvious activity right now?

    Like

    • Barry

      I think that while it might be possible to find possible uses of this exploit if you keep network captures, it’s also very likely that it was possible to exploit this issue without detection, depending on the level of sophistication and method used.

      Like

  14. fearlessanalyst

    Always right up there, ahead of the pack. Another friend asked me to show her how to create a blog, and it’s great to be able to confidently say, ‘Of course it has to be WordPress’. I have a tiny problem, though, with the idea of using new, unique passwords — especially with my memory! :-)

    Like

  15. Yurixy

    Okay, so… I’m totally newbie about this topic.. keys and SSL etc.. Should we change our password as soon as possible to avoid any problems? (I will probably change here, just for the sake of doubt)

    Like

  16. Robert Lee Murphy

    Thank you for the information. I have been working with my domain provider to see if I’m affected with using WordPress.org. They are confused, but trying to cooperate. Robert

    Like

  17. akeem54

    Thank you for taking the appropriate steps. It is well appreciated.

    Like

  18. Barry

    Indeed – I saw the report. I think sites that left their servers un-patched for days after the public disclosure are in the most trouble. It’s also possible that this vulnerability was widely exploited in the 2+ years the bug existed and we just don’t know yet. We will keep a close eye on things and make changes to our policies and recommendations if needed.

    Like

  19. Jemaima

    Thanks for the update. I’ve been a bit worried for quite sometime. In fact, I’ve changed passwords in some of my social networking accounts already. It’s a good thing I can really rely on WordPress to keep the security walls up. Thanks!

    Like

  20. marksshoesbyevamarks

    Great job, your efforts are appreciated! It is good to know that we are safe.Thank you WordPress for keeping security up and running.

    Like

  21. Carolyn Lane

    What a model of timely, clear, helpful information – and of course action! Thank you and congratulations

    Like

  22. Charlotte Ortega

    So Barry SIN numbers here in Canada have been stolen. Heart bleed has to be one of the worst breeches of security in internet history. Thanks to all at wordpress for patching things up! It is a nightmare!

    Like

  23. M-R

    Thank you very much for this: we actually take your intervention for granted, but to be informed of it is always good.

    Like

  24. jasonwarner1987

    Everyone needs to change their passwords everywhere! Better to be safe than sorry!

    Like

  25. thegonogradresident

    I just changed my password and I am feeling better now. I heard and read about the bug but never took steps to protect my online work. Glad I read your post. Thanks a bunch for the information.

    Like

  26. Pasduil

    I’m surprised that so far the only site or service that’s emailed me about changing passwords has been IFTTT. I’d have expected to hear something by email from most sites, incl WordPress.

    That said, would have appreciated something more informative than “You are welcome to change your passwords if you want to.” Presumably the way you’ve put it means that you don’t think it’s a critical thing to do.

    Like

  27. Tom

    Thanks for the tips. Do you have any protection against attacks like Heartbleed for the future?

    Like

  28. livingmeme

    Was HeartBleed affecting the sign-in-process or comment-approval adminstration on here at any point since it was discovered by WordPress staff?

    Like

  29. Mujeeb

    I’m changing my password straight away…. Thanks for this eye opener.

    Like

  30. maridis

    I’m so glad I use different passwords for everything.

    Like

  31. oldpoet56

    Thank you for this information, I appreciate it.

    Like

Follow

Get every new post delivered to your Inbox.

Join 17,889,347 other followers

%d bloggers like this: