WordPress.com has taken steps to deal with the Heartbleed vulnerability. Here’s what you need to know.
Heartbleed Security Update
Last week, a very serious bug in OpenSSL was disclosed. OpenSSL, a set of open source tools to handle secure communication, is used by most Internet websites. This bug, nicknamed Heartbleed, allowed an attacker to read sensitive information from vulnerable servers and possibly steal things like passwords, cookies, and encryption keys.
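The over-read behind this bug, modelled as an added example (not code from the original post or from OpenSSL): a heartbeat parser that trusts the peer's declared payload length beside one that applies the bounds check the fix introduced. The buffer layout, secret and helper names are constructed for illustration.

```python
import struct
from typing import Optional

# RFC 6520 heartbeat message layout (carried in a TLS record of type 24):
#   type(1) | payload_length(2) | payload(payload_length) | padding(>=16)
HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16


def build_heartbeat(payload: bytes, claimed_length: Optional[int] = None) -> bytes:
    """Encode a heartbeat request. claimed_length lets a test construct a
    malformed message whose declared length exceeds the bytes actually sent."""
    if claimed_length is None:
        claimed_length = len(payload)
    return (struct.pack("!BH", HEARTBEAT_REQUEST, claimed_length)
            + payload + b"\x00" * MIN_PADDING)


def respond_unchecked(memory: bytes, record_length: int) -> bytes:
    """Pre-patch behaviour, simulated: copy payload_length bytes starting at the
    payload without checking it against the record actually received.
    `memory` models the receive buffer followed by whatever else sat in the heap;
    record_length is accepted but (as in the bug) never consulted."""
    _hb_type, payload_length = struct.unpack("!BH", memory[:3])
    payload = memory[3:3 + payload_length]   # may run past the record into other data
    return struct.pack("!BH", HEARTBEAT_RESPONSE, payload_length) + payload


def respond_checked(memory: bytes, record_length: int) -> Optional[bytes]:
    """Patched behaviour: discard the message unless the declared payload plus
    the mandatory padding fits inside the record that was actually received."""
    if record_length < 1 + 2 + MIN_PADDING:
        return None
    hb_type, payload_length = struct.unpack("!BH", memory[:3])
    if hb_type != HEARTBEAT_REQUEST:
        return None
    if 1 + 2 + payload_length + MIN_PADDING > record_length:
        return None                           # silently drop, as the fix does
    payload = memory[3:3 + payload_length]
    return struct.pack("!BH", HEARTBEAT_RESPONSE, payload_length) + payload


# Constructed sample: a well-formed request, a malformed one, and unrelated
# data that happens to follow the record in memory.
SECRET = b"session_cookie=abc123; "
GOOD = build_heartbeat(b"ping")
BAD = build_heartbeat(b"ping", claimed_length=len(b"ping") + 40)
```

Feeding `BAD + SECRET` to the unchecked responder returns the secret as part of the echoed payload; the checked responder drops the message and only answers `GOOD`.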
Was WordPress.com vulnerable to Heartbleed?
Yes. WordPress.com servers were running the latest version of OpenSSL, which was vulnerable. We generally run the latest version of OpenSSL to enable performance enhancements, such as SPDY, for our users. The non-vulnerable versions of OpenSSL were over two years old.
Has WordPress.com fixed the issue?
Yes. We patched all of our servers within a few hours of the public disclosure.
Has WordPress.com replaced all SSL certificates and private keys?
Yes. Out of an abundance of caution, we have replaced all of our SSL certificates, along with regenerating all of the associated private keys. In addition, our servers support forward secrecy so that even if our private keys were compromised, they could not have been used to decrypt old encrypted communication.
Will you be forcing me to reset my WordPress.com password?
At this time, we will not be forcing you to change your password.
Should I change my WordPress.com password?
If you want to, you are welcome to change your password. If you are using the same password other places on the Internet, we urge you to change your password and remind you to use unique passwords wherever possible.
- Apr 15, 2014 @ 8:02 pm
Thank you for the update! It’s always nice to hear info like this first hand rather than wondering if the lists of compromised companies popping up everywhere are truly accurate. I appreciate it!
Does “within a few hours” mean that if we changed our password the day after heartbleed was publicized last week, our accounts should be secure, or would it be prudent to change our WordPress password again?
Thank you for the update Barry, and for letting us know that WordPress takes security seriously and that WordPress has taken steps to protect us from this bug and other threats. :)
Thanks to the technical personnel at wordpress.com. Your nimble response to the heartbleed crisis is much appreciated.
Good article. Thanks so much as always. :-)
Thanks for this: very reassuring …
er, assuming you are who you say you are
Thanks for the peace of mind! ;)
Thanks for the quick update and letting us know!
Thanks for taking care of us. :D
Thank you. May be a dumb question but if we did not change our password would we be vulnerable?
Thank you for fixing this Issue. Indeed WordPress is awesome. :)
Can I ask why people call this “untraceable” when there were clearly ways to trace the attacks?
I understand people saying it’s not in the Apache logs, and the network logs do not likely go back 2 years, but not logging a particular thing, or having those logs rotate out, seems a way different thing than saying a certain action is untraceable.
EFF clearly posted references to heartbleed activity from IPs 22.214.171.124 and 126.96.36.199, obtained from 5 month old network logs specifically because the encrypted TCP signature was so distinctive and matched the proof of concept.
I completely understand most don’t keep network logs that long, and some don’t even log network and just rely on Apache logs depending on their position in the team, but why use the word untraceable for a very traceable act if you happen to be logging or looking for it, and it has a clear TCP payload signature for the malformed request, even encrypted apparently? Is it to stop people from looking in recent network logs or even looking for such obvious activity right now?
Always right up there, ahead of the pack. Another friend asked me to show her how to create a blog, and it’s great to be able to confidently say, ‘Of course it has to be WordPress’. I have a tiny problem, though, with the idea of using new, unique passwords — especially with my memory! :-)
Okay, so… I’m totally newbie about this topic.. keys and SSL etc.. Should we change our password as soon as possible to avoid any problems? (I will probably change here, just for the sake of doubt)
Thank you for the information. I have been working with my domain provider to see if I’m affected with using WordPress.org. They are confused, but trying to cooperate. Robert
Thank you for taking the appropriate steps. It is well appreciated.
Indeed – I saw the report. I think sites that left their servers unpatched for days after the public disclosure are in the most trouble. It’s also possible that this vulnerability was widely exploited in the 2+ years the bug existed and we just don’t know yet. We will keep a close eye on things and make changes to our policies and recommendations if needed.
Thanks for the update. I’ve been a bit worried for quite some time. In fact, I’ve changed passwords in some of my social networking accounts already. It’s a good thing I can really rely on WordPress to keep the security walls up. Thanks!
Great job, your efforts are appreciated! It is good to know that we are safe. Thank you WordPress for keeping security up and running.
What a model of timely, clear, helpful information – and of course action! Thank you and congratulations.
So Barry, SIN numbers here in Canada have been stolen. Heartbleed has to be one of the worst breaches of security in internet history. Thanks to all at wordpress for patching things up! It is a nightmare!
Thank you very much for this: we actually take your intervention for granted, but to be informed of it is always good.
Everyone needs to change their passwords everywhere! Better to be safe than sorry!
I just changed my password and I am feeling better now. I heard and read about the bug but never took steps to protect my online work. Glad I read your post. Thanks a bunch for the information.
I’m surprised that so far the only site or service that’s emailed me about changing passwords has been IFTTT. I’d have expected to hear something by email from most sites, incl. WordPress.
That said, would have appreciated something more informative than “You are welcome to change your passwords if you want to.” Presumably the way you’ve put it means that you don’t think it’s a critical thing to do.
Thanks for the tips. Do you have any protection against attacks like Heartbleed for the future?
Was Heartbleed affecting the sign-in process or comment-approval administration on here at any point since it was discovered by WordPress staff?
I’m changing my password straight away… Thanks for this eye-opener.
I’m so glad I use different passwords for everything.
Thank you for this information, I appreciate it.