Security Incident

Tough note to communicate today: Automattic had a low-level (root) break-in to several of our servers, and potentially anything on those servers could have been revealed.

We have been diligently reviewing logs and records about the break-in to determine the extent of the information exposed, and re-securing the avenues used to gain access. We presume our source code was exposed and copied. While much of our code is Open Source, there are sensitive bits of our and our partners’ code. Beyond that, however, it appears the information disclosed was limited.

Based on what we’ve found, we don’t have any specific suggestions for our users beyond reiterating these security fundamentals:

  • Use a strong password, meaning something random with numbers and punctuation.
  • Use different passwords for different sites.
  • If you have used the same password on different sites, switch it to something more secure.

(Tools like 1Password, LastPass, and KeePass make it easy to keep track of different unique logins.)

Our investigation into this matter is ongoing and will take time to complete. As I said above, we’ve taken comprehensive steps to prevent an incident like this from occurring again. If you have any questions or concerns, please leave a comment below or contact our support.



396 Comments


  1. χαρη

    Thank you so much Matt for letting us know. 😀 So honest an attitude really makes my day.


  2. Ron Scubadiver

    Thanks for the heads up. Nothing beats transparency.


  3. Om-Tat-Satire

    Straightforward and honest. That’s why we love you. Good luck with your investigation and finding solutions.


  4. philosophermouseofthehedge

    Thanks for your efforts. Happens to even the biggest organizations and companies. Looks like you still have everyone’s trust.


  5. rosaleengallagher

    Thank you for the update and great tip about the password tools – had never heard of them before but will definitely give them a go!


  6. Intelligent Challenge

    Thanks for the update.


  7. DH-Shredder

    From what you’ve said above, I presume that the exploit method is (was) specific to WP.com — but to clarify:
    Does this exploit concern the code in WP.org at all?


    • Matt

      It does concern WordPress.org-the-website but not WordPress-the-software that you likely host someplace else.


  8. {Alex,Sasha,Olek}

    Thanks for the heads up! As tough as this ordeal must have been, I thank you guys for being so upfront with us! *Changes password while writing this*


  9. Pingback: WordPress.com suffers hacker attack – how to change your password | Naked Security
  10. hallofrumors

    Almost every site has its challenges but like most individuals here I am truly grateful that there is a company dedicated to keeping others informed. Thanks for letting us know and hope things get worked out soon!


  11. redhawk500

    That’s what I love about you guys. Always open and upfront. I am not surprised by this given the situation in the world. Thanks for being so vigilant. With you all the way!


  12. kevinmorris101

    Thank you for your openness. I’ve been with you for 3 months now, and I am very impressed with the manner in which you keep me in the loop.


  13. Second Chance to Live

    Thank you for the heads-up.


  14. The Snickle

    Hey Matt,

    I have a wordpress.org site that was working perfectly yesterday, and today when I log in, all my information is completely gone. I cannot even edit or add any new posts to my blog; all my tabs, stats, and widget bars are missing, but my public site looks and operates normally. Was my site affected by this breach or is it an unrelated problem? I really appreciate you taking the time to respond to the posts on here. Thanks.


    • Matt

      That sounds unrelated — I would recommend contacting your host, and let us know if they’re unable to help you.


  15. Pingback: Online passwords: why don’t we have to change them periodically? « Champagne and Security
  16. The Snickle

    Thanks Matt, I opened a ticket with my host. Appreciate your quick reply.


  17. The Las Vegas Station

    Thanks for the update!


  18. CYN@CYNWORKS.COM

    tough times! thanks for the info. it is reassuring to know you’re paying attention to comments after the fact too.
    hopefully, this can result in some new fresh eyes on my blog! 😉


  19. Loup Kibiloki

    Thanks for transparency and keeping us informed, and for suggestions.


  20. allennz

    Thank you for keeping us informed. It also gave me the opportunity to install LastPass, which I had not heard of but which is an excellent product. Thank you


  21. salamandrine

    We would probably never even know it had happened. So, thank you for reassuring us this is the best place to be 🙂


  22. admin

    Funny, this happened the day I got the most hits I’ve ever gotten — like an absurd amount on a post about Chinese espionage via telecom infiltration.

    I also appreciate this breach being declared, but think members should receive an email as well.


  23. stylembe

    Would be great if you included the link in the email on where to change the password.


  24. katharinetrauger

    The drug we are on is called gratefulness. 🙂

    Although I really do not like the Internet, I really am glad I go there via WordPress. And although I really could not understand a word of the warning message, I am glad I could come here and realize I do not need to. Thanks for this discussion, and for welcoming our replies.

    I had planned to ask a question, today, when I got on, about a totally unrelated topic, but I think I will wait and let y’all catch up or whatever you have to do about this trouble. So will catch you later.


  25. Not A Breed

    Good for you guys for putting the information out there. From a Marketing and Communications standpoint, it’s better to be honest up front than to try to explain after it gets out. I’m happy to see that it looks like our personal information didn’t really get out. 😉


  26. outinfrontmarketing

    You are all doing a fine job. From what I can surmise, your organization could be one of the poster children for Eso-Merit Marketing. Excellent delivery of information with the intention of relationship. Well done.


  27. azi-ta

    Thanks for the heads up. Besides changing passwords any other steps you recommend taking?


  28. Chad Bronze

    I’m really scared for the safety of the blogs, but I appreciate that you let us know in advance. Let us know if there is anything else that we can do to protect our precious blogs! 😀


  29. rvincentp

    Many thanks for the notice. We hope you can fix the problem.


  30. Martini Maidens

    Thank you for the update. Honesty, promptly, is always appreciated!


  31. Scott LaPlant

    Thanks for letting us know Matt. Admire the transparency so much I’m signing up for a paid account.


  32. Paul D. Adams

    Thanks for this note. WP R-O-C-K-S! Shame (in the strongest sense of the term) on those who hacked. They have their reward in full.


  33. babolnart

    Just a thought. I’m thinking like a black hat. Have you tried to check if there was something inserted into your code? If I am going to risk being detected intruding on your server, I’m going to make sure that I will have information about your next move. I know you guys have efficient IT experience, but I just wanna throw my idea out there just in case.

    Thank you for informing us.


  34. Pastor Cathie Miller

    Thanks for the info!


  35. Piglet in Portugal

    That’s what I like about WordPress, your honesty. Sure you guys don’t want to run for President?


  36. wolfsrosebud

    Thanks so much.


  37. Roy Porter

    Thanks for being up front about the issue. You have earned my trust.

    I did notice that my post kept floating around – I don’t know if it had to do with the breach or my lousy skills.

    Since I’m not writing about national security or have a massive reader data base, I’m not too concerned and trust you’ll do the right things to prevent this break in stuff in the future!

    Keep up the good work,


  38. Pingback: Wordpress.com Hit Again: This Time Hacked
  39. xunixc

    Hello Matt. Have you considered that the logs of your servers may have been tampered with? With root access an intruder can erase all tracks.


  40. Disruptive Conversations

    WordPress.com Hacked – Time To Change Your Passwords – and the Positive Side of Transparency…

    In a blog post titled simply “Security Incident”, Matt Mullenweg stated: Automattic had a low-level (root) break-in to several of our servers, and potentially anything on those servers could have been revealed. and We presume our source code was expo…


  41. dixiedeano

    Just reiterating all above posts, thanks for update.


  42. annisik51

    “Automattic had a low-level (root) break-in to several of our servers, and potentially anything on those servers could have been revealed.

    We have been diligently reviewing logs and records about the break-in to determine the extent of the information exposed, and re-securing avenues used to gain access. We presume our source code was exposed and copied. While much of our code is Open Source, there are sensitive bits of our and our partners’ code. Beyond that, however, it appears information disclosed was limited.”

    I wonder how many WordPress users will understand much of the above? What is ‘Automattic’, for instance?

    It sounds perfectly horrifying for users. I hope WordPress will come up with information that’s understandable only by techies.

    Ann Isik


  43. Upasika

    Thanks for keeping us in the loop! WordPress is the best ! Better than any other blogging platform!


  44. aycaracha

    Is it possible to know or obtain a note in our blogs, from you people, with a specific warning that our pass or something else was stolen or an abusive access was carried out in our blogs….?


  45. DH-Shredder

    Thanks! I appreciate your time here commenting, and the clarification.


  46. trent

    I am not trying to get specific on detail, but just wondering something. Why do you think it was motivated for the source code on the servers and not the database information?


  47. The Writing Runner

    Crap happens. Thanks for being open and transparent about it. I wish other sites were!


  48. Dominik W

    Nearly a week ago someone pointed out a problem with our WP-hosted site (it returned 504 – http://bit.ly/g5fBOW).

    Was this the beginning of the incident?


  49. practicalradical

    Thank you for this. Can you tell us a simple way to back-up our site data? I am on a mac.


  50. Brian

    Did the attackers get the /etc/passwd file or the password database hashes? If so, then everyone should be a lot more concerned than whether or not attackers can get into your wordpress account. They’ll work on breaking the hashes with wordlists, rainbow tables or brute force and then start trying out the username/passwords on other web sites that you might use.


    • Matt

      For servers it doesn’t matter since all the passwords were changed anyway. As for the database it doesn’t look like it, but even if they did the hash and salt method we use for passwords would make them difficult to reverse.


  51. cbcburke9

    How bad is this?


  52. laura

    Thanks for letting us know. Another reason to love WordPress. ❤


  53. FLYNN

    Thank you Matt for the trusted assurance. Our utmost confidence is with you and team Automattic. Y’all get two smiley faces! 🙂 🙂


  54. leslieholt

    Thanks for the Security Incident post. Perhaps of interest to WordPress, in case you’re not already aware, are the subscriber notices issued by McKinsey Quarterly and Air Miles, both reporting similar security incidents (with their relative service providers), both just a little earlier this month, and both advising that the breach appears benign …


  55. sssip

    Thank you very much for this news update, Matt!


  56. B.Joe

    It may not be the case, but interestingly I am reading this just after Malaysiakini moved to WordPress.com when their servers were under attack in light of the Sarawak State Elections. See http://malaysiakinicom.wordpress.com/2011/04/13/malaysiakini-moves-to-new-site-goes-free-3/


  57. mishari

    Sorry to hear about it but thanks for the heads-up. WordPress has a lot to teach other on-line presences: always transparent, helpful, flexible and evolving. I love WordPress.


  58. My Camera, My Friend

    Thank you for letting us know.


  59. Pingback: WordPress.com suffers hacker attack » Itwasntme Blogs
  60. William

    I would like to know why morons would hack into WordPress. What advantages do they hope to gain? Are they after WP technical details or trying to get personal details off web sites? If the latter, they must be hard up for entertainment. Did this happen in the last 12 hrs? Keep up the great work. William


  61. korn1699

    Could passwords from twitter accounts linked to wordpress accounts be stolen or do I just have to worry about my wordpress password?


  62. Gabriel...

    “Our investigation into this matter is ongoing and will take time to complete.”

    Well of course, take your time, China is a fairly large place after all, so it’ll probably take less time if you concentrate on searching for your hacker in the coastal cities first.


  63. musingsbymarsh

    Thanks for letting us know!


  64. Tale of My Heart

    Thanks for the info.


  65. Sibilla

    Thanks for the info.


  66. therage3k

    It was the space aliens. I know they have been eyeballing Automattic for quite some time wondering how such advanced technology could possibly. You should feel honored they bent space-time to hack in and retrieve it.


  67. jolynproject

    Thanks for the update. I actually did get a bunch of spam comments this weekend and some of them made it through to pending section. I deleted them all. Is that a sign that my account was hacked? Nothing has changed on my site.


  68. hiddendisabilities

    Q = what can happen if someone has broken in? Does it mean there could be an identity theft problem?

    What will we see if someone has taken our info?


  69. shayna shenanigans

    I am brand new to blogging, only 2 days in haha. It makes me feel good that y’all are open about these types of things! The internet is a scary place because your info can go anywhere without you knowing!!


  70. Pingback: WordPress.com suffers hacker attack |
  71. drusillah

    I’m impressed that WordPress is so honest about this. It would have been very easy to try and hide it. Kudos!!!!!! That’s why I am a WordPress user 😀

    I do hope the passwords weren’t cracked though..


  72. sarahwendel

    Thank you for being honest!


  73. alrockey

    Thank you so much for sharing this information with us, especially so quickly after it occurred! It makes me question how safe the internet is. Certain websites are safer than others obviously, but WordPress is a site I use frequently and would have never expected an issue like this to occur. I plan to take your advice on the password suggestions. I know it sounds like common sense, but so many people use the same password or have a really weak one, so thanks for sharing. Keep up the blogging.


  74. yogadotin

    is it required to change password?


  75. moneymakingjus

    Thanks buddy!!!


  76. Dzulqarnain

    I thought it was not safe to change the password now while the problem is still unresolved.
    So I hope you’ll inform us when this problem has been solved.


  77. mjcache

    Thanks for being upfront and informing us. We have full faith in WordPress that all will be resolved.


  78. rawlinsview

    I cannot say that I am comfortable or that I feel this is a fully “transparent” statement. Do you believe that personal information was revealed? Are you recommending that we change passwords and email connections?

    I am doing sensitive political work with correspondents in the Middle East. I feel that I need more info.


  79. honorarynewfie

    Appreciate the warning, Matt.
    Even when the news isn’t so cheerful it’s still good to know that we’re dealing with honest, open people.


  80. twixraider

    Thanks for taking care of business and the users. Any idea what the intention was?


  81. shamballa9944

    I never cease to be impressed with how you guys handle these issues. It is exemplary!

    If every organization handled itself as WP does, the world would be in far better shape!!! TY


  82. Debbie Adams

    Thank you for promptly posting this.


  83. Pingback: WordPress.com Hackers Stole Sensitive Bits of Source Code | john_kaufman
  84. simplysensecents

    Thank you Matt! Did this affect self hosted blog accounts as well?


  85. stephsquared2010

    I’m new to WordPress and I appreciate this kind of “heads-up”. As much as I hate trying to remember several different (complicated) passwords, it’s getting more and more important to do so these days!


  86. Sandi Krawchenko Altner

    Thank you. I appreciate the disclosure because it reinforces my sense that there are decent and solid people behind WordPress. I did a lot of research before I launched my blog and am very happy I chose this company.


  87. Pingback: Security Incident (via WordPress.com News) « Spirit Lights The Way
  88. jeeshenlee

    Thank you for the transparency!


  89. Jan

    Thanks for informing the users, crap happens. I got spam to the email address I use here on 13 Apr 2011 18:26:53 -0000, offering “Rayon PCIe Serial Cards” from Acceed in German. May be pure coincidence; spam on that address is very rare but does happen (like once every few weeks).


    • MK

      Most likely pure coincidence – there’s a lot of spam out there. 😉 Feel free to drop us a line if you have any questions.


  90. Anne

    Appreciate the initiative to let us know even if (so far) users don’t experience anything strange (yet)! Will change passwords now… Not that they’d be interested in my blog anyway but if they will be trying to make a statement (and just gathering force now), then it’s time to secure our blogs.


  91. bridalswag

    I have suddenly been receiving mail from blogs to which I never subscribed. Could this be related?
    Thanks!


  92. darelparker

    I really believe that the true measure of an organization occurs not when they are at their best, but rather when they are at their worst. That is when you see real leadership. That is when you see people making tough decisions and going that extra mile to make things right.

    Thank you Matt, and the rest of the Automattic team. We really do appreciate all your hard work. We know you’ve got it covered.


  93. born2canaancathaven

    Thanks for the heads-up. Hope who ever it was got an earful! Any idea what they were actually after? I know there is a concentrated attack on emails in general going on at the moment, looks like a random-sort program kicking up short alphanumerics, repeating for their passwords, then shooting some very unpleasant spam to their contact lists. Any chance these guys were shopping for a “mailing list”?

    (btw, “WordPress passwords are hashed and salted using phpass.” – sounds delicious!)


    • MK

      The activity appears to have been largely exploratory, and not targeted at a specific area. We’re still investigating.


  94. Larry Arbuckle

    Thanks Matt! “Go Get em” and thanks to WordPress for making me look good!


  95. Budi Rahardjo

    Thanks for the (open) news. The most important thing is to react/recover quickly. Hopefully it doesn’t happen again.


  96. Kelly Booth

    Thank you for the honesty! I have been meaning to change passwords so I just did that for a bunch of things.


  97. Pingback: Wordpress.com hacked | Daniel Hood
  98. illutionz

    Appreciate the announcement.


  99. Pingback: Oops! Apparently Wordpress was hacked « The Heretical Philosopher