WordPress suffered a “root-level” security breach this week that left key elements of the blogging platform’s source code exposed.
The platform hosts over 19 thousand blogs worldwide, with over 300 posts made a minute, so the attack has the potential to fuel malware attacks from sites using the WordPress platform.
“Automattic (WordPress parent company – Ed.) had a low-level (root) break-in to several of our servers, and potentially anything on those servers could have been revealed,” said founder Matt Mullenweg on the WordPress security blog.
“We have been diligently reviewing logs and records about the break-in to determine the extent of the information exposed, and re-securing avenues used to gain access. We presume our source code was exposed and copied. While much of our code is Open Source, there are sensitive bits of our and our partners’ code. Beyond that, however, it appears information disclosed was limited,” the post continued.
However, security experts have praised the measures taken by WordPress to protect their users’ sensitive information, insisting that the attack could have had far worse consequences had the blogging platform not been so well prepared.
“Although the hackers would have been able to download much of the source code on the servers, possibly including custom-developed code of premium clients of the company, WordPress appears to have followed best practice and encrypted the password files, as well as private information such as credit card details,” said Phil Lieberman, president of the identity management specialist Lieberman Software.
“Media reports over the last day or so have played up the hack as if it is the end of the world for the blogging industry, when it plainly isn’t. By encrypting user credentials and associated data, WordPress has followed the advice of the IT security professionals,” he added.
WordPress is urging users to choose a strong password for the site, and never to reuse the same password across multiple log-in portals.