Hackers Breach WordPress Source Code

Bob Styran, IT audit expert
April 14, 2011

In yet another compromise of the servers of the blogging platform WordPress, founding developer Matt Mullenweg disclosed Wednesday that its source code has been breached.

The compromise comes more than a month after WordPress suffered a massive distributed denial of service attack at “multiple Gigabits per second and tens of millions of packets per second,” which it considered the largest attack it had ever faced.

Mullenweg wrote in an official blog post warning customers that its servers had suffered a low-level root break-in, potentially exposing anything stored on those servers.

The compromise of the WordPress source code may not be on par with the hack that hit the email service provider Epsilon early last week, in which an unauthorized intrusion into its email system exposed a database containing personally identifiable information.

The database contained at least the email addresses of customers of Epsilon’s clients such as Barclaycard, Citigroup, Disney, JP Morgan Chase, hotel chain Marriott, bookseller AbeBooks, and sports apparel dealer Lacoste.

But however limited Automattic (owner of WordPress.org) presumed the reach of the source code compromise to be, Mullenweg has advised bloggers using the WordPress platform to change their passwords as soon as possible.

“While much of our code is open source, there are sensitive bits of our and our partners’ code. Beyond that, however, it appears information disclosed was limited,” he wrote.

Graham Cluley, a senior technology consultant at Sophos, wrote in a blog post that “it would be more sensible for WordPress bloggers” to change their passwords if they felt the passwords were no longer secure.

Cluley wrote that “many internet users have chosen to use the same password on multiple websites” which could lead to an extended compromise once one website is hacked.

“If your password was stolen from one website, it could then be used to unlock many other online accounts – and potentially cause a bigger problem for you,” he said, advising readers to always use unique passwords.

He added that the source code compromise could only affect blogs hosted on WordPress.org, not sites that chose to self-host their blogs using the WordPress software.

Meanwhile, Automattic has started reviewing “logs and records about the break-in to determine the extent of the information exposed, and re-securing avenues used to gain access,” according to Mullenweg.

Automattic also assured WordPress users that it was unlikely their passwords had been stolen along with the source code, adding that even if they had been, the attackers would have difficulty using them, since Automattic stores passwords in hashed form, which is hard to reverse.


1 Comment for “Hackers Breach WordPress Source Code”

  1. I think only wordpress.com hosted blogs will be affected. This is becoming a serious issue for WordPress users. Every week some malicious attack is exploiting WordPress.
