Several servers that support WordPress have been compromised recently, and the attackers may have obtained source code, according to ComputerWorld. Automattic has been reviewing log records to determine how much information was exposed and re-evaluating “avenues to gain access.” They are investigating under the assumption that the source code was exposed and copied. “While much of our code is open source, there are sensitive bits of our, and our partners’ code. Beyond that, however, it appears information disclosed was limited.” This follows a recent Denial of Service attack on WordPress.
The company has no specific advice for WordPress users besides using strong passwords and not using the same password for multiple sites. Good advice, and I strongly suggest that bloggers and subscribers using WordPress blogs change their passwords now as a precaution, and take the time to change the password on any other sites where they used the same one to something different as well. It may seem a nuisance because the target appears to be source code; however, this has not been confirmed to be the only or even primary objective. In the comment section of the WordPress blog post, a user asked whether WordPress stores passwords in plain text or stores hashes of passwords, and it was confirmed that WordPress uses the Portable PHP password hashing framework.
I am interested in this particular breach as I use WordPress to host my blog. I will be paying attention to any and all developments regarding this investigation and incident. I will be very interested in the root cause and the corrective actions taken.
The investigation is ongoing and will take time to complete, and Automattic has taken “comprehensive steps to prevent an incident like this from occurring again.”