WordPress hosts WP Engine discovered the breach earlier this week. It contacted customers immediately and urged them to change passwords. Federal law enforcement have been notified and a “leading cyber security firm” employed to help with the investigation.
The company later force reset the WP Engine User Portal, WordPress database, SFTP, WordPress admin and protected install passwords of 30,000 customers. WP Engine says the action was taken “out of an abundance of caution” and there is currently no indication that the data was used “inappropriately.”
Details on the nature of the breach remain scarce. The company admits its customers may be “frustrated” at the lack of information but warns it is limited in what it can reveal because its ongoing investigation involves law enforcement.
WP Engine says it is now “proactively” completing a security audit of its systems and increasing the protection used on customer accounts. Affected users have been emailed advice on how to reset their passwords and regain access to their WordPress sites.
WordPress began life as a simple content management system (CMS), a tool used by website administrators to create and edit pages of content. Since its early beginnings, it has evolved to become the single largest CMS in use, powering millions of websites but invisible to most users.
It has also become a popular personal blogging platform on WordPress.com, a service that provides hosted WordPress installs so anyone can make their own website in minutes and manage it online. The platform has been hit by security breaches and zero-day exploits several times before in the past though, in part because its huge user base makes it a lucrative target for hackers.
WP Engine’s investigation into this week’s breach is continuing. The company has not said when it expects to be able to provide new details but invites users to contact its support team with any questions they may have.
All customers will need to reset their passwords before signing back into their account. It is recommended that the password of other online services should also be changed if logged in with the same credentials as those used for WP Engine.
