WordPress Admits Hackers Stole Source Code

There were red faces at WordPress.com after a hacker gained access to multiple servers, and stole the source code that powers the blogs for its VIP customers, including the likes of CNN, CBS, and Flickr.

This attack follows a distributed-denial-of-service attack that knocked WP offline last month.

The “low-level” break-in on several WordPress.com servers gave the attacker the highest level of access to all of the information stored on the systems, Matt Mullenweg, founder of Automattic, wrote on the WordPress.com corporate blog on 13 April. The root-level attack may have the biggest impact on the VIP customers because the source code for VIP customers was exposed.

Sensitive Source Code

Most of the code that powers the WordPress blogging platform is open source. However, there are “sensitive bits of our and our partners’ code,” on WordPress.com that may have been exposed and copied, Mullenweg said.

“Tough note to communicate today,” Mullenweg wrote.

Mullenweg did not say which of the VIP sites were affected, but said, “The information disclosed was limited.”

TechCrunch is a VIP customer and the site reported that VIP customers “are all on ‘code red’” as the company investigates the incident. Automattic is currently in the process of changing all the passwords and API keys that were in the source code.

It seemed unlikely that personally identifiable user information was exposed, but Automattic has yet to complete its investigation. However, TechCrunch noted that as the site source code includes API keys and passwords for Twitter and Facebook, the attacker can potentially gain access to sensitive information and shut WordPress.com customers out of their social-networking sites.
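Rotating every password and API key that lived in the stolen source, as Automattic is doing, starts with an inventory of where such literals are hard-coded. The scanner below is an added example, not Automattic's or WordPress's code; the credential-name list, the sample files and the keys in them are constructed assumptions.

```python
import re
from typing import NamedTuple

# Identifier fragments that usually name a credential (assumption; extend to taste).
NAMES = "password|passwd|secret|api_key|apikey|token"
PATTERNS = [
    # name = "value"   name: "value"   'name' => 'value'
    re.compile(r"""['"]?(?P<name>\w*(?:%s)\w*)['"]?\s*(?:=>|=|:)\s*['"](?P<value>[^'"\s]{8,})['"]""" % NAMES, re.I),
    # PHP define('NAME', 'value')
    re.compile(r"""define\(\s*['"](?P<name>\w*(?:%s)\w*)['"]\s*,\s*['"](?P<value>[^'"\s]{8,})['"]""" % NAMES, re.I),
]

class Finding(NamedTuple):
    path: str
    line: int
    name: str
    redacted: str  # all but the last 4 characters masked: enough to match a key during rotation

def is_placeholder(value: str) -> bool:
    # Templated values filled in at deploy time are not secrets.
    return value[0] in "${<" or value.lower() in ("changeme", "xxxxxxxx")

def scan_text(path: str, text: str) -> list[Finding]:
    """Report every credential-looking string literal in one file's text."""
    found = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for pat in PATTERNS:
            for m in pat.finditer(line):
                value = m.group("value")
                if not is_placeholder(value):
                    found.append(Finding(path, lineno, m.group("name"), "*" * (len(value) - 4) + value[-4:]))
    return found

def rotation_inventory(files: dict[str, str]) -> dict[str, list[str]]:
    """Credential name -> every path:line it is hard-coded at; rotate each once, then remove it everywhere."""
    inventory: dict[str, list[str]] = {}
    for path, text in files.items():
        for f in scan_text(path, text):
            inventory.setdefault(f.name, []).append(f"{f.path}:{f.line}")
    return inventory

# Constructed sample tree standing in for a VIP theme/plugin checkout (not real code or keys).
SAMPLE_FILES = {
    "vip/social-share.php": "<?php\n"
        "define('TWITTER_CONSUMER_SECRET', 'k7Jd9Qw2xP0LmN4rT8vB1cZ6yH3uE5sA');\n"
        "$fb = array('app_id' => '123456', 'app_secret' => 'f4c3b00k5ecr3tV4lu3Xyz');\n"
        "$db_password = getenv('DB_PASSWORD');  // read from the environment: not flagged\n",
    "vip/config.py": 'TWITTER_API_KEY = "aB3dE6fG9hJ2kL5mN8pQ"\n'
        "SMTP_PASSWORD = '${SMTP_PASSWORD}'  # deploy-time placeholder: not flagged\n",
}
```

Running `rotation_inventory(SAMPLE_FILES)` yields the three credentials to rotate and every location to move into environment or a secrets store afterwards.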

The company is reviewing its data logs to determine the extent of the breach and what was stolen and patching security holes to “prevent an incident like this from occurring again.”

“Our investigation into this matter is ongoing and will take time to complete,” Mullenweg wrote.

Audits Recommended

When remediating these incidents, it’s critical that system administrators perform a full security audit, Josh Shaul, CTO of Application Security, told eWEEK. If the administrator is just closing the specific hole that the attackers used, it’s possible the attackers “just got locked inside with you,” Shaul said.

There is no way to know whether or not the attacker created other backdoor mechanisms or discovered other vulnerabilities during the time it was in the network. If the administrator does not perform a full security audit, even if the actual attack path had been closed off, the hackers have the inside knowledge to get back in, Shaul said.

Mullenweg suggested that WordPress customers make sure they are using strong passwords, and that they aren’t reusing them across multiple sites. He also suggested using password managers like LastPass or KeePass to make it easier to track complicated passwords.

Attackers also broke into WordPress in 2009 by exploiting a security vulnerability to create new “hidden” administrator accounts. The site was also hit by an “extremely large” distributed-denial-of-service attack on 3 March, making it nearly impossible to access blogs hosted on the platform for about two hours.

WordPress users hosting the software on their own servers are not affected by this breach.

Fahmida Y Rashid eWEEK USA 2014. Ziff Davis Enterprise Inc. All Rights Reserved.
