WordPress Admits Hackers Stole Source Code

There were red faces at WordPress.com after a hacker gained access to multiple servers, and stole the source code that powers the blogs for its VIP customers, including the likes of CNN, CBS, and Flickr.

This attack follows a distributed-denial-of-service attack that knocked WordPress.com offline last month.

The “low-level” break-in on several WordPress.com servers gave the attacker the highest level of access to all of the information stored on the systems, Matt Mullenweg, founder of Automattic, wrote on the WordPress.com corporate blog on 13 April. The root-level attack may have the biggest impact on the VIP customers because the source code for VIP customers was exposed.

Sensitive Source Code

Most of the code that powers the WordPress blogging platform is open source. However, there are “sensitive bits of our and our partners’ code,” on WordPress.com that may have been exposed and copied, Mullenweg said.

“Tough note to communicate today,” Mullenweg wrote.

Mullenweg did not say which of the VIP sites were affected, but said, “The information disclosed was limited.”

TechCrunch is a VIP customer and the site reported that VIP customers “are all on ‘code red’” as the company investigates the incident. Automattic is currently in the process of changing all the passwords and API keys that were in the source code.

It seemed unlikely that personally identifiable user information was exposed, but Automattic has yet to complete its investigation. However, TechCrunch noted that as the site source code includes API keys and passwords for Twitter and Facebook, the attacker can potentially gain access to sensitive information and shut WordPress.com customers out of their social-networking sites.
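The risk TechCrunch describes above comes from credentials (third-party API keys and passwords) living inside the source tree, so that whoever copies the code also copies the secrets and every one of them has to be rotated. As an added example, not code from the article or from Automattic, here is a small Python scanner that walks a source tree, flags assignments and PHP `define()` calls whose variable name looks credential-like, and reports only a masked value so the report itself cannot re-leak a secret. The file layout, variable names and values below are constructed placeholders; the regular expressions are deliberately minimal (quoted values only) and are an assumption of this example, not a substitute for a dedicated secrets scanner.

```python
"""Added example: minimal hardcoded-credential scanner for a source tree (constructed, not Automattic's code)."""
import re
import tempfile
from pathlib import Path

# Variable names that commonly hold credentials, followed by a quoted value.
# Constructed patterns: quoted values only, no entropy analysis.
NAME = r"(\w*(?:password|passwd|pwd|secret|api[_-]?key|consumer[_-]?key|access[_-]?token)\w*)"
VALUE = r"""['"]([^'"\s]{8,})['"]"""
PATTERNS = [
    # $facebook_app_secret = '...';   twitterApiKey: "..."   api_key => '...'
    ("assignment", re.compile(rf"(?i)\$?{NAME}\s*(?:=>|[:=])\s*{VALUE}")),
    # define('TWITTER_CONSUMER_KEY', '...');
    ("php_define", re.compile(rf"""(?i)define\(\s*['"]{NAME}['"]\s*,\s*{VALUE}""")),
]

# Only files likely to contain application configuration are scanned.
SOURCE_SUFFIXES = {".php", ".py", ".js", ".ini", ".env", ".json", ".yml", ".yaml"}


def mask(value):
    """Keep only the first and last two characters so the report never repeats the secret."""
    if len(value) <= 4:
        return "*" * len(value)
    return value[:2] + "*" * (len(value) - 4) + value[-2:]


def scan_text(text, path="<memory>"):
    """Return findings as (path, line_no, kind, variable_name, masked_value)."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS:
            for match in pattern.finditer(line):
                name, value = match.group(1), match.group(2)
                findings.append((str(path), line_no, kind, name, mask(value)))
    return findings


def scan_tree(root):
    """Scan every file with a source-like suffix under root, in deterministic order."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in SOURCE_SUFFIXES:
            try:
                text = path.read_text(encoding="utf-8", errors="replace")
            except OSError:
                continue  # unreadable file: skip rather than abort the audit
            findings.extend(scan_text(text, path.relative_to(root)))
    return findings


def build_sample_tree(root):
    """Constructed sample files; every value here is a placeholder, not a real credential."""
    root = Path(root)
    (root / "config").mkdir()
    (root / "config" / "social.php").write_text(
        "<?php\n"
        "define('TWITTER_CONSUMER_KEY', 'EXAMPLEconsumerKEY0123456789');\n"
        "$facebook_app_secret = 'EXAMPLEfacebooksecret';\n"
        "$db_host = 'localhost';\n"
    )
    (root / "app.js").write_text(
        'const cfg = { twitterApiKey: "EXAMPLEtwitterKEY9876543210" };\n'
    )
    # Markdown is not a source suffix, so this line is intentionally ignored.
    (root / "README.md").write_text("password = 'notscanned_because_markdown'\n")
    return root


def run_demo():
    """Build the constructed tree in a temp dir, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_tree(build_sample_tree(tmp))


if __name__ == "__main__":
    for path, line_no, kind, name, masked in run_demo():
        print(f"{path}:{line_no}: {kind} {name} = {masked}  -> rotate, then move out of source")
```

Each finding is a credential that must be rotated once the tree is known to have been copied, and the same list doubles as the inventory of secrets that belong in a configuration store or environment outside version control rather than in the code.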

The company is reviewing its data logs to determine the extent of the breach and what was stolen and patching security holes to “prevent an incident like this from occurring again.”

“Our investigation into this matter is ongoing and will take time to complete,” Mullenweg wrote.

Audits Recommended

When remediating these incidents, it’s critical that system administrators perform a full security audit, Josh Shaul, CTO of Application Security, told eWEEK. If the administrator is just closing the specific hole that the attackers used, it’s possible the attackers “just got locked inside with you,” Shaul said.

There is no way to know whether or not the attacker created other backdoor mechanisms or discovered other vulnerabilities during the time they were in the network. If the administrator does not perform a full security audit, then even if the original attack path has been closed off, the hackers have the inside knowledge to get back in, Shaul said.

Mullenweg suggested that WordPress customers make sure they are using strong passwords, and that they aren’t reusing them across multiple sites. He also suggested using password managers like LastPass or KeePass to make it easier to track complicated passwords.

Attackers also broke into WordPress in 2009 by exploiting a security vulnerability to create new “hidden” administrator accounts. The site was also hit by an “extremely large” distributed-denial-of-service attack on 3 March, making it nearly impossible to access blogs hosted on the platform for about two hours.

WordPress users hosting the software on their own servers are not affected by this breach.

Fahmida Y Rashid eWEEK USA 2014. Ziff Davis Enterprise Inc. All Rights Reserved.
