Blogging platform WordPress has revealed that a hack left partners' source code exposed.
Automattic, the company that maintains the WordPress platform, said that hackers gained root access to its servers and breached sensitive code belonging to both the company and its partners.
Writing in a blog post, Automattic's founder Matt Mullenweg admitted that the company had experienced a low-level (root) break-in to several of its servers and potentially anything on those servers could have been revealed.
He said: “We have been diligently reviewing logs and records about the break-in to determine the extent of the information exposed and re-securing avenues used to gain access. We presume our source code was exposed and copied.
“While much of our code is open source, there are sensitive bits of our and our partners' code. Beyond that however, it appears information disclosed was limited.
Based on what we've found, we don't have any specific suggestions for our users beyond reiterating these security fundamentals: use a strong password, meaning something random with numbers and punctuation; use different passwords for different sites, if you have used the same password on different sites, switch it to something more secure.”
He concluded by saying that an investigation into the matter is ongoing and the company has taken comprehensive steps to prevent an incident such as this from occurring again.
Graham Cluley, senior technology consultant at Sophos, who use the WordPress platform for its Naked Security blog site, said that it was worth pointing out that the security incident only potentially affects blogs posted on WordPress.com, not sites which have decided to self-host their own WordPress blog using the software from WordPress.org, but it was sensible to follow the password advice.
Cluley said: “We don't know that the WordPress.com security breach gave the hackers access to bloggers' passwords, but we do know that many internet users have chosen to use the same password on multiple websites. So if your password was stolen from one website, it could then be used to unlock many other online accounts and potentially cause a bigger problem for you. So always use unique passwords.
“Even though your WordPress password may not have been compromised, it still makes sense and is good practice to make sure that you have chosen a good, strong password now.”
Last month, Automattic was hit by a large distributed denial-of-service (DDoS) attack that impacted all three of its data centres in Chicago, San Antonio and Dallas. WordPress was also compromised a year ago when a setting was modified that redirected visitors to a malicious website.