WP Engine, the WordPress managed hosting solution set up by WordPress itself to help WordPress users, has had its security breached in a cyber-attack that has exposed customer credentials.

WP Engine became aware of the breach on the 9th of December and quickly moved to contact all of its customers directly. It also released a statement on its blog:

“We are writing today to let you know that we learned of an exposure involving some of our customers’ credentials. Out of an abundance of caution, we are proactively taking security measures across our entire customer base.”

No evidence has yet been found that customer information has been compromised or used for nefarious purposes. WP Engine nevertheless decided not to take any chances: acting with ‘an abundance of caution,’ it has taken the precautionary step of voiding all passwords associated with customer accounts.

WP Engine also stated that they had begun an immediate investigation and had also ‘engaged a leading cyber security firm to help our Security Team investigate the exposure.’ A federal law enforcement agency is also said to have become involved, at the behest of WP Engine itself.

It is not yet clear who the actors are behind the hack, or quite how they managed to gain access to WP Engine files, but the breach is thought to have severely embarrassed executives at WP Engine, especially given the fact that they provide “hosting for mission critical sites”.

That said, there can be no denying that WP Engine has responded proactively to the security breach, and it has been credited for the openness and speed of its response. WP Engine’s support team were said to be working overtime to help customers.

That said, WP Engine users were quick to vent their frustrations on social media forums such as Twitter.

WP Engine CEO Heather J Brunner also posted a statement responding to the criticisms, in which she said she had been personally involved in every stage of the company’s response:

“Please allow me to express my deepest apologies for the frustration caused by the exposure involving customer credentials. I recognize the concern this news causes. When we became aware of the exposure, we committed all company resources, globally, to take action. In addition to our own investigation, we have also engaged with third party security experts and federal law enforcement.”

According to WP Engine itself, all of its clients have now been informed of the need to update all their passwords and have been given instructions on how to do so. Customers who have not yet updated their password credentials have been strongly urged to do so, as they will be unable to access any of their WordPress site information until they have. The five passwords that must be changed are:

  • WP Engine User Portal
  • SFTP
  • Original WP-Admin Account
  • WordPress Database
  • Password Protected Installs and Transferable Installs