WP Engine Identifies Cloud Infrastructure Provider as Entry Point for Recent Security Breach


On December 9th, 2015, WP Engine sent out an urgent notice to its customers regarding a security breach wherein customer credentials were exposed. This incident prompted an investigation, which is now complete.

According to the most recent and final update, investigators determined that the security exposure came through one of the host’s cloud infrastructure providers. Customer credentials were exposed on December 4th and detected by WP Engine on December 9th. At that point customers were notified, the investigation was launched, and customer credentials were reset as a security precaution.

“WP Engine was attacked by an external criminal whose point of entry came through one of our cloud infrastructure providers,” founder and CTO Jason Cohen told the Tavern.

“An investigation by our own security team and independent security experts revealed the attacker bypassed multiple layers of authentication and gained unauthorized access to an administrative panel provided by this infrastructure provider. The criminal’s behavior in this exposure matches a pattern seen in other attacks throughout 2015,” he said.

When news of the breach was first published customers expressed frustration about the host’s lack of two-factor authentication. However, Cohen said that 2FA would not have made an impact for those affected by the recent security breach.

“Because the point of entry wasn’t one of our systems, 2FA would not have prevented this event,” he said. “That said, 2FA is a best-practice, and so we do have plans to roll out 2FA in our User Portal in early 2016.

“We also recommend that our customers enable 2FA for their WordPress site using one of the following recommended plugins: Google Authenticator or Clef, or use an external authentication system such as Google OAuth,” Cohen said.

WP Engine contacted the companies that were directly impacted by the attacker and implemented a plan to ensure their security. The independent investigation is now complete, but WP Engine continues to work with law enforcement authorities who are conducting a criminal investigation.

There are 26 comments

Comments are closed.