WP Engine Security Breach: Customer Credentials Exposed

wp-engine

WP Engine customers received an urgent notification in their inboxes Wednesday evening regarding a security breach.

At WP Engine we are committed to providing robust security. We are writing today to let you know that we learned of an exposure involving some of our customers’ credentials. Out of an abundance of caution, we are proactively taking security measures across our entire customer base.

WP Engine currently has no evidence that customer information was used inappropriately but has invalidated customer passwords as a precaution. The following five passwords associated with customer accounts will have to be reset:

  • WP Engine User Portal
  • WordPress Database
  • SFTP
  • Original WP-Admin Account
  • Password Protected Installs and Transferable Installs

The notice states that WP Engine is taking immediate action on their end but does not include any details. The company apologized for the inconvenience of having to invalidate all customer passwords.

Customers took to Twitter to express frustration and bemoaned the host’s lack of two-factor authentication.

Representatives from WP Engine were not able to comment on the situation beyond the official notice that was posted. The company will update customers as soon as the security team learns more from their ongoing investigation. If you are a customer or have clients who host with WP Engine, you will need to reset all your passwords according to the instructions at the bottom of notice.

30 Comments


  1. I have extreme understanding this is the worst case scenario for any host, and I imagine more information will be forthcoming.

    But agh, I’m not looking forward to the clients we put on WP Engine to avoid something like this and explain this tactfully without more details and some repurcutions.

    Report


  2. There goes an hour of my day resetting passwords on client accounts. A non-billed hour.

    Report


  3. Not that I support managed hosting companies. Nothing against WPEngine but I like to manage my own thing…couldn’t you…

    Install 2-factor authentication?

    Simply reset all passwords and sending them an e-mail with their new passwords?

    I am sure you can do in WordPress, click a reset button, and automatically triggering an e-mail to the client, that includes a link so clients can click and set their own password.

    I know when I reset my Google password, I can’t use a previously used password.

    Report


    1. Resetting the WordPress database password would break the site as the wp-config.php file would also have to be updated. As this file can be in two possible locations and the site maintainer may have some non-standard setup, it would be difficult for the hosting company to automate this change.

      Report


      1. From what I’ve been told by them, they changed all the Database Passwords and updated the wp-config.php accordingly.

        It is causing some issues with accessing phpMyAdmin from the WP Engine Dashboard, which is unfortunate as I was going to reset WP Admin passwords that way.

        Report


    2. Yes, I agree. I dislike being controlled. It’s basically like WordPress.com.

      Report


  4. I prefer to use a vanilla v-host rather than a high profile wp hosting service. They may not add WP value, but they don’t take away value either.They do their job – host.

    Report


  5. Had a chat with them tonight – they are working overtime over there with the live chat! It’s usually closed at 8pm CST. The person I spoke with said nothing was compromised but they want everyone to change passwords as a security precaution.

    I literally was up all night transferring / launching a site for a client on their service. Hope this doesn’t happen very often.

    Report


    1. This is the first time in my experience, which granted is only one year. Besides that WP Engine has been nothing but good and secure.

      A minor annoyance compared to alternative.

      Report


  6. As someone that has hosted with WP Engine since early 2012 I’m still coming out ahead. The day our agency moved all sites there was the day we stopped dealing with hacks and security issues. We used to spend a chunk of every month cleaning up one site or another. It was awful.

    I see resetting a bunch of passwords as no problem at all when compared to the work they have saved us over the years.

    Keep up the good work WPE. Sorry you’re going to have a crappy couple of days. You’ll be that much stronger on the other side.

    Report


    1. The day our agency moved all sites there was the day we stopped dealing with hacks and security issues.

      Until this week.

      Report


      1. Ha! That’s right. Four blissful years of not dealing with this stuff. And the extra bonus: when something did go wrong, who is left cleaning up the mess? Not me. I just have to do a pw reset next time I want to log into x, y, or z. My customers weren’t that bothered to have to do the same. 

        Maybe some larger fallout will be coming down the line. For now though WPE is handling it like champs.

        Report


    2. Agreed – WP Engine put an end to years of hacked sites and embarrassing client interactions (why does Google say my site isn’t safe??).

      Add to that the SWEET staging platform and live chat support and this little kerfuffle is minor.

      In fact, the way WPE got out in front of this reminds me of how BAD some other hosts are about communicating with their customers.

      I’ve had big named hosts do things like change PHP versions, move servers, change IP addresses, and never say a word about it until hours were spent with tech support telling me I’m crazy.

      I’m not saying my experience with WPE has been perfect, but compared to the old days it’s been pretty damned good.

      Report


  7. Someone from Lithuania kept on trying to hack my site every day. I heard about the breach several hours ago (I live in NY). I changed my email passwords and my blog’s passwords this morning.

    Report


  8. I’m still a happy customer :)

    I got a message yesterday from wpengine telling me that this was going on. How nice to have a compagny that doesn’t try to arrange problems like this behind closed doors.

    Even our trusted banks have security issues and once in a while they are closed for hours caused by attacks or other technical problems.

    WPengine takes away a lot of technical stress and they have a perfect helpdesk and chat aswell!

    Report


  9. Shit happens. WPEngine owned it. Took action and notified customers. Perfect example of an honest transparent execution of putting customers first even if it means inconveniencing customers. Well done WPEngine – I have even more respect for you now then I already had before. Whether or not an actual security breach occurred is secondary to the possibility that a security breach did occur – to assume that the worst possible case scenario has occurred is always going to be the safest approach to take.

    Report


    1. Yep, going to cost them a lot of negative fallout in the short term, but in the long term I believe it will gain them even more respect. ;)

      Report


  10. At GEMServers we partnered with Launchkey to provide passwordless authentication for WordPress. Can’t steal passwords that don’t exist. It is a truly awesome security technology. Launchkey also has great 2FA for those who prefer that.

    We agree with their founders that moving beyond traditional passwords is a necessity. I’d encourage other hosting providers to do the same.

    Report


  11. I’ve been hosting with WPE for 3 years and have about 85 sites on there. While this is a huge inconvenience to reset all of these passwords, I have yet to have one client request yet that their SFTP login isn’t working. I either maintain the intial WP login user or deleted it long ago and use my own login regardless… and any of my clients that have their own user login to the customer area also received that email.

    I say, “well done!” It was worst-case to reset all of those but they also mitigated any danger by doing so. I’m ever-more impressed with how they handle things in a managed setting’s expectations.

    Report


    1. I’ll reserve judgement once, if, we learn causation. Understanding cause and correction is most important.

      Report


  12. I think that certain high-profile hosts in the WP community are high-value targets for hackers… for the bragging rights if nothing else. I sometimes wonder if it is better to host with some small, unknown, low-profile datacenter who have good security but who are not ‘out there’ all the time talking about how good their security is.

    Report


    1. That is what I do, I host all my websites (except 3) with a small local hosting/domain registrar company.

      The other 3 are with GoDaddy (the domains), their DNS servers point to the local hosting company. The local hosting company doesn’t do .co & .me domains and I wanted a domain hack.

      Report


  13. Security will always be a problem on-line. It just goes with the territory Even as a relatively small local business that does not store any customers details on line we have taken a lot of steps to stop the site being hacked including two step authentication.

    Without any customers detailed being stored online the only thing they can really do is to take over the wording and appearance of the site. So it is checked everyday. One of our local competitors did have their site hacked we have been lucky so far but statistically sometime in the next thousand years someone will try and succeed.

    All we can do in the meantime is do what we can to stop it happening and prepare backups etc for if it does.

    Report


  14. I like the fresh feeling of a new password now and then anyway. In fact, a service to change my passwords automatically sounds like a good idea. Until that service gets hacked…

    Report


  15. WOW so much false sense of security in the comments. I guess there is bliss in ignorance, if you don’t know how the security works you don’t know how much it sucks (which always might be – not at all, but that needs to be proven first)

    The need to reset database and SFTP passwords indicates that there is a non zero possibility that the attacker got access to the DB, and if that happened then no password reset will help at all as he could have created for himself an admin user to be used much later.

    The only way to securely recover from a security breach is to return to a backup from before it happened. Any other way and you are just assuming that you have found all the backdoors which were installed in the breach.

    Report


    1. Thanks for this. I am not a WP Engine customer. But, if I were, I’d want to see a proper risk assessment, and then an explanation of how and why the measures taken are supposed to address those risks.

      Until that’s provided, the only thing that WPE’s good PR should lead to is the suspension of judgment.

      Report


  16. Woah…They Charge So Much from their Customers and Force them to Forget Caching Plugins + So many other Dumb Rules & they Can’t even Manage to Protect their Customers Credentials?
    Shame on them!

    Report


    1. They don’t allow caching plugins because they have their own caching technology. The rule prevents conflict issues.

      Report


  17. Well, good to see the fast reaction time. I was going to move a site to WPengine today. Funny timing.

    Report

Comments are closed.