30 Comments

  1. Ronald Huereca

    I have extreme understanding this is the worst case scenario for any host, and I imagine more information will be forthcoming.

    But agh, I’m not looking forward to the clients we put on WP Engine to avoid something like this and explain this tactfully without more details and some repercussions.


  2. Michael

    There goes an hour of my day resetting passwords on client accounts. A non-billed hour.


  3. Miroslav Glavic

    Not that I support managed hosting companies. Nothing against WPEngine but I like to manage my own thing…couldn’t you…

    Install 2-factor authentication?

    Simply reset all passwords and send them an e-mail with their new passwords?

    I am sure you can do in WordPress, click a reset button, and automatically trigger an e-mail to the client, that includes a link so clients can click and set their own password.

    I know when I reset my Google password, I can’t use a previously used password.


    • Damien Carbery

      Resetting the WordPress database password would break the site as the wp-config.php file would also have to be updated. As this file can be in two possible locations and the site maintainer may have some non-standard setup, it would be difficult for the hosting company to automate this change.


      • Eric Defore

        From what I’ve been told by them, they changed all the Database Passwords and updated the wp-config.php accordingly.

        It is causing some issues with accessing phpMyAdmin from the WP Engine Dashboard, which is unfortunate as I was going to reset WP Admin passwords that way.

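        The point raised in this thread (rotating the database password means wp-config.php must be rewritten too, and the file may live in the document root or one directory above it) can be made concrete with the following added example. It is not code from WP Engine or from anyone in the thread; the sample wp-config.php fragment is constructed, and the helper names are my own. It refuses to touch a file that does not contain exactly one `DB_PASSWORD` define, which is the "non-standard setup" case the comment warns about.

```python
import re
from pathlib import Path
from typing import Optional, Tuple

# Constructed sample of the credential lines from a wp-config.php (not any real site's file).
SAMPLE_WP_CONFIG = """<?php
define( 'DB_NAME', 'wp_site' );
define('DB_USER', 'wp_user');
define( "DB_PASSWORD", 'old-secret' );
define( 'DB_HOST', 'localhost' );
$table_prefix = 'wp_';
"""

# Matches define( 'DB_PASSWORD', '<value>' ) with either quote style. The value group
# accepts backslash escapes so an embedded \' or \" does not end the match early.
_DB_PASSWORD_RE = re.compile(
    r"""(define\s*\(\s*(['"])DB_PASSWORD\2\s*,\s*)(['"])((?:\\.|(?!\3).)*)\3(\s*\))"""
)


def find_wp_config(docroot: Path) -> Optional[Path]:
    """WordPress loads wp-config.php from the document root, or failing that from its parent."""
    for candidate in (docroot / "wp-config.php", docroot.parent / "wp-config.php"):
        if candidate.is_file():
            return candidate
    return None


def php_single_quoted(value: str) -> str:
    """Quote a value as a PHP single-quoted literal; only backslash and the quote need escaping."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def rotate_db_password(config_text: str, new_password: str) -> Tuple[str, int]:
    """Return (rewritten text, number of DB_PASSWORD defines replaced)."""
    def repl(m: "re.Match") -> str:
        return m.group(1) + php_single_quoted(new_password) + m.group(5)
    return _DB_PASSWORD_RE.subn(repl, config_text)


def rotate_wp_config(docroot: Path, new_password: str) -> Path:
    """Rewrite the site's wp-config.php in place, keeping a .bak copy of the original.

    Raises if the file is missing or does not define DB_PASSWORD exactly once (e.g. the
    credential is pulled in from an included file or an environment variable), so a
    bulk rotation never silently leaves a site pointing at the old password.
    """
    config_path = find_wp_config(docroot)
    if config_path is None:
        raise FileNotFoundError("no wp-config.php in %s or its parent" % docroot)
    original = config_path.read_text(encoding="utf-8")
    updated, count = rotate_db_password(original, new_password)
    if count != 1:
        raise ValueError("%s defines DB_PASSWORD %d times; refusing to edit" % (config_path, count))
    config_path.with_suffix(".php.bak").write_text(original, encoding="utf-8")
    config_path.write_text(updated, encoding="utf-8")
    return config_path


if __name__ == "__main__":
    text, n = rotate_db_password(SAMPLE_WP_CONFIG, "n3w'pw")
    print(n, "define(s) rewritten")
    print(text)
```

        The new database password itself still has to be changed on the MySQL side in the same maintenance step, and a site whose wp-config.php reads the credential from elsewhere is exactly the case the `count != 1` check surfaces for manual handling.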

    • Sacha

      Yes, I agree. I dislike being controlled. It’s basically like WordPress.com.


  4. mac2net

    I prefer to use a vanilla v-host rather than a high profile wp hosting service. They may not add WP value, but they don’t take away value either. They do their job – host.


  5. JJ

    Had a chat with them tonight – they are working overtime over there with the live chat! It’s usually closed at 8pm CST. The person I spoke with said nothing was compromised but they want everyone to change passwords as a security precaution.

    I literally was up all night transferring / launching a site for a client on their service. Hope this doesn’t happen very often.


    • Kristian

      This is the first time in my experience, which granted is only one year. Besides that WP Engine has been nothing but good and secure.

      A minor annoyance compared to alternative.


  6. Jason Lemieux

    As someone that has hosted with WP Engine since early 2012 I’m still coming out ahead. The day our agency moved all sites there was the day we stopped dealing with hacks and security issues. We used to spend a chunk of every month cleaning up one site or another. It was awful.

    I see resetting a bunch of passwords as no problem at all when compared to the work they have saved us over the years.

    Keep up the good work WPE. Sorry you’re going to have a crappy couple of days. You’ll be that much stronger on the other side.


    • Foolpress

      The day our agency moved all sites there was the day we stopped dealing with hacks and security issues.

      Until this week.


      • Jason Lemieux

        Ha! That’s right. Four blissful years of not dealing with this stuff. And the extra bonus: when something did go wrong, who is left cleaning up the mess? Not me. I just have to do a pw reset next time I want to log into x, y, or z. My customers weren’t that bothered to have to do the same. 

        Maybe some larger fallout will be coming down the line. For now though WPE is handling it like champs.


    • Randy Runnels

      Agreed – WP Engine put an end to years of hacked sites and embarrassing client interactions (why does Google say my site isn’t safe??).

      Add to that the SWEET staging platform and live chat support and this little kerfuffle is minor.

      In fact, the way WPE got out in front of this reminds me of how BAD some other hosts are about communicating with their customers.

      I’ve had big named hosts do things like change PHP versions, move servers, change IP addresses, and never say a word about it until hours were spent with tech support telling me I’m crazy.

      I’m not saying my experience with WPE has been perfect, but compared to the old days it’s been pretty damned good.


  7. Kimba Wiggins

    Someone from Lithuania kept on trying to hack my site every day. I heard about the breach several hours ago (I live in NY). I changed my email passwords and my blog’s passwords this morning.


  8. Rogier

    I’m still a happy customer :)

    I got a message yesterday from wpengine telling me that this was going on. How nice to have a company that doesn’t try to arrange problems like this behind closed doors.

    Even our trusted banks have security issues and once in a while they are closed for hours caused by attacks or other technical problems.

    WPengine takes away a lot of technical stress and they have a perfect helpdesk and chat as well!


  9. Ed

    Shit happens. WPEngine owned it. Took action and notified customers. Perfect example of an honest transparent execution of putting customers first even if it means inconveniencing customers. Well done WPEngine – I have even more respect for you now than I already had before. Whether or not an actual security breach occurred is secondary to the possibility that a security breach did occur – to assume that the worst possible case scenario has occurred is always going to be the safest approach to take.


  10. lukepettway

    Gotta hand it to them, they handled this pretty well.


    • Ed

      Yep, going to cost them a lot of negative fallout in the short term, but in the long term I believe it will gain them even more respect. ;)


  11. John Teague

    At GEMServers we partnered with Launchkey to provide passwordless authentication for WordPress. Can’t steal passwords that don’t exist. It is a truly awesome security technology. Launchkey also has great 2FA for those who prefer that.

    We agree with their founders that moving beyond traditional passwords is a necessity. I’d encourage other hosting providers to do the same.


  12. Jesse Petersen

    I’ve been hosting with WPE for 3 years and have about 85 sites on there. While this is a huge inconvenience to reset all of these passwords, I have yet to have one client request that their SFTP login isn’t working. I either maintain the initial WP login user or deleted it long ago and use my own login regardless… and any of my clients that have their own user login to the customer area also received that email.

    I say, “well done!” It was worst-case to reset all of those but they also mitigated any danger by doing so. I’m ever-more impressed with how they handle things in a managed setting’s expectations.


  13. Al

    I think that certain high-profile hosts in the WP community are high-value targets for hackers… for the bragging rights if nothing else. I sometimes wonder if it is better to host with some small, unknown, low-profile datacenter who have good security but who are not ‘out there’ all the time talking about how good their security is.


    • Miroslav Glavic

      That is what I do, I host all my websites (except 3) with a small local hosting/domain registrar company.

      The other 3 are with GoDaddy (the domains), their DNS servers point to the local hosting company. The local hosting company doesn’t do .co & .me domains and I wanted a domain hack.


  14. Scott Cheyne

    Security will always be a problem on-line. It just goes with the territory. Even as a relatively small local business that does not store any customers’ details on line we have taken a lot of steps to stop the site being hacked including two step authentication.

    Without any customer details being stored online the only thing they can really do is to take over the wording and appearance of the site. So it is checked everyday. One of our local competitors did have their site hacked; we have been lucky so far, but statistically sometime in the next thousand years someone will try and succeed.

    All we can do in the meantime is do what we can to stop it happening and prepare backups etc for if it does.


  15. Dylan Kuhn

    I like the fresh feeling of a new password now and then anyway. In fact, a service to change my passwords automatically sounds like a good idea. Until that service gets hacked…


  16. mark k.

    WOW so much false sense of security in the comments. I guess there is bliss in ignorance, if you don’t know how the security works you don’t know how much it sucks (which always might be – not at all, but that needs to be proven first)

    The need to reset database and SFTP passwords indicates that there is a non-zero possibility that the attacker got access to the DB, and if that happened then no password reset will help at all as he could have created for himself an admin user to be used much later.

    The only way to securely recover from a security breach is to return to a backup from before it happened. Any other way and you are just assuming that you have found all the backdoors which were installed in the breach.

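    The scenario this comment describes, an attacker with database access quietly adding an administrator account that survives a password reset, is something a site owner can at least check for while deciding whether a restore from backup is needed. The following is an added example, not code from the commenter or from WP Engine: it runs the same join a defender would run against `wp_users` and `wp_usermeta` (WordPress keeps roles as a PHP-serialized array under the `<prefix>capabilities` meta key) and flags administrators that are either not on a known list or were registered at or after the start of the suspected compromise window. The rows, logins and dates are constructed; the `wp_` prefix is assumed and must match the site's `$table_prefix`.

```python
import sqlite3
from typing import Iterable, List, Tuple

# Constructed sample rows shaped like WordPress's wp_users and wp_usermeta tables
# (ids, logins and timestamps are made up; no real site is represented).
SAMPLE_USERS = [
    (1, "owner",  "2014-03-02 10:00:00"),
    (2, "editor", "2015-01-15 09:30:00"),
    (3, "wp_sys", "2015-12-08 03:12:44"),   # appeared during the suspected window
    (4, "backup", "2015-12-09 22:01:03"),   # likewise
]
# Roles live in a PHP-serialized array; an administrator's entry contains "administrator".
SAMPLE_USERMETA = [
    (1, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (2, "wp_capabilities", 'a:1:{s:6:"editor";b:1;}'),
    (3, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (4, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
]


def load_sample_db() -> sqlite3.Connection:
    """In-memory stand-in for the two WordPress tables the audit reads."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_registered TEXT)")
    conn.execute(
        "CREATE TABLE wp_usermeta (umeta_id INTEGER PRIMARY KEY AUTOINCREMENT, "
        "user_id INTEGER, meta_key TEXT, meta_value TEXT)"
    )
    conn.executemany("INSERT INTO wp_users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.executemany(
        "INSERT INTO wp_usermeta (user_id, meta_key, meta_value) VALUES (?, ?, ?)", SAMPLE_USERMETA
    )
    return conn


# The same statement runs unchanged on MySQL; replace 'wp_' with the site's $table_prefix.
ADMIN_QUERY = """
SELECT u.ID, u.user_login, u.user_registered
FROM wp_users AS u
JOIN wp_usermeta AS m ON m.user_id = u.ID
WHERE m.meta_key = 'wp_capabilities'
  AND m.meta_value LIKE '%"administrator"%'
ORDER BY u.ID
"""


def list_admins(conn: sqlite3.Connection) -> List[Tuple[int, str, str]]:
    """Every account that currently holds the administrator role."""
    return conn.execute(ADMIN_QUERY).fetchall()


def suspicious_admins(
    conn: sqlite3.Connection, known_admins: Iterable[str], window_start: str
) -> List[Tuple[int, str, Tuple[str, ...]]]:
    """Administrators that are unknown or were created at/after the window start.

    user_registered is stored as 'YYYY-MM-DD HH:MM:SS', so plain string comparison
    orders correctly. An account on the known list is still flagged if its
    registration date falls inside the window.
    """
    known = set(known_admins)
    flagged = []
    for user_id, login, registered in list_admins(conn):
        reasons = []
        if login not in known:
            reasons.append("not on the known-administrator list")
        if registered >= window_start:
            reasons.append("registered at or after %s" % window_start)
        if reasons:
            flagged.append((user_id, login, tuple(reasons)))
    return flagged


if __name__ == "__main__":
    db = load_sample_db()
    for user_id, login, reasons in suspicious_admins(db, {"owner"}, "2015-12-07 00:00:00"):
        print("%d %-8s %s" % (user_id, login, "; ".join(reasons)))
```

    A clean result from this check is not proof of a clean database: an attacker with write access could also have changed an existing account's password hash or e-mail, or left a backdoor in the filesystem rather than in `wp_users`, which is why the comment's recommendation to restore from a pre-incident backup remains the reliable remedy. The query is a triage step that tells you how urgent that restore is.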

    • KTS915

      Thanks for this. I am not a WP Engine customer. But, if I were, I’d want to see a proper risk assessment, and then an explanation of how and why the measures taken are supposed to address those risks.

      Until that’s provided, the only thing that WPE’s good PR should lead to is the suspension of judgment.


  17. Common Man

    Woah…They Charge So Much from their Customers and Force them to Forget Caching Plugins + So many other Dumb Rules & they Can’t even Manage to Protect their Customers Credentials?
    Shame on them!


    • Nate

      They don’t allow caching plugins because they have their own caching technology. The rule prevents conflict issues.


  18. skyshab

    Well, good to see the fast reaction time. I was going to move a site to WPengine today. Funny timing.
