Cancel

Sarah Gooding

WP Engine Security Breach: Customer Credentials Exposed

wp-engine

WP Engine customers received an urgent notification in their inboxes Wednesday evening regarding a security breach.

At WP Engine we are committed to providing robust security. We are writing today to let you know that we learned of an exposure involving some of our customers’ credentials. Out of an abundance of caution, we are proactively taking security measures across our entire customer base.

WP Engine currently has no evidence that customer information was used inappropriately but has invalidated customer passwords as a precaution. The following five passwords associated with customer accounts will have to be reset:

  • WP Engine User Portal
  • WordPress Database
  • SFTP
  • Original WP-Admin Account
  • Password Protected Installs and Transferable Installs

The notice states that WP Engine is taking immediate action on their end but does not include any details. The company apologized for the inconvenience of having to invalidate all customer passwords.

Customers took to Twitter to express frustration and bemoaned the host’s lack of two-factor authentication.

Representatives from WP Engine were not able to comment on the situation beyond the official notice that was posted. The company will update customers as soon as the security team learns more from their ongoing investigation. If you are a customer or have clients who host with WP Engine, you will need to reset all your passwords according to the instructions at the bottom of notice.

Category:
Tags: ,
30

30 responses to “WP Engine Security Breach: Customer Credentials Exposed”

  1. I have extreme understanding this is the worst case scenario for any host, and I imagine more information will be forthcoming.

    But agh, I’m not looking forward to the clients we put on WP Engine to avoid something like this and explain this tactfully without more details and some repurcutions.

    Create forum topic from comment
    Reply

  3. Not that I support managed hosting companies. Nothing against WPEngine but I like to manage my own thing…couldn’t you…

    Install 2-factor authentication?

    Simply reset all passwords and sending them an e-mail with their new passwords?

    I am sure you can do in WordPress, click a reset button, and automatically triggering an e-mail to the client, that includes a link so clients can click and set their own password.

    I know when I reset my Google password, I can’t use a previously used password.

    Create forum topic from comment
    Reply

  5. Had a chat with them tonight – they are working overtime over there with the live chat! It’s usually closed at 8pm CST. The person I spoke with said nothing was compromised but they want everyone to change passwords as a security precaution.

    I literally was up all night transferring / launching a site for a client on their service. Hope this doesn’t happen very often.

    Create forum topic from comment
    Reply

  6. As someone that has hosted with WP Engine since early 2012 I’m still coming out ahead. The day our agency moved all sites there was the day we stopped dealing with hacks and security issues. We used to spend a chunk of every month cleaning up one site or another. It was awful.

    I see resetting a bunch of passwords as no problem at all when compared to the work they have saved us over the years.

    Keep up the good work WPE. Sorry you’re going to have a crappy couple of days. You’ll be that much stronger on the other side.

    Create forum topic from comment
    Reply

      • Ha! That’s right. Four blissful years of not dealing with this stuff. And the extra bonus: when something did go wrong, who is left cleaning up the mess? Not me. I just have to do a pw reset next time I want to log into x, y, or z. My customers weren’t that bothered to have to do the same. 

        Maybe some larger fallout will be coming down the line. For now though WPE is handling it like champs.

        Create forum topic from comment
        Reply

    • Agreed – WP Engine put an end to years of hacked sites and embarrassing client interactions (why does Google say my site isn’t safe??).

      Add to that the SWEET staging platform and live chat support and this little kerfuffle is minor.

      In fact, the way WPE got out in front of this reminds me of how BAD some other hosts are about communicating with their customers.

      I’ve had big named hosts do things like change PHP versions, move servers, change IP addresses, and never say a word about it until hours were spent with tech support telling me I’m crazy.

      I’m not saying my experience with WPE has been perfect, but compared to the old days it’s been pretty damned good.

      Create forum topic from comment
      Reply

  8. I’m still a happy customer :)

    I got a message yesterday from wpengine telling me that this was going on. How nice to have a compagny that doesn’t try to arrange problems like this behind closed doors.

    Even our trusted banks have security issues and once in a while they are closed for hours caused by attacks or other technical problems.

    WPengine takes away a lot of technical stress and they have a perfect helpdesk and chat aswell!

    Create forum topic from comment
    Reply

  9. Shit happens. WPEngine owned it. Took action and notified customers. Perfect example of an honest transparent execution of putting customers first even if it means inconveniencing customers. Well done WPEngine – I have even more respect for you now then I already had before. Whether or not an actual security breach occurred is secondary to the possibility that a security breach did occur – to assume that the worst possible case scenario has occurred is always going to be the safest approach to take.

    Create forum topic from comment
    Reply

  11. At GEMServers we partnered with Launchkey to provide passwordless authentication for WordPress. Can’t steal passwords that don’t exist. It is a truly awesome security technology. Launchkey also has great 2FA for those who prefer that.

    We agree with their founders that moving beyond traditional passwords is a necessity. I’d encourage other hosting providers to do the same.

    Create forum topic from comment
    Reply

  12. I’ve been hosting with WPE for 3 years and have about 85 sites on there. While this is a huge inconvenience to reset all of these passwords, I have yet to have one client request yet that their SFTP login isn’t working. I either maintain the intial WP login user or deleted it long ago and use my own login regardless… and any of my clients that have their own user login to the customer area also received that email.

    I say, “well done!” It was worst-case to reset all of those but they also mitigated any danger by doing so. I’m ever-more impressed with how they handle things in a managed setting’s expectations.

    Create forum topic from comment
    Reply

  13. I think that certain high-profile hosts in the WP community are high-value targets for hackers… for the bragging rights if nothing else. I sometimes wonder if it is better to host with some small, unknown, low-profile datacenter who have good security but who are not ‘out there’ all the time talking about how good their security is.

    Create forum topic from comment
    Reply

    • That is what I do, I host all my websites (except 3) with a small local hosting/domain registrar company.

      The other 3 are with GoDaddy (the domains), their DNS servers point to the local hosting company. The local hosting company doesn’t do .co & .me domains and I wanted a domain hack.

      Create forum topic from comment
      Reply

  14. Security will always be a problem on-line. It just goes with the territory Even as a relatively small local business that does not store any customers details on line we have taken a lot of steps to stop the site being hacked including two step authentication.

    Without any customers detailed being stored online the only thing they can really do is to take over the wording and appearance of the site. So it is checked everyday. One of our local competitors did have their site hacked we have been lucky so far but statistically sometime in the next thousand years someone will try and succeed.

    All we can do in the meantime is do what we can to stop it happening and prepare backups etc for if it does.

    Create forum topic from comment
    Reply

  16. WOW so much false sense of security in the comments. I guess there is bliss in ignorance, if you don’t know how the security works you don’t know how much it sucks (which always might be – not at all, but that needs to be proven first)

    The need to reset database and SFTP passwords indicates that there is a non zero possibility that the attacker got access to the DB, and if that happened then no password reset will help at all as he could have created for himself an admin user to be used much later.

    The only way to securely recover from a security breach is to return to a backup from before it happened. Any other way and you are just assuming that you have found all the backdoors which were installed in the breach.

    Create forum topic from comment
    Reply

    • Thanks for this. I am not a WP Engine customer. But, if I were, I’d want to see a proper risk assessment, and then an explanation of how and why the measures taken are supposed to address those risks.

      Until that’s provided, the only thing that WPE’s good PR should lead to is the suspension of judgment.

      Create forum topic from comment
      Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

You may also like

Newsletter

Subscribe Via Email

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

Discover more from WP Tavern

Subscribe now to keep reading and get access to the full archive.

Continue reading