WP Engine customers received an urgent notification in their inboxes Wednesday evening regarding a security breach.
At WP Engine we are committed to providing robust security. We are writing today to let you know that we learned of an exposure involving some of our customers’ credentials. Out of an abundance of caution, we are proactively taking security measures across our entire customer base.
WP Engine currently has no evidence that customer information was used inappropriately but has invalidated customer passwords as a precaution. The following five passwords associated with customer accounts will have to be reset:
- WP Engine User Portal
- WordPress Database
- SFTP
- Original WP-Admin Account
- Password Protected Installs and Transferable Installs
The notice states that WP Engine is taking immediate action on their end but does not include any details. The company apologized for the inconvenience of having to invalidate all customer passwords.
Customers took to Twitter to express frustration and bemoaned the host’s lack of two-factor authentication.
@wpengine What's with the lack of 2FA?
— Jordan Felle (@jordanfelle) December 10, 2015
Representatives from WP Engine were not able to comment on the situation beyond the official notice that was posted. The company will update customers as soon as the security team learns more from their ongoing investigation. If you are a customer or have clients who host with WP Engine, you will need to reset all your passwords according to the instructions at the bottom of the notice.
I have extreme understanding this is the worst case scenario for any host, and I imagine more information will be forthcoming.
But agh, I’m not looking forward to the clients we put on WP Engine to avoid something like this and explain this tactfully without more details and some repercussions.