WPEngine Credentials Exposed

Update 1 (3:10pm CST on Dec 10th): WPEngine is working with federal law enforcement as part of their investigation into the breach. They are also working with a ‘leading cyber security firm’, presumably someone who specializes in incident response and forensics. They haven’t provided any further details about the incident yet.

Original post:

About an hour ago WordPress hosting company WPEngine sent out an email to their customers asking them to change their passwords.

The passwords they want you to change are the user portal, sFTP, your WordPress database password, your original wp-admin WordPress account and any password protected installs and transferable installs.

We have reached out to WPEngine and received this response from Eric Jones:

As we indicated in our notification to customers at WP Engine, the security of our members’ personal information is a top priority. In response to an exposure involving some of our customers’ credentials, we are taking proactive steps to mitigate the issue. While we have no evidence that the information was used inappropriately, out of an abundance of caution, we have initiated an investigation and notified customers that we are invalidating five passwords associated with their WP Engine account. Customers were provided with specific instructions on how to reset each of them.

Again, we are committed to the protection of our customers’ personal information. As we learn more from our ongoing investigation, we will provide updates to our customers if we learn of information that affects them.

Additional information and any future updates about this event are available at http://wpengine.com/infosec

A snapshot of the email sent about an hour ago is below:

WPEngine breach email

We will update this post as we learn more.

~Mark.

Did you enjoy this post? Share it!

Comments

34 Comments
  • Thanks, I have changed my passwords
    The best,
    P.L.

  • Thanks Mark, you guys are on the ball! Thankfully I'm not hosted with WPEngine but nonetheless, I'm personally appreciative of you and the team's efforts, keep up the awesome work!!

    • I am also not hosted on WPEngine. Nonetheless Thanks mark for head up.

  • Good to hear they react quickly to protect those WordPress installations, thanks for the heads up.

  • I have some additional information on this - I'd like to discuss in further.

    • @John The only update we have seen so far is this:

      "Update 12/10/2015 3:53am Central: In an attempt to provide more assistance to the recommendations below, you can find updated step-by-step links on how to reset your passwords here"

      So not really much more details other than a link to reset the passwords.

  • Great for WP Engine for picking it up so quickly, I still think they're awesome. (As well as Wordfence for spreading the news so quickly)
    Linda

  • So, this is only for people hosted by WPEngine. I am hosted by BlueHost, so am I correct in assuming I do not need to change anything?

    Thanks.

    • @Carlyn That is correct. This was something that happened to WPEngine on their servers. Only WPEngine customers need to be concerned.

  • No comment on the XSS vuln you fixed in your own plugin today?
    https://plugins.trac.wordpress.org/changeset/1304473/wordfence

    • Are you referring to the one we discovered, reported, and fixed ourselves?

      tim

      • Yes, but you've not announced it anywhere, not advised customers that there's an active XSS vuln, and that patching is important? I get WP-Engine hack is huge, and this shouldn't take away from it, I've relied upon your reporting for some time, but I would've expected you to at least note the XSS issue somewhere publicly.

        • I understand your concern but can I clear something up? The vulnerability was discovered by a researcher here and patched in the plugin release we sent out, all within a very short time. In addition to addressing the plugin issue we also patched it on our servers so that if you were running an earlier version of Wordfence, it still couldn't be exploited. That's without you updating anything. It's not anything I would call 'active' because it was immediately remediated with the patch on our servers. We also added the information about it to the release notes and then spread the word about the release on twitter and facebook. I hope this helps you understand what happened. Should you want to discuss this further you can email us at genbiz@wordfence.com where we will be happy to answer any of your questions.

          • Ahh, it being internally patched and inactive makes all the difference. I still thing you should write a blogpost about it even so, considering your audience, detailing what you found, and how you fixed it, is of great interest :)

          • Thanks, just want you to know that we had an extensive internal conversation about this. We will likely share more in future.

  • I received an email alerting me to the problem with a link to this article. This article mentions instructions on how to change the passwords...all five of them. Where are these instructions? They're not in the email.

    • Check WPEngine's post on their site.

      tim

  • Such a bad news struck to WPEngine. Luckily, I am not hosted there but I know many friends who are. Will send them this news over their way.

    Thank you!

  • I'm new to Wordpress. I have installed Wordfence in my development environment but not deployed the website. Is Wordfence the same as WPEngine? I don't understand the connection. Does this mean I have to change my password?

    • Hi,

      Unless your website is hosted with WPEngine (https://wpengine.com/), your data is completely safe.

      No need to worry! WordFence is just being on the ball and alerting those who potentially might be customers of both WordFence and WPEngine.

  • WP Engine is literally the best. They were on top of it right away and they're always quick on support. I've never had any issues since I left the bargain hosting companies and went to them. I have over 20 websites hosted there and trust them with all of my clients.

  • Knowing how long ago the credentials were stolen would be helpful.

    • Agreed. The last update on the situation was at 3:53am and no further information has been released.

      tim

  • I am glad your on the ball and protecting everyone.. I was confused by your letter I did not know what "wpengine" was , if you would have said in your email it was a hosting account I would not have gotten so concerned and upset at first..

    Since I am not hosted by them then I do not have to worry about it..

    Thanks again for your constant diligence.

    Bernie6911

  • Hmm. Interesting. But, doesn't WPE not allow WordFence on their servers? That is one of the things that is keeping me from moving over to them, to be honest. I rely on WF too much to not be able to use it.

    • You are correct. They currently do not allow Wordfence and several other plugins.

      tim

  • Here's the URL of the topic that provides detailed instructions:
    https://wpengine.com/support/infosec/#6

  • Love the proactive announcement by WPEngine. Thanks for the heads up!

  • Yes...pretty nice of Worfence to let everyone know because WPEngine does not allow wordence installations due to conflicts with their own built-in security measures. I have one WPEngine site and the speed is great. Costs more than a regular hosting company but you get better speed and security.

  • Great to see two companies which don't work in directly together both being pro-active in the announcement, a quick to resolve any issues. I am a recent adopted of WP Engine, and whilst it would be great id there were to allow Wordfence on there servers,

    I'm not put off by this, i always judge a service not just on performance but also on support. One area they are let down on is reliance on email to make client notifications especially when there are so many choices in terms of communication methods, something i hope they will address in the near future and for myself making use of IFTT will bridge the gap temporarily.

  • Thanks for sharing this information. I've alerted my clients who use their service.

  • When I saw it first I was a bit afraid and asked myself, for I didn't know: was I a customer of WPEngine? I didn't remember but the name was so familiar to me. In the end it proved I wasn't, I just visited their website some time ago but I didn't created an account with them.

  • WP Engine compare to Wordfence who is the best player??

    • WPEngine is a hosting provider. We make a security plugin you can run on any WordPress site. So we are in different businesses.