WordPress blogging platform hacked

Users of the popular WordPress blogging platform are being urged to revisit their password security after parent company Automattic revealed that its servers had been hacked and potentially everything on them revealed.

Matt Mullenweg, the founder of Automattic, said in a blog post dated 13 April that the firm "had a low-level (root) break-in to several of our servers".

"We have been diligently reviewing logs and records about the break-in to determine the extent of the information exposed, and re-securing avenues used to gain access. We presume our source code was exposed and copied," he said.

"While much of our code is open source, there are sensitive bits of our and our partners' code. Beyond that, however, it appears that information disclosed was limited."

Mullenweg added that the investigation into the incident is ongoing and may take some time to complete. In the meantime, he urged users to have different passwords for different sites and to use strong passwords.

Graham Cluley, Sophos senior technology consultant, pointed out in a blog post that the hack is likely to have affected only blogs posted on WordPress.com, and "not sites which have decided to self-host their own WordPress blog using the software from WordPress.org".

He also urged web users to practise good password policies.

"We don't know that the WordPress.com security breach gave the hackers access to bloggers' passwords, but we do know that many internet users have chosen to use the same password on multiple web sites," he said.

"So if your password was stolen from one web site, it could then be used to unlock many other online accounts, and potentially cause a bigger problem for you. So always use unique passwords."

WordPress suffered a denial-of-service attack for several hours last month, but it is not thought that the two incidents are related.