Blog sites hacked

  • I recently learned through my malware provider that my blog sites were hacked because of a security breach at WordPress.com. (The way it was explained to me was WordPress.com was hacked, user IDs and passwords stolen, and then JetPack was used to gain access and hijack sites. Several of mine were hacked in this manner.)

    First, why weren’t WordPress.com users notified of the security breach?

    Second, what is WordPress.com doing to mitigate the damage? (i.e. will wordpress.com be providing malware services to victims of the security breach? etc.)

  • Wait for an answer from Staff.

  • Hi folks,

    There has been some misinformation making the rounds, so to clarify, there has been no security breach for user accounts at WordPress.com. But if someone has your WordPress.com account credentials, they could log in and modify your site.

    WordFence notified us of a malicious plugin being installed on some accounts, so we are investigating and will be in touch with those account owners. We’ll also take steps to ensure that none of our users accidentally install that plugin.

    In the meantime, we encourage all users to pick a strong password and use 2FA. https://en.support.wordpress.com/selecting-a-strong-password/

    Also, we aren’t seeing this plugin on your particular account, but we will reach out by email to confirm.

  • You aren’t seeing the plugin because I removed it as soon as I heard about it. Wordfence has since posted a clarification that there wasn’t a breach at WordPress.com. (Which, when you consider they initially wrote, “An attacker will sign in to a WordPress.com account using compromised credentials,” sounds like the compromise was at the WordPress.com end.) I’m glad there wasn’t a breach.

  • Yup. We are very careful with security around here. As a WordPress.com user, you’ll need to mind who could gain access to your account: don’t use the same password on multiple sites (in case there’s a data breach elsewhere), don’t leave yourself logged into public computers, don’t share your password, but do change it often and use 2FA. And if you have other admins on your site, ensure they’re diligent as well.

    Since you are also maintaining your own installation, you’ll need to protect that as well with updates, backups, being careful about the code and plugins you use to modify your site, etc. But it sounds like you’re on it. :)
