WordPress.com suffers hacker attack - how to change your password

by Graham Cluley on April 13, 2011 | Leave a comment

Filed Under: Data loss, Vulnerability

WordPress.comMillions of blog owners around the world are being advised to consider their password security, after WordPress.com was hacked.

To its credit, Automattic - the company behind the WordPress.com blogging platform - didn't mince its words or try to apply any spin to the incident, explaining it had suffered a "low-level (root) break-in to several of [its] servers, and potentially anything on those servers could have been revealed."

Automattic's Matt Mullenweg wrote:

We have been diligently reviewing logs and records about the break-in to determine the extent of the information exposed, and re-securing avenues used to gain access. We presume our source code was exposed and copied. While much of our code is Open Source, there are sensitive bits of our and our partners’ code. Beyond that, however, it appears information disclosed was limited.

WordPress's gurus continue to investigate the security breach, and say they have taken steps to prevent it happening again.

It's worth pointing out that the security incident only potentially affects blogs posted on WordPress.com, not sites which have decided to self-host their own WordPress blog using the software from WordPress.org.

So, until we know more, I think it would be sensible for all WordPress.com users to follow the advice - and consider if they are using a secure password. Better safe than sorry, after all.

Here's how you change your WordPress.com password, if you think it might not be secure.

1) Go to Users / Personal settings

WordPress personal settings

2) Choose a strong, unique password.

Change your WordPress.com password

Not sure what a strong password is, or why it's important you should choose a unique one? Watch our video.

(Enjoy this video? You can check out more on the SophosLabs YouTube channel and subscribe if you like)

We don't know that the WordPress.com security breach gave the hackers access to bloggers' passwords, but we do know that many internet users have chosen to use the same password on multiple websites. So if your password was stolen from one website, it could then be used to unlock many other online accounts - and potentially cause a bigger problem for you.

So always use unique passwords.

Furthermore, computer users should ensure they don't use dictionary words as passwords as it is relatively easy for hackers to figure these out using electronic dictionaries that simply try out every word until they get the right one.

If video doesn't float your boat, here's a podcast where we talk around the issues of password security:

Even though your WordPress password may not have been compromised, it still makes sense and is good practice to make sure that you have a chosen a good, strong password now.

Tags: , , ,

Leave a Reply

Your email address will not be published. Required fields are marked *

*

You may use these HTML tags and attributes: <a href="" title="" rel=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <pre> <q cite=""> <strike> <strong>

About the author

Graham Cluley has worked in the computer security industry for more than 20 years, developing anti-virus software and doing quite a lot of talking about internet threats. He's won awards for his blogging, but is proudest of the text adventure games he wrote when he was still wearing short trousers. You can learn more about those (the games, not the trousers) at grahamcluley.com. Send Graham an email, subscribe to his updates on Facebook, follow him on Twitter and App.net, and circle him on Google Plus for regular updates.