WordPress Hacked, Source Code Stolen

Servers belonging to Automattic, which makes the popular WordPress blogging software, were hacked, and the company’s source code is believed to have been “exposed and copied,” according to a company blog post Wednesday.

The post, by Matt Mullenweg, Automattic’s co-founder, said that the company had a “low-level (root) break-in to several of our servers.” While the company doesn’t know the exact target of the hackers, “potentially anything on those servers could have been revealed.”

Mullenweg said the company was operating under the assumption that its source code was copied and, while much of it is open source, the copied data did contain “bits of our and our partners’ code” that are sensitive.

Automattic has taken “comprehensive steps to prevent an incident like this from occurring again,” but Mullenweg declined to speculate on whether the hundreds of thousands of blog operators that use WordPress need to be concerned about security vulnerabilities. He encouraged blog owners to make sure they are using strong passwords to secure their WordPress installations, and to refrain from reusing passwords – generic “good housekeeping” advice that wasn’t specific to the breach.

This isn’t the first time Automattic has found itself in the crosshairs. In March, the company was the target of a large denial-of-service attack. WordPress installations hosted on infrastructure managed by Network Solutions were also the target of attacks in April 2010 that redirected thousands of WordPress blogs to malware-laden drive-by download Web sites.