Automattic warns of WordPress server break-in

Automattic, the company behind the popular open-source blogging platform WordPress, had announced a major security breach on its servers which has granted unknown attackers access to 'sensitive' code.

Discovered late yesterday, the attack on 'several' of the company's servers left the unknown individuals with full low-level access to the system, having compromised the 'root' account on the server. This gave the attackers complete control over the target systems.

"We have been diligently reviewing logs and records about the break-in to determine the extent of the information exposed, and re-securing avenues used to gain access," claimed Automattic's Matt Mullenweg in an announcement following the discovery of the attack. "We presume our source code was exposed and copied."

While at first glance that might not appear to be too serious - Automattic's main product, WordPress, is open-source, and anyone is free to download, modify, and redistribute the source code under the GNU General Public Licence - Mullenweg warns that the attackers have likely got their hands on code that was never meant for public dissemination.

"While much of our code is open source, there are sensitive bits of our and our partners’ code," Mullenweg admitted - and confessed that the attackers have likely copied this 'sensitive' code for their own use.

User accounts for Automattic's WordPress-powered blogging platform, WordPress.com, are not thought to be part of the information disclosed during the attack - although the company is warning its users to ensure they are following password best practices, such as using different passwords for different websites and ensuring that passwords are strong enough to thwart dictionary attacks.

"Our investigation into this matter is ongoing," Mullenweg explained, "and will take time to complete."

The exact method of attack used during the intrusion is not yet known.