WordPress.com, which hosts millions of blogs using the popular WordPress blogging software, announced yesterday that its servers had been breached and that sensitive data was likely taken.
“We presume our source code was exposed and copied,” WordPress founder Matt Mullenweg said in a blog posting yesterday. “While much of our code is Open Source, there are sensitive bits of our and our partners’ code.”
Mullenweg was unusually candid for a company president disclosing a major data breach.
“We don’t have any specific suggestions for our users beyond reiterating these security fundamentals,” he wrote. “Use a strong password, meaning something random with numbers and punctuation; use different passwords for different sites; if you have used the same password on different sites, switch it to something more secure.”
He added that “it appears information disclosed was limited,” but said the company would continue to investigate.
WordPress.com’s own statistics page says it hosts more than 19 million blogs. Last month, the site was hit by a crippling distributed denial-of-service (DDoS) attack, which temporarily knocked all WordPress.com sites offline.
Mullenweg said at the time that the DDoS attack “may have been politically motivated against one of our non-English blogs,” but further details have not been disclosed.
Mullenweg developed the WordPress blogging software in 2003, when he was 19. The software is free and open-source, and can be downloaded from WordPress.org. Millions of websites use WordPress software without being connected to WordPress.com.
In 2005, Mullenweg founded a software-development company called Automattic, which in turn launched WordPress.com as a competitor to larger blogging hosts such as Blogger and LiveJournal.