WP Engine Security Breach: What You Should Do Now
We suggest that our clients use managed WordPress hosting. Most managed hosts offer more robust security, specialize in WordPress and offer automatic site back-ups. The host we often recommend is WP Engine. They're the host we use for our site and we've had great service, 100% up-time and no site hacks. But sometimes even the best hosts run into problems.
Late Wednesday evening, WP Engine began sending emails to customers to let them know of a security breach. While there was little in the email that explained exactly what happened, the folks at WP Engine did let us know what steps they had taken to protect customer data.
We have begun an investigation; however, there is immediate action we are taking. Additionally, there is action that requires your immediate attention.
While we have no evidence that the information was used inappropriately, as a precaution, we are invalidating the following five passwords associated with your WP Engine account. This means you will need to reset each of them. Instructions for how to reset these passwords are at the bottom of this email.
- WP Engine User Portal
- WordPress Database (No reset needed. WP Engine takes care of this)
- Original WP-Admin Account
- Password Protected Installs and Transferable Installs
The instructions for the password resets mentioned in the email may have been a little vague so we've taken the time to provide a brief video tutorial. We show you exactly where you need to go and what steps to take.
We expect WP Engine to provide more information as their investigation continues. We're glad they took swift action to secure client data. The inconvenience of having to reset passwords is nothing compared to the pain caused had someone actually gained access to billing and credit card data. Hopefully, this will push WP Engine toward 2-factor authentication for login.
What You Can Do to Improve Your Online Security
This incident has been a reminder that we should take our online security seriously. As we move more and more of our personal and financial information online, the number of hackers and identity thieves will only increase. You can take the following steps to help protect your online personal and business data:
- Use a very strong password. Chances are that there is software being used by hackers right now that can guess your current password in a matter of minutes. If you don't believe it, check out Unmasked: What 10 million passwords reveal about the people who choose them. Your passwords should be at least 15 characters long and, when possible, incorporate uppercase letters, lowercase letters, numbers and special characters. Do not use the names of your children, grandchildren, pets or significant dates!
- Don't use the same password for everything. If you use the same password to log into your bank as you do for Facebook, you're asking for trouble. Using the same password for all sites means that anyone who hacks a less secure site that you've logged into now has access to your entire online life.
- Change your passwords frequently. As time consuming and inconvenient as it is, it has now become a necessity. Many financial institutions now require a password update at regular intervals.
There are services such as LastPass to help you manage and keep up with your passwords. The only question is what happens when they're hacked? This may be one of those times where good old pen and paper are still the best option. Write 'em down and lock 'em up!
One of the first things you should do is limit login attempts. This feature is built into many managed hosts such as WP Engine. If you don't use a managed host, you can easily add this extra layer of security with a plugin. Just search the WordPress plugin repository for "limit login attempts" and you'll see lots of options. Just be sure you choose one that has been updated recently and is compatible with the most recent version of WordPress.
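To show what "limit login attempts" actually does behind a host's or plugin's setting, here is an added example in Python. It is not code from the original post, from WP Engine, or from any WordPress plugin; it is a generic sliding-window lockout that counts failures per account and per source address, so a guessing run against one account from many addresses and a run against many accounts from one address are both stopped. The thresholds (5 failures in 15 minutes, 30-minute lockout) and the injectable clock are assumptions made for the example.

```python
import time
from collections import defaultdict, deque


class LoginThrottle:
    """Sliding-window failed-login counter with temporary lockouts.

    Failures are tracked under two keys, ("user", name) and ("ip", address),
    so either the account or the source address can be locked on its own.
    """

    def __init__(self, max_failures=5, window_seconds=900,
                 lockout_seconds=1800, clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window_seconds
        self.lockout = lockout_seconds
        self.clock = clock                    # injectable for deterministic tests
        self._failures = defaultdict(deque)   # key -> timestamps of recent failures
        self._locked_until = {}               # key -> clock value when the lock expires

    def _prune(self, key, now):
        """Drop failures that fell out of the sliding window."""
        q = self._failures[key]
        while q and now - q[0] > self.window:
            q.popleft()

    def is_locked(self, key):
        until = self._locked_until.get(key)
        if until is None:
            return False
        if self.clock() >= until:
            # Lock expired: forget it and start the failure count fresh.
            del self._locked_until[key]
            self._failures[key].clear()
            return False
        return True

    def check(self, username, source_ip):
        """True if a login attempt may proceed for this user from this address."""
        return not (self.is_locked(("user", username))
                    or self.is_locked(("ip", source_ip)))

    def record_failure(self, username, source_ip):
        now = self.clock()
        for key in (("user", username), ("ip", source_ip)):
            self._prune(key, now)
            self._failures[key].append(now)
            if len(self._failures[key]) >= self.max_failures:
                self._locked_until[key] = now + self.lockout

    def record_success(self, username, source_ip):
        """A correct login resets the counters for both keys."""
        self._failures[("user", username)].clear()
        self._failures[("ip", source_ip)].clear()


if __name__ == "__main__":
    # Constructed sequence of attempts for demonstration only (documentation
    # address ranges, not real clients).
    fake_now = [0.0]
    throttle = LoginThrottle(max_failures=3, window_seconds=60,
                             lockout_seconds=120, clock=lambda: fake_now[0])
    for attempt in range(4):
        allowed = throttle.check("admin", "203.0.113.7")
        print(f"attempt {attempt + 1}: allowed={allowed}")
        if allowed:
            throttle.record_failure("admin", "203.0.113.7")
    fake_now[0] = 121.0
    print("after lockout expires: allowed =", throttle.check("admin", "203.0.113.7"))
```

A real deployment would keep the counters in shared storage (the database or an object cache) so that every web node sees the same state, and would log each lockout event so that repeated lockouts of one account show up in monitoring.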
Another great tool is Better WordPress reCAPTCHA (with no CAPTCHA reCAPTCHA). This plugin adds Google's reCAPTCHA to the login page of your WordPress site. You'll need a Google account to get your reCAPTCHA credentials, but setup is pretty easy. The plugin is well documented and has a 4.1 out of 5 rating among users.
If you aren't on a managed host and want a full WordPress security suite, take a look at WordFence. It's available in free and premium options. The list of features in the free version is impressive. We used WordFence on our site prior to moving to WP Engine. If we were ever to move our site back to a non-managed host, we would probably use it again. The only caveat is that WordFence may slow your site down. Their Live Traffic Logging feature can increase page load times by over 3 seconds. This feature isn't essential and can be safely turned off in the settings.
We Trust WP Engine Security
No company is immune to being hacked and we continue to recommend WP Engine as a hosting platform for our clients. Their response and openness concerning this security breach has been commendable. Our site is still hosted on their platform. That being said, we will continue to monitor the situation and update this post should any new developments cause us to change our position.
UPDATE 6:45pm EST 12/11/15: At 1:45pm CST, Heather J. Brunner, CEO of WP Engine, addressed customers directly on the WP Engine website. Below is the introductory paragraph:
Please allow me to express my deepest apologies for the frustration caused by the exposure involving customer credentials. I recognize the concern this news causes. When we became aware of the exposure, we committed all company resources, globally, to take action. In addition to our own investigation, we have also engaged with third party security experts and federal law enforcement.
Disclosure of Material Connection: Some of the links in the post above are “affiliate links.” This means if you click on the link and purchase the item or service, we will receive an affiliate commission. We only recommend products or services we use and believe will add value to our readers and clients. We are disclosing this in accordance with the Federal Trade Commission’s 16 CFR, Part 255: “Guides Concerning the Use of Endorsements and Testimonials in Advertising.”