Hosting Providers; One Account, Many Implications
February 20, 2016 • RBS
WordPress is open source web software that allows users to create a website or blog. The core software is built by hundreds of community volunteers, and when you’re ready for more there are thousands of plugins and themes available to transform your site into almost anything you can imagine.
Over 60 million people have chosen WordPress to power the place on the web they call “home” — we’d love you to join the family. While WordPress is free, in many cases the software has a reputation for not being the most secure piece of software, but in fairness it typically has been insecure plugins that have lead to more of the issues. Regardless, small bloggers to large organizations have chosen WordPress as their platform.
Due to this popularity, there is a need for secure hosting providers that focus on WordPress and it has resulted in several companies filling this need. Today, RBS researchers discovered a server hosted at a well-known WordPress based hosting company that was compromised. The company, WPEngine.com boasts they are the best managed wordpress hosting company and claim to have over 30,000 customers in 120 countries.
WORDPRESS HOSTING, PERFECTED
Stunning speed, powerful security, and best-in-class customer service. At WP Engine, WordPress isn’t just our platform, it’s our passion.
Our best-in-class architecture and highly redundant systems keep WordPress fast, scalable, and secure.
WP Engine appears to be a very reputable company and their results seem to show they are doing very well. Regardless, from time to time, they recognize that it is possible for some of their customers to have issues and they address it in their FAQ:
OUR WORDPRESS SITES HAVE BEEN HACKED IN THE PAST. HOW DOES WP ENGINE ENSURE WORDPRESS SITES RUNNING ON THE WP ENGINE PLATFORM ARE SECURE?
When it comes to security patches and WordPress core updates, WP Engine is proactive in keeping your site secure with automatic updates. We also perform proactive security and malware scans to ensure that all WordPress sites running on WP Engine are free from intrusions.
Whether it’s a security update for a popular plugin or emergency maintenance due to an issue with a data center, WP Engine’s technical support team will ensure you’re the first to know if your site is impacted by a security risk. You can sleep easily knowing that the WP Engine team strives to provide the most secure WordPress hosting solution on the market.
The data that was exposed is a phpMyAdmin SQL Dump that appears to have been generated on Feb 18, 2016. After analysis of the dump, it appears to be a customer server and includes 317 full emails, usernames, and encrypted passwords.
(1, ‘wpengine’, ‘[hashed password]’, ‘wpengine’, ‘[email protected]’, ‘http://wpengine.com’, ‘2014-10-14 19:48:55’, ”, 0, ‘wpengine’)
What is a bit alarming is that the first account appears to be owned by WP Engine. While RBS cannot immediately confirm there is a larger issue, the concern in seeing an account of this type is that WP Engine could potentially use it (presumably with the same password) for other customers, and maybe even all of their accounts. If this is the case, then there is a potential that all customer servers could be at risk, should this password be compromised by attackers. RBS contacted WP Engine support as soon as this came to our attention and provided the information in the data dump. The support staff that responded said that they would alert the “correct team”, and also thanked us for the report. RBS has further contacted the website that appears to be compromised, alerting them to the situation.
As we continue to track data breaches for our Cyber Risk Analytics service, we have always been very mindful of the systemic risk that exists with cloud providers and hosting solutions. While on the surface, this one compromise suggests it is a single company, the hosting provider account being present signals there could be a much larger issue with possible far-reaching catastrophic impact. RBS has followed-up with WP Engine to ask for clarification or an official statement on the presence of the account found in the dump. In the meantime, while we are not suggesting that WP Engine has done anything wrong or is the reason for the breach, if you are a WP Engine customer, it may be advised for you to contact WP Engine support to discuss the ramifications.
Update February 20th @ 11:46pm EST:
WP Engine support replied to our questions about the wpengine user account. Based on the information provided the concern about a larger systemic risk does not appear to be an issue.
As for that wpengine user, it is used on all installs on our platform. All passwords are randomized however, and can be changed manually if needed via phpMyAdmin. We have ways to reset the password to a different randomized MD5 password as well.