Final Update 12/31/2015 2:00PM Central:
The independent investigation has now been completed. As such, we are sharing a final summary of the security exposure.
WP Engine was attacked by an external criminal whose point of entry came through one of our cloud infrastructure providers. We believe the exposure began on December 4, 2015. Upon detection of the exposure on December 9, 2015, WP Engine notified all of our customers and took immediate action by launching a full investigation and rolling credentials for our customers as a security precaution.
In conjunction with our internal security teams investigation, WP Engine also retained third party security experts to investigate the exposure and assist in the remediation of any potential issues identified.
A few companies were directly impacted by the attacker. WP Engine contacted each one and implemented a comprehensive plan of action to ensure their security.
WP Engine continues to work closely with law enforcement authorities on this matter. Their criminal investigation continues.
Security requires ongoing vigilance and is a shared responsibility. We encourage our customers to always use strong passwords and never use the same password on multiple sites or services. We appreciate your patience as we have moved through this process and value the trust and confidence you place in WP Engine.
Update 12/22/2015 5:00pm Central:
Thank you for your patience during this ongoing investigation. As outlined in our updates, this investigation is comprehensive and multi-faceted, including outside cyber security firms and two federal law enforcement agencies.
The WP Engine Security Team has completed our internal investigation relating to the exposure and we have held direct phone conversations with the few companies that have been directly impacted. At this time, we have no evidence that any other companies have been directly impacted by the exposure other than those we have already contacted.
We anticipate that our outside security firm will conclude their own independent investigation and issue their final report as early as next week. We continue to work with federal law enforcement however their investigation will be ongoing. We do not expect to make any new Infosec updates until the conclusion of the independent investigation.
Update 12/16/2015 6:15pm Central:
As we continue to put our full resources behind this investigation, the WP Engine security team, with the support of our third-party security firms are making progress. We continue to actively work with federal law enforcement and have now engaged a second federal agency.
Since the investigation began, we have completed a number of initiatives that augment our existing security systems with new tools, not only to aid the on-going investigation, but also to enhance the scanning and monitoring of our platform and our customers sites.
We also think it is important to clarify that WP Engine uses a 3rd party to process credit cards and we do not access or store our customers 16-digit credit card numbers or CVV number.
While we are still in the early stages of this criminal and security investigation, we remain focused on supporting you, our customers, and are committed to share additional information as quickly as it is available and appropriate to share.
Update 12/13/2015 1:00pm Central:
WP Engine continues to work around the clock and as part of the ongoing investigation, our security team has begun to work with an additional security consultant in addition to our third-party cyber security firm in order to objectively accelerate the investigation. We will continue to post updates here as they become available.
Update from Heather J Brunner CEO 12/11/2015 1:45pm Central:
Please allow me to express my deepest apologies for the frustration caused by the exposure involving customer credentials. I recognize the concern this news causes. When we became aware of the exposure, we committed all company resources, globally, to take action. In addition to our own investigation, we have also engaged with third party security experts and federal law enforcement.
While we have no evidence that the information was used inappropriately, out of an abundance of caution, we began invalidating customer credentials and communicating the necessary steps to update passwords. This process has now been completed.
We appreciate that your sites serve as the engine for your business, and that responsibility is one we take extremely seriously.
We recognize you have questions and we will continue to update you, through this site, as additional information from this active investigation becomes available. I have been personally involved every step of the way and I want to thank each of you for the trust and confidence you place in our company.
Heather J. Brunner
Update 12/10/2015 3:10pm Central:
Our investigation is still actively in progress. We share your frustration that we cannot provide answers to many of your questions. However, because this is an active, on-going investigation, including federal law enforcement, we are limited in what we can share at this time.
We are acting quickly and on the side of caution, and we sincerely apologize for the inconvenience this has caused.
We became aware of the exposure yesterday, December 9th. Our team immediately took steps to mitigate the exposure, including:
We want to share information with you as soon as it is available and appropriate to share, rather than wait until all the facts are known. We believe this is the right thing to do even though it creates additional frustration as not all information is known. Updates will continue to be posted here.
Update 12/10/2015 3:53am Central: In an attempt to provide more assistance to the recommendations below, you canfind updated step-by-step links on how to reset your passwords here.
Update 12/9/2015 11:13pm Central: We are committed to updating this area with information. Our investigation is ongoing, and we have given customers these recommendations out of an abundance of caution.
12/9/2015 9:03pm Central
Urgent WP Engine Security Notification
At WP Engine we are committed to providing robust security. We are writing today to let you know that we learned of an exposure involving some of our customers credentials. Out of an abundance of caution, we are proactively taking security measures across our entire customer base.
We have begun an investigation, however there is immediate action we are taking. Additionally, there is action that requires your immediate attention.
While we have no evidence that the information was used inappropriately, as a precaution, we are invalidating the following five passwords associated with your WP Engine account. This means you will need to reset each of them. Instructions for how to reset these passwords are at the bottom of this email.
WP Engine User Portal
WordPress Database (No reset needed. WP Engine takes care of this)
Original WP-Admin Account
Password Protected Installs and Transferable Installs
As a security best practice we also recommend, if you use this password elsewhere with other applications, that you change and update those passwords as well.
We apologize for any inconvenience this event may have caused. We are taking this exposure as an opportunity to review and enhance our security, and remain committed to strong internal security practices and processes.
We take the security of our customers very seriously. Should you have any questions after resetting your User Portal password, please feel free to contact the WP Engine support team.
The WP Engine Team
Password Protected Installs and Transferable Installs This is the password you use to access any installs, both staging and live, that you have enabled Password Protection on or for your Transferable Installs. To reset this password, go to the Utilities section of the User Portal for the specific install and use the edit icon to change the password.