Skip to main content

April WordPress hack the latest in long line of similar attacks

WordPress LogoAutomattic, the purveyor of WordPress, has suffered a recent security breach that could present to significant security risk for WordPress-powered sites.

“Automattic had a low-level (root) break-in to several of our servers, and potentially anything on those servers could have been revealed,” WordPress founder Matt Mullenweg explained on the WordPress blog, on Wednesday. Mullenweg goes on to write that WordPress is reviewing the logs and suspects its source code was copied. The company has little advice for users, other than to strengthen their passwords. Not only is the WordPress blog hosting affected, but many of Automattic’s other services are potentially at-risk.

The consequences of this attack by hackers will definitely be felt by the major VIP members of the WordPress service such as NASA, CBS and The New York Times. Alexia Tsosis from TechCrunch (also a VIP member) says “VIP customers are all on ‘code red’ and in the process of changing all the passwords/API keys they’ve left in the source code.”  Tsosis says that Automattic is downplaying the potential severity of this attack.

There have been a bevy of hack attacks occurring lately against big name companies, such as the DDoS attacks against Sony PlayStation by Anonymous, as well as the EMC breach, Epsilon, and lets not forget that this isn’t the first time WordPress has been attacked.

WordPress was hit hard in 2009 when hidden admin accounts were creating back doors. Just last month, WordPress also suffered a huge DDoS attack, affecting 10 percent of its hosted sites. Let’s remember that this blog host serves some 18 million sites. Mullenweg originally believed the March Distributed Denial of Service attack was motivated politically by China, though later he changed his thoughts on who the culprits may be. There’s no word yet that this April root break-in is politically motivated, but these attacks may be building to some sort of crescendo.

Jeff Hughes
Former Digital Trends Contributor
I'm a SF Bay Area-based writer/ninja that loves anything geek, tech, comic, social media or gaming-related.
A dangerous new jailbreak for AI chatbots was just discovered
the side of a Microsoft building

Microsoft has released more details about a troubling new generative AI jailbreak technique it has discovered, called "Skeleton Key." Using this prompt injection method, malicious users can effectively bypass a chatbot's safety guardrails, the security features that keeps ChatGPT from going full Taye.

Skeleton Key is an example of a prompt injection or prompt engineering attack. It's a multi-turn strategy designed to essentially convince an AI model to ignore its ingrained safety guardrails, "[causing] the system to violate its operators’ policies, make decisions unduly influenced by a user, or execute malicious instructions," Mark Russinovich, CTO of Microsoft Azure, wrote in the announcement.

Read more