WP Engine breach was very likely via Linode

You could say that Linode has been a bit of a pain in WP Engine’s ass lately.

Linode is one of their service providers (they were their only/primary one for a long time, I believe), which basically means WP Engine uses a bunch of their infrastructure. Well, Linode’s been getting DDoS’d like crazy, making a bunch of WP Engine websites go down.

As of this moment, I can’t get to Linode’s own website, and that’s been pretty common. Their Status page (if it loads for you) is a big wasteland of sadness. Someone has it out for them, and WP Engine and other Linode customers are taking a lot of heat from that.

WP Engine has been moving people off Linode, sometimes quietly, and sometimes in response to customer complaints, due to the DDoS issues. But if I were guessing, I’d guess they are actually moving all customers off Linode and onto other providers; many are moving to Rackspace, and maybe some to Amazon as well.

In addition to the DDoS issues, Linode is also the likely culprit of WP Engine’s disclosed breach from December 9th, and subsequent reset of all account, site, and other passwords on WP Engine’s network. WP Engine won’t confirm it (I asked), but it’s pretty obvious if you line up Linode’s disclosed breach and WP Engine’s.

It also appears a startup called PagerDuty got hosed by Linode, and that was back in July. Seriously, Linode is getting hit from all angles, and from what I’m reading they may deserve some of it, but it sucks for their customers. This Hacker News thread has that story and more, and is pretty awful.

All of this adds up to WP Engine taking big credibility hits, and they are absolutely losing customers to other hosts. I don’t know what the final tally will be, but these issues from Linode are costing them a lot of money, and I’ve seen first-hand a lot of long-time WP Engine fans waver their commitment over all of this.

I also heard back from Jason Cohen about the day they learned about their breach (which I questioned before, because it was conspicuously soon after a major event for them: WCUS). He said that they took action on December 9th, which was the same day they learned of it themselves.

As far as keeping Linode as a service provicer, he gave a non-answer answer, saying, “We continue to evaluate the situation for our customers while being extra vigilant over our network.” I’d guess Linode is a goner.

Similar Posts