WP Engine sent emails to all existing (and apparently many former) customers stating that they needed to reset every password associated with their account:
While we have no evidence that the information was used inappropriately, as a precaution, we are invalidating the following five passwords associated with your WP Engine account. This means you will need to reset each of them. Instructions for how to reset these passwords are at the bottom of this email.
- WP Engine User Portal
- WordPress Database
- SFTP
- Original WP-Admin Account
- Password Protected Installs and Transferable Installs
As a security best practice we also recommend, if you use this password elsewhere with other applications, that you change and update those passwords as well.
One WP Engine customer forwarded me an email exchange where WP Engine responded saying that they do not store any plaintext passwords, but the nature of the reset makes me think that the vulnerability was actually system-wide. This is a pretty depressing email to get, if you’re a WP Engine customer, not to mention if you have a lot of clients there. I feel bad for any of you dealing with this today.
Unfortunately, the nature of the exposure isn’t clear at all, so I hope we’ll be able to learn more from WP Engine about what happened once they get through all these password resets. If I were hosted there, their current explanation would not be enough to assuage my concerns.
They are providing updates on their website about steps they are taking.
