Well, this is great. I'm doing a talk tomorrow at OWASP London[1] on WordPress Security. Interestingly, while sorting out Google dorks for the presentation I found 27,000 references to PHP shell backdoors. If you're going, I look forward to seeing you there. Please don't laugh at me every time I mention WordPress and security in the same sentence.

[1] - https://www.owasp.org/index.php/London#Next_Meeting.2FEvent
As an off-topic request, I prefer links to the original source, not to intermediate sources. Yesterday TechCrunch got love for an announcement made on Google Blog; today for an announcement made at Wordpress. In neither case did they add any value.
Really sparse on the details. Were the servers accessed due to a vulnerability in WordPress, other PHP or world-accessible code, a server misconfiguration, an "inside job", or what? I think it's important to have a bit more information about the nature of the attack, so that we know if independent WordPress installations are vulnerable and if/when we should reset keys and passwords.
These days it isn't just about making sure you have good passwords and a decent firewall.

If you run a site that has valuable information, you will end up being a target. That's just a fact. How you respond to these types of security incidents is what will set you apart from the pack. Sadly, most breaches are covered up. They are bad for PR, and most people don't understand them.

Always make sure you have a plan in place. Even if it is just shutting down a list of servers, incident response can go a long way.
TechCrunch indicates that the hacker got access to the source code of WordPress.com VIP sites and "only" Twitter and FB API keys were leaked.

Does anybody know how WordPress.com saves MySQL passwords? Does it differ from WordPress installations? Vanilla WordPress installations have them among the rest of the code, and thus those might have leaked too.
Considering a few recent cases of this kind, what's the best way to store passwords/keys/other credentials? Can I avoid leaking sensitive information even if an attacker gains root access to my app machine?
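The last two comments circle around the same point: a vanilla install keeps the MySQL password and any API keys in wp-config.php, so whoever walks off with the code tree walks off with the credentials. As an added example (editorial, not code from the thread and not WordPress's own), here is a wp-config.php that carries no secrets and loads them from a file outside the web root. The path /etc/wordpress/secrets.php, the key names in that file and the MySQL account name are assumptions.

```php
<?php
/**
 * Added example (not from the thread, not WordPress's own code): a
 * wp-config.php that keeps the database password and third-party API
 * keys out of the code tree, so that a copy of the source, a backup of
 * the web root or a repository leak does not also hand over credentials.
 *
 * Weak form, as a vanilla install has it (secrets live in code):
 *     define('DB_PASSWORD', 'hunter2');
 *     define('TWITTER_API_SECRET', 'abc123');
 *
 * Hardened form below. Assumptions: the secrets live in
 * /etc/wordpress/secrets.php (outside DocumentRoot, owned by the PHP
 * worker's user, mode 0400, excluded from version control) and that
 * file returns an array:
 *     <?php return array(
 *         'db_password'    => '...',
 *         'twitter_key'    => '...',
 *         'twitter_secret' => '...',
 *     );
 */

$secrets_file = '/etc/wordpress/secrets.php';  // assumed path

// Fail closed: no secrets file, no site. Never fall back to defaults.
if (!is_readable($secrets_file)) {
    http_response_code(500);
    exit('Configuration error: secrets file is not readable.');
}

// Refuse group- or world-readable secrets; other accounts on a shared
// host (or another vhost's PHP code) must not be able to read them.
if (fileperms($secrets_file) & 0077) {
    http_response_code(500);
    exit('Configuration error: secrets file is group/world readable.');
}

$secrets = require $secrets_file;
if (!is_array($secrets) || empty($secrets['db_password'])) {
    http_response_code(500);
    exit('Configuration error: secrets file is malformed.');
}

// Database: a dedicated MySQL account with grants on this one schema,
// never the MySQL root account (assumed account name: wp_app).
define('DB_NAME',     'wordpress');
define('DB_USER',     'wp_app');
define('DB_PASSWORD', $secrets['db_password']);
define('DB_HOST',     '127.0.0.1');
define('DB_CHARSET',  'utf8mb4');
define('DB_COLLATE',  '');

// Third-party API credentials the same way; plugin code reads these
// constants instead of carrying its own copies.
define('TWITTER_API_KEY',    $secrets['twitter_key']);
define('TWITTER_API_SECRET', $secrets['twitter_secret']);

// Drop the array so it is not left in the global scope, where every
// plugin and theme could read it.
unset($secrets);

$table_prefix = 'wp_';

if (!defined('ABSPATH')) {
    define('ABSPATH', __DIR__ . '/');
}
require_once ABSPATH . 'wp-settings.php';
```

Two notes on what this does and does not buy. WordPress itself will also load wp-config.php from the directory one level above the install when it is not found in the web root, so the whole file can sit outside DocumentRoot; the layout above goes one step further by separating the config from the secrets so that the config can be versioned. The closing question of the thread, whether credentials can survive an attacker with root, gets a blunt answer: no. Root on the app host reads /etc/wordpress/secrets.php exactly as the PHP worker does, and so does anyone who gains code execution as the web user. What the layout buys is a narrower failure mode: a leak of the code tree (the scenario in the thread) no longer includes the credentials, and a compromise of one vhost on a shared host does not expose another's. Against root the remaining defences are blast-radius ones: a database account with grants on only this schema, API keys scoped to the minimum the site needs, a rotation procedure that can be run in minutes, and keeping anything irreplaceable (signing keys, payment credentials) off the web host behind a separate service.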