Today, the 10th of December, WP Engine (a WordPress-only managed hosting company and one of our primary hosting partners) informed us that they had experienced a potential data breach – “We are writing today to let you know that we learned of an exposure involving some of our customers’ credentials.”
They recommended that we reset the following passwords for all the installations we manage:
- WP Engine User Portal
- WordPress Database (No reset needed. WP Engine takes care of this)
- SFTP
- Original WP-Admin Account
- Password Protected Installs and Transferable Installs
Here at Connected, we take the security of our clients’ websites seriously and therefore followed the steps recommended by WP Engine … and went further by pruning surplus SFTP accounts and updating passwords for all Administrator accounts (not just the original wp-admin account). We use unique, 24-character passwords containing a mixture of letters, numbers and other characters – ultra super secure.
From notification to fix, the whole process took less than 4 hours for all our clients. Keep calm and carry on.
Matthew