Heartbleed Security Update
WordPress.com has taken steps to deal with the Heartbleed vulnerability. Here’s what you need to know.
Last week, a very serious bug in OpenSSL was disclosed. OpenSSL, a set of open source tools to handle secure communication, is used by most Internet websites. This bug, nicknamed Heartbleed, allowed an attacker to read sensitive information from vulnerable servers and possibly steal things like passwords, cookies, and encryption keys.
Was WordPress.com vulnerable to Heartbleed?
Yes. WordPress.com servers were running the latest version of OpenSSL, which was vulnerable. We generally run the latest version of OpenSSL to enable performance enhancements, such as SPDY, for our users. The non-vulnerable versions of OpenSSL were over two years old.
Has WordPress.com fixed the issue?
Yes. We patched all of our servers within a few hours of the public disclosure.
Has WordPress.com replaced all SSL certificates and private keys?
Yes. Out of an abundance of caution, we have replaced all of our SSL certificates, along with regenerating all of the associated private keys. In addition, our servers support forward secrecy so that even if our private keys were compromised, they could not have been used to decrypt old encrypted communication.
Will you be forcing me to reset my WordPress.com password?
At this time, we will not be forcing you to change your password.
Should I change my WordPress.com password?
If you want to, you are welcome to change your password. If you are using the same password other places on the Internet, we urge you to change your password and remind you to use unique passwords wherever possible.
Will we be okay to keep our password if we enable two-step verification? Even if someone potentially has our password?
It’s always a good idea to enable two-step verification 🙂 If you use the same password multiple places on the web, we recommend that you change it. Otherwise, it’s really up to you. Changing your password is pretty easy and if it creates peace of mind, then it’s worth it.
Thank you for the update! It’s always nice to hear info like this first hand rather than wondering if the lists of compromised companies popping up everywhere are truly accurate. I appreciate it!
Does “within a few hours” mean that if we changed our password the day after heartbleed was publicized last week, our accounts should be secure, or would it be prudent to change our WordPress password again?
We don’t think you need to change your password again. But if you are concerned, it’s pretty easy to change, so I would just go for it.
Thank you for the update Barry, and for letting us know that WordPress takes security seriously and that WordPress has taken steps to protect us from this bug and other threats. 🙂
-John Jr
Thanks to the technical personnel at wordpress.com. Your nimble response to the heartbleed crisis is much appreciated.
Good article. Thanks so much as always. 🙂
Thanks for this: very reassuring …
er, assuming you are who you say you are
😉
Thanks for the peace of mind! ;)
Thanks for the quick update and letting us know!
Thanks for taking care of us. 😀
Thank you. May be a dumb question but if we did not change our password would we be vulnerable?
If you use the same password on multiple sites and one of those sites failed to patch their servers in a timely manner then it’s possible you could be more vulnerable than if you use a unique password for each site. If you are concerned about it I would just go ahead and change your password – it can’t hurt.
Thank you for fixing this Issue. Indeed WordPress is awesome. 🙂
Can I ask why people call this “untraceable” when there clearly were ways to trace the attacks?
I understand people saying it’s not in the apache logs, and the network logs do not likely go back 2 years, but not logging a particular thing, or having those logs rotate out seems a way different thing than saying a certain action is untraceable.
EFF clearly posted references to heartbleed activity from IPs 193.104.110.12 and 193.104.110.20, obtained from 5 month old network logs specifically because the encrypted TCP signature was so distinctive and matched the proof of concept.
https://www.eff.org/deeplinks/2014/04/wild-heart-were-intelligence-agencies-using-heartbleed-november-2013
I completely understand most don’t keep network logs that long, and some don’t even log network and just rely on apache logs depending on their position in the team, but why use the word untraceable for a very traceable act if you happen to be logging or looking for it, and it has a clear TCP payload signature for the malformed request, even encrypted apparently? Is it to stop people from looking in recent network logs or even looking for such obvious activity right now?
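The comment above points out that the malformed heartbeat request has a distinctive on-the-wire shape. The following is an added example (not code from WordPress.com, the EFF post, or any commenter) showing the check a defender would run over captured TCP payloads: parse the TLS record, and flag a heartbeat request whose claimed payload length exceeds what the record actually carries. The sample records are constructed for the demo.

```python
"""Flag Heartbleed-style TLS heartbeat requests in captured TLS records.

Added example for illustration; the record layouts follow RFC 5246 (TLS
record header) and RFC 6520 (heartbeat extension). Sample bytes below are
constructed, not taken from a real capture.
"""
import struct

TLS_HEARTBEAT = 0x18   # TLS record content type for heartbeat messages
HB_REQUEST = 0x01      # heartbeat message type: request
HB_PADDING = 16        # RFC 6520 requires at least 16 bytes of padding


def inspect_tls_record(data: bytes) -> dict:
    """Parse one TLS record and report whether it is a malformed heartbeat request.

    The Heartbleed trigger is a heartbeat request whose claimed payload_length
    is larger than the payload the record actually contains: a patched server
    discards such a record, an unpatched one copies process memory into the
    reply. Returns a dict with the fields an analyst would want to log.
    """
    if len(data) < 5:
        return {"verdict": "too-short"}
    content_type, version, rec_len = struct.unpack("!BHH", data[:5])
    if content_type != TLS_HEARTBEAT:
        return {"verdict": "not-heartbeat", "content_type": content_type}
    body = data[5:5 + rec_len]
    if len(body) < 3:
        return {"verdict": "truncated-heartbeat", "record_length": rec_len}
    hb_type, payload_len = struct.unpack("!BH", body[:3])
    # Bytes genuinely available for payload once the 3-byte heartbeat header
    # and the mandatory padding are subtracted from the record length.
    available = rec_len - 3 - HB_PADDING
    malformed = hb_type == HB_REQUEST and payload_len > available
    return {
        "verdict": "heartbleed-probe" if malformed else "ok",
        "tls_version": hex(version),
        "record_length": rec_len,
        "claimed_payload_length": payload_len,
        "available_payload_bytes": max(available, 0),
    }


# Constructed samples: a well-formed request carrying a 4-byte payload plus
# 16 bytes of padding (record length 0x17 = 23) ...
BENIGN = bytes.fromhex("18 03 02 00 17 01 00 04") + b"ping" + b"\x00" * 16
# ... and a request claiming 1024 payload bytes while carrying none.
MALFORMED = bytes.fromhex("18 03 02 00 03 01 04 00")

if __name__ == "__main__":
    for name, rec in (("benign", BENIGN), ("malformed", MALFORMED)):
        print(name, inspect_tls_record(rec))
```

The same comparison is what IDS signatures for this bug encode; running it over archived captures is what makes the activity traceable after the fact, as the commenter notes.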
I think that while it might be possible to find possible uses of this exploit if you keep network captures, it’s also very likely that it was possible to exploit this issue without detection, depending on the level of sophistication and method used.
Always right up there, ahead of the pack. Another friend asked me to show her how to create a blog, and it’s great to be able to confidently say, ‘Of course it has to be WordPress’. I have a tiny problem, though, with the idea of using new, unique passwords — especially with my memory! 🙂
There is some great software out there that helps you manage your passwords online:
* 1password – https://agilebits.com/onepassword
* LastPass – https://lastpass.com/
* Keepass – http://keepass.info/
Okay, so… I’m a total newbie about this topic.. keys and SSL etc.. Should we change our password as soon as possible to avoid any problems? (I will probably change here, just for the sake of doubt)
It’s not required that you change your password, but it can’t hurt anything.
Thank you for the information. I have been working with my domain provider to see if I’m affected with using WordPress.org. They are confused, but trying to cooperate. Robert
Hi Robert,
It looks like you are hosted with Namecheap – they published a FAQ entry here: https://www.namecheap.com/support/knowledgebase/article.aspx/9343 and it looks like they are on top of things.
Thank you for taking the appropriate steps. It is well appreciated.
Indeed – I saw the report. I think sites that left their servers un-patched for days after the public disclosure are in the most trouble. It’s also possible that this vulnerability was widely exploited in the 2+ years the bug existed and we just don’t know yet. We will keep a close eye on things and make changes to our policies and recommendations if needed.
Thanks for the update. I’ve been a bit worried for quite sometime. In fact, I’ve changed passwords in some of my social networking accounts already. It’s a good thing I can really rely on WordPress to keep the security walls up. Thanks!
Great job, your efforts are appreciated! It is good to know that we are safe. Thank you WordPress for keeping security up and running.
What a model of timely, clear, helpful information – and of course action! Thank you and congratulations
So Barry, SIN numbers here in Canada have been stolen. Heartbleed has to be one of the worst breaches of security in internet history. Thanks to all at wordpress for patching things up! It is a nightmare!
Thank you very much for this: we actually take your intervention for granted, but to be informed of it is always good.
Everyone needs to change their passwords everywhere! Better to be safe than sorry!
I just changed my password and I am feeling better now. I heard and read about the bug but never took steps to protect my online work. Glad I read your post. Thanks a bunch for the information.
I’m surprised that so far the only site or service that’s emailed me about changing passwords has been IFTTT. I’d have expected to hear something by email from most sites, incl WordPress.
That said, would have appreciated something more informative than “You are welcome to change your passwords if you want to.” Presumably the way you’ve put it means that you don’t think it’s a critical thing to do.
Thanks for the tips. Do you have any protection against attacks like Heartbleed for the future?
Was Heartbleed affecting the sign-in process or comment-approval administration on here at any point since it was discovered by WordPress staff?
I’m changing my password straight away…. Thanks for this eye opener.
I’m so glad I use different passwords for everything.
Thank you for this information, I appreciate it.