Summary: WooTheme Hacker Attack & Community Response


As many of you have probably heard by now – WooThemes, a small yet profitable and well liked startup based in South Africa, suffered a severe hack on April 24th, shutting down the popular site for three days. The attack, described as “very malicious” by co-founder Adriaan Pienaar, deleted the company’s server and its entire database, including backup data. All traces of the path the perpetrators used to conduct the hack were also erased.

WooThemes Hack Response

WooThemes’ biggest product is the WordPress plugin WooCommerce. The plugin turns a WordPress site into an e-commerce store, complete with sales tracking. Given this, the main concern was not just the inability to use the site, but also the safety of customers’ personal and credit card information. Once the site was back online, co-founder Mark Forrester updated the company blog with full details of the hack, including notice that no sensitive or confidential data was stolen, as users’ encrypted credit card details were hosted elsewhere.

Forrester also noted that the company moved its web hosting from a VPS (virtual private server) to WPEngine, the leaders in WordPress site hosting, where it now has a dedicated server with “backups upon backups of backups” and, of course, exceptionally tight security.

The company was able to act swiftly to restore access and has been lauded by its users for being fully transparent in communicating the event and its resolution. As information was discovered, it was continually shared with customers. A temporary blog was set up for updates, progress was posted on Twitter, and their downtime blog was updated constantly (you can read an excerpt here). Because customers were fully informed without having to ask, there was little to no backlash. This result is a testament to the company’s down-to-earth personality and its public relations savvy.


The lesson to be learned here, or reiterated anyway, is that regardless of your host or platform, you should take precautions to protect your work.

Here are a few tips:

Mix up your passwords – The more complicated the combination of upper- and lower-case letters, symbols, numbers, etc., the harder it is for a would-be attacker to guess or brute-force their way into your site.

Use plugins for enhanced security – Secure WordPress has features like removing error information from login pages, adding index.html to plugin directories, and hiding the WordPress version. Choose your plugin wisely – some can actually make it easier to hack your site. A little research on your chosen plugin will go a long way, as will using plugins only from a trusted source.

Back up your data – and back it up again. As you can see from WooThemes’ story, multiple backups in separate locations could have saved them the time and headache of trying to retrieve data. WordPress offers tips and tools for backing up data here; or you can use the WordPress Backup to Dropbox plugin.
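As an added illustration of that tip (this is not code from the original post or from WooThemes), here is a small POSIX shell script that packages a WordPress directory and a database dump into a timestamped archive with a checksum manifest, and then proves the archive can actually be restored. The directory names and the pre-made dump path are assumptions; the destination should be storage that is not on the web server itself, which is exactly the separation WooThemes lacked.

```shell
#!/bin/sh
# Assumptions: WordPress files live in SITE_DIR, a database dump already
# exists at DB_DUMP (e.g. produced by mysqldump), and DEST_DIR is storage
# that is NOT on the web server (a mounted offsite volume or a sync target).
set -eu

# make_backup SITE_DIR DB_DUMP DEST_DIR
# Writes DEST_DIR/wp-<UTC stamp>.tar.gz plus a matching .sha256 manifest,
# then prints the archive path.
make_backup() {
    site_dir=$1; db_dump=$2; dest=$3
    stamp=$(date -u +%Y%m%d-%H%M%S)
    name="wp-$stamp.tar.gz"
    mkdir -p "$dest"
    tar -czf "$dest/$name" \
        -C "$(dirname "$site_dir")" "$(basename "$site_dir")" \
        -C "$(dirname "$db_dump")" "$(basename "$db_dump")"
    # The manifest is written from inside DEST_DIR so it can be checked there.
    ( cd "$dest" && sha256sum "$name" > "$name.sha256" )
    echo "$dest/$name"
}

# verify_backup ARCHIVE
# Checks the manifest and performs a trial restore into a scratch directory:
# a copy that has never been restored is not yet a backup.
verify_backup() {
    archive=$1
    ( cd "$(dirname "$archive")" \
        && sha256sum -c --quiet "$(basename "$archive").sha256" ) || return 1
    scratch=$(mktemp -d)
    tar -xzf "$archive" -C "$scratch" || { rm -rf "$scratch"; return 1; }
    # A WordPress restore needs at least wp-config.php and the SQL dump.
    if [ -f "$scratch"/*/wp-config.php ] && [ -f "$scratch"/*.sql ]; then
        rc=0
    else
        rc=1
    fi
    rm -rf "$scratch"
    return $rc
}
```

Run make_backup from cron, ship the archive and its manifest to a second location, and run verify_backup on the copy that lives there, not on the original.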

Above all, be aware of the threats out there, and keep WordPress core, your themes and your plugins updated to their latest versions. It’s the single most important thing you can do to keep your site secure.

Questions for discussion:

Were you affected by the WooThemes hack?

How do you think WooThemes handled this attack?

What security precautions do you recommend?

Tell us your thoughts in the comments below!

Comments (1)

  • Comment by robthecomputerguy

    Although I am not a customer of WooThemes, I am a fan, and somehow always thought one day I would purchase one of their themes.  Unfortunately, this episode was so thoroughly disturbing that I could bear to even possibly give serious thought to ever using, or ever recommending, any of their products to a client.  I have more data backed up on my hackintosh than apparently they do.  (8 TB) Trying to deflect or at least mitigate their incompetence by calling the attack “very malicious” is absurd.  Let’s get two things straight here: 1, they didn’t have any backups other than duplicate copies of files on the same hosting account – not even a separate hard drive!  And duplicate copies do not constitute a backup, no way, no how.  Nobody went and deleted their backups, and I think I know this for a fact.  How?  Then they would have reported TWO servers being “very maliciously” hacked.  I mean really!  This is so ridiculous!  HostGator $49.99 a month gives you a weekly backup on a VPS account.  Come on!!  2, The notion that customer information was not accessed is implausible at best, and I know in my bones they’re lying about that one.  They may not have had credit card numbers stolen, but that would only be because they used a third party payment processor.  I’m supposed to believe that they separated those systems for whatever/security reasons but they made one copy and only one copy of their entire intellectual property portfolio on a virtual machine in the cloud, and called that machine backed up by duplicating files in the same space?  
    The incompetence of WooThemes reflects poorly on us all in the WordPress community and it’s simply not OK.  Being hacked is one thing but this company is one of the top 5 WordPress based businesses for at least the past 5 years, and it is unacceptable that WooThemes’ customers should have their trust in this company so seriously doubted, and it is frankly also unacceptable that they were so irresponsible and have left this stain on the community – if WooThemes is that pathetically incompetent – and they think switching to another reseller hosting company is going to solve their problems – then we all lose a little bit of credibility when we have to get over the hurdle of “Well if this big WordPress oriented company could have this many problems and be that incompetent…”  I regularly get calls from customers when these types of incidents happen wanting to confirm site security, audit a site for security, or they want to have the whole WordPress discussion all over again: making sure that indeed WordPress is an OK software to use for their website and is honestly secure, because they’ll pay to switch it if it’s really not that secure after all.
    Sorry, but not cool, Woo, not cool at all.  I couldn’t help watching that ridiculousness that they were cranking it up for sympathy.  You get none from me Woo, none at all.