

Security Incident - sucuri2
http://en.blog.wordpress.com/2011/04/13/security/

======
iramiller
Using the phrase "low level" to describe someone gaining complete control of
your systems is not something you see in a general PR release for an incident.
The friends and family I have recommended wordpress.com to are likely to
misunderstand the importance of this event.

~~~
trotsky
Agreed, I think that was a poor choice of words in this case. To be fair,
communication skills often take a temporary hit in these situations when
you're still actively coping.

------
briandoll
Good reminder how honesty and transparency are essential in surviving issues
like this. There are currently two PAGES of comments on this post,
overwhelmingly positive and thankful for this sort of early disclosure.

This reminds me of a talk by Gary Vaynerchuk where he joked that he wished
some of his consulting clients (via <http://vaynermedia.com>) would screw up
badly so they had an opportunity to apologize. Strong bonds are formed in
times of trouble.

------
pacifika
This is why startups should always provide users the option to change their
password, don't delay this essential functionality please.

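As an added example (not part of the thread, and not WordPress.com's code), here is what a minimal password-change flow looks like when it is built for a post-incident "change your password" request rather than as an afterthought. Everything is assumed: an in-memory `UserStore`, scrypt from the standard library for the password hash, and opaque session tokens. The point the code makes is that changing the password must also invalidate every existing session, otherwise an attacker who already holds a session cookie keeps their access after the user "secures" the account.

```python
import hashlib
import hmac
import os
import secrets
from typing import Dict, Optional, Tuple

# Assumed scrypt parameters: 16 MiB of memory per hash, fine for a demo.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
MIN_PASSWORD_LEN = 12


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest); a fresh random salt is drawn when none is given."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison so timing does not leak how many bytes matched."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


class UserStore:
    """Hypothetical in-memory user/session store standing in for a database."""

    def __init__(self) -> None:
        self.users: Dict[str, dict] = {}

    def create(self, username: str, password: str) -> None:
        salt, digest = hash_password(password)
        self.users[username] = {"salt": salt, "digest": digest, "sessions": set()}

    def login(self, username: str, password: str) -> Optional[str]:
        """Return a new opaque session token, or None on bad credentials."""
        user = self.users.get(username)
        if user is None or not verify_password(password, user["salt"], user["digest"]):
            return None
        token = secrets.token_urlsafe(32)
        user["sessions"].add(token)
        return token

    def is_valid_session(self, username: str, token: str) -> bool:
        user = self.users.get(username)
        return user is not None and token in user["sessions"]

    def change_password(self, username: str, session: str,
                        current: str, new: str) -> Optional[str]:
        """Rotate the password and revoke every existing session.

        Requires an authenticated session AND the current password, so a
        stolen cookie alone cannot lock the real owner out.  Returns a fresh
        session token for the caller, or None if the request is rejected.
        """
        user = self.users.get(username)
        if user is None or session not in user["sessions"]:
            return None
        if not verify_password(current, user["salt"], user["digest"]):
            return None
        if len(new) < MIN_PASSWORD_LEN or new == current:
            return None
        user["salt"], user["digest"] = hash_password(new)  # new salt every time
        user["sessions"].clear()  # kills the attacker's session too
        fresh = secrets.token_urlsafe(32)
        user["sessions"].add(fresh)
        return fresh


def demo() -> dict:
    """Walk through the flow on a constructed user and report each outcome."""
    store = UserStore()
    store.create("alice", "correct horse battery")
    victim = store.login("alice", "correct horse battery")
    stolen = store.login("alice", "correct horse battery")  # attacker's copy
    rejected = store.change_password("alice", victim, "wrong guess", "a-much-longer-secret")
    fresh = store.change_password("alice", victim, "correct horse battery", "a-much-longer-secret")
    return {
        "rejected_with_wrong_current": rejected is None,
        "stolen_session_dead": not store.is_valid_session("alice", stolen),
        "fresh_session_live": store.is_valid_session("alice", fresh),
        "old_password_dead": store.login("alice", "correct horse battery") is None,
        "new_password_works": store.login("alice", "a-much-longer-secret") is not None,
    }


if __name__ == "__main__":
    print(demo())
```

The two details worth copying are the current-password check (a session cookie by itself should not be enough to set a new password) and `sessions.clear()` on success; a change-password page that leaves old sessions alive gives users a false sense of having locked an intruder out.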
------
sucuri2
They didn't post many details, but if you have accounts at wordpress.com/.org,
you know what to do (change passwords, etc) :)

------
iuguy
Is cleanup on Wordpress.com/org something Sucuri.net can help with? Is there
an opportunity for Sucuri to do something at a special rate for affected
HN'ers?

~~~
dotBen
This is an issue affecting WordPress.com, where users have no access to the
source code.

Given you go on to mention WordPress.org and even mention a discount for HN
users, it feels as though this is a pitch for a specific vendor..? :(

~~~
iuguy
I can see how it might appear to be that way. For the record I have no
relationship with Sucuri whatsoever. I do however know that they engage in
WordPress cleanups and (from what I've heard independently but YMMV) they're
rather good at their job. That's why I asked because sucuri submitted the post
- I'd rather the HN community got a good deal and I asked the question than
people paid over the odds when they could've got something better.

I can see how it looks like a pitch, but in some ways it's an anti-pitch or a
pre-negotiation. They specialise in wordpress compromises, we deal with
completely different stuff but in the security space. We can deal with your
compromised wordpress install but sucuri does this day in day out - we deal
more with your network being broken into. I thought it might be good to
highlight the poster's speciality in the area, and (cheekily) ask for a HN
discount.

Apologies if I've betrayed some HN etiquette here, that was not my intention.
For What It's Worth I'll be talking tomorrow at OWASP London about WordPress
Security and (again, independently) recommending Sucuri's scanner - it's
better than Plecost, not by much, but enough.

~~~
dotBen
Fair enough. Thanks for circling back!

Where can we see your talk/slides/etc on WordPress Security? (Sadly London is
no longer home.)

~~~
iuguy
I'll upload them but I think there's enough interest to do a webex or
something. I've had a few emails asking about it, so it may be worthwhile.

