Our site got hacked during the weekend, causing loss of client data. We just finished rebuilding the site and it’s back to working state.

Many of our clients received very distressing emails about an exploit on WPML plugin. This email was sent from an intruder who got into our site and used our mailer. Obviously, that message was not sent from us. If you received such an email, please delete it. Following links in hacked emails can cause additional problems.

We updated wpml.org, rebuilt everything and reinstalled everything. We secured access to the admin area using 2-factor authentication and minimized the access that the web server has to the file system.

These are precautions rather than a direct response to the hack. Our data shows that the hacker used inside information (an old SSH password) and a hole that he left for himself while he was our employee.

This hack was not done via an exploit in WordPress, WPML or another plugin, but using this inside information. In any case, the damage is great and it’s done already.

To be clear:

  • WPML plugin running on your site does not contain this exploit.
  • Your payment information was not compromised (we don’t store it).
  • The intruder does have your name and email and might have access to your account at WPML.org.
  • The intruder indeed stole the sitekeys, but they are of no use. The sitekeys allow your site to get updates from wpml.org. The intruder cannot push any changes to your site using these keys.

We now recommend that all clients reset their accounts in wpml.org. To do this, log in to your account. Please don’t follow links in emails, as the attacker may still be sending emails to trick you. To log in, open a browser, type in https://wpml.org and log in.

There will most likely be additional post-breach actions that we’ll need to take. We’ll send a follow-up email early this week with a more complete summary.

Of course, we all apologize for being responsible for this mess. Our team is available to help with anything that you need. You can leave comments here or use our contact form to write to us directly.

32 Responses to “WPML.org Site Back to Normal After an Attack During the Weekend”

  1. Amir, I received the email from “WPML Updates ” with Subject “WPML Warning”, and I include the content of that email below. Did this email come from the hacker, or did it come from WPML officially?

    — begin of email content —
    You’re seeing this because you are using WPML. You purchased WPML and installed it on one or more of your sites. Or maybe you just plan to.

    I did the same but only to get myself in a whole lot of troubles. WPML came with a bunch of ridiculous security holes which, despite my efforts to keep everything up to date, allowed the most important two of my websites to be hacked.

    WPML exposed sensitive information to someone with very little coding skills but merely with access to the WPML code and some interest in seeing how easy it is to break it.

    I’m able to write this here because of the very same WPML flaws as this plugin is used on wpml.org too.

    Please take this with the warm recommendation of triple-enforcing your security on websites where you use WPML, if you must use it. Make frequent backups and monitor your websites closely. Do not leave sensitive information lying around in the database or on the server.
    Use only WPML components and features that you really need. Or ask for your money back.

    Do not expect that if you’re charged for a piece of software, it means that it is 100% hack-proof. WPML is highly acclaimed but doesn’t prove itself.

    It’s a shame that after an unreasonable price tag and lousy support, things were able to go even worse.

    I’ve emailed them with details about the vulnerable code and hopefully they will be able to react quickly enough with an update. But be warned!

    Peace!
    — end of email content —

    • That email was sent from the hacker. When he hacked into our site, he got access to our mailer (which we quickly changed). So he sent malicious emails with our signature.

      Our site was hacked not from an exploit in our plugin, but from a doorway that was left in our server. The hacker did not modify WPML code and did not inject security holes into it.

  2. Well done for taking appropriate and immediate action. I am sure that all of your customers know that you do all you can to keep their info and plugins safe. Obviously we trust humans with the most important of all info, and that can and will, always be a risk.

    • Thanks Alan. You put it exactly. We can’t stop trusting people. We need to remember the inherent risks and handle them.

  3. Thanks for the quick update. I think that you’ve handled this really well and responded really, really quickly. Sorry that this has happened to you and hope that people show understanding.

  4. Hi Amir,
    Things that happen…

    I received an email from the hacker… and soon another mail from hello@wpml.org, on behalf of Amir…. explaining the problem and a link to change the password (I have not used it),

    this second email is yours or also the hacker?

  5. Apparently the instructions to check old tickets in case of compromised credentials are from you as well? I can’t see my old tickets on the support page, where exactly are they supposed to be?

    • First, you need to be logged in to your WPML account. Please be sure to log in using the same account that you used to open the support tickets. Then, go to the support main page (not the archive). At the top, you will see the list of tickets that you’ve created.

      https://wpml.org/forums/forum/english-support/

      Our site is pretty loaded right now, as hundreds of clients are logged in cleaning support tickets. This load will go down soon and the site will be faster to use.

  6. Hi,

    I don’t understand how to disable my account. Could you tell me how to do it? I had difficulties connecting to the account.

    2. The hacker has our credentials for many CMS and FTP and other things, and the email address. What do you advise us to do to protect ourselves? To change the passwords everywhere? Is that not too late?
    Can he have access to my email box?

    Regards
    Sophie

  7. Hi Amir,

    Sorry, again, but in the mail I received from you, you say: “We recommend that you disable the accounts that you created for us, so that nobody can use them to get into your and your client’s websites.”

    What do you mean exactly? To disable our account with WPML? I don’t understand, which accounts could we have created for WPML?

    Do we have to tell our server hoster that WPML has been hacked?

    Thanks,
    Sophie

  8. Hi,

    I do not understand how to reset my account. I’m logged in, but don’t see how to.
    And what are the consequences?

    Thanks.

    Regards,
    Funs

    • To change your password for WPML.org, do this:

      1. Log into your account. Visit https://wpml.org and click on the account link at the top right.
      2. In your account, click on Account Settings (the first item on the page).
      3. Scroll down to the password section and enter it into the two fields (one for verification).

  9. Hey, one thing, I have an expired account, but it is there. I received the hacked email, I did not follow the link of course, but using my credentials (user/pass) I was not able to log in.

    Is there any possibility that the hacker also changed the user account password? Or is this normal since it is an old expired account?

    I did the Password Recovery, I’ve changed the pass, but then just to be sure, I’ve entered the account settings and I’ve changed the pass again. 🙂

      • Thanks Amit, but my worry is because my user account is old and I do not remember if “originally” I had other information on my account, since when I tried to log in my password didn’t work, so, could the hacker have changed the passwords on the accounts? For example I do not remember if I used my credit card or PayPal information when I used the plugin, and I can’t be sure if that information, which is now empty, is empty because it was empty or because the hacker did it. When I logged in now the first thing that happened was to complete some user information, name, company, etc, and again, I do not remember if that information was not there due to an old account or whether it was the hacker that erased it. Yes I know I do not have any active website using WPML with my user right now, in fact I never did that since I’m a developer and I leave the client to buy the licence for the particular website.

        • Hi Roberto, I understand your worry absolutely,

          I have reviewed your profile and you are all safe, as a matter of fact we do not and never store any of the purchase information on our side, it’s all secured by PayPal and Stripe, on top of that your support profile is clear and there’s no other private information that was shared with us.

          It’s a strange feeling to not be sure, believe me, I know, but now we are back on track,
          but as I said there’s nothing compromised with your profile,

          Hope that helps.

  10. Hi Amir,
    I’m a bit unsure: does this message originally come from WPML / you? If so, I can’t find an archive of my support tickets … What do I have to do?

    Regards, Lutz

    This message reached me today at 16.39 CET:

    >>>>>>
    Hi Lutz,
    We need to make sure that the recent hack into WPML.org website doesn’t risk your websites.
    I’m writing to you because in the past you opened support tickets for WPML, which have private messages. Since an intruder hacked into our site, we need to assume that he has access to all our data. This includes the support threads and the private messages.
    Please log-in to wpml.org and go to the technical support forum.
    Once logged-in, you will see a list of the tickets that you created.
    Visit the tickets and open the private replies. There, you will see which credentials you shared with us. We recommend that you disable the accounts that you created for us, so that nobody can use them to get into your and your client’s websites.
    We’re very sorry for this inconvenience. After a detailed review of what was stolen, this is the only remaining exploit which we found.
    Deleting these threads from our forum will not help because we believe that the attacker already downloaded the tickets archive.
    If you need our help, please use our support forum or write to us directly.
    Amir
    <<<<<<<

  11. Amit,

    After a quick security audit in my head, I was already going to do what you recommend. I’m glad to see you are encouraging others to as well, but I would note that this should be prominent in the message at the top of this page, as well as emailed to people – not buried in a comment. Also:

    – Any databases shared with WPML support should mean that all accounts/passwords in those databases should be considered compromised (as well as any other data in them).

    – Don’t forget any dev sites you might have shared access to as well. And if a dev site was compromised, any creds stored in that site are compromised, and if they mirror creds in other sites (like your production copy of the site) that was NOT shared, a person could try the dev site creds on your production site and get in.

    • That is true, though we are talking here only theoretically – at the moment we have no evidence of any of our clients’ sites being compromised, and the intruder did not damage our plugin’s code. As you said, it should be a routine task to always change the credentials shared with supporters after the issue is debugged; I have also refreshed our Support procedures to meet that goal.

  12. Hi,

    Before the weekend and before WPML was hacked, I had a thread open with a supporter. I was asking my supporter if he needed the credentials again (I had changed server a few days ago).
    And I received yesterday, 21 January at 18.30 Central European time, a mail from my supporter where he says that yes, he needs the new credentials.

    Is that secure now to send new credentials through the technical support forum?

    Regards,
    Sophie

    • Yes, our site was attacked over the weekend and data was lost. But it’s secured now and you can use the private replies. I recommend doing this:

      1. Create a separate account for our supporters and don’t give your own admin account
      2. After the supporter is done, close that account

  13. Hi Amir,

    Thanks for your answer.
    But I need you to explain it to me more precisely.
    1. How can I create a separate account for the supporters? Then, I tried as well to close my account yesterday, but I didn’t find the possibility to do it. Maybe you could give more precision about the various accounts you speak about.

    2. “Don’t give your own admin account”: which admin account are you speaking about? In connection with what I said just above, I have only one account user name and one password for WPML. Can you enlighten me about the “admin account”?

    3. I tried to change the password of my account in WPML yesterday but I saw that the password is generated by WPML. So, I couldn’t. But maybe it’s not necessary?

    Sorry for all those very practical questions, but I am a bit lost with the various accounts and the way to close them.

    Regards,
    Sophie

    • Sorry for the confusion. We’re not asking to create new accounts here on wpml.org, but on the site that you want us to log into and check. For example, if you need our supporters to access your site great-widgets.com, we ask that you create a new account on great-widgets.com and share that with us. Don’t give us the password for your existing administrator account on great-widgets.com, but create a new account for us. When our supporters are done working on your site, remember to remove that account, as it’s no longer needed.

      Does this make sense?
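The temporary-supporter-account routine described in the reply above, as an added example that is not wpml.org’s or WPML’s own code: a small WordPress mu-plugin that creates a time-limited account for an outside supporter and removes it automatically when the time is up. The function names and the `example_support_expires` meta key are assumptions for this example; the WordPress API calls (`wp_insert_user`, `wp_delete_user`, `get_users`, WP-Cron) are standard.

```php
<?php
// Added example, not wpml.org's or WPML's code: creates a dedicated support
// login with an expiry and purges it via WP-Cron. Function names and the
// 'example_support_expires' meta key are assumed for this example.

// Create a dedicated support login instead of handing over your own admin
// account. Role defaults to 'editor'; pass 'administrator' only when the
// supporter really needs it.
function example_create_support_user( $login, $email, $ttl_seconds, $role = 'editor' ) {
    $password = wp_generate_password( 32, true, true );
    $user_id  = wp_insert_user( array(
        'user_login' => $login,
        'user_email' => $email,
        'user_pass'  => $password,
        'role'       => $role,
    ) );
    if ( is_wp_error( $user_id ) ) {
        return $user_id;
    }
    // Record the expiry; the cron job below enforces it.
    update_user_meta( $user_id, 'example_support_expires', time() + $ttl_seconds );
    return array( 'id' => $user_id, 'password' => $password );
}

// Delete every support account whose expiry has passed. Content the
// supporter created is reassigned to user ID 1 so nothing is lost.
function example_purge_expired_support_users() {
    require_once ABSPATH . 'wp-admin/includes/user.php';
    $expired = get_users( array(
        'fields'     => 'ID',
        'meta_query' => array( array(
            'key'     => 'example_support_expires',
            'value'   => time(),
            'compare' => '<',
            'type'    => 'NUMERIC',
        ) ),
    ) );
    foreach ( $expired as $user_id ) {
        wp_delete_user( $user_id, 1 );
    }
}

// Run the purge hourly through WP-Cron.
add_action( 'example_purge_support_users', 'example_purge_expired_support_users' );
add_action( 'init', function () {
    if ( ! wp_next_scheduled( 'example_purge_support_users' ) ) {
        wp_schedule_event( time(), 'hourly', 'example_purge_support_users' );
    }
} );
```

Drop the file into `wp-content/mu-plugins/` and call `example_create_support_user()` with a TTL of, say, a few days when opening a ticket; the account then disappears without anyone having to remember to close it.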

  14. Hello, from today I’m not able to log in to my account. I’ve already reset the password but login doesn’t work.
