We want to reassure our customers that the current version of the Heartbleed bug, a recently discovered high-priority security vulnerability, is not affecting sites hosted by WP Engine.
At WP Engine we take WordPress security very seriously. We conduct regular security assessments and work to address security vulnerabilities to protect our customers and their data. We also conduct ad hoc tests if a security threat, such as the Heartbleed bug, is brought to our attention. Accordingly, our security engineers have tested for Heartbleed and confirmed that customer sites and our User Portal are not vulnerable as of the date of this post.
The Heartbleed bug is currently impacting the open source software OpenSSL, which is used to encrypt web communications. The vulnerability can allow attackers to access encrypted data and communications. Fortunately, the version of OpenSSL we use here at WP Engine is not one of the versions impacted by the vulnerability.
You can use this tool to check whether your site is vulnerable to the Heartbleed bug. If you have reason to believe your site is vulnerable, you can contact our Support Team via Live Chat in the User Portal.
Please rest assured that our security team is monitoring the situation.
Conor Gilsenan says
Can you please provide more details for the tech community who will understand them? For example, which specific version of OpenSSL do you actually use? If you used any compromised version from “Apr 18 13:21:31 2012 GMT” onward, then you must assume that your private key was compromised at that point even if you switched to a patched version after the fact. Your SSL cert is 2 years old and that is the same timeframe which the Heartbleed Bug has been in the wild. Without knowing which versions of OpenSSL you have used within the last 2 years with that certificate, you should be cautious and regenerate your certificates now as a precaution.
Please follow up with another blog post saying that the certificates have been regenerated as a precaution.
https://lastpass.com/heartbleed/?h=wpengine.com
Jason Cosper says
Our current and all previous customer facing versions of nginx have been compiled against a fully patched and secure version of OpenSSL 0.9.8. At no point has the Heartbleed bug been an issue, so certificates do not need to be regenerated.
Thanks for the concern, Conor!
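The reasoning in the two comments above, as an added example that is not part of the original post or WP Engine's tooling: a key served by an affected OpenSSL build counts as exposed even after a later upgrade, while a history of 0.9.8 builds yields no exposure. The deployment timelines and as-of date are constructed, and the date Conor quotes is taken here as the certificate's start date (an assumption).

```python
import re
from datetime import date

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(beta\d+))?")

def heartbleed_affected(version: str) -> bool:
    """True if an upstream OpenSSL version string is in the Heartbleed range.

    Assumption: upstream version strings. Distro packages may backport the
    fix without changing the letter suffix, so confirm against the vendor.
    """
    m = VERSION_RE.search(version)
    if not m:
        raise ValueError(f"unrecognised OpenSSL version: {version!r}")
    branch = tuple(int(m.group(i)) for i in (1, 2, 3))
    letter, pre = m.group(4), m.group(5)
    if branch == (1, 0, 1):
        return letter <= "f"      # 1.0.1 through 1.0.1f; fixed in 1.0.1g
    if branch == (1, 0, 2):
        return pre == "beta1"     # fixed in 1.0.2-beta2
    return False                  # 0.9.8 and 1.0.0 never had the heartbeat code

def exposure_windows(deployments, cert_not_before, as_of):
    """Periods in which the certificate's key sat behind an affected build.

    deployments: [(date_deployed, version_string), ...] in ascending order.
    Any non-empty result means the key should be regenerated, even if the
    current build is patched.
    """
    windows = []
    for i, (start, version) in enumerate(deployments):
        end = deployments[i + 1][0] if i + 1 < len(deployments) else as_of
        begin = max(start, cert_not_before)
        if heartbleed_affected(version) and begin < end:
            windows.append((begin, end))
    return windows

# Constructed inputs (not WP Engine's real deployment history).
CERT_NOT_BEFORE = date(2012, 4, 18)   # date quoted in the comment above
AS_OF = date(2014, 4, 9)              # constructed
ALWAYS_098 = [(date(2012, 1, 5), "OpenSSL 0.9.8y")]
PATCHED_LATE = [(date(2012, 3, 1), "OpenSSL 1.0.0h"),
                (date(2013, 1, 10), "OpenSSL 1.0.1e"),
                (date(2014, 4, 8), "OpenSSL 1.0.1g")]

if __name__ == "__main__":
    for name, timeline in (("0.9.8 only", ALWAYS_098), ("patched late", PATCHED_LATE)):
        print(name, exposure_windows(timeline, CERT_NOT_BEFORE, AS_OF))
```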
Cody says
Just wanted to tell you that you did a great job staying out in front of this! I started a live chat only to look at your Twitter account/this blog and see my concern was unnecessary! Excellent proactive work as always 🙂
Jason Cosper says
Glad you appreciate it, Cody! Just trying to do our best to look out for everyone who places their trust in us.
Jason says
Sorry for being uninformed on this, but what if our SSL cert is from a 3rd party (such as VeriSign/Symantec)? Is my site on WP Engine still secure?
Thanks for helping me understand.
Jason
Jason Cosper says
Because our servers weren’t leaking any information to begin with, your certificate should be totally fine!