Several of our customers have experienced a security breach that was carried out by manipulating PHP. A full report covering the breach, what we’ve done to lock down this issue, and how we’re preventing an entire class of similar breaches is forthcoming; we’re waiting until we understand all of the incidents and are confident in our information.
For now, all of our customers are running under new security rules, which are still somewhat in flux as we continue to refine them and the processes around them.
Most of you will not experience anything new.
Some of you will notice that certain plugins or themes are unable to write certain files to disk. That is almost certainly a result of the new rules, and you should contact support and explain the issue so that we can either (1) make sure that it’s a temporary condition, (2) help you find another solution that doesn’t have this vulnerability, or (3) adjust our rules to allow for that case.
Thanks in advance for your patience as we implement these rules. They will make your blogs safer in the end, and of course we’d rather have to adjust a few plugins than risk exposing you to a variety of attacks.
Also, please note that all the evidence indicates this was not a vulnerability in WordPress core, nor was it a vulnerability in our non-PHP systems (e.g. firewalls, SFTP, database access points, user portal). Again, a full report will come later, when we believe we have all the information and our security policies are no longer in flux.