WordPress.com has reported a breach of their site — root access was obtained but the exposure was contained.

While much of our code is Open Source, there are sensitive bits of our and our partners’ code. Beyond that, however, it appears information disclosed was limited.

Some ask in the WordPress.com blog comments whether “sensitive bits” could be API keys and tokens for partner sites like Twitter. So far WordPress has downplayed this risk.

WordPress.com also notes their password hashes are stronger than just unsalted MD5 thanks to Solar Designer’s phpass. They incorporated the stronger hash algorithms with salt since the beginning of 2008 (version 2.5).

It might be worth noting that Solar Designer is known also for developing John the Ripper, a password cracking tool, and he has warned of potentially weak implementations of phpass.

The openness of WordPress.com and the details of their password security practices should be seen as a sliver of good news, at least when compared with the Barracuda and HB Gary incidents that brought to light unsalted MD5 hashes. The risk may be lower with salted and strong hashes but even they can be recovered so WordPress gives the following usual advice to their users as a response.

• Use a strong password, meaning something random with numbers and punctuation.
• Use different passwords for different sites.
• If you have used the same password on different sites, switch it to something more secure.

The breach does not affect independent and self-hosted WordPress sites.