'

Wordpress.com hands out coupons after password glitch

Wordpress.com users are being told to change their passwords, after they were left in a "less secure format" for over a year.

In the same week that WordPress announced that the blogging platform powers 14.7 percent of the top million websites worldwide, WordPress sent out an email to a segment of its hosted users asking them to change their passwords, amid a lax in security.

The email pointed to a security fix that has caused user passwords to Wordpress.com to be stored in a less-than secure way:

"We recently found and fixed a mistake that we'd like to tell you about. Passwords on WordPress.com are saved in a way that makes them extremely secure, such that even our own employees are unable to see your actual password – the one you enter to login to your WordPress.com account.

However, between July 2007 and April 2008, and September 2010 and July 2011, a mistake in one of our systems used to find and correct bugs on WordPress.com accidentally logged some users' passwords in a less secure format during registration."

Clear to state that there was "no evidence that this data was access maliciously or misused", it asked users to update WordPress passwords.

To apologise, WordPress included a coupon code for all users, to use on a custom domain, a design upgrade, VideoPress or for additional storage space.

WordPress -- as it stands -- is used by over 50 million people, either through downloads of the popular blogging software, or through the hosted Wordpress.com service. WordPress 3.2, the latest version of the software, has been downloaded over 5.3 million times.

However, WordPress has been the center of controversy surrounding vulnerabilities in its software. Exploits are regularly fixed -- with hosted WordPress blogs updating automatically.

On Friday, it was discovered that a WordPress plug-in exploit was used to attack a U.S. defense contractor. Over a gigabyte of emails and 'schematics' belonging to an unmanned drone manufacturer was stolen by hacktivist group, Anonymous.

A spokesperson for parent company Automattic confirmed the email as genuine, but declined to comment further.

Related content: