At the bottom of MFO Home, it says "Proudly Powered by WordPress", https://www.mutualfundobserver.com/
Then there is news on a security breach at GoDaddy's WordPress that says that emails, passwords, etc. were compromised. What is MFO advising its members to do? https://gizmodo.com/a-security-breach-exposed-emails-and-site-passwords-of-1848108614
"GoDaddy recently learned that the impacts of a compromised password can be far-reaching. The domain registrar and web hosting platform revealed on Monday that it had experienced a security breach that disclosed up to 1.2 million email addresses for active and inactive Managed WordPress customers, as well as those customers’ WordPress administrator passwords."
GoDaddy is only one of a multitude of web hosting companies that offers WordPress to its customers. GoDaddy doesn’t own WordPress or control WordPress accounts that are hosted elsewhere.
This breach only affects WordPress accounts which are hosted by GoDaddy. Since I do not believe that GoDaddy hosts MFO, this breach should not be of consequence to MFO or its users.
Media references to GoDaddy WordPress confused me. I wonder why WordPress hasn't issued a clarifying release.
I learned more about WordPress.org and WordPress.com from this link. It seems that people can run WordPress software anywhere, including on their own servers. I also edited my post - it is WordPress, not WorldPress. https://kinsta.com/knowledgebase/what-is-wordpress/
These are the consequences and actions taken as of 11/22/2021.
Upon identifying this incident, we immediately blocked the unauthorized third party from our system.
Up to 1.2 million active and inactive Managed WordPress customers had their email address and customer number exposed. The exposure of email addresses presents risk of phishing attacks.
The original WordPress Admin password that was set at the time of provisioning was exposed.
If those credentials were still in use, we reset those passwords.
For active customers, sFTP and database usernames and passwords were exposed.
We reset both passwords.
For a subset of active customers, the SSL private key was exposed.
We are in the process of issuing and installing new certificates for those customers.
Our investigation is ongoing and we are contacting all impacted customers directly with specific details.
This was a serious breach for GoDaddy.
Their security team, an independent IT forensics firm, and law enforcement are still investigating.
Hopefully, the culprit(s) will be brought to justice and prosecuted to the full extent of the law.
A few pieces of information that I hope are helpful -
Our regular website does indeed run on WordPress; however, we do not use GoDaddy for hosting. So far as I know, the Mutual Fund Observer site has not been breached. I added the "So far as I know," because in most cases, a company's security has been breached for a period of time before they realize it.
This discussion board does not run through WordPress. It uses an open-source software called Vanilla Forums, which is not nearly so big a target as WordPress. Your password here never gets stored in WordPress.
That said, no site is ever safe from compromise. The advice from @JonGaltIII is spot on.
1. Use a password manager.
2. Do not recycle the same password over and over on multiple sites.
3. Use Two Factor Authentication whenever you're sharing personal or financial information.
4. Despite the convenience, don't allow shopping sites to store your credit card information if that's an option.
Happy holidays and stay safe!