I do not see myself as someone who reacts hysterically to every little thing and I am not the grumbling type. The reason why I write about this topic again is that such could possibly affect anyone with a WordPress account.
Last week I reported on a very nasty hacker attack (Details here). Everything seems to be fine again – hopefully. However, these post hack issues were not resolved by WordPress whose answers were in no way helpful, but by the jetpack team. They resolved the matter quickly and effectively. Thanks again!
But today I got my credit card statement and this definitely seems worth reporting to me.

The hacker not only destroyed my account and almost managed to kidnap my domain, but he also managed to withdraw US $ 6000 via WordPress. Now 6K is not such a small amount and that’s why I asked WordPress to answer a few questions about it. I think my questions were factual and calm:
“Today I received my Visa statement and I was shocked.
1) please check and adjust my payments and let me know what the payments were for – one by one
2) please tell me how it is possible, that such a high amount can be withdrawn from my account without authorization from my side
3) please tell me how this can be prevented in the future.“
I’m sorry to say that the answer I received was definitely unsatisfactory and had the character – like you learn in a course – how to deal with a low-spirited, annoying customer.
The small amounts are ok. But above all the most important question: how can someone use WordPress to debit my credit card with $ 6000 remained unanswered.
There is also the little thing that EUR 5215 was debited, but I only got EUR 5048 refunded. That’s a difference of US $ 197. That doesn’t make the world end, but the fact that WordPress doesn’t even mind answering that is a bit of a negative surprise.
So I would like to take this opportunity to point out again that there is the possibility of 2-factor authentication, with which a similar scenario can be prevented. At least that’s what I hope.
The majority of my credit card payments are under $ 500. In the past, when I made payments over $ 1-2,000, Visa called and asked for confirmation over the phone. And now $ 6000 is debited without anyone asking ?! That seems like a remarkable security issue to me.
To this unauthorized charge via WordPress. What would have happened if I hadn’t been able to react immediately? (travel abroad, stay in hospital …). The 6k would probably have gone badly.
Leave a Reply