WordPress is by far the most popular blogging platform, and at last count we were hosting over 900 installations of it on our shared hosting servers. Many of these copies are very old, and because WordPress is so popular, attackers often exploit security vulnerabilities in old copies to hijack websites. This allows an attacker to redirect visitors to other sites, insert links to manipulate search engine rankings, set up phishing websites, and send spam.
This has always been a problem, and it’s not one that’s specific to WordPress. Unfortunately, in recent months we’ve seen a noticeable increase in WordPress sites being exploited in this way. We’ve set up measures in the past to detect compromised sites so that we can alert customers quickly, but ideally we want to prevent customers’ sites from being compromised in the first place. We offer ModSecurity and CloudFlare, and customers can easily (and automatically) install updates via Softaculous, but we still regularly see sites being compromised simply because they’re out of date.
For that reason, we have recently set up a system for automatically finding copies of WordPress which aren’t running the latest version, so that we can proactively ask our customers to update them before they can be exploited. We’ve already contacted dozens of customers to ask them to upgrade, and as a result most of those customers’ sites have now been updated to the latest version. There’s still a long way to go, so if you’re running WordPress (or any other third-party software), why not take this opportunity to make sure that you’ve updated to the latest version, and to turn on automatic updates?
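
The following is an added example, not the scanner described in this post. It relies on the fact that WordPress core records its version in `wp-includes/version.php` as `$wp_version`; the directory layout, the function names and the "latest" version passed in are assumptions made for illustration.

```python
import re
import tempfile
from pathlib import Path

# WordPress core sets its version in version.php as: $wp_version = '6.4.2';
VERSION_RE = re.compile(r"""^\s*\$wp_version\s*=\s*['"]([^'"]+)['"]\s*;""", re.M)

def parse_version(text):
    """Return the $wp_version string from version.php contents, or None."""
    m = VERSION_RE.search(text)
    return m.group(1) if m else None

def version_key(version):
    """Numeric sort key: '6.4' equals '6.4.0'; suffixes such as '-RC1' are ignored."""
    nums = [int(n) for n in re.findall(r"\d+", version.split("-")[0])]
    return tuple((nums + [0, 0, 0])[:3])

def find_outdated(root, latest):
    """Return (install_dir, version) for every copy under root older than latest.

    A version.php that cannot be read or parsed is reported with version None,
    so it gets reviewed by hand instead of being silently skipped.
    """
    findings = []
    for vfile in sorted(Path(root).rglob("version.php")):
        if vfile.parent.name != "wp-includes":
            continue  # some other file that happens to be called version.php
        try:
            version = parse_version(vfile.read_text(errors="replace"))
        except OSError:
            version = None
        if version is None or version_key(version) < version_key(latest):
            findings.append((str(vfile.parent.parent), version))
    return findings

def demo():
    """Scan a constructed directory tree (sample accounts and versions)."""
    with tempfile.TemporaryDirectory() as root:
        samples = {"alice/public_html": "<?php\n$wp_version = '6.4.2';\n",
                   "bob/public_html/blog": "<?php\n$wp_version = '4.9.8';\n",
                   "carol/public_html": "<?php\n// constructed: no version line\n"}
        for rel, body in samples.items():
            d = Path(root, rel, "wp-includes")
            d.mkdir(parents=True)
            (d / "version.php").write_text(body)
        return [(Path(p).relative_to(root).as_posix(), v)
                for p, v in find_outdated(root, latest="6.4.2")]

if __name__ == "__main__":
    for path, version in demo():
        print(f"{path}: {version or 'unknown'}")
```

In a real run the `latest` argument would come from the current WordPress release number rather than the constant used in the demo.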