Is WordPress under attack?

Is it just us or is WordPress having a hard time? We’ve noticed a number of updates to the WordPress platform over recent weeks and in each case there appears to be a slightly larger message advising that it has fixed ‘security bugs’.


This seems to be part of a larger pattern in which sites all over the world running the WordPress platform are having problems with hackers, and it seems more than coincidental that this is happening at a time when WordPress is frantically updating the platform every couple of weeks. Of course this might just be two plus two equals five and, as we are going on ‘internet chatter’ and personal experience, there is a good chance that we are simply reaching the wrong conclusion, but…


Global code

The problem appears to be that hackers have realised that WordPress is wide open, and with millions of sites now hosted on the platform its vulnerabilities mean that they can target and compromise a wide range of high-profile sites. If the gaps in a basic WordPress installation are the same in every other, then sites as visible as http://www.number10.gov.uk/ could be at risk.


Add to this the fact that most of the plug-ins are free and developed by individuals, on whom we now rely to keep them up to date, and the opportunity for gaps to appear seems self-evident. In fact some of the recent reports we’ve seen suggest that it is the plug-ins that are the weak spot, with huge holes in the coding that allow hackers to hijack them. Just last week we had to advise a company that the gambling site link that had mysteriously appeared on their home page was in fact buried in one of the plug-ins that they were using.


There are a couple of simple steps you can take to reduce the chance of being hacked if you are on the WordPress platform including:

  • Take the new WordPress updates when they are offered. Don’t wait until the next release.
  • Update your plug-ins regularly as well.
  • Remove completely any inactive plug-ins you may have installed. These can conflict with the updated theme and cause operational problems, as well as leaving a door open for the hackers.
  • Change your password to something far less memorable.

The problem with plug-ins is that you have no idea where they have come from. This means that they could not only include open doors for hackers but could also themselves contain malicious code. We found a plug-in last year that was very good and did an excellent job, but had a link hidden within it which passed page rank to the programmer’s site. He was sitting on a PR8 site based on just these backlinks. Despite our best efforts there was no way to remove the link without breaking the plug-in, so we did the next best thing and changed the destination URL so it no longer leaked out of the site.
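Both incidents described above (the gambling link that appeared on a client’s home page, and the hidden backlink that passed page rank to the plug-in author) come down to the same thing: a plug-in emitting an anchor tag that points off the site. The script below is an added example, not code from the original post, showing how a site owner could scan plug-in source for outbound links and, where a plug-in cannot be removed, rewrite the destination to a page on the site itself, which is the workaround the post describes. The plug-in files, the domains and the site name are all constructed for this example.

```python
import re
from urllib.parse import urlparse

# Constructed sample: contents of two plug-in PHP files as they might sit under
# wp-content/plugins/. Both files and both domains are made up for this example.
SAMPLE_PLUGIN_FILES = {
    "wp-content/plugins/nice-gallery/nice-gallery.php": """<?php
/* Plugin Name: Nice Gallery */
function nice_gallery_footer() {
    // visible credit link that leaks link equity to the author's own site
    echo '<div class="credits">Gallery by <a href="http://plugin-author.example/">Plugin Author</a></div>';
}
add_action('wp_footer', 'nice_gallery_footer');
""",
    "wp-content/plugins/seo-helper/inc/output.php": """<?php
function seo_helper_links() {
    // hidden anchor: invisible to visitors but followed by search crawlers
    echo '<a href="http://casino-spam.example/play" style="display:none">best odds</a>';
    echo '<a href="https://www.example.com/contact">Contact</a>';
}
""",
}

# Host names that belong to the site being checked (assumed for this example).
SITE_DOMAINS = {"example.com", "www.example.com"}

# Matches an <a ...> opening tag and captures the href value in group 1.
ANCHOR_RE = re.compile(r'<a\b[^>]*\bhref\s*=\s*["\']([^"\']+)["\'][^>]*>', re.IGNORECASE)
# Inline styles commonly used to hide a link from human visitors.
HIDDEN_RE = re.compile(r'display\s*:\s*none|visibility\s*:\s*hidden', re.IGNORECASE)


def is_external(url, site_domains):
    """True when the URL has a host and that host is not one of the site's own."""
    host = urlparse(url).hostname
    return host is not None and host.lower() not in site_domains


def find_external_links(files, site_domains):
    """Return (path, url, hidden) for every anchor in the given files whose host
    is not the site's own. Relative links and links to the site are ignored."""
    findings = []
    for path, source in files.items():
        for m in ANCHOR_RE.finditer(source):
            url = m.group(1)
            if not is_external(url, site_domains):
                continue
            hidden = bool(HIDDEN_RE.search(m.group(0)))
            findings.append((path, url, hidden))
    return findings


def rewrite_external_hrefs(source, site_domains, replacement_url):
    """Point every external anchor at replacement_url (a page on the site itself)
    so the link no longer leaks off-site. Anchor text and other attributes are kept,
    which is the workaround for a plug-in that breaks when the link is removed."""
    def repl(m):
        if not is_external(m.group(1), site_domains):
            return m.group(0)
        tag = m.group(0)
        start, end = m.span(1)
        rel_start, rel_end = start - m.start(), end - m.start()
        return tag[:rel_start] + replacement_url + tag[rel_end:]
    return ANCHOR_RE.sub(repl, source)


if __name__ == "__main__":
    for path, url, hidden in find_external_links(SAMPLE_PLUGIN_FILES, SITE_DOMAINS):
        flag = "HIDDEN " if hidden else ""
        print(f"{flag}external link in {path}: {url}")
    fixed = rewrite_external_hrefs(
        SAMPLE_PLUGIN_FILES["wp-content/plugins/seo-helper/inc/output.php"],
        SITE_DOMAINS, "https://www.example.com/")
    print(fixed)
```

Run it against a real installation by reading each `.php` file under `wp-content/plugins/` into the dictionary; a hidden anchor pointing at a domain you do not recognise is exactly the symptom the post describes, and any finding is worth a look even when the link is visible.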


If you have any signs that WordPress is being targeted by hackers, feel free to let us know…