Outdated WordPress versions vulnerable to sophisticated hacks

Since the dawn of the internet and long before that, there have been hackers with all kinds of different motivations.

There are hackers that are generally curious and don’t want to hurt anyone. There are also “blackhat” hackers who have more evil intentions and want to deface websites or steal money.

More recently a new breed of hackers have emerged with more subtle intentions. These new hackers scan websites en masse in hopes of finding vulnerable software (such as WordPress like this site). Once they’ve procured a decent list, they will hack the website and instead of defacing it, create a link or a redirect to a site that they own.

This hack accomplishes one of two things:

will drive more traffic to the hackers websites
will create more links to the hackers website which will help boost it in the search engines

This is what a horticulture website looks like when it is hacked

Protect yourself before you wreck yourself

Being armed with this knowledge is one of the best ways to protect yourself. Sure if a hacker is personally out to get you, thats not good. Protecting yourself from distributed attacks is more doable. It starts with the basics.

Updating to the latest software version

If you are running a CMS platform such as WordPress or Jommla or an eCommerce platform such as Magento, always make sure to update your software anytime their is an update.

If you are running any kind of addons, plugins, or extensions update those as well.

Use strong passwords

Many websites are protected by multiple layers of security. You have FTP, SSH, cpanel, WHM, and application layer passwords to worry about.

My general rule of thumb is this: never use a dictionary word, make sure it is 8 characters or longer, and use letters, numbers, symbols and at least one capital letter.

In addition stay away from common usernames such as “admin” or “root.”

Limit login attempts

If someone can’t log into your website in 5 username / password attempts they are most likely an attacker. Talk to your webmaster about enabling this functionality.

Trim the fat

If you have any sort of plugin or addon that you don’t need, get rid of it. The more code you have running on your website the more likely it is that some of it will be vulnerable.

Make sure you don’t keep backups stored in the open. I’ve seen many people backup their entire site via zip in the public directory. They have no idea they most likely just gave away the house on this one.

Get a consultation

If you are really concerned about your data, get a consultation from a network security consultant. Also FYI our preferred domain name search tool (particularly for NZ domain names) we recommend.

Final thoughts

I recently heard the quote “there are 2 types of people, those that know they’ve been hacked and those that don’t.”

If the NSA, the Pentagon and the White House have all been hacked, your website is just as vulnerable.

A lot of website security is up to the website hosting company, but they can really only do so much.

If you forget to lock your front door, do you fault the police department or your neighborhood watch for getting robbed?

Over the last 20 years, I’ve seen the back-end of a lot of websites. The majority of people don’t update their website. With this most recent form of hack, you could be hacked for weeks, months or even years without anyone even noticing!

As I said before, knowledge is power. If you are reading this you are on the right track.