You probably won’t do anything about this until it’s too damn late…
If you use WordPress for any of your sites then please take notice of the warnings to keep them up to date!
We’ve all seen the scare-mongering sales pitches for products that will secure your WordPress sites and lock them down against hacking attacks. But even if you have a bunch of that stuff installed… if you do not keep your installations bang up to date with the current version of WordPress… you are leaving a back door open for hackers.
And it’s scary just how much they can get control of from just one out-dated WordPress installation.
You see I have a background in computer security, licensing systems, networks and all that techie jazz. As a result I am pretty damn paranoid about security and always play it over-cautious.
So imagine my surprise when I was successfully hacked!
Luckily for me I keep masses of regular backups and so it was pretty easy (but still time consuming) to restore things back and shut down the chinks in my security armour. But from what I know of “most people”, they wouldn’t have had the backups I had and if they had got hit in the same way… they’d just be screwed.
Here is what happened…
I had a domain set up on my VPS hosting that I’d set up for testing purposes. It had a WP installation with security plugins and the like, and all the usual precautions such as not using wp_ as the database prefix, not using admin as the admin username, not having a “record number 1 in the user table”, etc. had all been done.
But I didn’t use the test site for a little while and it wasn’t on my auto-update list. So it slipped a couple of versions behind (it was WP version 5.2). Just being outdated left it vulnerable and hackers got in.
But what really shocked me was…
They were not limited to using the backdoor to hit just that site. They also managed to change PHP files of NON-WordPress sites on the same server (even though they were on separate accounts). In other words the exploit gave them much more power than you’d ever expect.
The annoying thing is that I control all my WordPress sites from a master account using MainWP, which keeps all the accounts up to date and does a lot of bonus security fixes. But this one account, because it was only for test purposes, was not added to my MainWP dashboard… and that one mistake cost me a day and a half of my time, and if I hadn’t been so well backed up it could have devastated my business.
Like I said… I am usually paranoid about security… but one little bit of complacency could have been much more costly than it was.
So keep ALL your WordPress installs bang up to date! Consider tools like MainWP which can help and make that something that is fully automatic (you can protect up to 5 sites like this for free with MainWP
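The forgotten test site above slipped behind because nothing was watching it. As an added example (not code from the original post or from MainWP), here is a small POSIX shell script that walks a web root, finds every WordPress install by its wp-includes/version.php, and lists the ones older than a version you pass in; the site directories and version numbers in the demo are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the original post: report WordPress installs
# under a web root that are older than a given version. The demo directory
# layout and version numbers below are constructed, not real sites.

# Print the $wp_version value declared in a wp-includes/version.php file.
wp_version_of() {
    sed -n "s/^[$]wp_version = '\([^']*\)';.*/\1/p" "$1"
}

# Succeed (exit 0) when dotted version $1 is older than $2; a pre-release
# suffix such as "-beta1" is stripped before comparing.
version_lt() {
    a=${1%%-*}; b=${2%%-*}
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        [ "${x:-0}" -lt "${y:-0}" ] && return 0
        [ "${x:-0}" -gt "${y:-0}" ] && return 1
    done
    return 1
}

# Print "<install dir> <version>" for each install under $1 older than $2.
outdated_installs() {
    find "$1" -path '*/wp-includes/version.php' 2>/dev/null | while read -r f; do
        v=$(wp_version_of "$f")
        if version_lt "$v" "$2"; then
            printf '%s %s\n' "${f%/wp-includes/version.php}" "$v"
        fi
    done
}

# Build a constructed demo web root: three fake installs, one of them behind.
make_demo_root() {
    root=$(mktemp -d)
    for site in siteA:6.4.3 siteB:5.2 siteC:6.5; do
        mkdir -p "$root/${site%%:*}/wp-includes"
        printf '<?php\n$wp_version = %s;\n' "'${site#*:}'" \
            > "$root/${site%%:*}/wp-includes/version.php"
    done
    printf '%s\n' "$root"
}

demo=$(make_demo_root)
echo "Installs under $demo older than 6.4.3:"
outdated_installs "$demo" 6.4.3
rm -rf "$demo"
```

Point it at a real web root (for example the parent of several accounts' document roots) and the version you consider current, and run it from cron so an install that is not on any dashboard still gets noticed.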