There’s been a big fuss lately over the latest WordPress hacks that have targetted older versions of WordPress.

And in my view, they show the less pretty side of WordPress and some people in the community… but not all of them.  The attitude has been a straight “upgrade your blog and you’ll be secure.”

Well, I have news for you.  They’re wrong.

You’re Never Secure

Even if you have the very latest version of everything there are, out there, what are known as zero day exploits.  These are vulnerabilities which are kept secret by the hackers who have found them.  They cease to be secret if they become widely used in a large scale attack.  Like the current one against WordPress.

Now, if there are vulnerabilities out there that nobody knows about then your high profile WordPress site or blog could be targetted in a way that you, I, or the (great and lovely) WordPress developers out there don’t know about.

Not Everyone Can Upgrade Immediately

Quite frankly, I find the glib assertion that staying up to date is all you need to be secure to be… terrifying.  It’s bad advice because it leaves people with the feeling that all they need to do is to stay up to date and all is well.  Not only that, but it sidesteps the whole issue that WordPress should really consider running security updates on older versions of WordPress – not all sites can quickly change from one version to another.  When WordPress 2.8 came out it broke multi-use widgets – you could recode them, but then settings could be lost.  There are sites out there that run hundreds of widgets, and re-configuring them will be a big job.  If a new vulnerability comes out in WordPress it may not even be relevant to some sites because they may be doing everything else correctly.

In fact, in a critical environment you absolutely do not update your software without running a full suite of tests to make sure the updates won’t bring down your site.  This is a major problem for sites which, in some cases, are turning over tens of thousands of pounds a month.  Yes, they can throw money at the problem, but it still takes time – and when there’s a vulnerability the one thing you don’t have is a lot of time.  So a site needs to rely on more than just WordPress for security.

Mr. Coveney clearly understands something about the phenomenology of risk, and he’s got some good practical advice. Perhaps we can persuade him to write something for Popular Logistics, our primary blog, which is about risk assessment, mitigation and control.

A Common-Sense WordPress Security Primer. By David Coveney at InterConnectit – or perhaps it’s pronounced “InterConnect IT.”

Possibly related posts: (automatically generated)

• Related posts on WordPress Security
• Security And Anti-spam Plugins For WordPress | Saigon SEO dot Com

Update: Vladimir Prelovac advises use of the plugin WordPress Exploit Scanner, by Donncha O Caoimh¹

Riyad Kalla of the blog/website Kallasoft has written one helpful post How to Remove reycross.com WordPress Malware.

Vladimir Prelovac – always sharp, wrote about this over a year ago: Check your website for virus attack ! and in how to check WordPress sites (Readers may remember our posts about Vladimir’s exceptionally helpful Insights Plugin, which I use daily.(See the rest of his WordPress Plugins – and you’ll see what great contributions he’s made to the WordPress toolbox)

My preliminary take on this is that by WordPress 2.8 or 2.9 – the vulnerability had been removed – so at a minimum, one can upgrade – and then manually remove the offending code. But – haven’t confirmed it – so we’ll try to update this.

Possibly related posts: (automatically generated)

• Related posts on malware
• Lavasoft Ad-Aware Pro Internet Security 2010 v8.1.2 | D&D | Deals …
• Malwarebytes Anti-Malware Review

1. I’ve done an injustice – as English-language users often do – to the Irish transliteration of his name. There are accents and phonetic markers missing. There’s probably a way to resolve that in WP and/or HTML, but I don’t know what it is. Mr. O Caoimh, it’s my understanding, is one of the early major contributors to WordPress – and with this plugin, now having undergone a number of iterations, he’s working to keep it safe. Gives an entirely new meaning to the idiom “gift of Blarney.”