Outdated versions of WordPress and outdated plugins have been blamed for the injection of malware into over 30,000 WordPress sites recently.
The injection hijacks visitors to the compromised sites and redirects them to rogue AV sites that attempt to trick them into downloading and installing a Trojan onto their computer. (Source: Websense)
This report is not as bad as the "4800 Hacked Websites Lost With No Chance of Recovery" story.
I’ve been writing a lot lately about WordPress security and why it’s so crucial to update WordPress scripts to secure your site, so this only reinforces the need to secure your WordPress installation and take full backups.
More than 85 percent of the compromised sites were located in the U.S.
Weak admin passwords have also been blamed as many WordPress owners use short passwords and don’t change the username from the default, admin.
My advice to WordPress webmasters is to:
- Update WordPress
- Update plugins
- Update themes
- Limit login attempts
- Use long, strong usernames and passwords
- Secure .htaccess files
- Back up WordPress files and databases
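The last point on the list, a full backup of files and database, is the one that saves a site after a compromise like the one above. Below is an added example script (my own, not code from the original post or from WordPress) that dumps the database and archives the web root into a directory outside the site. The paths passed in (for example /var/www/html and /srv/wp-backups) are assumptions; credentials are read from wp-config.php, and the script assumes DB_HOST is a plain hostname and that mysqldump is on the PATH.

```shell
#!/bin/sh
# Added example: back up a WordPress site's files and database to a directory
# outside the web root. Not part of the original post. Assumes mysqldump is on
# PATH and DB_HOST in wp-config.php is a plain hostname (no :port suffix).
set -eu

# Pull a define('NAME', 'value') constant out of wp-config.php.
# $1 = path to wp-config.php, $2 = constant name
wp_config_value() {
    sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1
}

# Archive the whole WordPress tree (core, themes, plugins, uploads, wp-config.php)
# into a timestamped tar.gz and print the archive path.
# $1 = WordPress root directory, $2 = backup directory
backup_wp_files() {
    ts=$(date +%Y%m%d-%H%M%S)
    archive="$2/wp-files-$ts.tar.gz"
    mkdir -p "$2"
    chmod 700 "$2"   # backups contain wp-config.php secrets; keep them private
    tar -czf "$archive" -C "$(dirname "$1")" "$(basename "$1")"
    printf '%s\n' "$archive"
}

# Dump the database with mysqldump and print the dump path.
# The password is handed over in a temporary defaults file so it never appears
# on the command line (where `ps` would show it to other users).
# $1 = path to wp-config.php, $2 = backup directory
backup_wp_db() {
    cfg=$1
    ts=$(date +%Y%m%d-%H%M%S)
    dump="$2/wp-db-$ts.sql.gz"
    mkdir -p "$2"
    cred=$(mktemp)
    chmod 600 "$cred"
    printf '[client]\nuser=%s\npassword=%s\nhost=%s\n' \
        "$(wp_config_value "$cfg" DB_USER)" \
        "$(wp_config_value "$cfg" DB_PASSWORD)" \
        "$(wp_config_value "$cfg" DB_HOST)" > "$cred"
    # --single-transaction gives a consistent InnoDB snapshot without locking tables
    mysqldump --defaults-extra-file="$cred" --single-transaction \
        "$(wp_config_value "$cfg" DB_NAME)" | gzip > "$dump"
    rm -f "$cred"
    printf '%s\n' "$dump"
}

# A backup that cannot be read back is not a backup: check the archive lists cleanly.
# $1 = archive path; returns 0 if readable
verify_archive() {
    tar -tzf "$1" >/dev/null 2>&1
}

# Tie it together: files + database, then verify the file archive.
# $1 = WordPress root, $2 = backup directory
run_backup() {
    files=$(backup_wp_files "$1" "$2")
    db=$(backup_wp_db "$1/wp-config.php" "$2")
    verify_archive "$files"
    printf 'files: %s\ndb: %s\n' "$files" "$db"
}

# Usage (assumed paths): run_backup /var/www/html /srv/wp-backups
```

Run it from cron nightly and then copy the backup directory off the server (rsync or scp to another host, or an object store), because an attacker who owns the web server can delete anything that stays on it. Keep the backup directory mode 700: the tarball contains wp-config.php and therefore the database password.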
The problem we have is when WordPress comes out with a new version (which is every freaking month) and we have to wait to find out which of our plugins will work with the new version. There is a lag. I think during this time it is possible for a hacker to use this vulnerability… so how can this be prevented? I have a really cool plugin that I want to keep using even though the plugin author isn’t always up to speed on the newest version of WordPress.
Take a full backup and store it away from your server.